Agenda item

To consider report FIN/447 of the Audit and Risk Manager.

The Committee considered report FIN/447 of the Audit and Risk Manager.  The purpose of the report was primarily to update the Committee on the progress made towards the completion of the 2017/2018 and 2018/2019 Audit Plans, and to report on the progress made in implementing the previous recommendations.  The report also included an update on the Council’s Strategic Risks.  The Committee discussed and noted all the Audit Plan reviews in progress, along with other work as detailed in the report. 

The Audit and Risk Manager took this opportunity to brief the Committee on high priority findings and follow up audits.  In terms of the former, she confirmed that following discussions on the matter, further fraud awareness training would be provided to services across the Council, and that this would be undertaken shortly in cooperation with the Fraud and Investigation Team. 

The main focus of the report was the limited audit opinion given to the Data Centre Migration Project 2018-2019.  The review’s findings indicated that the project was yet to be completed, having significantly exceeded the Project’s completion target, and that there was a reported large overspend against the Project’s budget.  The Committee discussed this matter in detail, and in so doing, Members expressed their own concerns, and indeed disappointment, with the audit review’s outcomes, with particular emphasis on the generally weak arrangements in relation to the project’s management.  At the request of the Chair, the Head of Digital and Transformation addressed the Committee, and:

·         Explained that in the short time that he had been in post, he was continuing to clarify the extent of the project work that remained to be done and what efforts were needed in order to meet that remaining workload.

·         Commented that there were a number of reasons for the delay, including problems with the telephone links to the Surrey Business Centre – which were outside of the Council’s control.

·         Confirmed that a lot of work had been delayed more recently due to the relocation of the Town Hall Communications Room.

·         Explained that whilst the report indicated that the project would be completed within a month, it was difficult to confirm at this stage whether that target would be possible.

With the Committee considering the matter further, and in response to issues and concerns raised, the Audit and Risk Manager:

·       Confirmed the different categories of audit opinion, including that of limited assurance.

·       Emphasised that the actual costs (as advised by the IT Manager, but yet to be confirmed by the Audit and Risk Manager) at 31 May 2018 for the Data Centre Migration Project of £703,668.78 (identified on page 15 of the report), was a combination of revenue and capital.

·       Confirmed that whilst a risk register was absent for this project, such a register was expected to be available for all projects.

·       Advised that with important documentation, such as a project Initiation document and a risk register being absent, the roles and responsibilities were not clearly defined.

·       Commented that information gathered in the lead-up to the project, including that from various outside sources, did not suggest that the project’s budget had been underestimated, and that it was only when the actual work started / difficulties came to light, that budgetary issues arose.  The Head of Digital and Transformation Indicated that given the additional revenue expenditure incurred on the project came from the IT budget, it was likely that a number of IT related projects would have to be put on hold for the future.

·       Confirmed that some costs had been incorrectly charged to the Project, as they related to other IT projects, and so there had been some difficulty at this stage in asserting what the actual overspend was.

·       Explained that as yet information was not fully available in terms of where expenditures should have been coded to.  A better breakdown would be determined as to what projects the various costs should have been coded / allocated to, to help to clarify this matter.

·       Suggested that rather than being a recommendation as part of her report, an independent review should be something to be considered.  The Head of Digital and Transformation suggested that such a review could, for example, be undertaken as an internal review, a peer review, or an independent review, although it would be the most effective way forward that would be sought. Consideration was also being given to establishing a workshop to seek the views of the ICT Team, which the Head of Service considered critical in terms of avoiding similar issues arising again.

With the indication that a judgement could not yet be made as to whether the Data Centre arrangements represented value for money, the Committee continued to discuss the matter in detail, including the options for the best way forward in undertaking a review into the Project’s findings.  At this point and in response to a question from a Member of the Committee, the Leader of the Council emphasised that the Cabinet was taking this matter very seriously, and hence the reason for his attendance at this meeting.  In indicating that it was only until recently that he had been made aware of the absence of a risk register for this project, he acknowledged that a lot of processes that should have been followed hadn’t been, and that having now spoken to the Chief Executive, structures were being put in place to ensure this didn’t happen again.  From this project’s review, a number of findings, and recommendation had been raised which had since been discussed with Management and actions agreed with the, Head of Finance, Revenues and Benefits, the Head of Digital and Transformation, Deputy Chief Executive and the Chief Executive, who had agreed to form a Corporate Project Assurance Board to ensure that capital projects were delivered in a timely and cost effective manner and to share good practice across the organisation.  The Leader emphasised that we needed to keep resilience in protecting our data, and in this connection we would need to see what the suggested review identified.  The Audit and Risk Manager indicated that whilst, if necessary, follow up audits would be carried out for reviews generally, these would not be provided with a further assurance level, but would provide an update on where we were and the agreed actions to be taken.  With a limited audit opinion In respect of this Project, work would be undertaken immediately, and it was intended to submit a follow up report to the Committee’s meeting in October.

In taking all issues into account, and in accordance with the suggestion of the Chair, the Committee considered that a clear end date for the project be provided within 6 weeks, and that prior to the next meeting of the Committee, and in approximately 6 weeks from the date of this meeting, an update report should be circulated to Members by the Head of Digital and Transformation to update Members on costs and where we were in arranging the review on the Project as a whole to confirm value for money / fitness for purpose / the way forward (ACTION).

The Committee then considered the update on Risk Management.  The Committee sought and received clarification on several points, including the assessment of risks relating to the new Town Hall.  In response to comments from Members, the Head of Finance, Revenues and Benefits indicated that in view of potential inflation to building costs etc, the associated tender exercise continued to remain a risk and it would be important that the tender prices remained within budget.  However, budgets were agreed and clearly communicated in order for the risks to be mitigated through the risk register, and to keep the project on track, and regular budget updates would be reported to CMT.  All Members received a copy of the quarterly monitoring reports to Cabinet.

RESOLVED

That the Internal Audit Progress Report as at 12 July 2018, Incorporating a Risk Management Update as at 30 June 2018, be noted.