Agenda item

Stuart Cutts introduced the report and highlighted the key points. Particular emphasis was placed on the Opinion of the Head of Internal Audit on page 19 and the two significant control weaknesses identified.

During the discussion, the following points were raised.

-       Members queried whether the Committee should be satisfied with a Reasonable Assurance opinion. Max Thomas advised that while the Council should always aim for the highest standards, the current position was considered positive given the significant changes brought about by Local Government Reorganisation and other factors.

-       Concerns were expressed regarding the identified weakness in capital scheme management and it was confirmed that Officers are aware of the recommended actions. Members requested that a report on capital scheme management be brought to a future meeting. Karen Iveson confirmed that Officers would report back once the actions had been implemented.

-       Members queried why the Claro Road project review had not been given an audit opinion. Max Thomas explained that the audit focused on specific elements rather than the full system, and therefore an overall opinion could not be provided. It was noted that the project was inherited from Harrogate Borough Council and that some issues only became apparent over time. Stuart Cutts emphasised that lessons could be learned from the project.

-       A query was raised regarding the Scarborough Waterpark draft audit report. Max Thomas confirmed that fieldwork had been completed and a draft report issued, which was currently under management review. The report is expected to be finalised within a couple of months.

-       Members raised a query about the cash handling at leisure centres audit. It was confirmed that some of the agreed actions remain outstanding.

In relation to information security, Members raised the following points.

-       Concerns were expressed about the increasing threat from hackers. Max Thomas acknowledged this and stressed the need for appropriate resource allocation.

-       Members queried whether all employees had completed information security training and Max Thomas confirmed that mandatory training is in place and ongoing. NYC and NYPF employees are subject to simulated phishing tests using Boxphish emails - Members queried the percentage of staff clicking on these links and the consequences of repeated failures. Officers were unable to provide figures but confirmed that warnings and further training are issued where necessary. It was reported that the failure rate has decreased since the introduction of the tests. Members emphasised the importance of reporting any accidental link clicks to mitigate potential damage. It was noted that phishing emails are becoming increasingly sophisticated.

-       Members referred to the data breaches listed on pages 66 and 67 of the report and queried the outstanding case noted at paragraph 5.6 on page 67. Max Thomas confirmed that breaches are reported to the Information Commissioner’s Office (ICO) promptly and that the ICO has not taken regulatory action. The outstanding case was not considered serious.

-       Some Members reported issues with the email address used to report spam. Max Thomas agreed to investigate this.

Resolved

That the Committee:

a)    notes the Reasonable Assurance opinion of the Head of Internal Audit regarding the overall framework of governance, risk management and control operating within North Yorkshire Council as set out.

b)    notes the two significant control issues which are recommended for inclusion in the 2024/25 Annual Governance Statement.

c)    notes the outcome of the quality assurance and development arrangements and the confirmation that the internal audit service conforms to relevant professional standards.

d)    approves the updated Internal Audit Charter.