Report on Information Technology Controls

Meeting: 30/07/2009 - Audit Committee (old) (Item 112)

112 Report on Information Technology Controls

Report of Grant Thornton.

Minutes:

Grant Thornton presented a report on Information Technology Controls, the purpose of which was to provide assurance regarding controls in those areas of information technology that may impact on the Council’s financial statements. The assessment had covered areas including security, administration, access and the implementation of new systems. The report concluded that the Council’s controls were suitably designed. Two low-priority recommendations had been identified: a requirement for all staff to acknowledge their understanding of the security policy and procedures, and the introduction of controls within SAP to prevent common or predictable passwords. It had been agreed that both recommendations would be implemented by December 2009. In response to a query from the Committee regarding why it would take until December 2009 to implement the recommendations, Grant Thornton reported that they had been advised that this was due to the length of time required to introduce a new table for passwords into SAP.

The Committee asked whether more sensitive systems, for example those in social services, had been looked at in relation to the complexity of passwords. It was confirmed that 100 days of audit work on the Council’s IT systems was carried out as part of the yearly Internal Audit Plan. The Committee requested that a report be presented to the next Committee meeting on whether the issue of password complexity had been specifically looked into in sensitive areas, such as children’s services.

The Committee expressed a view that all staff should be expected to understand the policies and procedures as part of their work, and should be asked to confirm their acceptance of the relevant procedures in writing. The Committee requested that an explanation be provided of why the advice from HR was that it was not always appropriate to obtain this confirmation in writing.

The Committee discussed the scope of the report, and Grant Thornton confirmed that the report was only on those key controls relating to the Council’s financial statements, and not the IT systems overall. If as a result of this work, however, broader recommendations relating to IT were identified, it was confirmed that these would be reported. It was reported that dedicated IT audit work was carried out on an ongoing basis on the Council’s systems, as a result of which any adverse findings would be reported and followed up, and the implementation of all recommendations relating to IT systems was monitored. The Chair noted that it was the role of the Audit Committee to ensure best practice, and asked the Chief Financial Officer to advise whether a further detailed audit review of all the Council’s IT systems was necessary or whether to accept the scope of the review as set out by the external auditor. The Chief Financial Officer recommended that the guidance of the external auditor be taken and the scope of the review as reported on be accepted.

RESOLVED

That the content of the report be noted.