Agenda item
Review of internal & external audit reports
The purpose of this report is to provide an update on Internal and External Audit activity since the last report to the Pension Board on 8th December 2022.
Minutes:
The Head of Audit & Assurance introduced this report to the Board and highlighted the following areas from within it.
He explained that since the last Internal Audit update report was presented to the Pension Board on 8th December 2022, 3 audit reports have been issued.
1. Pension Investment Reporting - This audit did not have any significant weaknesses reported and this resulted in the “Substantial” Assurance rating being assigned.
2. Cyber Security – APF Staff Training & Awareness – This audit was assigned a “Reasonable” Assurance rating.
The Avon Pension Fund (APF) workforce is employed by Bath & North East Somerset Council (B&NES). Accordingly, the B&NES cyber security e-learning and policy frameworks for information security and data protection apply to APF.
We have therefore reported our findings and made recommendations to the Council’s Information Governance Manager and IT Service Delivery Manager, and they have agreed to implement all the Audit Review recommendations by the end of the 2023-24 financial year.
3. APF System Access Controls - It is adopted practice to report to Board if any Audit Reports are assigned a ‘Limited Assurance’ (Level 2) or ‘No Assurance’ (Level 1) rating. The 2022/23 Audit Review of APF System Access Controls was issued as a ‘Final Audit Report’ in February 2023 and a Level 2 ‘Limited Assurance’ rating was assigned.
The majority of the recommendations in this report concerned i-Connect. A total of two ‘high’ and six ‘medium’ recommendations were made for i-Connect, placing it into the ‘Weak’ category. A further ‘high’ recommendation was made concerning employer data access for Employer Self Service (ESS), which was due to be replaced by i-Connect by the end of February 2023. A follow-up review was completed in July 2023, and we are pleased to report that all recommendations have been implemented.
Comments relating to the Pension Investment Reporting Audit
In response to the weakness found within ‘Reconciliation’, the Group Manager for Funding, Investment & Risk said that this was mainly due to a timing issue and that steps have now been put in place to add the quarterly figure from the latest Brunel performance report.
The Governance & Risk Advisor added that the ‘Member Training’ weakness had been addressed and said that following the agreement at the Committee meeting in December 2022 it would be mandatory for all Committee members to study the Hymans modules within one year of becoming a Committee member and every three years after that.
The Chair on behalf of the Board noted the concern regarding the Committee training and was pleased to see that steps had been taken to improve this aspect.
Helen Ball referred to the Cyber Security Training report and stated that she was concerned to read that ‘Users do not feel personally invested in cyber security and are less likely to adopt good security behaviours’.
The Governance & Risk Advisor replied that the auditor had stated this was a risk, rather than there being any evidence that users felt this way.
The Head of Audit & Assurance added that staff training was essential to the security of the Fund. He explained that the IT infrastructure was within the control of the Council, not the Fund.
Alison Wyatt suggested that a programme of dummy emails could be put in place to test the awareness of staff.
The Director, One West replied that a programme of work along those lines was due to take place during this current quarter.
The Digital Services Manager assured the Board that i-Connect had developed since the Internal Audit report had been produced.
The Chair suggested the following areas as possible future reviews.
• Payroll
• KPIs
• Annual Benefit Statements
The Head of Audit & Assurance said that between now and the year-end they would have discussions with Pensions Officers regarding potential areas for review and look to share these with the Board in March 2024.
The Pensions Operations Manager added that she was also working with the Head of Audit & Assurance on the Pensions Increase project.
The Chair stated that he wished to acknowledge the achievement of the Fund receiving an unqualified audit opinion and having the Annual Accounts signed off by External Audit.
The Governance & Risk Advisor added that the Fund’s Annual Report had now been published.
The Board RESOLVED to:
i) Note the report and the outcomes of the Internal & External Audit work carried out on behalf of the Avon Pension Fund.
ii) Suggest the following areas be considered for potential inclusion in the 2024/25 Internal Audit Plan.
• Key Controls
• Payroll
• KPIs
• Annual Benefit Statements
Supporting documents:
- LocalPensionBoardIAUpdateDec2023, item 25. PDF 92 KB
- App 1 - AppPension Investments Reporting, item 25. PDF 126 KB
- App 2 - AppAPF Cyber Training_Audit Report, item 25. PDF 220 KB
- App 3 - AppAPF System Access Controls, item 25. PDF 3 MB
- App 4 - LPBAuditUpdateApp4, item 25. PDF 448 KB