
Agenda item

EXTERNAL AUDIT REPORT RECOMMENDATIONS INFORMATION TECHNOLOGY UPDATE

The Council’s external auditors, Mazars, undertook an audit in the first quarter of 2016 to assess a selection of key Council IT systems as part of the audit of the financial statements.

 

The Assistant Director, Transformation and Change will submit Document “X” which shows the Council’s progress on implementing two External Audit Recommendations from the 2016 review undertaken by Mazars.

 

Recommended-

 

That the update on the External Audit Report Recommendations relating to the Council’s Information Technology systems be noted.

 

                                                            (Column Sheridan-Small – 01274 434047)

 

Minutes:

The Council’s external auditors, Mazars, undertook an audit in the first quarter of 2016 to assess a selection of key Council IT systems as part of the audit of the financial statements.

 

The Assistant Director, Transformation and Change submitted Document “X” which showed the Council’s progress on implementing two External Audit Recommendations from the 2016 review undertaken by Mazars.

 

The two outstanding external audit recommendations included:

 

(1)   Business Continuity - In order to ensure proper and timely recovery in case of a disaster or major incident, we recommend testing the Disaster Recovery Plan at least on an annual basis.

 

(2)  User Access - In order to avoid unauthorised access to the Council's network and programs, we recommend ensuring that formal access disabling requests are issued for all leavers before their leaving date.

 

The outstanding recommendations were aimed at improving two areas managed by IT Services: namely, the process for managing the close down of computer accounts when staff leave the organisation, referred to as “the Leavers” process, and the management of the annual review and testing of key Council IT systems in line with the Council’s Business Continuity planning process. A revised plan to implement the two recommendations was attached (Appendix A).

 

It was reported that in relation to recommendation 1 a plan was being developed to manage this activity which would result in the identified departments undertaking a “desktop” IT Disaster Recovery scenario walkthrough of their business continuity plan. This activity would be reviewed annually and next year would see a planned coordinated IT system outage with a selected IT system in each department. This would be a rolling programme of activity as IT Services worked with each of the Council departments to formalise and schedule their IT Disaster Recovery testing plans.

 

Members were informed that since the external audit recommendations were issued, existing user management systems had been updated to improve the management of staff leaving the organisation. To further support this, IT Services had been undertaking a review of network logon accounts to ensure none were missed within the current leavers process; any identified account issues were followed up with the relevant Council departments to validate if their removal was appropriate.

 

Once the user management system went live in March 2019, the external audit Recommendation 2 would have been implemented.

 

In response to a Member’s question as to why there was a delay in implementing the recommendations, it was reported that IT Services had experienced a number of operational issues in 2016 and 2017. In addition to this was the complexity of the challenge to ensure that all the IT systems a leaver had access to were closed out. IT Services provide and support over 250 systems to council departments and a leaver may have access to several of these. New systems and supporting processes would be in place by March 2019 which would enable greater integration of IT systems to manage the staff leavers process.

 

In response to a Member’s question, it was reported that a degree of resilience was in place in the event of a disaster; however, these resilience measures would now be tested more robustly to ensure that disaster recovery was effective. It was important to make sure key departments could deliver key services in a disaster situation; it was also noted that business continuity was reported quarterly in the Finance Monitoring Reports.

 

Resolved-

 

That the update on the External Audit Report Recommendations relating to the Council’s Information Technology systems be noted.

 

                                               
