Appendix 2

Audit Plan 2001/2002


Final report issued May 2002
Ref. No. / Recommendation / Priority / Action to Date / Responsibility / Deadline / Resolved / Revised deadline /
38/02/01 / Internal Audit supports the Council's moves towards the setting up of contracts for regularly used supplies of goods and services. All efforts should be made in order to progress the implementation of such contracts in areas where they may be advantageous to the Council. / Important / Corporate Contracts have been set up for the following goods and services:-
Gas supply, Mobile telephones, Least cost routing, Electricity supply, Photocopiers, Network printers, PCs, Advertising, Stationery and Copy paper.
A corporate contract for external printing remains to be put in place.
Report has been sent to Resources Policy Panel for Sept meeting. ITT to be issued in October 2006. / Procurement Officer / Various / ✗ / July 2006
(for revised tender programme)

Audit Plan 2003/2004

Remit Income Distribution System Application Review
Final report issued February 2004
Ref. No. / Recommendation / Priority / Action to Date / Responsibility / Deadline / Resolved / Revised deadline /
36/03/05 / We recommend that the number of permissible logon attempts before the user is locked out of the REMIT application should be limited to 3. / Important / Capita has completed the work and the amendment is in the test system. Limited user testing has taken place and the amendment appears satisfactory. There are two other developments currently taking place (Flex interface and amended web file download) which have still to be thoroughly tested however. When all the testing has been completed, the three amendments will then be incorporated in the live system.
Current position (August 2006): Following more testing, Capita has been advised that further work is required on the development of the interface from Flex. The revised amendment will need to be thoroughly tested when Capita have completed their work. / Senior Income Officer / ✗ / (July 2004)
(Jan 2005)
(March 2005)
(October 2005)
May 2006
October 2006

Procurement (Low Value)

Final report issued October 2003 /
Ref. No. / Recommendation / Priority / Action to Date / Responsibility / Deadline / Resolved / Revised deadline /
04/04/01 / The content of the procurement procedures outlined in ‘checklist 2’ should be enhanced to make the procedures more useful to the user. The revisions should include the following:
Guidance should be given on how officers should identify suppliers
The extent to which post tender negotiations can be undertaken
The process to be followed to agree amendments to the Council's standard terms and conditions
Guidance on the writing of specifications for suppliers and where further advice can be sought
The requirement and process for checking the financial standing of potential suppliers
A document that records quotations obtained and/or sought should be made mandatory
The reference in the draft to permitting negotiation of final details with the preferred supplier should be clarified as to the level of amendment from the original specification that is permissible
The reference in the draft to sending a declining letter to unsuccessful tenders should be removed / Essential / Agreed.
Revised Procurement Strategy and Procurement Procedures were approved by the Resources Policy Panel on 14 December 2005 (Minute R.PP16/05 refers).
Goods Received Note and Post Contract Review Procedures will be written once new E-Procurement system is in place (Sep/Oct 2006) and completed by end Dec 2006 / Best Value Performance Officer – Procurement / 31 January 2004 / ✗ / (Resources Policy Panel
(Executive Cttee 28/06/04)
(30 Nov 2004)
(30 Apr 05)
(30 Sept )
(Nov 2005)
(Dec 2005)
31 Dec 06
04/04/03 / When the officer certifying the order on Radius as being complete (i.e. confirming goods received) is reliant upon information obtained from the actual end user, written confirmation of the goods being received should always be obtained.
The requirement for obtaining written confirmation should be incorporated into the procedure notes. / Important / Agreed.
Revised Procurement Strategy and Procurement Procedures were approved by the Resources Policy Panel on 14 December 2005 (Minute R.PP16/05 refers).
Goods Received Note and Post Contract Review Procedures will be written once new E-Procurement system is in place (Sep/Oct 2006) and completed by end Dec 2006 / Best Value Performance Officer – Procurement / 31 January 2004
28 February 2004 / ✗ / (September 2004)
(30 Apr 05)
Nov 2005
Dec 2005
Dec 2006

Contract Audit

Final report issued November 2003 /
Ref. No. / Recommendation / Priority / Action to Date / Responsibility / Deadline / Resolved / Revised deadline /
26/04/01 / Post completion reviews of non building contracts performed by department officers should be communicated to the Procurement Officer. / Important / Agreed.
Revised Procurement Strategy and Procurement Procedures were approved by the Resources Policy Panel on 14 December 2005 (Minute R.PP16/05 refers).
Goods Received Note and Post Contract Review Procedures will be written once new E-Procurement system is in place (Sep/Oct 2006) and completed by end Dec 2006 / Procurement Officer / April 2004 / ✗ / (Nov 2004)
(30 Apr 05)
Nov 2005
Dec 2006

Review of Internet and Follow-Up Review of E-Mail

Final report issued February 2004 /
Ref. No. / Recommendation / Priority / Action to Date / Responsibility / Deadline / Resolved / Revised deadline /
34/04/01 / Management should consider implementing a formal resilience and recovery procedure for the Internet Firewall. / Important / An order for the implementation of the firewall recommendations has been placed with Steria. The new firewall hardware has arrived on site and is in the process of being configured. The expected live date for the new configuration is planned for 2 October 2006 / Denis Adams / April 2004 / ✗ / (Oct 2004)
(Jan 2005)
(April 05)
(Dec 2005)
(July 2006)
Oct 2006
34/04/03 / It is recommended that an effective Intrusion Detection System be implemented. / Important / An order for the implementation of the firewall recommendations has been placed with Steria. The new firewall hardware has arrived on site and is in the process of being configured. The expected live date for the new configuration is planned for 2 October 2006 / Denis Adams / April 2004 / ✗ / (Oct 2004)
(April 05)
(Dec 2005)
(July 2006)
Oct 2006
34/04/04 / Management should consider obtaining a periodic independent attack and penetration test of the Checkpoint Firewall 1. / Important / Following the implementation of the other firewall related recommendations in this report, the independent penetration testing will be implemented. / Denis Adams / June 2004 / ✗ / (Oct 2004)
(Jan 2005)
(April 05)
(Dec 2005)
(Aug 2006)
Nov 2006
34/04/05 / It is recommended that management strongly consider implementation of the recent solution provided by SchlumbergerSema – NIS Technical Consulting Division following their review of the Network to segment the Network with two Checkpoint Firewalls. This will enable external users to authenticate through the Firewall. / Important / An order for the implementation of the firewall recommendations has been placed with Steria. The new firewall hardware has arrived on site and is in the process of being configured. The expected live date for the new configuration is planned for 2 October 2006. / Denis Adams / April 2004 / ✗ / (Oct 2004)
(April 05)
(Dec 2005)
(July 2006)
Oct 2006
34/04/07 / Firewall alarms should be implemented, which alert administrators to vulnerabilities that may well be engaging an attack. In addition, there should be formal procedures over what action needs to be taken in the event of an incident being reported over the Firewall. / Important / An order for the implementation of the firewall recommendations has been placed with Steria. The new firewall hardware has arrived on site and is in the process of being configured. The expected live date for the new configuration is planned for 2 October 2006. / Denis Adams / April 2004 / ✗ / (Oct 2004)
(April 05)
(Dec 2005)
(July 2006)
Oct 2006

Appendix 3

Audit Plan 2004/2005

Three Rivers Construction

Final report Reissued August 2004 /
Ref. No. / Recommendation / Priority / Action to Date / Responsibility / Deadline / Resolved / Revised deadline /
05/05/13 / The TRC business plan should be formalised and agreed with all relevant parties. / Important / Agree with recommendation.
An improvement plan for was agreed at Resources Policy Panel on 21.07.2005 and subsequently at Executive Committee and a Business Plan is to be finalised within year 1 of the improvement plan.
This will be one of the first tasks for the TRC Manager when appointed. One recruitment cycle undertaken in March 2006 was unsuccessful and another advert is in circulation with a closing date of 26 June 2006. / Contracts Manager / September 2004 / ✗ / (31 Mar 05)
21.07.06 (in line with improvement plan)

Contract Audit

Final report issued February 2005 /
Ref No. / Recommendation / Priority / Action to Date / Responsibility / Deadline / Resolved / Revised deadline /
26/05/01 / The Contract Procedures checklist should be updated to include all steps of the contract process up to post completion reviews. The checklist should be distributed to non building contract project managers as well as being separately updated on the intranet. / Important / Agreed. Revised Procurement Strategy and Procurement Procedures were approved by the Resources Policy Panel on 14 December 2005 (Minute R.PP16/05 refers).
Goods Received Note and Post Contract Review Procedures will be written once new E-Procurement system is in place (Sep/Oct 2006) and completed end Dec 06 / Procurement Officer / March 2005 / ✗ / (Nov 05)
(31 May 06)
31 Dec 06

Appendix 4

Audit Plan 2005/2006


Disaster Recovery

Final report issued February 2006 /
Ref No. / Recommendation / Priority / Action to Date / Responsibility / Deadline / Resolved / Revised deadline /
01/06/01 / We recommend that a full Disaster recovery plan to cover ICT and the restoration of services in line with the Business Continuity Plan (BCP) is developed, tested and maintained. This should include but not be limited to: -
The restoration of specific applications to meet the BCP restoration requirements.
A detailed contact list for all relevant staff
Details of the DR team and their roles and responsibilities in a DR situation
Copies of all third party contracts and DR agreements
Disaster escalation procedures
Procedures to invoke appropriate sections of the DR plan
'Immediate response' procedures (server shut down, emergency services, etc)
Salvage procedures and contacts for IT related equipment
Recovery procedures for various levels of disaster
Emergency expenditure arrangements
The development of the plan should be carried out in full consultation with the owners of the BCP and the business. / Essential / Agreed.
The BCP includes ICT system and accommodation requirements. It was tested on 18/10/05. Although arrangements for the loss of ICT and accommodation were perceived as adequate, weaknesses in staffing availability were identified. The full disaster recovery plan referred to in this recommendation will deal with how to invoke the DR Contract (rather than the requirements in it) and will be appended to the BCP and the ICT Service Plan.
Update August 2006: The development of the Disaster Recovery Plan will now be included in the overall Corporate project for Business Continuity planning. This process will co-ordinate the development of individual service continuity plans, resulting in an IT recovery plan for inclusion in the ICT Service Plan. / Tim Cowland
(ICT Officer) / 31/07/2006 / ✗ / (Aug 2006)
Mar 2007
01/06/02 / Management should seek to confirm and document the provision of, and extent of services provided by Steria Limited should Disaster Recovery be invoked at Three Rivers District Council. / Important / Agreed. A draft out of hours procedure has been submitted by Steria for comment. This now requires integration into the Three Rivers Disaster Recovery Plan.
Update Aug 2006: This information will be included in the Disaster Recovery Plan referred to in 01/06/01 / Tim Cowland
(ICT Officer) / 28/04/2006 / Mar 2007
01/06/03 / Salvage procedures in relation to IT and telephony equipment should be investigated and details included in the DR plan. / Important / Agreed. Advice is being sought on the type of salvage procedures to be included. Once established, details will be included in the overall plan due for publication in July 2006.
Update Aug 2006: This information will be included in the Disaster Recovery Plan referred to in 01/06/01 / Tim Cowland
(ICT Officer) / 31/07/2006 / Mar 2007
01/06/04 / We recommend that, once the DR plan has been formally documented and agreed, an annual walk through test should be scheduled and carried out in addition to the restore testing. / Important / Agreed. Once the plan has been developed and is in place, annual testing will be carried out. / Tim Cowland
(ICT Officer) / 31/07/2006 / May 2007

Corporate Governance

Final report issued May 2006 /
Ref No. / Recommendation / Priority / Action to Date / Responsibility / Deadline / Resolved / Revised deadline /
13/06/04 / The staff Code of Conduct should be subject to regular review and formal approval by the Council. Furthermore, a copy of the Code of Conduct should be incorporated into the staff handbook and provided to all new employees. / Important / Agreed.
This Code is also found in the Council’s Constitution and was adopted by members on 12/02/02. Officers last updated the Code in May 2003. We have since been waiting for the revised National Code of Conduct for staff following consultation by the government in 2004. In July 2006 the government are to issue a Statutory Instrument which will be the consultative draft for the new code. There will be a 12 week consultation period after which comments will be considered. Regulations are expected to be laid by the end of 2006.
This Council’s Staff Code of Conduct will be reviewed following the publication of the National Code.
The Code of Conduct is covered in induction sessions for staff. / Director of Corporate Resources, in conjunction with the Personnel Manager / March 2007

Post Entry Training and Career Development Loans