Agenda item

INTERNAL AUDIT PROGRESS REPORT

Minutes:

FSD21058

 

At the previous meeting, an update had been received concerning the ongoing issues regarding the possibility of a power failure to the data centre. As this had been ongoing and a matter of concern for some time, a further update had been requested for this meeting. To this end Vinit Shukle (Assistant Director for IT Services) attended the meeting in person, whilst Sara Bowrey (Director of Housing, Planning and Regeneration) and Mike Watkins (Assistant Director for Strategic Property) attended by conference call.

 

The Director of Housing, Planning and Regeneration informed the Committee that a firm date had now been arranged for all contractors to attend on site to finally resolve the issue. This had been confirmed for the weekend commencing Friday, November 26—that would be when all the back-up work would take place. Work on replacing the switch would take place over the weekend of 27th-28th, with the system being back up and running on Monday 29th November. The Oracle financial system would need to be tested on Monday 29th due to the availability of a specialist contractor.

 

The Assistant Director for Strategic Property acknowledged Member frustration and outlined the difficulties that had been experienced when attempting to arrange for multiple contractors to be available on site at the same time.

 

A Member asked if a roll back plan was ready if the work planned for that weekend failed. The Assistant Director for IT Services responded and said that data backups would be taken initially, prior to the work being handed over to the Facilities Team. If the contractors encountered difficulties and felt that the work was going to fail, then the Council would be alerted and the Data Centre back up would be reinstated.

 

A Member commented that although it was good that the matter was now hopefully coming to a successful conclusion, Members should not forget the history of the issue and stop asking questions. It was important to understand why this matter had taken so long to resolve, so that steps could be taken to ensure that it did not happen ever again. The Member also queried as to whether or not there were other vulnerable parts in the system that could cause similar problems to the Council in the future.

 

The Assistant Director for Strategic Property responded to the question as to why the matter had taken so long to resolve. He said that historically this was an old piece of kit and that no one had really understood its criticality. No one in the past had really taken time to consider properly what would happen if the system failed. It had also been the case historically that the Council had not benefited from having access to all of the relevant specifications of the UPS. Resultantly, a shutdown had been required to look at specifications, parts and methodology.

 

Another contributing factor had been the poor service that had been received from Amey who were the previous Facilities Management contractor. After dispensing with the services of Amey, the Council employed Frankham’s Consultancy to oversee the project. Frankham’s subsequently subcontracted out work to a specialist. After this, the Council needed to set up a Vaccine Centre because of COVID and this meant that the work could not take place at that time for fears of disrupting the work of the Vaccine Centre. Then came elections. After that, there had been issues of mis-communication with the sub-contractor. The process had been very complex and it was difficult to align the work of the numerous subcontractors involved. There had also been issues concerning the availability of UK Power Networks. A positive outcome of all of the work that had been undertaken was that this part of the IT network and interface was now fully understood. There were now no vulnerabilities that existed in terms of property issues.

 

The Assistant Director for IT Services responded regarding other possible vulnerabilities and criticalities from an IT perspective. The Chairman asked if it was the case that proper system documentation was now in place. It was confirmed by both the Assistant Director for IT Services and the Assistant Director for Strategic Property that the relevant documentation was now in place.

 

A Member pointed out that the possible failure of the IT systems or the power supply feeding the IT systems had always been noted on the Council’s Risk Register. He wondered if the Council therefore had just been paying ‘lip service’ to the Risk Register and had therefore not been dealing effectively with risks. He wondered why this risk, (as it had been noted on the Risk Register) was not analysed and mitigated against. He asked if the Risk Register had any practical purpose if the risks that had been outlined were not being taken seriously. He expressed the view that modelled questions needed to be asked, especially with respect to high risk activities. He wondered if senior officers were discussing and looking at the risks on the Risk Register.

 

The Head of Audit and Assurance responded by outlining that the Council had a Corporate Risk Management Group that looked at the various challenges and issues highlighted on the Risk Register. In addition, the Internal Audit Team planned much of its work around issues noted on the Risk Register.

 

Internal Audit had conducted audit work regarding the issue of the UPS and data security because it had been pinpointed first on the Risk Register; Internal Audit had subsequently identified various vulnerabilities; because of this the issue with the faulty switch had been spotted. In addition, each department was responsible for reviewing its level of risk. Much good work had been carried out by David Tait (Emergency Planning and Corporate Resilience Lead) and consequently much of the Council's data had been transferred to the ‘Cloud’, thus reducing the level of risk. A corporate study had been undertaken by a graduate trainee concerning the matter of risk and this was being discussed at a meeting on the 9th of November by the Chief Executive and the Corporate Leadership Team. The Head of Audit and Assurance promised that he would feed back to the Chief Executive at the meeting with some of the comments that had been made by Members regarding risk and the Risk Registers.

 

A Member referred to a power cut that occurred in 2018 where there was a storm, the Council had lost power and the generator had failed to activate. She wondered therefore if this was a problem that had been around for a number of years. In addition, she referred to her employer’s work with respect to ISO 27001 and the level of detail that was involved. She wondered if business continuity was the issue and that more detailed work was required.

 

(Note: ISO 27001 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.)

 

The Head of Audit and Assurance responded that much detailed work regarding business continuity had been undertaken by the Head of Business Continuity and Resilience and that since Mr Tait had taken over the role, the Council’s business continuity plans were now significantly more robust and detailed than when he first joined the Council. The Assistant Director for Strategic Property stated that although there had been issues identified with the switch to the power supply, in most cases, where there had been an interruption to the power supply from external sources the switch had still worked.

 

A Member asked who the current supplier of the switch was and who the new supplier would be. The Assistant Director for Strategic Property replied that the company responsible for servicing and maintaining the switch was a company called ‘IBM Power Mode’ and the switch itself was an ‘Eaton 120kw UPS’. The Assistant Director clarified that the system was being replaced with a new version of the same system and with a new warranty. The quote for the new system was going through the relevant procurement channels.

 

The Member asked if the replacement UPS would be a single or dual replacement. The Assistant Director for IT Services confirmed that the replacement was like for like—so it was a single replacement. The Member responded and said that as it was a single unit it should remain on the Risk Register as it was potentially a single point of failure.

 

It was with regret that the Chairman and the Committee noted that this would be the last meeting with Dave Hogan acting in the capacity of the Head of Audit and Assurance as he would be retiring shortly. The Chairman and the Committee thanked Mr Hogan for his hard work, dedication, attention to detail and for the excellent audits and audit reports generated by Mr Hogan and his team. They expressed their appreciation to him for his excellent service to the Council and wished him all the very best for his retirement.       

 

The Chairman introduced Fran Chivers who would be taking over from Dave Hogan as the new Head of Internal Audit and Assurance. She was currently the Chief Audit Executive at Dartford and Sevenoaks District Council Internal Audit Partnership. Her start date with Bromley Council would be December 13th. 

 

The Chairman highlighted the review of the engagement of a consultant for a business area of Children’s Services. He commented that the rise in cumulative spending should have been picked up earlier. The Head of Audit and Assurance responded by confirming that Internal Audit had queried and criticised this. The overspend had been offset by the overall underspend of the department.

 

A Member commented that he found the matter disturbing because of the absence of the relevant paper trail and lack of authority. This scenario had arisen previously where there was a gap in the work of a consultant, who then came back to work for the Council again at a later date. He expressed concern regarding the significantly increased fees involved; the original budget had been £33,750 and by the end of the day this had increased £94,850. He expressed the view that this was close to a disciplinary matter for the overseeing manager. In these sorts of cases the relevant manager should be able to justify the increased expenditure. He expressed the view that this was badly handled and seemed to be an old problem that was resurfacing from the same department.

 

The Head of Audit and Assurance responded and said that this was a one-off incident and there was no evidence to suggest that this sort of thing was widespread. It was reported to the Director of Finance and the Director of Human Resources. The Director of Finance was keen to ensure that the Council did not fall foul of any HMRC rules and regulations. The Head of Audit and Assurance said that the response from the Director of Finance and the Chief Executive had been robust.

 

The Chairman highlighted that with respect to the audit of Subject Access Requests—the audit opinion was ‘Limited’ and a new P1 recommendation had been raised. The Chairman asked what the risks of this could be for the Council.

 

The Head of Audit and Assurance responded that the Council had a statutory timescale in which to respond to information requests and that the Council should be able to prove what information was sent out. It would be bad practice if the Council was not able to provide this information and the Council could fall foul of the Information Commissioner. A new system was being implemented and this would be subject to further testing by Internal Audit in due course.

 

A Member asked if there was a report available which detailed how often the Information Commissioner ruled against Bromley Council. He wondered who dealt with such a report and which Committee it went to. He felt it would be useful to monitor any trends. It was noted that an annual complaints report was produced and this normally went to the GP&L Committee.

 

A Member stated that there was a need to keep a better track of FOIs and that these requests needed to be dealt with fully and properly. He felt that Internal Audit should note the number of requests and then identify the root cause of the complaints which he felt was a result of poor information being given to residents in the first place. The Head of Audit and Assurance said that he would find out what figures were currently available. Information Governance data had now been transferred to a new system so hopefully matters would now improve.

 

No questions were raised regarding the audit of Housing Benefit and the Chairman remarked that he felt the audit of waste contracts looked healthy. Regarding this audit, a Member highlighted section 3.2. 46 where it stated ‘The Waste Strategy Manager acknowledged that this agreed process was not fully followed in 2020/21 as LBB staff were not always on site due to COVID-19 restrictions, to undertake the required checks on the rejected paper loads’. She asked what these Covid restrictions were as this should have been an outdoor activity. The Head of Audit and Assurance said that he would clarify what the restrictions were.

 

Members noted that the audit of Marjorie McClure School was ‘Reasonable’ although several P2 recommendations had been raised. A Member hoped that the clutch of P2 recommendations was not an indication that procedures were too lax. It was noted that the school was re-locating. The Head of Audit and Assurance responded that the Internal Audit Team did not feel there were any serious matters of concern that currently required attention.

 

With respect to the Highways Maintenance audit, it was noted that some time had elapsed since the previous two outstanding P1 recommendations. The most appropriate course of action now was to conduct a brand new audit for the Highways Maintenance Department which would look at the previous issues that had been raised, together with any new ones that may be emerging.

 

Members noted the update concerning the Disabled Facilities Capital Grant. A Member commented that he had been looking at the capital programme and expected to see figures concerning the disabled facilities capital grant in the capital programme, but the figures were not there. He wondered if the grant had been carried forward to this financial year or not. The Head of Audit and Assurance said that he would look into the matter and report back.

 

In terms of the various Covid related grants that the Council had to manage, it was noted that these were resource intensive. Some additional ‘burdens grant’ funding would be made available to assist councils with the extra work that was involved. 

 

A Member asked if an audit would be undertaken regarding the grant for Holidays, Activities and Food. The Head of Audit and Assurance stated that Internal Audit did not have any plans to undertake an audit of this particular grant. The Member said that she would raise the matter with the Executive, Contracts and Resources Committee as this committee had indicated that Internal Audit would be auditing all Covid related grants. 

 

Members noted the Risk Registers. A Member expressed some concern that PDS Committees were sent the Risk Registers to look at ‘for noting’. His concern was that they may not be being scrutinised in sufficient depth.

 

Members noted the update with respect to KPMG and the objection to the Council's accounts.  It seemed that the matter was now close to being resolved. The objector had requested more time to look at KPMG’s conclusions.

 

Members noted the update regarding Blue Badge Fraud. A Member expressed the view that the use of cautions in certain cases was ineffective and should be withdrawn. The Head of Audit and Assurance responded that in certain cases the use of a caution was proportionate.

 

A Member raised the issue of Social Services staff benefiting from parking dispensations when visiting clients. He drew attention to the fact that when individuals in receipt of direct payments paid for their own carers, those carers did not benefit from the same parking dispensations and he asked if this could be looked into. The Head of Audit and Assurance said that he would speak to Parking Services to see if this was something that they could consider. 

 

A discussion took place regarding various Covid related grants and the fact that in some cases money was being claimed back from businesses that had not previously fully declared changes in circumstances to the Council. £90k had been identified to be reclaimed by the Council at the time of drafting the report, but it was reported that this could increase to as much as £176k based on the latest estimates.

 

An update was provided regarding Business Support Grants investigations arising from NFI matches and it was suggested by a Member that control charts should be used to monitor how long the different types of cases were taking to be resolved.

 

RESOLVED that:

 

1) The Head of Audit and Assurance would feed back to the Chief Executive and the Corporate Leadership Team some of the comments that had been made by the Committee regarding possible attitudes to Risk and the Risk Registers.

 

2) The Head of Audit and Assurance would look into what data was available with respect to FOI and Subject Access Requests.

 

3) The Head of Audit and Assurance said that he would clarify what the Covid restrictions were that had been mentioned in the audit of the waste services contract.

 

4) The Head of Audit and Assurance would investigate to find out if the monies relating to the Disabled Facilities Grant had been carried forward to this financial year.

 

5) The Head of Audit and Assurance would contact Parking Services to see if they could consider parking dispensations for the carers of members of the public who were paying for carers from Direct Payments.