Agenda and minutes

Audit Committee - Tuesday, 29th October, 2024 7.00 pm

Please let us know if you are planning to attend and have any access requirements or other needs which we need to take account of.

Venue: Council Chamber - Town Hall. View directions

Contact: Phil Llewellyn  Democratic Services

Items
No. Item

AU.28

APOLOGIES FOR ABSENCE

Minutes:

The Chair welcomed all to the Meeting.

 

Apologies were received from Councillor Gartside (and Councillor McBriar who was scheduled to attend as a substitute for Councillor Gartside).

AU.29

DECLARATIONS OF INTEREST

Members of the Audit Committee are asked to consider whether they have an interest in any of the matters on the agenda and, if so, to formally declare that interest.

 

Minutes:

No Declarations of Interest were received.

AU.30

MINUTES OF THE LAST MEETING pdf icon PDF 257 KB

The Minutes of the last meeting of the Audit Committee held on 25th September 2024 are attached for approval.

Minutes:

The Minutes of the Meeting held on 23rd September 2024 were agreed as a correct record.

 

Under Matters Arising, in terms of the questions from Cllrs Berry and McBriar, which were carried forward from the July Meeting, Louise Kirkman provided responses to both, advising:

 

CR5 – Increasing Demand Pressures and the question raised about the demand on A&E and if this was due to a lack of GP appointments across the Borough.It was acknowledged that  GPs were extremely busy, and their phone lines were be very much in demand. However, worries about people being unable to get an appointment was not the case in Bury, with the most recent GP appointment data  from July 2024 showing that 45% of appointments were provided the same day, and 72% of people got an appointment within less than a week. The number of appointments provided each month was now 94,000 per month compared to 64,000 a month only 2 years ago. Data was also shared which didn’t suggest that people were accessing A&E at Fairfield rather than using their GP, with use of A and E by Bury residents has been lower every month so far this year when compared to last year.

 

The other area question related to risks reflecting as being On Target, yet remaining as Static on the risk register. This often suggests that although risk management activities are proceeding as planned, they haven’t yet reduced the risk level and this could happen for a number of reasons which were outlined, and in summary On Target reflected the progress of mitigation activities relative to the planned approach, while a Static score often indicated that the risk was being contained rather than actively reduced. The goal was to reduce all risks to the target level, and all Risk Owners and Responsible Officers of the Risks present on the Corporate Risk Register were actively seeking to achieve this, ensuring regular reviews and monitoring, with effective mitigations put into place when possible.

 

Following discussions at the last meeting on the Statements of Accounts for 2021-22, 2022-2023 and 2023-2024, the Chair noted that there were no formal updates on the agenda, and requested that Karen Murray and Neil Kissock provide verbal updates on the latest position on each set of accounts.

 

Karen Murray advised that in terms of 2021-22, there was still some work outstanding relating to information on the existence of RAAC in the Council’s buildings. Information had been provided relating to buildings where the Council hadn’t yet undertaken inspections so didn’t know the position, so the financial impact of this uncertainty was not yet known. In addition,  they were yet to receive the evidence for the rest of the property portfolio to understand how the Council has determined there was no RAAC present.  

The External Auditors were also still working to understand how officers knew the related party disclosure in the accounts were complete. Some additional evidence had been presented in the last week but some of the  ...  view the full minutes text for item AU.30

AU.31

Deep Dive - Security & Resilience

See associated report on pages 87-96.

Minutes:

Kate Waterhouse and Andrew Carter were present to assist the Committee with a Deep Dive into Security & Resilience (Risk Reference CR3), a supporting report for which was also within the agenda for the meeting, which highlighted the importance of cyber security in local government, the key potential impacts, together with some case studies of the financial impact from recent attacks on UK based organisations.

 

Members of the Committee asked questions focussing on:

 

·         Procurement – the risk of corruption of hardware being purchased by the Council – it was explained that frameworks were in place that ensured that all equipment was purchased from reputable suppliers.

·         Movers and Leavers – what was the cost of assets not returned? The Leavers process was harder to manage, as Movers equipment stayed within the Council, but processes were in place to assist with Leavers, such as geo locking of devices, with a process being written at the present time also. Comms would also be carried out to advise users of the need to inform IT if they needed to use devices abroad. Costs of assets not returned were not currently available, but would be identified and communicated going forwards.

·         Prosecution of individual officers – this would be unusual, and would most likely arise from a malicious incident, such as sale of data to a private company.

·         Failed Log-ins – Accounts may be blocked if wrong passwords entered several times, or log-ins attempted from two devices at the same time, or someone was trying to log on from a different country.

·         Immutable Back-ups – Significant progress made, some Service Desk changes were still ongoing.

·         Phishing – Officers agreed to look at improvements, such as users marking items as ‘Spam’. Existing processes such as items being placed in Quarantine were noted.

·         Suppliers failure and impact – Such as staff not getting paid because of faulty software – liability wise this would be looked into, but after a successful cyber- attack heightened stipulations were placed on providers.

 

It was agreed:

 

That the information be noted and officers be thanked for their attendance.

 

AU.32

Corporate Risk Register pdf icon PDF 273 KB

Additional documents:

Minutes:

Louise Kirkman presented a report which provided an updated position with regards to the risks identified and assessed on the Council’s Corporate Risk Register.

 

24 risks were currently present on the Corporate Risk Register and had been identified as those that had the potential to disrupt the Council’s strategic objectives and service delivery. These risks had been identified as those of a genuine corporate nature and were summarised as follows:

 

 16 risks were currently rated as Significant (risk score 15-25)

 8 risks were currently rated as High (risk score 8-12)

 1 risk had increased in score o

 0 had decreased in score

 20 have remained static

 2 had been newly introduced

 1 was proposed for closure

 

One risk was proposed for closure, being CR32 - General Election  which had been completed since the last review so was no longer relevant.

 

One risk reflected an increased likelihood: CR30 – Staff Safety. The Risk Owner had advised that there was an increasing trend in incidents of violence and aggression against staff. This is a pattern was not unique to Bury. Given the trend in the data it felt appropriate that the risk likelihood score was increased.

 

Two new risks had been introduced, the first was CR34 and related to the Sure Maintenance Contract, the service had declined significantly in recent months. Housing had placed the contractor under an improvement plan, as data was showing that customer service was in decline and the number of properties without appointments for servicing had increased substantially. This would put therefore put them at risk of not meeting their statutory duties. It was also reported however that improvements had been noticed very recently following changes introduced by the company.

 

The second new risk was CR35 and related to Insurance Cover across the Council. Following a tender exercise last year, it was found that there were a substantial number of properties held that had an inadequate valuation or unavailable information, resulting in the tender process being withdrawn and delayed until this year. Insurance cover may be inadequate and we may be over or under insuring based on the current valuations. Over the summer, some insurance cover relating to the Bradley Fold Trading Estate had been withdrawn and so with this and the tender exercise, it was felt that this could be a risk posed to the Council if adequate property valuations were not provided. The Insurance Team had a working group in place to address the issues and ensure that relevant mitigating controls were in place to reduce the risk and ensure that the tender process ran smoothly. An inherent risk score field has been added to the Risk Register at this review, which demonstrated the level of risk that existed before any controls or mitigations were applied.

 

Members discussed the additional risks and report submitted, with Louise Kirkman advising that she would arrange an answer to Cllr Berry’s query about School Streets (how many and how may scheduled over the next 12 months) for submission to Democratic  ...  view the full minutes text for item AU.32

AU.33

Information Governance Update pdf icon PDF 587 KB

Additional documents:

Minutes:

Julie Gallagher presented a report on Council’s Information Governance activity up to the end of September 2024, which highlighted improvements in training compliance, performance at responding to requests for information and dealing with data breaches in terms of Information Governance.

 

The report gave an update on progress in implementation and review of the ICO recommendations from 2021, including creation of a Policy and Compliance Team and an updatred Information Governance Framework. A full update on the ICO recommendations and actions taken by the Council would be presented to the Audit Committee at its meeting in February 2025. 

The report also gave details of figures relating to Subject Access Reviews (SARs) and SAR reviews, statistics relating to Freedom on Information (FOI), Environmental Impact Reviews and DPO Reviews, Data breaches, and Complaints, included those upheld by the ICO.

Details were also shared of attendance by Officers and Members in terms of mandatory training and non-compliance and actions taken.

During discussion of the report and questions it was confirmed that as previously advised, Members were Data Controllers and needed to register with the ICO, and even if Members had an existing registration in another role they should still register in their capacity as a Councillor. It was also advised that the report covered January to September, but if more regular updates were required these could be arranged on a quarterly basis.

 

It was agreed:

That Audit Committee note the performance from 1 January 2024 to 30th September 2024

 

 

 

 

 

AU.34

Quarter 2 Internal Audit Progress Report pdf icon PDF 261 KB

Additional documents:

Minutes:

A report was submitted which outlined the work undertaken by Internal Audit from 1st June to 30th September 2024 which included the progress to date to complete the annual audit plan 2023/24 and to deliver the work from the 2024/25 audit plan.

 

The majority of work outstanding from the 2023/24 plan had now been completed and work on 2024/25 plan was progressing. Work on 2023/24 plan was concluding with three reviews ongoing and two reviews at draft report stage.  

 

Work on 2024/25 plan had commenced, with nine reviews ongoing and two having been allocated to auditors. Seven audit reports had been issued during the period, and nine first follow up exercises and six second follow up exercises havd been completed between the period 1st June and 30th September 2024. Additionally,  four management requests for ad-hoc work were ongoing or had been allocated to auditors.

 

During discussion of the report, he Chair highlighted that six of the seven reports had only given limited assurance, which was concerning, and the Chair also referenced the workload of the Departments and of the high number of audits carried forward.

 

 

It was agreed that:

 

Members note the report and the work undertaken by Internal Audit.

AU.35

EXCLUSION OF PRESS AND PUBLIC

To consider passing the appropriate resolution under Section 100(A)(4) of the Local Government Act 1972 that the press and public be excluded from the meeting during consideration of the following items of business since they involve the likely disclosure of the exempt information stated.

 

Minutes:

It was agreed: That the press and public be excluded from the meeting under Section 100 (A)(4), Schedule 12(A) of the Local Government Act 1972, for the reason that the following business involves the disclosure of exempt information as detailed against the item.

AU.36

INTERNAL AUDIT REPORTS

Minutes:

A report was submitted for information only and appended to the report were those reports which had been highlighted in the Internal Audit Progress report which was delivered in the open session earlier in the meeting.

 

Full versions of Limited Assurance audit reports were attached, and summary versions of all other Assurance rated reports and first & second follow ups were attached. 

 

The report was exempt from publication as it may contain information which was likely to reveal the identity of an individual and / or may contain information relating to the financial or business affairs of any particular person (including the Authority).

 

It was agreed that:

 

1.            Members note the report. 

2.            That the information and clarification following discussion be noted by the Committee.

 

 

 

AU.37

Internal Audit Special Investigation Reports

Minutes:

A confidential report was submitted for information only on Special Investigations carried out by the Internal Audit Team.

 

It was agreed:

 

That the report and information received at the meeting be noted.

 

AU.38

Counter Fraud Progress Report and Business Rates Report

Minutes:

Members received a report which provides an update on the Annual Counter Fraud Plan 2024/25 and the work undertaken by the Counter Fraud Team during the period 1st July 2024 to 30th September 2024 which contained confidential information.

 

It was agreed:

 

That the report and information received at the meeting be noted.

 

At this point of the meeting the Chair raised two matters as follows:

 

·         Recruitment of Independent Members was being investigated and an update would be provided to the Committee.

·         Following a request to consider a change to the meeting start time from the Municipal Year 2025/26 onwards, Members discussed the potential for a 6pm start time instead of 7pm, and following discussion agreed that a start time of 6.30pm would be a suitable time, and also noted that meetings should not continue beyond three hours from the start time.