Posted on April 22, 2020 by Gareth Davies
With Parliament returning yesterday, I wanted to take the opportunity to reflect on the last few extraordinary weeks and set out what it means for the National Audit Office and its work.
Firstly though, on behalf of the whole NAO, I would like to pay tribute to everyone who is working so hard to see our country through this crisis. That of course includes our courageous health and social care workers and others on the front line of the response, but also all the public servants behind the scenes at the national and local level keeping our country going. As the organisation responsible for scrutinising so many of these public bodies, we have a privileged insight into how vital they are to everyone’s lives every day – and even more so at a time like this.
To all of the public servants rising to this unprecedented challenge, thank you.
Like many other organisations, the NAO has been home-based for a month now. In infrastructure terms, the NAO was well-prepared for homeworking as our systems are designed to support secure remote auditing. We are working hard to support our staff as they grapple with the practical and wellbeing challenges of the current situation. We are of course not the only ones. And as an organisation that supports Parliament, that has been especially brought home to us as we see the House of Commons resume business in a manner we have never seen before.
As Parliament adapts, so too are we in order to ensure that we can help it to hold government to account. The response to the global pandemic will have implications for many years for public spending and public service delivery. It is too early to tell exactly what the impact will be, but it will be profound.
What is already clear is that MPs, and the public that they represent, will expect us to carry out a substantial programme of work on the COVID-19 response so we can learn for the future. This will include looking at government spending on the direct health response as well as the wider emergency response. We will also look at the spending on the measures to protect businesses and individuals from the economic impact.
It will take us time to develop and produce our work; more importantly, it will take time for the public sector to be in a place where it can learn from our findings. Our challenge is to try and provide the appropriate level of evidence-based reporting to support accountability and provide insight at the most suitable time. We must not get in the way of public servants working hard to save lives, but we must also ensure that our reporting is sufficiently prompt to support proper accountability for public money.
We have decided to begin with a factual summary of the significant government spending commitments and programmes relating to COVID-19 which we hope to publish next month. We will use this to identify a risk-based series of evaluative studies where we think there is most to learn.
What is also important to Parliament is that we do not lose sight of the wider picture. There are many other challenges facing the UK including EU Exit; progress in meeting government’s net zero carbon emissions target; major infrastructure projects and the financial sustainability of key public services. Our work programme will have to balance this with the demands of COVID-19. That is why we will be continuing to publish reports already in train. We are also working hard to meet our key statutory duty to audit the accounts of over 450 public bodies.
My colleagues and I are committed to providing Parliament and the public with the evidence they need to understand how public money has been used in tackling this crisis. We will also help ensure that the appropriate lessons are learned for the future.
Posted on April 16, 2020 by Yvonne Gallagher
COVID-19 is affecting us all. The way we live, work and socialise has changed dramatically. The National Audit Office is no different: our staff are working from home and we will also have an important role to play in reporting on the government’s response to COVID-19. You can find more information on our emerging plans here. In the meantime, we’re resharing some of our knowledge on how organisations can make a success of working remotely at this time.
Technology is a great enabler for working from home, but there are pitfalls to avoid. In September 2017, we issued a guide to cyber security for audit committees and now is an appropriate time to revisit some of the key points.
Policies and procedures
The most important point to note is that your organisation’s information security policies and procedures still apply – they exist for good reason. Security shouldn’t be sacrificed, even during difficult and uncertain times.
If your organisation doesn’t have a homeworking policy, now could be an opportunity to think about what it might look like. But don’t be forced into a knee-jerk reaction because of the current situation; take the time to get the approach right and build it into your longer-term business continuity arrangements.
Using personally owned IT
If your organisation routinely provides laptops to staff which are securely configured and set up for remote access, then you’re in a good place. If not, Bring Your Own Device (BYOD) is a possibility, but inevitably this approach brings risks that need to be considered. The main risks are around unauthorised access and data loss.
A popular BYOD approach for smartphones and tablets running Android or iOS is the ‘managed container application’. This means all corporate data is accessed via one or more designated apps (for example, Microsoft Office). This allows strong controls to protect and isolate corporate data from the user’s personal apps and prevents copying and pasting of data across the container boundary.
Use of personal PCs is a more difficult area. Technology such as remote desktops minimises the risk of data loss as the apps and data stay on the remote server. Most IT departments will be familiar with remote desktops, and the main barrier to their more widespread use is having the necessary infrastructure to support the volume of users required.
Allowing users to access work data through a web browser over an internet connection from their own PC might seem an attractive option, particularly with more services becoming available in the ‘cloud’. However, NCSC are clear that this is a risky approach.
They advise that it’s difficult to gain confidence in the security or configuration of the PC, and there are limited technical controls you can enforce to reliably prevent data loss or access from insecure or out-of-date devices. And, from a legal perspective, responsibility for protecting data and complying with GDPR and the Data Protection Act 2018 rests with the data controller, not the device owner. You may also have commercial arrangements that restrict running of business software on or accessing business data from personally owned devices.
There are many established software tools for videoconferencing and collaborative working. Common apps include Microsoft Teams, Skype for Business, Google Hangouts, Cisco WebEx, GoToMeeting and Zoom. Do bear in mind that these should be securely configured, their privacy policies and settings reviewed, and used appropriately in relation to the sensitivity of the meeting content being discussed.
Where you are meeting with a third party, it would be wise to set agreed expectations around call recording and screen sharing and request explicit permission before capturing any information discussed during the meeting, for example screenshots.
There are also considerations relating to the home working environment itself. Devices outside an office environment are more vulnerable to theft or loss. This can be mitigated by physical security measures and by encryption – but do check that each device is turned on and set up correctly.
Also consider your policy around printing from home and whether it’s necessary. Information in physical form needs to be protected in the same way as information in electronic form. Forwarding information from work to personal email accounts for printing is a big confidentiality risk, so where there is a legitimate need to print, you will need to make suitable arrangements.
In shared accommodation, you should also be aware of who might be able to overlook your screen or overhear your teleconferences. There are reports that some organisations are advising people to turn off smart speakers and voice assistants during working hours when sensitive matters are being discussed.
Preventing unauthorised access to devices is another obvious but essential consideration – NCSC has recently issued guidance on good password policy, including practical suggestions for reducing password overload for end users.
Be aware of phishing scams, whether by email or text message. This advice applies generally, and some security companies have reported seeing a large increase in phishing attacks as a result of the current pandemic. NCSC has good advice on spotting suspicious emails.
It’s important to promote and maintain a strong security-minded culture, even when your people are trying to collaborate and work flexibly.
Obtaining IT equipment and services
The Crown Commercial Service (CCS) has published information on a number of agreements that can enable the public sector and related organisations to quickly and easily procure technology products and services to allow employees to work more flexibly.
CCS also note that a number of providers of collaboration software are offering introductory or extended trials of their products. These include Microsoft (Office365), Google (G Suite, Hangouts Meet) and Cisco (WebEx, Duo, Umbrella, AnyConnect).
The current situation is putting unprecedented pressure on individuals and organisations alike, but try not to lose sight of the security basics. If you’re struggling to get a fully-fledged remote working strategy in place, I’d recommend focusing on the fundamentals. Find the right approach for your organisation and gradually build it into your longer-term business continuity arrangements.
We’re all having to adapt to these new ways of working, but don’t worry, there’s plenty of support out there to help you protect your corporate and customer data.
Posted on April 8, 2020 by Abdool Kara
We all rely on local public services to be able to function in our day-to-day lives, and in these challenging times, we’re even more reliant on those services, whether from local authorities, local NHS organisations, police forces and fire and rescue organisations, to keep us safe and take care of us should we need it.
At the National Audit Office (NAO) we’re responsible for scrutinising the spending of central government departments, agencies and other national public bodies, but who audits local public services? And what do those auditors do?
Local public bodies are audited by firms appointed as local auditors. Every year, they carry out their work auditing these bodies’ accounts and assessing the adequacy of their arrangements to secure value for money. They carry out this work in accordance with the Code of Audit Practice and, although the NAO doesn’t audit local public bodies, the Code they must follow is set by the Comptroller and Auditor General (C&AG) who leads the NAO.
The law requires the Code to be reviewed at least once every five years, which meant a revised Code was due by April 2020. So, back in the summer of 2018 we started on the project to review and prepare a new Code.
Our review of the Code
The review of the Code came at an interesting time in the audit world, given both the increased level of interest in the audit profession more widely, and the announcement of a number of independent reviews across the profession: the review by Sir Donald Brydon and, more recently, the review of local authority audit and financial reporting being undertaken by Sir Tony Redmond. To add to this complex environment, the review started under the NAO’s previous C&AG but was to be completed under our new C&AG, Gareth Davies, who arrived at the NAO in June 2019.
We wanted to ensure that we were engaging as widely as possible, so last Spring we began the first stage of our consultation process, seeking views about the issues people considered were relevant to the development of the new Code. We received over 40 formal responses to the first stage of the consultation and gathered further useful information from wider engagement through attendance at conferences and other events.
Having taken into account those views, we drafted the text of the new Code and undertook a further public consultation on the draft text in the autumn of 2019. The draft was further refined in light of this second round of feedback, and the final draft of the Code was then laid before Parliament in January 2020. It received approval in March and, almost two years after the project began, came into force last week. The Code applies to audits of 2020-21 financial statements onwards.
What’s changed under the new Code?
In the first part of our consultation, we received a lot of feedback telling us that people wanted auditors’ work to be more useful to the bodies being audited as well as the wider public, that reporting by auditors should be more timely, and that much of the language used by auditors was not readily understandable to a non-accountant.
A significant proportion of these comments were made in relation to the work auditors do assessing and reporting on the arrangements that local audited bodies have in place to secure value for money. Unlike the NAO’s studies, where we report on whether value for money has actually been achieved, local auditors look at the overall arrangements that bodies have in place across a range of areas covering decision making, governance, and working with others through partnerships. From the consultation, it was clear that people wanted to see more information being reported from auditors’ work, and in particular in relation to financial sustainability.
The new Code looks to address these issues by requiring auditors to issue an annual commentary on the arrangements that bodies have in place, under three focussed headings:
- Financial Sustainability
- Governance and
- Improving Economy, Efficiency and Effectiveness
Where an auditor finds significant weaknesses in a body’s arrangements, they are expected to bring this to the body’s attention promptly, and to accompany it with clear recommendations setting out what the body should do to address the weakness. The commentary and recommendations will be set out in an Auditor’s Annual Report, which will bring together all of the work the auditor has undertaken in the previous year, including following up on recommendations made previously.
For the NAO, the publication of the new Code is not the end of the story. Colleagues are now working hard to develop the detailed guidance that will sit underneath the new Code, and we’re again looking to consult the relevant sectors extensively as we take forward its development.
I’m delighted that the new Code has now come into force and would like to thank colleagues in the NAO’s Local Audit Code and Guidance Team for their work in bringing the new Code into being, and to all of you who responded constructively to our various consultations over the last 18 months. I look forward to seeing the impact that the approaches I’ve outlined here will have on helping to ensure that local public bodies continually improve their arrangements to make best use of their scarce resources.
2020-21 will be a very challenging year for local bodies as they put in place all kinds of arrangements to cope with the new reality presented by COVID-19 Coronavirus. Through the new Code, local auditors will have an opportunity to use their reporting to help their clients rise to the challenge.