Minutes:
The Internal Audit Progress Report was presented on behalf of the Head of Worcestershire Internal Audit Shared Service. It was reported that of the audit assignments planned for 2025-25, at the time of report writing, one audit assignment had been fully completed, two assignments were at the draft report stage, one assignment was at the fieldwork completion stage with the report to be issued shortly, six assignments were in progress, three assignments were at the planning stage, and five assignments had not yet been started.
It was highlighted that this year’s plan remained on track to achieve the targets set out in the Annual Plan. It was noted that the internal audit service was now fully resourced.
Progress against the key performance indicators for the internal audit service was provided, including that at the current stage the target of 90 per cent delivery of audit days against the full year plan target was on track to be achieved. A Member queried why the delivery of audit days target was set at 90 per cent rather than 100 per cent. The Assistant Director Finance and Customer Services undertook to obtain a response to this question from the Internal Audit Shared Service and report back to Members.
It was reported that there were no emerging issues to report in relation to the Council’s internal controls. There were 23 outstanding internal audit recommendations which remained to be fully actioned by the Council, 1 of which was a high-risk overdue recommendation in relation to the provision of assurance that cyber security awareness training had been completed by all Members.
Following the presentation, Members discussed the outstanding high-risk internal audit recommendation. It was requested that a reminder be sent to all Members who had yet to fully complete the cyber security awareness training, including a reminder on how to access the system.
The cyber security risk was deemed to be the main risk for the Council, with 6000 cyber threats being reported as intercepted by the Council’s firewall systems on a weekly basis. The Committee requested that a presentation be provided at the next meeting from the Council’s Emergency Planning / Resilience team regarding the ramifications that a cyber-attack would have on the Council and the response and recovery processes that the Council had in place to respond in the event of a cyber security breach.
It was also requested that a report on cyber security be added as a standing item at every meeting of the Committee, to provide regular data to Members on the status of cyber security risks.
The issue of cyber security refresher training for Members was also raised and it was reiterated that provision of refresher training would continue to be investigated and championed by the Executive.
A Member suggested that the Council should consider making its email system inaccessible on devices when located outside the United Kingdom. In the Member’s experience from another organisation, blocking access to mailboxes when outside the country had led to significant reductions in phishing emails and other cyber threats.
RESOLVED that
the Internal Audit Progress Report be noted.