Bedfordshire Fire and Rescue Authority Corporate Services Policy and Challenge Group 9 September 2014 Item No. 6

Transcription

1 For Publication Bedfordshire Fire Rescue Authority Corporate Services Policy Challenge Group 9 September 2014 Item No. 6 REPORT AUTHOR: SUBJECT: ASSISTANT CHIEF OFFICER (HUMAN RESOURCES AND ORGANISATIONAL DEVELOPMENT) AUDIT AND GOVERNANCE ACTION PLANS MONITORING REPORT For further information on this report contact: Karen Daniels Audit Performance Manager Tel No: Background Papers: Action Plans contained in Internal External Audit s Action Plan contained in the Annual Governance Statement 2013/14 Minutes of the Audit Committee dated 5 April 2012 Implications (tick ): LEGAL FINANCIAL HUMAN RESOURCES EQUALITY IMPACT ENVIRONMENTAL POLICY CORPORATE RISK Known OTHER (please specify) New CORE BRIEF Any implications affecting this report are noted at the end of the report. PURPOSE: To report on progress made to date against current action plans arising from internal external audit reports from the Fire Authority s 2013/14 Annual Governance Statement. RECOMMENDATION: That Members acknowledge progress made to date against the action plans consider any issues arising. 6.1

2 1. Introduction 1.1 The Members of the Audit Stards Committee previously endorsed that the Committee should receive monitoring reports at each of its meetings advising of progress against current action plans arising from internal external audit reports, the Authority s Annual Governance Statement. 1.2 In their meeting on 5 April 2012, Members of the Audit Stards Committee agreed that progress on the action plans be reported to each meeting of the appropriate Policy Challenge Group action point owners report progress by exception to the Audit Stards Committee. This is the second such report to the Corporate Services Policy Challenge Group for the year 2014/ Monitoring of Actions Arising from Internal External Audit s 2.1 The monitoring report of progress made to date against agreed actions arising from internal external audit reports is attached as Appendix A. 2.2 The monitoring report covers, in order, the following: Outsting actions from internal external audit reports, including those reports received during 2014/15 those from previous years, which have a proposal to extend the original completion date. Outsting actions from internal external audit reports, including those reports received during 2014/15 those from previous years, which are on target to meet the original or agreed revised completion date. Completed actions which are subject to a subsequent or follow up audit. These will remain on the report until this audit is complete the action validated. Completed actions that are of a Low risk do not require a follow-up audit. These will be removed from the report once they have been reported as completed to the Policy Challenge Group. Any actions that have been superseded by new actions. (Actions are removed from the report once they have been reported as superseded to the Policy Challenge Group.) 3. Monitoring of Actions Arising from the Authority s Annual Governance Statement 3.1 The monitoring report of progress made to date against actions arising from the Authority s Annual Governance Statement is attached as Appendix B. 3.2 The monitoring report covers the actions within the 2013/14 Annual Governance Statement (if applicable) which was formally adopted by Members of the Audit Stards Committee, on behalf of the Authority, at their meeting on 26 June 2014, as part of the 2013/14 Statement of Accounts. 6.2

3 4. Priority Grades 4.1 The Service Audit Outcomes in Appendix A have a priority grading system. The table below explains the key to the priority grades: Baker Tilley (formerly RSM Tenon) High Low Recommendations are prioritised to reflect s assessment of risk associated with the control weaknesses. 5. Organisational Risk Implications 5.1 The actions identified within internal external audit reports the Annual Governance Statement represent important improvements to the Authority s current systems arrangements. As such, they constitute important measures whereby the Authority s overall management of organisational risk can be enhanced. 5.2 In addition, ensuring effective external internal audit arrangements the publication of an Annual Governance Statement are legal requirements for the Authority the processes of implementation, monitoring reporting of improvement actions arising therefore constitute an important element of the Authority s governance arrangements. ZOE EVANS ASSISTANT CHIEF OFFICER (HUMAN RESOURCES AND ORGANISATIONAL DEVELOPMENT) 6.3

4 Monitoring of Actions Arising from Audit s (incorporating any actions outsting at 31 March 2014 from earlier reports) APPENDIX A URN Auditing Body & Source Audit Area Responsible Manager Priority Agreed Action Progress to Date Timing For ('Not Started', 'In Progress' or PAR 2 Partnerships The Partnership Governance Procedures should be enhanced to: Outline detailed responsibilities for staff within the organisation, for instance who is required to approve the commencement of a partnership who is responsible for capturing the details of the partnership on an overarching register; Include a defined time-bound internal escalation process to provide assurance that partnerships have been subject to review presented to an appropriate forum (the Corporate Management Team for partnerships of a high strategic importance). A series of workshops was undertaken to review existing planned partnerships the associated roles responsibilities. The definition of Partnerships other collaboration has been agreed a register of partnerships is in place. Procedural guidance has been drafted defining responsibilities for the maintenance review of the register partnerships with a focus on those of a high strategic importance. Remains on target for completion September Sep 14 During revisions to the procedures the team who should drive the required changes should involve those employees tasked with managing partnerships to reflect their requirements from the process. PAR 4a Partnerships It would be beneficial to aid compliance with the Partnerships Procedures for the Partnership Start Up Form Review Forms to be streamlined. It should also include some form of due diligence for non-public sector partners. A tiered approach would be beneficial where the existing documentation may be more suitable for the few select highly important partnerships (utilising Following the review of partnerships, their definition differentiation, the Prevention Protection Partnerships Procedures Start up Form Review Forms are being streamlined, including a tiered approach. This streamlined documentation is being incorporated into the Partnership procedures remains on track for completion in September 14. Partnerships with commercial organisations are subject to separate agreements due Sep 14 6 (Appendix A).4

5 Monitoring of Actions Arising from Audit s (incorporating any actions outsting at 31 March 2014 from earlier reports) APPENDIX A URN Auditing Body & Source Audit Area Responsible Manager Priority Agreed Action Progress to Date Timing For ('Not Started', 'In Progress' or the current scoring tool); for the majority the Service should consider whether: Each form can capture the key information on a single sheet. Performance review of partnerships can be conducted annually utilising one generic form; Thematic reviews of partnerships can be conducted for a collection of similar partnerships. diligence for non-public sector partners is typically managed through formal procurement governance arrangements that fall outside of the Prevention Protection partnership arrangements. PAR 4b Partnerships Low An agreement (or equivalent that outlines the responsibilities of each partner should be held by the Service for all partnerships (new existing). A series of workshops has been undertaken to review existing planned partnerships the associated roles responsibilities. The definition of Partnerships other collaboration has been confirmed. This has led to the identification of those that should be subject to a formal agreement. These agreements are now being gathered linked to the partnership register. Finalisation of these arrangements is underway remains on target for completion September Sep 14 PAR 5 Partnerships A review of all partnerships (from all departments) should be completed. The review process should be revised to be more streamlined include: An importance scoring for each partnership (in-line with the Partnership Procedures); A continue, reduce input or exit from partnership conclusion (based on its performance importance). A series of workshops was undertaken to review existing planned partnerships the associated roles responsibilities. These workshops included a review of the partnerships in respect of their efficiency value with a consideration as to whether to continue, reduce input or exit. The results of this review have been incorporated into the new Prevention Protection partnership database. These partnerships are now being subject to a review process that will be documented in partnership procedural guidance. Dec 14 6 (Appendix A).5

6 Monitoring of Actions Arising from Audit s (incorporating any actions outsting at 31 March 2014 from earlier reports) APPENDIX A URN Auditing Body & Source Audit Area Responsible Manager Priority Agreed Action Progress to Date Timing For ('Not Started', 'In Progress' or PAR 6 Partnerships An annual overarching review of partnerships should be performed by the Service presented to the authority to determine the success of partnerships. The success should include a link to costs benefits realisation. This review process should also include a gap analysis to determine whether there are any potential emerging partnerships the Service should explore. An annual review of partnerships is being undertaken will be presented to the Authority at their year-end meeting in June May 15 1 Low Management should ensure that security policies, procedures, associated documents are regularly reviewed updated that documents contain a review history. The review of the information Security policies related procedures has been completed with a review history incorporated into the documents for ease of reference. This remains on track for completed by the end of August Network user account management policy procedures should be designed implemented for creating, amending revoking user accounts. Steps should be included to ensure that users only have network privileges required for their responsibilities. Network user account management policy procedures have been designed are in the process of implemention including creating, amending revoking user accounts. Steps include controls to ensure that users only have network privileges required for their responsibilities. This remains on track for completed by the end of August (Appendix A).6

7 Monitoring of Actions Arising from Audit s (incorporating any actions outsting at 31 March 2014 from earlier reports) APPENDIX A URN Auditing Body & Source Audit Area Responsible Manager Priority Agreed Action Progress to Date Timing For ('Not Started', 'In Progress' or 4 Management should develop implement a policy for managing default accounts default account settings. The policy should include procedures for: Renaming default accounts; Disabling default accounts; Reconfiguring default account settings to improve security The review of ITIL/ISO27001 procedures which includes the Account Management Settings Policies is making good progress is on track for inclusion in the ICT Shared Service Document Library by the end of August Low A virus management policy with matory procedures guidelines should be developed for network administrators users. A virus management policy with matory procedures guidelines are being developed for network administrators users as part of the implementation of Information Technology Infrastructure Library (ITIL) framework. This remains on track for completed by the end of August A patch management policy with appropriate matory procedures should be developed implemented to ensure that patches are tested before they go live in order to ascertain whether or not a new patch will affect the normal operation of any existing software. A Patch Management policy with matory controls, procedures guidelines have been developed for network administrators users as part of the implementation of Information Technology Infrastructure Library (ITIL) framework for the ICT Shared Service. Verification of implementation is continuing on target for completion by the end of August a A security monitoring policy for the Service should be developed, approved, documented. A security monitoring policy has been drafted into the ITIL/ISO27001 procedures for ICT with final approval on track for completion by the end of August as part of the wider implementation of ITIL controls. 6 (Appendix A).7

8 Monitoring of Actions Arising from Audit s (incorporating any actions outsting at 31 March 2014 from earlier reports) APPENDIX A URN Auditing Body & Source Audit Area Responsible Manager Priority Agreed Action Progress to Date Timing For ('Not Started', 'In Progress' or 8 9 The ICT change control procedure should be enhanced to include: Matory procedures to ensure that all approved changes align with the business requirements of the Service; Document control should be used to record monitor changes to the procedure. A Disaster Recovery plan should be documented based on the results of a thorough Business Impact Analysis (BIA) a Disaster Recovery focussed risk assessment. The ICT Change control procedure has been enhanced to include matory elements of ISO ITIL with appropriate document change control to record monitor changes. This procedure others are in the process of being formally introduced into the ICT Shared Service operating documentation remains on track for completion by the end of August Disaster recovery plans have been drafted verification activities are underway against the Business Impact Analyses undertaken by the Business Continuity Risk Management Project. This activity remains on track for completion October Oct 14 PAR 1 Partnerships The Service's Corporate Management Team should revisit their definition of a Partnership ensure its appropriateness. Following a review the agreed definition should be clearly communicated to staff this should be the only definition stated in guidance documentation the Service's website. The Service's Corporate Management Team revisited their definition of a Partnership in their meeting on 14th April The Service has now agreed the definition differentiation of partnerships other collaborative relationships, providing examples guidance which is available on the Service's intranet. Apr 14 Completed To be confirmed by follow- up audit The definition should include: Measurable factors that assist in defining a partnership for the service. For instance, in terms of duration resources required. For example, what constitutes long term? An explanation of what takes 6 (Appendix A).8

9 Monitoring of Actions Arising from Audit s (incorporating any actions outsting at 31 March 2014 from earlier reports) APPENDIX A URN Auditing Body & Source Audit Area Responsible Manager Priority Agreed Action Progress to Date Timing For ('Not Started', 'In Progress' or precedent in terms of recording the details of the partnership if it also could be defined as a project or activity work. A few scenarios to provide examples of what is what is not a partnership. GOV 1.1 March 14: Final Governance The Register of interests must be fully completed by all Members of the Authority with either a positive or negative declaration being given against each question. Furthermore, Members should be reminded of their obligations under the Localism act the importance of disclosing any arising interest to the Monitoring Officer in writing. All registrations of interest have been completed by all Members an indication of a positive or negative declaration have been given against each question. New existing Members are written to each year to advise them of their obligations under the Localism act the importance of disclosing any arising interest to the Monitoring Officer in writing. Sep 13 Completed To be confirmed by follow- up audit KFC 1.2 Key Financial Finance Treasurer High The Service should ensure that a credit check process is added to the vetting of new suppliers where there value in terms of financial significance of supplies exceeds an agreed threshold; all amendments to vendor details are verified with a senior member of the vendor staff using original contact details held on the payables system that checks are clearly recorded on the Creditor Card Change Form. With immediate effect a credit check will be carried out on each supplier where the contract value is predicted to exceed 50,000. It will be the responsibility of the Procurement Manager to request that the Chief Accountant carries out a check before any contract can be awarded. In addition the Procurement Manager will request that the Chief Accountant carries out a credit check for contracts below 50,000 if the Procurement Manager assesses that nature of the contract is critical to the performance of the Service. Mar 14 Completed To be confirmed by follow- up audit A credit check is also completed on suppliers that are deemed to be key suppliers. An independent check is undertaken to confirm changes to supplier creditor card details, usually using companies house to retrieve a contact 6 (Appendix A).9

10 Monitoring of Actions Arising from Audit s (incorporating any actions outsting at 31 March 2014 from earlier reports) APPENDIX A URN Auditing Body & Source Audit Area Responsible Manager Priority Agreed Action Progress to Date Timing For ('Not Started', 'In Progress' or telephone number. To evidence this check has been undertaken a section will be added to the creditor card change form, which will confirm the source of the independent contact details. 3 7b Low Low Domain administrator access rights should be managed to ensure that administrators only have the rights required for their responsibilities. Management should consider having penetration testing / vulnerability scanning performed on an annual basis to reduce the risk of having vulnerabilities that could be exploited. Domain Access rights have been reviewed processes for managing these rights introduced to ensure adminsitrators only have the rights required for their responsibilities. Management have considered penetration testing /vulnerability scanning have agreed that this will be performed on an annual basis. The plans will be documented by the end of June The first annual testing is planned to start on 1st October Jul 14 Jun 14 Completed No follow- up audit Required Completed No follow- up audit Required 6 (Appendix A).10

11 APPENDIX B Monitoring of Actions Arising from 2013/14 Annual Governance Statement (incorporating any actions outsting from the 2012/13 Annual Governance Statement) No Issue Source Planned Action Progress to date Timing For ('Not Started', '' or 1 Protective Security 2012/13 & 2013/14 AGS & Assurance Statements To commence implementation of the programme of project to establish compliance with the CFOA protective security framework. Protective Security Information Protective Security are both interlinked within the Business Continuity (BC) framework of the Service with the project now at the risk assessment phase of the process. Mar 15 The Risk Assessment is a main feature of the overall project which includes the evaluation of approximately 150 separate stards from the ISO other bodies to ascertain how the Service meets these stards. This element of the project represents a significant piece of work which is now being mapped out to identify the resources required the timescale to complete. The project is on course for completion by the due date. 6 (Appendix B).11

12 APPENDIX B Monitoring of Actions Arising from 2013/14 Annual Governance Statement (incorporating any actions outsting from the 2012/13 Annual Governance Statement) No Issue Source Planned Action Progress to date Timing For ('Not Started', '' or 2 Business Continuity 2012/13 & 2013/14 AGS This is a Corporate Project to align the Business Continuity Planning stage of risk management to be compliant with ISO Stard Further training into the use administration of the Abriska risk management software was undertaken in August with further dates to be identified as the integration of Abriska into the Service continues. With regard to the Business Impact Assessments (BIAs), these have now been completed are with Functional Heads for their review. As part of the review process, the BIAs are being followed up with one to one meetings with the Project Lead to ensure that the BIAs are complete or require further refinement prior to the next step of drafting Functional Recovery Plans including setting the scope of recovery. New proposed 31 Jan 2015 The risk assessment phase of the Business Continuity process, including the adoption integration of the Risk stards from Information Security Protective Security is now in development with approximately 150 separate risks to be evaluated for their assessment of maturity. This part of the Business Continuity implementation represents a significant piece of work is now being mapped out to identify the resources required the timescale to complete. Coupled to this piece of work, with the disruption the effects of the Trade Dispute, the Business Continuity element of the project will not be completed by August as planned will therefore require extending until 31st January 2015 to complete. This new date will still fall in line with the Information Protective Security project completion dates. An extension of this project to 31 st January 2015 is proposed. 6 (Appendix B).12

13 APPENDIX B Monitoring of Actions Arising from 2013/14 Annual Governance Statement (incorporating any actions outsting from the 2012/13 Annual Governance Statement) No Issue Source Planned Action Progress to date Timing For ('Not Started', '' or 3 Information Security 2012/13 & 2013/14 AGS & Assurance Statements This is a Corporate Project to ensure that the Authority's information is secure the policy is in line with ISO Stard Information Security Protective Security are both interlinked within the Business Continuity (BC) framework of the Service with the project now at the risk assessment phase of the overall process. Mar 15 The Risk Assessment is a main feature of setting up Information Security Protective Security with approximately 150 separate stards from the ISO other bodies that have to be evaluated for their assessment of maturity. This part of the project implementation represents a significant piece of work is now being mapped out to identify the resources required the timescale to complete. The project is on course for completion by the due date /14 AGS & Assurance Statement All actions from the 2013/14 Review of Authority Effectiveness Action Plan to be completed during 2014/15 formally reviewed by Members as part of following year s process. All actions from the 2013/14 Review of Authority Effectiveness Action Plan to be completed during 2014/15 formally reviewed by Members as part of following year s process. Mar (Appendix B).13

14 APPENDIX B Monitoring of Actions Arising from 2013/14 Annual Governance Statement (incorporating any actions outsting from the 2012/13 Annual Governance Statement) No Issue Source Planned Action Progress to date Timing For ('Not Started', '' or 5 Term Budget/CRMP Assurance Statements For officers the Fire Rescue Authority to reach agreement on the medium term strategic operational direction, enabling sufficient savings efficiencies to be worked on implemented in line with the estimated medium term budget gap. This work will take place with Members Officers over the coming months, including two Member budget workshops in November January. This work will need to be completed to set a robust medium term balanced budget in February (Appendix B).14