Agenda item

Consider report by Chief Officer Audit and Risk.  (Copy attached.)

10.1     There had been circulated copies of a report by Chief Officer Audit and Risk that sought to gain approval to the proposed Internal Audit Strategy and Internal Audit Annual Plan 2023-24 to enable the Chief Audit Executive to prepare annual opinions on the adequacy of the overall control environment for Scottish Borders Council, Scottish Borders Pension Fund, and Scottish Borders Health and Social Care Integration Joint Board.  A fundamental role of the Council’s Internal Audit function was to provide senior management and members with independent and objective assurance which is designed to add value and improve the organisation’s operations.  In addition, the Chief Audit Executive (CAE) was also required to prepare an Internal Audit annual opinion on the adequacy of the organisation’s overall control environment.  The Internal Audit Strategy at Appendix 1 of the report outlined the strategic direction for how Internal Audit would achieve its objectives, which were set out in the Internal Audit Charter, in conformance with PSIAS.  It guided the Internal Audit function in delivering high quality Internal Audit services to Scottish Borders Council (SBC), Scottish Borders Council Pension Fund (SBCPF), and Scottish Borders Health and Social Care Integration Joint Board (SBIJB).  The Internal Audit Annual Plan 2023-24 at Appendix 2 of the report had been developed by the Chief Officer Audit & Risk (CAE) and the Principal Internal Auditor.  It set out the range and breadth of audit activity and sufficient work within the audit programme of work to enable the CAE to prepare an Internal Audit annual opinions for SBC, SBCPF, and SBIJB.  Separate Internal Audit Annual Plans 2023-24 for the SBCPF and SBIJB would be presented to their respective board/audit committee for approval.  Key components of the audit planning process included a clear understanding of each organisation’s functions, associated risks, and assurance framework.

10.2     The Chief Officer Audit and Risk summarised the report and answered Members questions.  With regards to risk appetite and tolerance, Internal Audit had an obligation to provide an opinion on how well SBC risk management arrangements were defined and operated as part of the annual assurance opinion.  The rollout of the Risk Appetite Toolkit was still being progressed.  Comment wouldn’t normally be made by Internal Audit on what the risk appetite would be; however good practice elements would be assessed.  The Chief Executive explained that risk appetite varied across 137 high-level Council services, and that the Risk Appetite Toolkit provided additional guidance to Management by defining acceptable levels of risk in relation to different risk categories of a local authority.  With regards to cyber security, the Chief Executive advised that CGI was responsible for 24/7 cyber threat monitoring and for setting in place appropriate arrangements and that SBC were accredited by the UK Government in terms of security of data transfer and retention.  Furthermore, CGI had been asked to assess further steps that could be taken in terms of IT security and internal process such as password security and staff activity.

DECISION

AGREED to:

(a)       Endorse the Internal Audit staff resources needed to deliver the Internal Audit Strategy and Annual Plans;

(b)       Approve the Internal Audit Strategy detailed in Appendix 1 of the report; and,

(c)       Approve the Internal Audit Annual Plan 2023-24 detailed in Appendix 2 of the report.