Agenda and draft minutes

None.

None.

RESOLVED: That the minutes of the previous meeting be agreed as a correct record.

The Chief Operating Officer presented the Transformation, Digital & Technology Risk Management item, noting the importance of risk management in the context of transformation, digital, and technology. The Chief Operating Officer oversaw corporate services, including legal, HR, and technology departments.

The Corporate Risk Register showed risks impacting the entire Council. Overspending was a significant risk when linked to Digital Transformation and Technology. On the Corporate Risk Register, amber risks included systems becoming unfit and outdated ICT architecture. Cybersecurity was also a concern.

The Operational Risk Register identified and managed risks specific to services. This included technical risks, cyber attacks, and environmental risks (power outages, floods, fires). Technology Investment Risks included outdated systems. Staff Risks included lack of skills and availability of talent. Supply Chain Risks included cybersecurity, data risks, and outages. Data Risks included confidentiality, integrity, availability. Cybersecurity was the biggest risk and there were regular assessments and compliance programmes.

For specific projects, risks were managed through the project lifecycle, from design to post-implementation. In terms of governance, there were regular programme boards and project boards to review risks and mitigations. Budget management was conducted by addressing overspending risks through the target operating model and savings programme.

ICT and Digital risks involved managing outdated systems and cybersecurity threats.  Investment planning ensured systems were up-to-date and integrated. Technical Controls involved monitoring infrastructure and cyber risks.

Officers discussed a variety of mitigation strategies:

Investment Planning involved a three-year plan for system replacements and integrations, and regular reviews to adapt to changing technologies.

Technical Controls included monitoring infrastructure and cyber risks, and performance monitoring and saving schedules.

Governance involved regular meetings with Cabinet Members and senior management teams; and reporting to the public via budget reports. There was strong and robust governance to manage risks and assess their impacts.

Training and awareness included training staff on cybersecurity and phishing attacks and business continuity tests.

There were regular internal audits that looked at IT systems and external advice was sought.

In monitoring the savings schedule, the Digital team worked closely with the Finance team. Corporate Directors were challenged on a three weekly bases around how they were delivering their savings.

Members asked about the depreciation of IT equipment and the possibility of leasing instead of buying. Officers noted the rollout of new devices and explained the depreciation process and the benefits of buying and leasing. This related to operating systems and life cycles.

Members asked about an annual update on the digital strategy. Officers confirmed the commitment to provide an annual report.

Members asked about the frequency of cyber attacks and the Council’s monitoring system. Officers explained the sophisticated monitoring system that tracked cyber threats and emphasised the importance of regular checks and detailed analysis.

Members expressed concerns about understanding and managing digital systems.  Officers agreed to provide additional training and development for Members to ensure effective use of digital tools.

RESOLVED: That the Committee noted the presentation

This item was taken before item 5.

Officers introduced the external audit update.

The Committee were reminded that the 2022/23 accounts were disclaimed. 2023/24 accounts were also to be disclaimed. As at 28 February only 77 opinions on Council or public sectors accounts had been issued out of 459. Only 1% of the prior year accounts were audited on time. This was a sector wide issue. Officers recognised the need to improve the capability and capacity to deal with preparing working papers. Runover from the 2022/23 disclaimed accounts had a knock on effect on the 2023/24 accounts. CIPFA were due to be engaged with as part of a finance improvement programme. Members asked about the engagement with CIPFA. A contract would be signed quickly to allow CIPFA to meet with key officers and Members. The complexity of local authority accounts continued to grow and there were more requirements on external auditors.

Officers had issued the new set of accounts in June, without the annual governance statement as this had not been signed off by Members or the Leader of the Council at that point. Officers had previously aimed to have the accounts disclaimed and signed off by the 28 February. This was going to be pushed back to 13 March because of a statutory scrutiny period.

Key adjustments had been made around valuations, including an error by valuers on Ruislip Golf Course (officers had corrected for this) and difficulties in valuing school assets. Changes included a £3 million debtors/ creditors issue relating to the DSG, a roughly £2 million difference in earmarked reserves, and a £7.5 million reduction in capital receipts reserves. Future complexities included IFRS 16 and improving the quality of working papers for external audits.

Before the Committee this evening were the provisional audit results report for the 2023/24 financial year. EY’s audit was complete. This audit had been a challenging process which was linked to the 2022/23 position, and also to turnover in officers. EY noted that there were good and positive relationships with the finance team. EY also thanked the finance team for supporting their work. EY intended to issue a disclaimed opinion on the 2023/24 financial statements, linked to the disclaimer on the 2022/23 financial statements. Appendix 1 of the report set out the areas that EY had been unable to complete as part of the 2023/24 audit. The Council had not run a compliant inspection period, which had to be rerun, expiring in March. EY would look to complete their reporting and issue an opinion on the financial statements in March. This meant that the Council will not have met the legislative backstop date of 28 February.

Two significant weaknesses were identified: financial reporting and financial sustainability. The Council's financial sustainability was at risk due to the growing schools deficit and the need for robust forecasting.

Weaknesses in the Council’s arrangements for financial sustainability and the quality of data were highlighted. Recommendations were made to address these, including improving the quality of data  ...  view the full minutes text for item 131.

Officers introduced the risk management and strategic risk reports for Q3.

The number of risks had increased to 250, with red risks rising from 14 to 20.

The number of unscored risks had decreased significantly from 90 to 31. Of these, 26 had original risk scores but not current risk scores. Actions had been set to address this.

23 new risks had been identified, six of which related to financials due to the Council's financial pressures. Only three risks had been closed.

The timescale for how long risks remained in the system without movement was being monitored. A new graph had been included in the report to track this, with further development planned for the next quarter update.

61 risks were overdue for review, up from 48 at the end of quarter 2. This included seven graduated risks and 36 overdue actions. Automated emails were sent to risk owners. A governance board was being established to hold people accountable for updating risks.

On the Corporate Risk Register, seven red rated risks had been added, and one removed. The largest risks included balancing the budget in the short and medium term. There was a new A1 risk relating to insurance valuations due to poor asset data. Discussions were ongoing regarding CMT reviewing the risk registers and strategic risks and around setting up the new governance board.

The Chair suggested that the Committee could send a letter to colleagues who had overdue risks or red risks without actions. It was proposed that the Chief Executive could take this forward and report back to the Committee. The need for better engagement with the risk management process was emphasised. It was also suggested that the Chair could take this forward.

Members asked about the implementation of lead responsibility for risk management. Officers explained that each risk had a risk officer who received automated emails to update risks. There were also risk champions within each directorate. Officers were working on establishing a Directorate and Governance Group to take this forward.

Officers noted that the focus on transformation and financial pressures may lead to less attention on routine risk management tasks. Officers emphasised the need to balance these priorities. The Chair reiterated the importance of managing risks effectively.

RESOLVED: That the Audit Committee noted the reports and provide feedback on the content and level of assurance received.

Officers addressed the strategic risk register. Risks had remained consistent with previous reports, but new KPIs had been included. A new dashboard had been developed with more KPI information. These indicators had been integrated into the strategic risk report to ensure consistency and accuracy.

Officers explained that data was extracted directly from the risk management system to ensure accuracy. This data was reviewed by the Corporate Management Team prior to being presented to the Audit Committee.

The Chair highlighted the ongoing financial risks and the Committee's concern about these issues.

Internal Audit Charter

New global internal audit standards required compliance by 01 April. The Internal Audit Charter had been updated to reflect these standards, including more information on the role of the Audit Committee and senior management. The Charter ensured the independence of internal audit and included guidance from the Institute of Internal Auditors (IIA) and the Chartered Institute of Public Finance and Accountancy (CIPFA). Officers noted that additional changes would be made to the Charter based on new guidance. The Chair emphasised the importance of the Audit Committee's role in supporting internal audit.

Members inquired about the roles and expectations in the updated charter. Officers clarified that the majority of the charter reflected existing practices, with additional focus on independence and support from the Audit Committee.

Internal Audit Strategy

Officers presented the Internal Audit Strategy for the next three years. The strategy focused on compliance with global internal audit standards, key financial controls, governance, transformation, and digital initiatives. Officers highlighted the importance of data quality in internal audits. The strategy would be updated as needed based on emerging risks and priorities.

The Chair expressed approval of the Internal Audit Strategy and emphasised the need for strong business cases to ensure financial benefits.

Members raised concerns about the volume of data and its usability. Officers explained the pyramid of data approach, focusing on key indicators at the top and detailed data at lower levels.

Members asked about the construction of dashboards and performance indicators. Officers explained that the business intelligence team sources data from various systems and external sources.

Internal Audit Plan

Officers introduced the Internal Audit Plan which was risk-based and divided into quarters. Officers explained that quarter one was relatively fixed, while quarters three and four were more likely to change based on emerging risks and priorities. The plan included data quality audits for each directorate, spread throughout the year. The plan would be tracked and monitored through progress reports.

The Chair noted their satisfaction with the plan and encouraged the Committee to approve it. The Chair emphasised the importance of focusing on key risk areas and adapting the plan as needed.

RESOLVED: That the Audit Committee:

1. Noted the IA Strategy and Charter; and

2. Approved the IA plan for 2025/26

Officers introduced the Internal Audit progress report for quarter 3. Officers highlighted the completion of three reasonable assurance reports, two advisory reports, two limited assurance reports and one no assurance report since the last meeting.

On advisory reports, one related to culture and was focused on the perception of culture across the organisation, interviewing staff members, and reviewing actions taken since the All Staff Survey. Findings indicated a consistent perception of culture, with no significant negativity despite ongoing transformation.

The other advisory report related to directorate governance, due to limited capacity within directorates to focus on governance areas. The review aimed to develop a framework and proposals for improving governance at the directorate level.

The no assurance report related to rent arrears. There were issues with poor documentation, lack of collaboration between services, and poor management oversight. Actions were being taken to address these issues.

On limited assurance reports, one related to HRA rent arrears. Similar issues as rent arrears, with actions already being taken to address them.

The other limited assurance report related to Contract Management Oversight. This focused on preparing for the Procurement Act and ensuring contracts are up to date and monitored.

Six reports were currently in draft. Officers were finalising terms of reference for community safety and the safety valve audits. The looked after children audit had been shifted to Q1 of the next year.

Members asked about the addition of the Rural Activity Garden Centre review. Officers explained that it was a high-level advisory review to understand the activities and future development of the Rural Activity Garden Centre.

Members inquired about the data quality report and its findings. Officers explained that the report from July of the previous year had four high findings, particularly around linking between systems. These were currently still due for review.

Officers emphasised the importance of addressing the high number of no and limited assurance reports. Officers also highlighted the need for management to proactively address issues rather than waiting for audit reports.

Members expressed concern about the number of no and limited assurance reports but acknowledged the importance of identifying and addressing issues. Members highlighted the importance of taking staff survey results seriously and improving governance during times of transformation.

Members asked for clarification on the implementation of lead responsibility for risk management. Officers noted the role of risk officers and the establishment of a Directorate and Governance Group.

Officers emphasised the need to balance priorities between transformation and routine risk management tasks.

RESOLVED: That the Audit Committee noted the IA Progress since the last Committee meeting

Officers introduced the Counter Fraud Operational Plan for 2025 to 2028.

Officers noted closer alignment between the Counter Fraud and Internal Audit teams, which had made a significant difference. Both reviewed the other’s plans before presenting them to the Corporate Management Team, and subsequently to the Audit Committee.

Officers noted that the report gave the Committee a strategic and operational overview of the service's approach. The fraud risk assessment had been refreshed, with 27 risks listed. The plan was fully risk-based, focusing on three main areas: housing, social care, and revenue.

Officers explained that low-level fraud activity and non-fraud related work were being transferred back to service areas, allowing the team to focus on higher-risk areas. Bespoke projects in social care around direct payments and care were now included.

The work plan was data-driven, with reviewed KPIs and increased targets. The capital target for 2025/26 had been set at £8.8 million, a 10% increase from the previous year. Appendix D of the report outlined the methodology for recording savings.

Members noted lower-risk fraud work being passed back to service areas and asked if there was a checklist of actions to complete. Officers noted that there were various meetings to discuss this. Officers were also looking at digital methods of improving this. Training and support would be offered where necessary.

Members asked about staffing levels, and if the team had enough capacity to meet increased targets. Officers noted that they did have the necessary staff.

The Chair acknowledged the ambitious plan and targets and expressed confidence in the team’s ability to exceed previous targets and achieve the necessary savings.

RESOLVED: That the Audit Committee:

1. Noted the Counter Fraud Annual Operational Plan for 2025/26; and

2. Suggested any amendments/ comments.

This item was taken before item 10.

Officers presented the Counter Fraud Strategy.

The strategy was being presented for input and feedback from the Audit Committee before being presented to Cabinet for formal approval in March.

The core fundamentals of the strategy have been in place since 2017, and included a risk-based approach, partnership and engagement, protection and deterrence, and innovation and modernisation. Those fundamentals remained in the reviewed and updated strategy.

Innovation and modernisation were a key focus moving forward. Governance around this included weekly stand up meetings. New technologies were being looked into in a move towards going paperless. Digital processes were being looked into to support efficiencies.

The Chair acknowledged the effectiveness of the strategy to date and noted that the Committee were happy to endorse it.

RESOLVED: That the Committee:

1. Noted the Counter Fraud Strategy 2025 to 2028; and

2. Suggested any amendments/ comments prior to submission to Cabinet for approval.

Officers introduced the Counter Fraud progress report for quarter 3.

The team had achieved £2.5 million in savings for Q3, bringing the year-to-date total to just over £9 million. 28 properties had been recovered, bringing the year-to-date total to 90. Officers expected to surpass 100 properties by the time of the annual report. There were currently 128 live cases under investigation, with a sustained 40-50% increase in cases since COVID. Nine emergency accommodation units had been closed for non-occupation, saving £172,000.

Officers had conducted activities during International Fraud Awareness Week and started an awareness programme in adult social care, engaging over 100 staff members.

The team had been shortlisted for the Local Excellence award, and the Counter Fraud Manager for Housing had been shortlisted for Pioneer of the Year. The awards ceremony was due to be held on 12 March 2025.

Future plans included reviewing the operating model of counter fraud and adapting to the authority's financial challenges. The savings target had increased by 10%, with a focus on high-risk areas of fraud and transferring low-level cases back to services. There had been a small reduction in resources by three FTEs, with one vacancy never filled. This will create capacity for other work in social care and ensure the service remained lean, efficient, and effective.

Members asked about the turnaround time for recovered properties to be reallocated. Officers explained that the process involved the repairs department and the Council's allocation policy and added that the void turnaround has been audited and KPIs were monitored.

Members inquired about learning from identified cases to tighten processes moving forward. Officers explained that the fraud team worked closely with the relevant departments to address issues and improve processes. Weekly tracking of issues and monthly meetings with the responsible officers helped resolve operational problems.

Members raised concerns about beds in sheds and unlisted properties. Officers explained that the focus was on identifying properties that should be paying Council Tax and referring other issues to the appropriate services, i.e. Private Sector Housing and Planning.

Members congratulated the team on the four prosecutions related to Blue Badge fraud.

Members emphasised the importance of maintaining an efficient and effective service, despite the need for savings. Officers assured that the new operating model was efficient and effective, and any changes in the future will be discussed.

Members emphasised the importance of investing in the Counter Fraud team to save money for the Council. Officers agreed and stated that they were comfortable with the current structure and would discuss any future investment opportunities.

The Chair congratulated the Counter Fraud team on their achievements.

RESOLVED: That the Audit Committee:

1. Noted the Counter Fraud Progress Report for 2024/25 Quarter 3; and

2. Suggested any comments/ amendments.

Officers highlighted a provisional date of 20 March for the next Member training session, subject to Member availability.

RESOLVED: That the Audit Committee noted the dates for Audit Committee meetings.