Progress on the implementation of Internal Audit Recommendations

To inform the Audit Committee of Senior Management’s progress in implementing the recommendations raised by Internal Audit following a review in their service areas. This report will enable the Committee to consider what action is required in respect of those that are overdue or appear likely to be implemented later than the target date.




It is recommended that the Committee:


1. considers the information contained in Annexe 1 and, following discussion at the Audit Committee meeting, identifies any action it wishes to be taken, particularly in relation to the Information Security Governance recommendations linked to the recent Data Protection review completed in preparation for the General Data Protection Regulation (GDPR), which comes into force in May 2018.


2. agrees an appropriate implementation date for the recommendations listed in Annexe 2, where a request has been made by the Head of Service for a change in the previous implementation date.



The Committee reviewed the report detailing the latest position regarding the implementation of Internal Audit Recommendations. Officers provided an update on the three overdue recommendations relating to Information Security Governance. They explained that the Information Security Group had now met; however, it had become apparent that the current resourcing for this role was not sufficient to do it justice. Some catch-up work would be required and there was a need to maintain good policies and procedures. A new Information Governance Board had now been established and would be chaired by the Strategic Director – Finance and Resources.


Cllr Hyman noted that the recommendations showed 50% progress and asked what work had been done to support this figure. Graeme Clark explained that the 50% figure was a judgement based on the extent to which the Council had met the recommendations. Generally, Waverley had a good track record with information governance but this was an incredibly important piece of work to enable the Council to consolidate and build on its current position.


Cllr Gray endorsed the comments made by Cllr Hesse at the last meeting where he had emphasised the importance of having the correct processes in place. This was not a criticism of the Legal Service, but they had numerous work pressures which meant that additional resources were needed. Graeme Clark added that several other local authorities were appointing dedicated Information Managers to ensure correct custody and usage of data.


Officers emphasised that the Council did manage data well, and had passed all government requirements such as PSN compliance; however, the existing resource didn’t have sufficient capacity to meet the growing demands and new legislation, and there was a need to invest more in order to move forward. The Committee felt it was important that the Council was seen to be prioritising information governance and therefore agreed to forward their concerns over this matter to Executive, endorsing any requests for additional resource/growth that may be required in order to take this forward.


In regard to the recommendation regarding Financial Regulations and CPRs, Officers reported that a lot of work had already been completed by Patrick Tuite, but that the Financial Regulations also required updating. The Audit Committee would be involved in this process, with a briefing to be scheduled in due course. The updated Financial Regulations would be presented to the Audit Committee in November and Council in December 2017. The Committee agreed that, given that the new Financial Regulations would be approved in December 2017 and the implementation of the enhanced Agresso functionality would be in place by the end of January 2018, the deadline for this recommendation (IA16/12.001) be extended to 31 January 2018.


The Committee RESOLVED to:


1. Pass its concerns to the Executive over the delay in implementing the recommendations relating to Information Security Governance, emphasising the importance of this area of work, and endorsing any additional resource requests that may be required in order to move this forward; and


2. Agree that the implementation date for IA16/12.001 – SharePoint Official Orders be amended to 31 January 2018.


