Audit Committee
24 September 2009Item No. 12
ICT Internal Audit Strategy 2009-10 to 2011-12
Report by the Head of Finance
This report introduces the ICT Internal Audit Strategy and asks the Audit Committee to consider and comment on the importance of the strategy and the recommended approach.
1 Background
1.1 Norfolk Audit Services supports the Council’s Strategic Ambitions and the County Council Plan 2009-2012. We aim to support the ambitions and the plan through supporting the arrangements for the Council to provide ‘value for money’ in its services, including ICT. Audit work and reporting
assurance on the adequacy and effectiveness of risk management and internal control forms part of the achievement of the ambitions and the success of the plan.
1.2 ICT underpins the Council’s services and therefore assurance that there are adequate policies, strategies, procedures and practice are key to the achievement of the Council’s plan.
1.3 ICT Audit work forms part of the Council’s overall internal audit planning1 which is approved by the Chief Officers Group and the Council’s Audit Committee annually. Internal audit planning for ICT is undertaken with regard to the approved Internal Audit Strategy2 which has been approved by the Council’s Audit Committee. The main focus of that strategy is to increasingly use the Council’s risk registers to inform audit planning, supplemented by existing audit knowledge and best practice.
1.4 In order to bring the best knowledge and skills to the delivery of the internal audit plan NAS sought a specialist provider to ensure that skills were up to date and comprehensive.
1
http://www.norfolk.gov.uk/consumption/groups/public/documents/committee_report/audit230409item8pdf.pdf
2
1.5 In August 2008 after a bidding process it was agreed through an ESPO framework agreement that PWC would be asked to undertake ICT audit work for Norfolk Audit Services. A budget to allow for around 100 days of auditing was set aside for the purpose. That budget has been included in the 2009-10 Internal Audit Plan1.
1.6 A programme of work for the first year was agreed and this programme is now close to completion. This programme and the current position with respect to each project is set out in the table below.
Audit Current Position
Oracle Change Management
Final Report Issued 18 March 2009
Data Security Final Report awaiting clearance by Head of HR and OD
Disaster Recovery Final Report to be issued by 30 September 2009 Penetration Testing Follow
Up Audit
Final Report issued 27 July 2009
Card Payment Compliance (PCI DSS)
Principal Client Manager to consult “business” client and PCI DSS QSA
1.7 There have been regular liaison meetings during the course of the year and suggestions for improvements for a better delivery have been discussed and these include
• New projects being better defined and delivered through adoption of a Project Initiation Document (PID) rather than Terms of Reference giving for instance
Closer involvement of the “business” client in the audit better management of the delivery timeline
• Attendance at close out meetings by the appropriate “business” client and the Principal Client Manager and presentation of an early draft of the report to the close out meeting,
• CVs of staff undertaking the audit work to be provided,
• Only one exchange of the draft report between ICT and PWC to
establish the factual accuracy of the audit findings, with the possibility of additional comments and opinions being presented in a NAS covering report
1.8 This strategy, an ICT Internal Audit Medium Term Plan and the Annual ICT Internal Audit Plan will be agreed with the Head of ICT and the Head of Finance.
1.10 This strategy was presented to the ICT Medium Term Planning Group on 6 August and was endorsed by the group.
2 Factors to be considered in the medium term audit plan
2.1 The ICT Internal Audit Plan will have regard to the Council’s ICT Plan, which supports the Council’s Plan. (1.1)
2.2 The main focus of the Internal Audit Strategy is to increasingly use the Council’s own risk registers to inform audit planning, supplemented by existing audit knowledge and best practice. (1.3)
2.3 One of the principal factors to be considered is the ICT risk register.
2.4 Other internal control and risk management factors that need to be considered include, for instance
• potential changes to the ICT services
• potential new risks arising during the life of the plan
• other audit drivers not reflected in the risk registers for instance audits identified by business clients rather than ICT and
• mitigating factors that may render any audit work ineffective.
2.5 The ICT Internal Audit Planning will draw on the specialist advice from our provider ensuring that there is full application of current professional audit concepts, standards and methodologies.
2.6 The delivery of the ICT audit work can be through either the provider (specialist ICT work) or through the Council’s In-House team (non-specialist ICT work) as required.
2.7 This strategy will be reviewed annually to ensure that it is fit for purpose.
3 Proposed Process for developing Medium Term ICT Audit Plan
3.1 The Client Manager, Project Manager and Principal Client Manager have met to consider what audits may be appropriate to address the risks set out in the ICT Risk Register. The “top” 14 risks were reviewed and of these
• two risks related to unauthorised attack or access and as such the risk will be mitigated by penetration testing. From the previous work on penetration testing there remains in place an action plan that is actively managed. There are also plans to undertake work on penetration test on a regular basis managed by ICT
• five risks related to Business Continuity and it was not felt that these issues should be addressed in isolation within the ICT Audit Plan. Business
• the remaining seven risks were areas where it may be appropriate to undertake ICT audit work.
3.2 Attached as Appendix A is a schedule of potential audits that have been identified so far, including those identified from the above risk analysis.
3.3 Consideration will then be given to producing a brief outline of each of the potential audits on this list, including identification of the business clients associated with each potential audit. These potential audits will be then be allocated to each of the three years of the medium term plan on a risk assessed basis, including the 2009-10 Annual ICT Internal Audit Plan. The draft plan will be agreed by all the necessary parties (1.8). The draft plan will also be shared with the Audit Commission before it is reported to Chief Officers and the Audit Committee. It will then be decided who should undertake the work (2.7)
3.4 The terms, scope and timing of the audits will be agreed with the client and ‘Business Client’ to ensure minimum disruption and ensure the
effectiveness of the audit work.
3.5 The results of our ICT audit work will be reported to the Audit Committee on completion of the reports, through our quarterly reporting.
3.6 The ICT Internal Audit work will then inform the opinion in the Annual Head of Internal Audit Report to the Audit Committee. That report informs the Council’s Annual Governance Statement, which is published in the Annual Statement of Accounts.
4 Action required from this Committee
The Committee is requested to consider and comment on the ICT Audit Strategy 2009-10 to 2011-12 on the importance of the strategy and the recommended approach.
Adrian Thompson Chief Internal Auditor Norfolk Audit Services 01603 222784
e-mail: [email protected].
If you need this Agenda in large print, audio, Braille,
alternative format or in a different language please
contact Adrian Thompson 0344 800 8020 or 0344 800
8011 (textphone) and we will do our best to help.
Appendix A Schedule of Potential Audits
Potential Audit Risk
Reference
Review of filters on Internet and e-mail 1.4/3.4
Security Logs 1.4/3.4
Unauthorised Access 1.4/3.4
Virtual Licensing 7.1/7.2
Application Licensing 7.1/7.2
Data Security Follow Up 8.2
Disaster Recovery Follow up
Change Management Process – Networks Change Management Process – application Spreadsheet/Access Databases
ICT Governance Review Data and Voice Infrastructure Security incident Processes Government Connect