Agenda item

Internal Audit Update Report

To update the Committee on progress with the Audit Plan – December 2015 to mid-February 2016 (report of the Audit and Risk Manager (Audit Lincolnshire) and the Executive Director Commercialisation enclosed)


Consideration was given to the report of the Audit & Risk Manager (Audit Lincolnshire), and the Executive Director Commercialisation which provided an update on progress with the Audit Plan between December 2015 to mid-February 2016.


The purpose of the report was to:


·         Advise of progress being made with the 2015/16 Audit Plan;

·         Provide details of the audit work during the period;

·         Provide details of the current position with agreed management actions in respect of previously issued reports; and

·         Update the committee on any changes to the 2015/16 Audit Plan and any other matters that may be relevant to the Governance and Audit Committee role.


Contained within the appendices which were attached to the report was detailed information in relation to Assurance Definitions (Appendix 1); Audits with Limited Assurance (Appendix 2); and the Internal Audit Plan and Schedule (Appendix 3).


As detailed within the report, all work was planned for completion by the end of March 2016.  The Audit and Risk Manager (Audit Lincolnshire) confirmed that internal audit services for South Holland District Council would be provided by  Eastern Internal Audit Services from 1 April 2016, and that she would be meeting with the Executive Director Commercialisation next week to consider handover of the new audit plan.


The Committee was also advised that within the report at section 1.13, the implementation date under ICT Strategy and Projects should be 31 March 2016, not 31 June 2015 as stated.


Members considered the information detailed within the report, and the following issues were raised:


·         Section 1.13 (Follow Up on Outstanding Audit Recommendations) – The recommendation for Mobile Devices had a completion date of 29 February 2016. Had this been completed?

o    A follow-up had been undertaken mid-February and this was currently the most up to date position.  The status would be ascertained and fed back to Committee members.


·         Limited assurance had been provided in relation to the ICT Software and ICT Strategy and Projects audit. Could the internal auditors explain this?

o   The Audit and Risk Manager advised that Appendix 2 provided a fuller explanation of the background to the limited assurance provided to ICT Strategy and Projects, and the actions required.  She advised that if the Committee wanted an update on progress with these, that the ICT Director (CPBS) would be able to provide this information.

o   The Chief Accountant commented that there were management actions outside of ICT that would have impact on this area.


·         Had lessons been learned from the recent ICT security breach at Lincolnshire County Council?

o   The Audit and Risk Manager advised that lessons had been learned, that there had been a de-brief following the incident, and that a more formal de-briefing session would be held at the end of March.  She advised that she would share information on cypber-risks with the Internal Audit Consortium Manager.

o   The Audit and Risk Manager also commented that the limited assurance opinion for the two ICT reports showed that improvement was required in the governance of ICT by CPBS.  The Committee may require further assistance in monitoring this.  Information was being shared to try and prevent these cyber attacks happening in the future.  She also stated that IT Security should be featuring on all Corporate Risk Registers




a)    That the report be noted; and


b)    That the Committee be advised of whether the completion date of 29 February 2016, for the outstanding audit recommendation regarding Mobile Devices, had been met.


c)    That the ICT Director (CPBS) provide the Committee with an update on progress with outstanding actions relating to the ICT Software and the ICT Strategy and Projects audits, which had received a limited assurance opinion; and


d)    That the Audit and Risk Manager (Lincolnshire Audit) share information on cyber-risks with the new internal audit provider.


(The Audit and Risk Manager (Lincolnshire Audit) left the meeting following discussion of the above item).

Supporting documents: