RESOURCES SELECT COMMITTEE - 21 AUGUST 2003
RECOMMENDATIONS OF THE AUDIT PANEL 25 JUNE 2003
HEAD OF SELECT COMMITTEE AND BEST VALUE SUPPORT
REASON FOR SELECT COMMITTEE CONSIDERATION
As the ‘parent’ committee of the Audit Panel, it is appropriate for the
Resources Select Committee to consider the recommendations made by the Panel at
its meeting on 25 June.
ACTION REQUIRED BY THE SELECT COMMITTEE
A. To recommend that the Portfolio Holder for Resources and Head of ICT:
· Review ICT security arrangements in the light of the Internal Audit report and the recent IT security review undertaken by NCC.
· Achieve compliance with the Information Technology Code of Practice for Information Security Management (BS ISO/IEC17799, BS7799-1:2000) by 31 December 2005, subject to adequate resources.
B. To determine that the terms of reference of the E-government Task Group be amended to include overview and scrutiny of all ICT elements of the authority (and to report back to the Resources Committee on a regular basis).
C. To endorse the Audit Panel’s support for the further development of a performance management culture within the Council and a corporate database of indicators to manage performance (known otherwise as the Quarterly Performance Management Report).
D. To endorse the Panel’s view that when reports are considered by the Executive, risks already appearing in the Strategic Risk Profile should be cross-referenced to the issue under consideration.
BACKGROUND
The Audit Panel was established following the Comprehensive Performance
Assessment in 2002 in order to create a forum in which the results of audit
activity, both internal and external, could be discussed so that auditors’
findings and recommendations could be given emphasis at Elected Member level. The Panel also plays an important part in
monitoring the performance of both audit teams, ensuring that they are
achieving objectives and plans. The Panel will meet four times each year to
receive synopses of audit findings and progress reports on achieving audit plans.
The Panel last met on 25 June, when it received a report from the
Compliance and Risk Manager which reviewed Internal Audit activity since the
beginning of the year. In summary, the report covered the following areas of
audit work:
· Banking arrangements
· Unix Operating System
· ICT Project Management
· Schools’ Audits
· Risk Assessment and Audit Planning
· Quality Assurance of Best Value Performance Indicators
· Best Value Review of Procurement
· Partnering approach to Contracting
· Fraudulent Cheque Alteration
· Core Financial Systems, Work-in-progress
In respect of many of the issues above, the Audit Panel merely noted the findings without further comment. It did, however, wish to bring to the attention of the Resources Select Committee the recommendations reported above at ‘Action Required’, where it felt this necessary. This might be considered part of ‘closing the loop’, an important part of taking corrective action by making improvements.
With regard to the recommendations concerning ICT security, Members
should also be aware that a major piece of work has been undertaken by
consultants, NCC. A report was published at the end of July, with the key
recommendation being the adoption of BS7799 as the corporate standard.
Members will note that this is already contained in the recommendations
within this report.
Accordingly, the Audit Panel’s recommendation to this Committee that
the Information Standards, BS ISO/IEC17799, be adopted is very much consistent
with the outcome of the NCC review.
Members may wish to remind themselves of the terms of reference of the E-government Task Group agreed on 20 November 2002 at the Resources Select Committee. These are as follows:
“THAT the ICT Task Group be reconvened as the
E-Government Task Group with a remit to continue to investigate the various
options available for the future delivery of the Council’s e-government
agenda.”
With regard to the recommendations concerning Performance Management,
Members should by now be aware of the quarterly ‘basket’ of indicators being
used to monitor the Council’s performance using a set of key indicators. This is known as the Quarterly Performance
Management Report or QPMR and its first viewing was at the Executive Committee
on 13 August 2003. This is to a large extent what was envisaged by the Audit
Panel when it recommended a ‘corporate database’. This action is therefore
largely achieved.
Finally, with regard to the recommendation concerning risks being drawn
to the attention of the Executive, Members will already be aware that ‘risk’
has for some time now been one of the ‘mandatory’ considerations (along with
Financial and Legal Implications) when reports are presented to the
Executive. Again, therefore, this action is already largely achieved.
RELEVANT PLANS, POLICIES, STRATEGIES AND PERFORMANCE INDICATORS
Implementing Electronic Government Strategy i/ii/iii
GAGS Strategy
Data Protection Act
Freedom of Information Act
CONSULTATION PROCESS
The Internal Audit progress report is monitored by the Audit Panel.
FINANCIAL, LEGAL, CRIME AND DISORDER IMPLICATIONS
The financial implications of adopting BS7799 as a corporate security
standard are to be covered as a strand of the Risk Management Plan. Presently a
costed project plan is being prepared for submission through the Strategic Risk
Group for the Executive. If the plan is approved it will aim for Council
accreditation by 31 December 2005. An estimated cost for the satisfactory
protection of the Council’s communication and computing assets is expected to
be in the order of £500,000.
Strategic development of ICT provision is an integral part of the
delivery of continually improving services in a modernising local
authority. ICT security has a more technical context in discharging the duties
of the Council to strike the right
balance between the sometimes competing statutory objectives of safeguarding
and protecting information (principally under the Data Protection Act 1998),
enabling access to information (principally under the Freedom of Information
Act 2000) and the delivery of best value services under the Local Government
Act 1999.
There are no crime and disorder implications.
25 June 2003 – Audit Panel Internal Audit progress report.
Contact Point: A R Drain, Head Of Select Committee And Best Value
Support, F 823801, e-mail alistair.drain@iow.gov.uk.