The Chief Internal Auditor presented this report, in conjunction with Melanie Watson, Phil Eames, Tim O’Gara, Mark Kempt, Fiona Lester, Mark Williams and Christina Czarkowski-Crouch.
The Committee noted the following supplementary Public Forum questions relating to Appendix 4 – Cyber Security.
Q1 – Councillor David Wilcox
Q: In situations where items on the IT Risk Register remained amber for 3 or 4 periods, they should be upgraded to red. Can cyber security issues be resolved to include these?
A: Officers would investigate this and report back. Action: Tim O’Gara
Q: The date of completion had not been provided in relation to question 7.
A: Officers would follow up and answer this. Action: Tim O’Gara
Q: Please can answers provided for each question be attributed to each officer. Action: Oliver Harrison to ensure that an officer point of contact is provided for each answer given
Appendix 4 – Cyber Security
Melanie Watson introduced the appendix on Cyber Security and, together with Tim O’Gara, made the following comments:
· The review had been carried out a few months ago and had examined data risk management controls.
· There had been limited assurances provided but there was some room for improvement
· There had been no information provided concerning a cyber security strategy and governance at the time of the review
· In terms of risk management, there was no defined security risk
· Targeted training was required and a large number of actions had been implemented
Tim O’Gara made the following points:
· The recommendations provided by Audit had been accepted and enhanced work had taken place concerning cyber security
· The Council was committed to robust procedures which would be put in place to deal with an ever changing situation
The Chief Internal Auditor stressed the importance of mitigating risk as events could not always be predicted.
Appendix 1 – Risk Management Summary Report
Phil Eames made the following points concerning this report:
· The summary of risk management showed that progress was being made in embedding it across Bristol City Council
· There were not clear governance arrangements around risk management which were both manual and complex.
· This issue was a recurring problem as seen in instances such as Bristol Energy. Therefore, a risk assessment was extremely important
· Forms and records had originally been incomplete. Since the review, new systems had been rolled out and training sessions provided to staff which if successful should address the key issues. A review of the success of this would be provided in the coming year
Officers responded to Committee Members’ questions as follows:
· The new software was externally hosted
· Assessments were being made at corporate level in terms of how the risk assessment fits into decision-making. A need to strengthen the alignment of risk management had been identified and may need to be included in the Improvement Plan
· A new peer review mechanism was being embedded, which was more likely to ensure risks were properly captured
· Details of the way corporate risk assessment was made were provided
Appendix 2 – Housing Rents Summary Report
Fiona Lester and Mark Kempt introduced this report and made the following comments:
· There had been a great deal of management change and there had been difficulties in service delivery caused by COVID
· New policies were in place concerning rent setting and arrears. Staff would be trained concerning these and to tackle issues related to an increase of debt for individuals
· Overall debt had reduced to £12.8 Million with the average collection of debt being assessed at over 90%
· An action plan had been put in place to monitor quarterly credits and would be regularly monitored
Committee members thanked officers for their work in this area.
Appendix 3 – Health and Safety Summary Report
Christina Czarkowski-Crouch and Mark Williams introduced this report and made the following comments:
· The managers report had identified that the process was too often seen as a “tick box” exercise with little escalation if standards were not met. In addition, the assessment showed that managers were ignorant of their responsibilities, which was an issue that needed to be addressed
· A great deal of progress had been made in this area. The Councillor induction programme and elevated governance were part of the framework to ensure proper scrutiny.
· A new national database would be implemented from autumn. This database was supported by IT
In response to Councillors’ questions, officers made the following comments:
· It was important for all the different service areas to work together to deliver what was required. That was the purpose of the 14 recommendations set out in the 2019 Audit
· Service areas worked together closely – for example, in relation to the cyber agenda
· The Audit Committee and Scrutiny Commission should work together to deliver what was required and ensure best practice
RESOLVED – that the Internal Activity Audit report for the period ended 31st August 2021 be noted.