Agenda item

Performance Monitoring Report (Internal Audit Update)

The Head of Internal Audit to submit a report to update Members on progress made in delivery of the 2018/19 Annual Audit Plan and key findings arising from audit assignments completed since the last Committee meeting.

Minutes:

The Head of Internal Audit

(a)  submitted a report (copies of which had previously been circulated to Members), updating the Committee on progress made in delivery of the 2018/19 Annual Audit Plan and key findings arising from audit assignments completed since the last Committee meeting;

(b)  highlighted that 82% of planned audit assignments were either complete or in progress (and 100% of the Audit Plan was either complete or in progress).  A copy of the Audit Plan, as detailed at Appendix A of the report, showed the progress made on all planned audit assignments;

 

(c)  confirmed that since the last Committee meeting, two reports had been finalised and the key findings were set out at section 2.5 of Appendix A:

   i.  Business Continuity and Emergency Planning:  The Council had a comprehensive corporate Business Continuity Plan in place, which was informed by annual business impact analysis, in line with good practice.  At the time of audit, the plan had not been subject to periodic testing.  This reduced the assurance opinion which Internal Audit were able to give for compliance.  Arrangements for emergency planning were confirmed to be robust and test exercises on the planning with partner agencies took place bi-annually.  A good assurance opinion for design and a satisfactory assurance opinion for compliance had been given.

   ii.  General Data Protection Regulation (GDPR):  The revised data protection legislation came into force on 25 May 2018.  The Council was in the process of implementing all actions required to meet GDPR compliance.  An Information Asset Register was in place and policies were available to all staff.  There remained some areas to be addressed, including data retention arrangements and completion of staff and Member training.  Based upon these findings, a satisfactory assurance opinion for design and a good assurance opinion for compliance had been given;

 

(d)  advised that since the last Committee meeting, fourteen actions from audit reports had been completed.  There were nineteen actions overdue for implementation, as detailed at Appendix 3 of Appendix A and only one of these actions was high priority, as detailed at Appendix 4 of Appendix A.  It was anticipated that implementation of this action would be confirmed before the next meeting of this Committee.  Appendix 3 included a breakdown of the service areas responsible, as requested by Members at the last meeting of this Committee.

 

A Member commented that they were disappointed to note that the emergency key contact list was not up to date at the time of audit and hoped that this had been dealt with quickly.  The Head of Internal Audit advised that she anticipated this action to be implemented as a high priority and would follow this up.

 

A Member advised that as a County Councillor, they had received a certificate of protection, in relation to GDPR from Leicestershire County Council and asked if Borough Councillors would receive the same from this Council.

 

The Director for Legal and Democratic Services confirmed that online training was available and Members had also been given the opportunity to attend training with East Midlands Councils.  The Council had registered Members for data protection and had paid the Information Commissioner’s Office fee on behalf of Members.  In addition, Privacy Notices on the Council’s website also protected Members.  The Council had a Data Protection Action Plan in place and were eager to do more in relation to protection.  It would undertake more proactive work as part of its Member induction and development processes to increase confidence in dealing with data.

 

A Member asked if the Council’s internal MIKE site offered training or information on GDPR.  The Director for Legal and Democratic Services and Director for Corporate Services advised that there were a number of training courses on GDPR, freedom of information, data protection, etc., and some courses were specifically aimed at Members.  A link to the MIKE site had been provided in a recent copy of the Members’ Bulletin and would be provided again to the Member.

 

It was highlighted that the Information Commissioner’s Office had superb guidance on GDPR and were willing to discuss issues and problems.

 

A Member commented that it was important to avoid sending group emails, which included private email addresses, as this was a breach of data protection.  They added that they hoped all audit recommendations would be implemented within deadlines and the Head of Internal Audit advised that she attended Senior Leadership Team meetings on a quarterly basis to review overdue actions.  This helped to progress them.  Many actions had been closed over the last few months and this issue was very high on the radar for Senior Management.

 

There being no further comments or questions from Members, Councillor Posnett moved the recommendation and Councillor Simpson seconded.

 

RESOLVED that the report be noted together with the progress made by the Internal Audit team in delivery of the Audit Plan.
