AUDIT OF ICT STRATEGY IMPLEMENTATION


APPENDIX A

1. Background

1.1. This report summarises the findings from the audit of ICT Strategy Implementation. This was a planned audit assignment, undertaken in accordance with the 2016/17 Audit Plan.

1.2. The two-year Copeland Borough Council ICT Strategy was formally agreed at the Executive meeting in April 2015, following presentation of a report by the Interim Director of Commercial & Corporate Resources (& Section 151 Officer).

2. Audit Approach

2.1. Audit Scope and Limitations

2.1.1. The Audit Scope was agreed with management prior to the commencement of this audit review. The Client Sponsor for this review was Fiona Rooney, Interim Director of Commercial and Corporate Resources (Section 151 Officer). The agreed scope of the audit was to provide assurance over management's arrangements for governance, risk management and internal control in the implementation of the ICT Strategy.

2.1.2. There were no instances whereby the audit work undertaken was impaired by the availability of information.

3. Assurance Opinion

3.1. From the areas examined and tested as part of this audit review, we consider that the current controls operating within the implementation of the ICT Strategy provide partial assurance.

Note: as audit work is restricted to the areas identified in the Audit Scope and is primarily sample based, full coverage of the system and complete assurance cannot be given to an audit area.

Cumbria Shared Internal Audit Service: Internal Audit Report

COPELAND BOROUGH COUNCIL - Audit of Implementation of ICT Strategy

4. Summary of Recommendations, Audit Findings and Report Distribution

4.1. There are 6 audit recommendations arising from this audit review, summarised as follows:

Control Objective                                                                                        High   Medium   Advisory
1. Management - achievement of the organisation's strategic objectives (see section 5.1)                 1      -        -
2. Regulatory - compliance with laws, regulations, policies, procedures and contracts (see section 5.2)  1      -        -
3. Security - safeguarding of assets (see section 5.3)                                                   1      -        -
4. Value - effectiveness and efficiency of operations and programmes (see section 5.4)                   1      2        -
Total Number of Recommendations                                                                          4      2        -

4.2. Strengths: The following areas of good practice were identified during the course of the audit:
- Governance arrangements for the implementation of the ICT strategy have been fully developed.
- Senior management are included in the governance framework.

4.3. Areas for development: Improvements in the following areas are necessary in order to strengthen existing control arrangements:

4.3.1. High priority issues:
- Governance arrangements have not always been effectively applied, resulting in insufficient challenge to the implementation of the ICT Strategy.
- The ICT Strategy has not been implemented in accordance with the project management framework.
- Public Services Network (PSN) certification has lapsed.
- A risk register has not been developed for the implementation of the ICT strategy.

4.3.2. Medium priority issues:
- Key messages in relation to the ICT strategy are not communicated to the staff affected.
- Individuals have not been assigned to work streams.

Comment from the Interim Director of Commercial & Corporate Resources (& Section 151 Officer):

This audit was requested by myself to ensure we were making solid progress on the implementation of the ICT Strategy that was agreed by Executive in April 2015. This audit has highlighted a number of areas that require further work and all recommendations have been agreed by management to be implemented.

Management Action Plan

5. Matters Arising / Agreed Action Plan

5.1. Management - achievement of the organisation's strategic objectives

(a) Governance and Accountability (High priority)

Finding: Although clear governance arrangements for the implementation of the ICT Strategy have been documented and approved, these have not always been effectively applied. For example:
- Governance groups have not met regularly as set out in the terms of reference.
- Governance groups have not fulfilled their obligations as set out in the terms of reference.
- Lack of challenge on progress of implementation.
- Incomplete progress updates provided to the Business Theme Board.
- Minutes of the governance groups have not always been completed with sufficient detail to provide an accurate record of decisions, actions and responsibilities.
- Key officers have not been held accountable for the delivery of agreed objectives through regular appraisals.

Management response: Agreed. This is a priority for us. We are revisiting the governance around ICT and a report will be presented to CLT once the Service Review is in place.

Recommendation 1: Management should ensure that:
- Governance groups meet on a regular basis as set out in their terms of reference.
- Governance groups fulfil their obligations as set out in their terms of reference, including sufficient monitoring and challenge on project delivery.
- Provision is made for accurate minutes to be taken at all governance meetings.
- The objectives of key officers, and accountability for those objectives, are formally agreed and documented through the appraisal process.

Risk: ICT Strategy is not effectively implemented on a timely basis, with consequent adverse impact on the achievement of the Council's objectives.

Responsible officer: Fiona Rooney / Business Support Manager / Martin Stroud
Target date: 04/2017

5.2. Regulatory - compliance with laws, regulations, policies, procedures and contracts

(a) Project Management Framework (High priority)

Finding: The report to the Executive in April 2015 required the ICT Strategy development to be managed in accordance with the Council's Project Management Framework. Assurance cannot be given that the implementation of the ICT Strategy has been managed in accordance with the Council's Project Management Framework.

Management response: Agreed.

Recommendation 2: The implementation of the ICT strategy should be managed in accordance with the Council's Project Management Framework.

Risk: ICT strategy is not managed effectively, leading to delivery failure.

Responsible officer: Martin Stroud
Target date: 03/2017

5.3. Security - safeguarding of assets

(a) Public Services Network Certification (High priority)

Finding: The Public Services Network (PSN) compliance process exists to provide the PSN community with:
- Confidence that the services they use over the government's high-performance network will work without problems.
- Assurance that their data is protected in accordance with suppliers' commitments.
- The promise that if things do go wrong they can be quickly put right.

Full compliance with PSN is included as a high-level work stream in the ICT work plan, with a requirement for completion by March 2016. During audit testing in June 2016, the MIS Manager stated that the PSN compliance certification had lapsed.

Management response: Agreed.

Recommendation 3: Management should seek assurance from the MIS Manager regarding PSN certification, ensuring that it is brought up to date and remains current.

Risk: Disconnection from the Public Services Network.

Responsible officer: Fiona Rooney
Target date: 12/2016

5.4. Value - effectiveness and efficiency of operations and programmes

(a) Risk Register (High priority)

Finding: A report to the Council's Executive in April 2015 stated that risks to the implementation of the ICT Strategy would be monitored and managed through the ICT Steering Group. The Project Management Framework requires a documented risk register, owned by the Project Manager, to ensure that risks are managed as efficiently and effectively as possible. Risks to the implementation of the ICT Strategy have not been monitored through the ICT Steering Group using a documented risk register.

Management response: Agreed. Whilst risks are reported and discussed, the structure of the reporting needs to align to the ICT Strategy.

Recommendation 4: A risk register should be developed for the implementation of the ICT Strategy, to identify, analyse, evaluate and mitigate risks that could impact on delivery.

Risk: Project risks are allowed to escalate without management action, leading to strategy failure.

Responsible officer: Business Support Manager / Martin Stroud
Target date: 04/2017

(b) Communication of the ICT Strategy (Medium priority)

Finding: Service representatives attend the ICT working group meetings, but their roles have not been defined. There is no clear plan as to how key messages relating to the ICT strategy are communicated back to the directorates.

Management response: Agreed.

Recommendation 5: A clear communication plan should be developed setting out what, when, how and by whom messages should be circulated, so that all those affected by ICT strategy delivery are kept informed.

Risk: Benefits of the ICT strategy are not realised because staff are unaware. Lack of staff engagement and participation.

Responsible officer: Business Support Manager / Martin Stroud
Target date: 03/2017

(c) Responsibility and Accountability for Work Streams (Medium priority)

Finding: The ICT working group has not formally allocated responsibility for the individual work streams as part of the group's responsibility to develop and implement the ICT strategy plan. Without formal allocation of responsibility, management cannot hold individuals accountable for delivery.

Management response: Agreed.

Recommendation 6: The ICT working group should assess the skill sets of ICT staff and management and formally assign appropriate individuals to work streams, establishing clear accountability for performance and delivery for each aspect of the ICT strategy implementation.

Risk: Individual work streams underperform, with accountability for those work streams unclear.

Responsible officer: Business Support Manager / Martin Stroud
Target date: 04/2017