Agenda and draft minutes

Audit Committee - Tuesday, 10th February, 2026 5.10 pm

Venue: Committee Room 5 - Civic Centre.

Contact: Democratic Services  email:  democratic@hillingdon.gov.uk

Items
No. Item

184.

Apologies for absence

Minutes:

Apologies had been received from Councillor June Nelson with Councillor Sital Punja substituting.

 

Apologies had also been received from Councillor Henry Higgins.

 

185.

Declarations of interest

Minutes:

None.

186.

To confirm that all items marked Part I will be considered in Public and that any items marked Part II will be considered in Private

187.

Minutes of the Meeting held on 18 November 2025 (PDF, 368 KB)

Minutes:

RESOLVED: That the minutes of the previous meeting be agreed as a correct record

 

188.

2024/25 Statement of Accounts & External Audit reports (PDF, 292 KB)

Minutes:

Officers introduced the item, outlining the report and appendices.

 

The 2024/25 accounts had a backstop date of the end of February. There were some dependencies within the accounts. It was noted that confirmation of the Council’s EFS application was awaited before final updates were made to the Statement of Accounts. It was highlighted that the recommendation was to delegate approval of the Statement of Accounts to the Corporate Director of Finance in consultation with the Chair, pending the outcome of the EFS application, which was expected in approximately one week.

 

The 2024/25 audit opinion would be disclaimed, reflecting sector-wide challenges. Returning to ‘clean’ accounts was estimated to take approximately two to four years.

 

Progress against recommendations noted within the GRIP showed improving RAG statuses but substantial work remained.

 

EY outlined their two appendices:

  • the Audit Results Report, which summarised the results of audit work on the financial statements for 2024/25; and
  • the Draft Auditor’s Annual Report, which summarised the overall results of the audit to date and consideration of the Council’s value for money arrangements and any significant weaknesses.

Both would be updated to reflect the final position once the accounts were updated and approved. EY thanked officers for their cooperation.

 

In relation to the 2024/25 audit, EY had identified four significant weaknesses in the Council’s Value for Money arrangements:

  1. Financial sustainability: low reserves, a significant DSG deficit, and a large budget challenge
  2. Quality of financial/performance information, including impacts of the Oracle implementation
  3. Finance team capacity
  4. Implementation of Oracle Fusion

 

Seven statutory recommendations had been reported in July 2025, related to:

  • Developing and delivering savings and transformation plans
  • Reviewing service delivery models for efficiency and value for money
  • Managing the DSG deficit
  • Improving forecasting
  • Fixing Oracle issues and associated processes
  • Strengthening the finance function
  • Maintaining pace on finance modernisation and GRIP

 

In the Draft Auditor’s Annual Report, EY had issued an additional non-statutory recommendation asking the Council to reassess whether the assumptions and forecasts underpinning the 2025/26 budget were sufficiently robust to support the conclusion that a balanced budget was set and to consider further actions if that could not be demonstrated.

 

EY described the Council’s financial position as critical, and unsustainable without corrective action and EFS. Reserves were very low; the DSG deficit was significant; and the ability of the Council to absorb further shocks was limited. It was also highlighted that Internal Audit has been unable to provide overall assurance for 2024/25, which heightened concerns in relation to governance and control.

 

EY raised concerns that the Draft Auditor’s Annual Report (issued on 27 November 2025) had not been considered by Members prior to this meeting.

 

The audit opinion for 2024/25 Council accounts will be disclaimed, citing incomplete procedures and lack of assurance over prior years following earlier disclaimers.

 

EY noted that the Audit Results Report had considered arrangements during 2024/25 (up to 31 March 2025), and there had been actions since then which would be referenced in updates on the GRIP and FMP. Early-year forecasts of ...

189.

Update on the GRIP (PDF, 257 KB)

Minutes:

Officers introduced an update on the GRIP, reminding Members that the GRIP consisted of three core workstreams: financial governance, directorate governance and constitutional governance. The report summarised the progress since the last Audit Committee meeting.

 

The forecast position from Month 6 through to Month 9 had remained stable, which officers regarded as a positive development. Spend controls had been in place since before Christmas. Budget development for 2025/26 had embedded learning from this year’s issues, with savings delivery plans developed for proposals where appropriate. The Council will start the budget-setting and MTFS process significantly earlier next year.

 

Officers confirmed EFS progress was ongoing. The final Local Government Finance Settlement (announced the previous day) provided long-awaited clarity on national DSG deficit treatment: Councils will receive 90% of the DSG deficits in Autumn 2026, with further support anticipated thereafter. This significantly reduced local financial impact.

 

Significant preparatory work was underway to get ready for the 2025/26 audit.

 

The Council had increased transparency and oversight by reporting performance to Cabinet, Select Committees, and Full Council. A Governance Masterclass for senior managers had been delivered; and a Governance Toolkit was now available on the intranet. Officers emphasised the need to begin business and financial planning earlier than in previous years.

 

Members asked whether the budget-holder training programme had been tested for effectiveness. Officers responded that training had been rolled out to ensure understanding that financial responsibility extended beyond the Finance team. It was too early to meaningfully assess outcomes. Additional training will occur as part of Oracle process changes and the new EPM rollout. Cultural and behavioural change was expected to take time and would require repeated reinforcement.

 

There would be a two-stage process including a learning and development session with senior managers to understand changes within Oracle and changes to reporting budgets. At the start of the FMP, the aim was always to start 2026/27 monitoring on Oracle and so there would be training before month 2. The FMP was in two parts, the finance part and the Oracle part.

 

Members asked whether EY’s recommendations on Oracle were being integrated. Officers confirmed that improvements were underway around access, authorisation levels, and procure-to-pay processes. The Council was moving away from legacy processes to Oracle-standard methods. Integration between HR and Finance systems was being strengthened to ensure organisation and staffing data flowed correctly into Oracle. EY’s Oracle-related recommendations had been positively adopted, particularly those around price and quantity controls, HR–Finance integration, and improving technical configuration.

 

Members asked why many process, access, and governance issues appeared to be addressed after go-live. Officers explained that the original implementation effectively ‘lifted and shifted’ the legacy Oracle R12 configuration into Oracle Fusion, replicating old limitations. The Council was now correcting this by moving to a more standard, optimised Oracle configuration. Rather than rushing mid-year changes, officers intentionally aligned improvements with the start of the new financial year for stability and to avoid compounding past mistakes. Oracle improvements must be phased ...

190.

Update on the FMP (PDF, 929 KB)

Minutes:

Officers introduced the Finance Modernisation Programme (FMP) update. The programme had been established to respond to findings from past internal audits and external audits and was designed to address weaknesses in financial management; improve the Oracle system and related processes; strengthen the Council’s capability to manage and understand its financial performance; and provide sustainable, reliable insight into the Council’s financial position.

 

Officers summarised that Phase 1 centred on strengthening internal basics and addressing previously identified control weaknesses. This included:

 

Financial Management & Core Controls:

Addressing balance sheet risks; validating accounting transactions; enhancing accuracy of reporting; and improving audit readiness.

 

Improving Budget Monitoring:

Training delivered to all budget holders; simplified budget-monitoring processes; corrections to pay forecasting and other mis-forecasting issues; and introduction of good-practice standards for monitoring and forecasting.

 

Reducing Oracle Burden:

Tackling data and access risks; reducing manual admin effort and requisition workload; increasing system availability and reducing errors during monthly resets; and improving user understanding of Oracle.

 

The strategic vision of the finance function was to build a strong foundation of consistent processes, accurate data, and reliable systems; develop continuous improvement as a cultural norm; move Finance from correcting numbers to interpreting them, offering insight and analysis; to become trusted advisors to support organisational decision-making; and to ensure staff have clear expectations, strong support, career paths, and relevant training.

 

Current work in Phase 2 included:

 

Audit Readiness (2025/26):

Continuing work to strengthen controls and processes ahead of the next audit cycle.

Planning, Budgeting & Reporting:

Oracle improvements and a new forecasting system, ensuring staff can access the right reports and rely on them, and strengthened MTFS modelling and forward planning.


Financial Clarity:

Improving strategic insight; and identifying weak areas and shaping support frameworks.

Officers highlighted the importance of clear financial and performance accountability as well as a coherent leadership culture across senior officers, linking financial, performance, HR, and risk responsibilities.


Officers presented a detailed forward plan covering January to June:

 

Current Period – Foundations:

Included reviewing organisational hierarchies for budget reporting; Corporate Directors validating structures for future monitoring; and ensuring system setup aligned to how services actually manage budgets.


March:

Included reviewing licensing costs and ensuring only staff who required monitoring access were licensed.


April:

Included finalising reporting elements for launch at start of financial year.

May–June (Month 2 Execution)

Included execution of Month 2 budget monitoring in Oracle – the first full cycle of new arrangements (core target of FMP); and tracking return on investment and resolving identified issues.

 

Officers stressed that success depended on clear communication; trained change champions; business-led training; and avoiding a repeat of past mistakes.

 

Officers described extensive work on mapping skills across all finance roles and Member learning needs. Oracle changes would require continuous training, and it was important to ensure that new starters were consistently trained. A new framework had been established to strengthen professional capability across the finance function.

Officers outlined current constraints. These included:

 

Capacity Pressures:

Finance was simultaneously running EFS, audit readiness, budget monitoring reforms, ...

191.

Risk Management & Strategic Risk Reports (PDF, 135 KB)

Minutes:

Officers presented the Risk Management report.

 

As at 28 January 2026 there were 225 risks recorded on the risk register. 22 red risks were live at the time of reporting. Four red risks were closed in-period. Seven risks were downgraded (from red to amber/green). Three risks were added to the Corporate Risk Register (one new risk; two escalated from amber). There was only one unscored risk, which had been added on the same day the report was run. This was scored shortly afterwards. Five risks were overdue for review, a substantial improvement from 41 in November. 32 risks had overdue actions, significantly reduced from 107 in November.

 

Officers emphasised that this represented significant and sustained improvement in risk management. Notably, improvements had arisen from stronger governance, not from chasing outstanding updates. Directorates were proactively engaging, supported by new business managers.

 

Officers presented the Strategic Risk Register, which covered cross-cutting, corporate risks. This register was owned by CMT and linked into the wider performance dashboard. It will undergo a full review at the start of next year.

 

In terms of further improvement, Members asked what may still be missing or inconsistent within the risk framework. Officers highlighted:

Consistency Across Services: some services were highly proactive in reporting emerging risks; others showed signs that they may not always escalate issues promptly. Directorate-level governance meetings now challenged services on any.

 

Timely Risk Closure & Action Completion: while risks were now logged promptly, the next step was ensuring faster action planning, faster action completion, and faster downgrading or closure when mitigations take effect. A new focus for next year will be KPI development to monitor the duration that risks remained high; speed of action implementation; and evidence of risk score movement (up or down).

 

Members asked about cyber risk following incidents in other London authorities. Officers noted that Hillingdon had provided mutual aid support to the impacted boroughs due to the severity of the incident. The Tri-Borough cyber incident had originated from an unauthorised individual joining a Teams call, gaining unintended system access. Hillingdon has since strengthened internal controls, including requiring officers to check attendee lists on virtual meetings, encouraging cameras on where possible, and briefing senior managers to treat unfamiliar participants as potential access risks. Hillingdon maintains close coordination with the National Cyber Security Centre, other London boroughs, and central government. External reviews had given significant assurance over cyber controls. The Council monitored cyber threats daily, with increased vigilance applied where national threat levels rise. Cyber awareness training and phishing simulations were mandatory and reinforced through regular communications and directorate briefings.

 

Members asked what “PEEPs” stands for. Officers confirmed it referred to Personal Emergency Evacuation Plans.

 

Members proposed that risk summaries relevant to each service area could be shared quarterly with the Select Committees to improve risk-based scrutiny and assist Members in identifying priority areas. Officers confirmed this was already planned via the developing corporate performance dashboard. The intention was for Select Committees to receive risk subsets ...

192.

Internal Audit Progress Report (PDF, 135 KB)

Minutes:

Officers introduced the Internal Audit progress report. Five audit reports had been finalised since the last Committee meeting. Four audit reviews were currently at draft stage. Fieldwork had now commenced for all but one of the audits in the current year’s Internal Audit Plan. A number of reviews were close to completion, with draft reports expected by the end of the month, to be finalised before year end. The Head of Internal Audit Opinion will be drafted post year end.

 

Officers highlighted the part-limited/part-reasonable assurance rating issued for the Savings Programme. The limited assurance element related to savings development work undertaken in December 2024 for the 2025/26 savings programme. Several savings lines were written off early in the year. The reasonable assurance reflected improvements in ongoing in-year monitoring, including a new Savings Tracking App; regular updates and challenge sessions; and strengthened governance around whether savings remain deliverable.


Internal Audit did not formally audit the early development of the 2026/27 savings programme due to timing, but officers confirmed that improvements were observed in real time and issues raised in the 2025/26 audit appeared to be actively addressed. A full audit of 2026/27 savings development was included in next year’s Audit Plan.

 

Members asked why a planned HR-related review was removed. Officers explained that Internal Audit relied on access to evidence and engagement from the service. If a service was unable to provide this due to significant vacancies, sickness, or project pressure, an audit conducted at that time would simply return “No Assurance” due to lack of evidence, adding no value. Instead, timing was reconsidered, or alternative audit methods explored.


Members noted several older management actions. Officers responded that the Council had previously paused its follow-up process, resulting in a backlog in 2023. Many historical actions had now been cleared. Where actions remained overdue, new dates were set only after discussion with services, and reasons recorded. Some actions had been superseded by wider system or process changes. A new automated follow-up system was being introduced next year whereby extensions will be automatically escalated to the relevant Corporate Director and then to CMT. Repeated extensions would be visible corporately, increasing challenge and accountability.

 

Members queried whether KPIs could distinguish between recommendations still within deadline and recommendations overdue or repeatedly extended. Officers confirmed Internal Audit was already reviewing its KPIs and monitoring arrangements for the next financial year. The new automated system will allow more granular monitoring, including overdue actions, extensions, and time from due date to completion. The Internal Audit Team is also seeking to automate its own internal KPIs.

 

The Chair noted that, where items were repeatedly extended or remain amber/red, the Committee may request relevant officers to attend and explain delays.

Members asked whether giving ‘reasonable’ assurance rather than ‘limited’ on monitoring savings was justified given that not all savings are being delivered. Officers explained that Internal Audit did not give assurance that outcomes will be achieved; it gave assurance on whether ...

193.

Internal Audit Charter (PDF, 142 KB)

Minutes:

Officers introduced the item, which included the Internal Audit Charter; Draft Internal Audit Plan 2026/27; and Internal Audit Standards Compliance & Quality Improvement Action Plan.

 

The Internal Audit Charter set out the purpose, authority, and responsibilities of Internal Audit, as required by the Global Internal Audit Standards. The Charter was unchanged from the previous year, having already been updated last year to conform to the latest global standards. It formalised Internal Audit’s mandate and responsibilities.

 

Officers highlighted that the Draft Annual Plan 2026/27 was risk-based, highly flexible, and should change throughout the year as risks evolved. It was noted that Internal Audit must be dynamic and respond to emerging risks, service requests, and new areas of assurance need.

 

The plan included:

  • Planned assurance reviews – assessing risk areas and the controls mitigating them.
  • Planned advisory reviews – supporting services during change or process redesign.
  • Ad hoc advisory work – frequent in 2025/26, including project group participation.
  • Grant claim verification – independent checks required for funding.
  • Follow-up work – supported by a new automated process under development to connect to Power BI dashboards for visibility across CMT and directors.

 

Several planned reviews were highlighted, including:

  • Project management – ensuring projects had plans and oversight
  • Directorate Governance – testing whether governance improvements were embedded in practice across directorates
  • Business & Financial Planning – reviewing whether directorates had robust business plans and whether mid-year progress reporting aligns with agreed outcomes
  • Spend Control Panels – reviewing the operation of new spend controls, including whether spend was going through the correct routes
  • Budget & Savings Monitoring – reviewing budget holder ownership, forecasting quality and confidence, and savings delivery scrutiny.
  • Company Governance – reviewing governance for Hillingdon First and the Hillingdon Care Company, ensuring benefits, oversight, and collaborative working remain aligned to corporate expectations.

 

Members were content that the plan covered a wide and relevant range of topical areas already discussed earlier in the meeting. The Committee approved the Internal Audit Plan 2026/27.

 

Officers presented the Global Internal Audit Standards. Internal Audit was required to comply with the Global Internal Audit Standards and to discuss annually the purpose and mandate for Internal Audit. Essential conditions reflected the role and responsibility of the Audit Committee.

 

Officers had self-assessed compliance as generally achieving the standards. Areas marked partially achieved related mostly to evidence not yet available (for example, Audit Committee involvement in future appointments of the Head of Internal Audit which cannot yet be evidenced), and further work to strengthen Internal Audit’s use of technology.

 

Appendix A set out the roles and responsibilities of CMT and the Audit Committee, as required by the standards. The Committee must review these annually. If the Committee chose not to comply with a required element, Internal Audit must formally disclose non-compliance on an ongoing basis.

 

Appendix D outlined proposed amendments to the Committee’s Terms of Reference. This was not yet a formal ToR review, but an invitation for Members to commence one if desired. Members indicated they wished the review process to ...

194.

Counter Fraud Progress Report (PDF, 143 KB)

Minutes:

Officers introduced the Quarter 3 Counter Fraud progress report.

 

The team had achieved £3.5 million savings in Q3, bringing the year-to-date total to £10.1 million, exceeding the year-to-date target of £8.8 million.

 

On housing fraud, 29 additional properties had been recovered in Q3, bringing the year-to-date total to 84.

 

10 cases of emergency accommodation had been closed due to non-occupation, resulting in savings of £268,000 (26 closures year-to-date).

 

15 businesses had been identified as liable but unlisted for business rates resulting in a billings total of £733,000.

 

The Counter Fraud Team had been shortlisted for the Public Sector Fraud Awards in two categories, Local Excellence, and Team of the Year. The nominations were based on 2024/25 outcomes with the award ceremony due to take place in two weeks.

 

National Adult Social Care data matching had returned to the National Fraud Initiative (NFI) for the first time in 10 years, following legislative changes enabling matching for fraud purposes.

 

Over 130 live investigations into property recovery continued, and the team must maintain the current high recovery rate, which forms a major part of the Council’s fraud-related savings.

 

A new Power BI Counter Fraud dashboard was nearing completion (due late Q4 / early Q1). Officers intended to replace lengthy narrative reports with data-driven, visual performance reporting from Q1-Q2 onwards.

 

Members commended the team for their award nominations.

 

Members queried the distinction between cashable savings (approximately £849k) and notional savings (approximately £7.9 million). Notional savings had two elements. The first was business rates retention: only 30% was retained by the Council, with the remaining 70% returned to government. Therefore, some revenue gains cannot be counted as direct cashable inflow. The second related to tenancy fraud. The national tenancy fraud formula defined notional savings, which represented nationally recognised avoided costs. Each recovered property avoided significant expenditure on temporary accommodation (approx. £26–27k per property).

 

Members queried why asset leasing and lettings were not explicitly referenced in the fraud categories. Officers clarified that these areas were covered indirectly under multiple fraud categories, including money laundering or internal fraud. Any fraudulent activity relating to leasing and lettings would fall into these categories and be investigated.

 

Members commended the high quality of reporting, the team’s performance, and the widely green KPI performance. The Committee expressed appreciation for the team’s work and wished the team good luck at the upcoming Public Sector Fraud Awards.

 

RESOLVED: That the Audit Committee noted the Counter Fraud Progress Report for 2025/26 Quarter 3

 

195.

Counter Fraud Operational Workplan (PDF, 151 KB)

Minutes:

Officers introduced the Counter Fraud Operational Workplan for the upcoming year. The operational framework remained stable year-to-year and was underpinned by the Council’s overarching Counter Fraud Strategy.

 

The framework outlined the strategic operating model, governance structure, and delivery methodology of the Counter Fraud Team. No major changes had been made to the framework for 2026/27.

 

Officers highlighted that Appendix A set out a risk assessment of potential fraud risks that could affect the Council in the year ahead. These risks reflected analysis of 2024/25 activity; insights from the Council’s Corporate Risk Register; and horizon scanning for emerging fraud risks in the public sector. These risks were not unique to Hillingdon; they were common across the public sector.

 

Appendix B contained the detailed operational plan for 2026/27. Officers emphasised that the plan was entirely risk-based, ensuring Counter Fraud resources were targeted where they deliver the greatest benefit. The highest-risk, highest-demand areas continued to be Social Care, Housing, and Revenues.

 

The plan included a balanced mix of proactive activity (e.g., intelligence-led operations, data-matching, tenancy checks), and reactive investigations arising from referrals and intelligence.

 

The plan was designed to support delivery of the 2026/27 financial target of £9.4 million.

Officers noted that the year’s plan included a new addition of a full explanation of the savings methodology, showing exactly how each category of saving was calculated. This was provided to increase transparency.

 

The Committee welcomed the clarity of the methodology appendix and reiterated appreciation for the team’s work.

 

RESOLVED: That the Audit Committee noted the Counter Fraud Annual Operational Plan for 2026/27

 

196.

Work Programme (PDF, 136 KB)

Minutes:

Members considered the work programme.

 

Officers confirmed that apologies had also been received from Councillor Henry Higgins.

 

The Chair noted the dates of the upcoming meetings.

 

EY highlighted that there may be a need to alter the date of the February 2027 meeting to better suit presentation of accounts and audits to the Committee, as the current planned date of 10 February 2027 was after the backstop date for 2025/26 audits of 31 January 2027. It was suggested that this meeting be moved to before the Christmas break. A new date would be confirmed in due course.

 

RESOLVED: That the Audit Committee noted the dates for Audit Committee meetings