He said the council needed to review the process around how it reported on performance measures to ensure that "adequate systems" were in place.
Council responded that its survey of 100 building consent customers represented just over 4 per cent of all building consents issued and was in line with previous surveys. "A full methodology is available."
Councillors heard that the customers were randomly selected and phoned. The survey was carried out within the council organisation and not independently. Additional disclosures would be put around how the surveys were done.
Audit New Zealand's overall management report on its interim audit for the year ending June 30 did not list anything as needing "urgent" attention.
However a number of suggested improvements were listed as "necessary". This meant they needed to be addressed at the earliest reasonable opportunity and generally within six months.
Most of the improvements were identified in the Information Communications Technology (ICT) area of the council's operations. It included monitoring and reporting of ICT systems and the management of generic network accounts.
The council responded that operational performance and planned outages were published daily and that the pace and growth of the council such as new appointments had at times placed extraordinary pressure on ICT resources.
Audit NZ said the ICT incident management process did not include formalised reporting on major incidents. Subsequent to its visit to the council, there had been a "Cryptowall" ransomware attack, introduced through a USB stick.
The council said the virus was immediately detected by the system and the incident report completed within one hour of the response. The response was not actioned until the morning because no staff were rostered overnight.
"Corrective actions have been taken including further monitoring alerts," the council report said.
It was also revealed that the council has taken legal advice and would not be issuing bonds for the year ending June 30 next year.'