Agenda and draft minutes

Apologies for absence are recorded above.

Members of the Audit Committee are asked to consider whether they have an interest in any of the matters on the agenda and, if so, to formally declare that interest.

There were no declaration of interest made at the meeting.

The Minutes of the last meeting of the Audit Committee held on 17 February are attached

It was agreed:

That the Minutes of the last meeting held on 17 February 2026 be approved as a correct record and signed by the Chair.

There were no matters arising from the Minutes of the Last Meeting

Report from the S.151 Officer attached

Appendices attached

The Senior Auditor presented a report from the Section 151 Officer detailing the work undertaken by Internal Audit between 1 January and 31 March 2026. The report outlined progress made in completing the 2024/25 Internal Audit Plan and commencing the 2025/26 Audit Plan. It enables Members to monitor the performance of the Internal Audit service, raise any matters for further consideration, and provides an opportunity to request additional information or propose areas for further or follow?up audit work.

The conclusions drawn from the report are:

·         Work on the 2025/26 plan is progressing, with 17 reviews ongoing and 3 reports at draft stage. All audits from the 2025/26 plan have commenced.

·         3 final audit reports have been issued during the quarter 4 period.

·         7 first follow up exercises and 6 second follow up exercises have been completed between the period 1 January to 31 March 2026.

Those present were given the opportunity to ask questions and the following points were raised:

·         Councillor Bernstein referred to the KPIs that were set out in the report and the fact that 72% had been met and asked what this said.

It was explained that this was the first year that the KPIs had been recorded. There was room for improvement, but the implementation of recommendations was out of the control of Internal Audit.

·         Councillor Moss referred to the 3 audit reports that had been issued during the last quarter and the fact that they had all been limited assurance and asked if there was any reason for this.

It was stated that there was no reason.

·         Councillor Moss referred to the guidance which will be issued to schools and asked if the auditors were seeing commonality on school audit reports?

It was confirmed that there were common areas and these had been picked up in the guidance that was being issued by the schools finance team.

·         Councillor Moss asked what could be done to ensure that more audits were completed.

It was explained that the team try to complete as many audits as possible throughout the year and were on track to complete another 9. It was stated that there would always be incomplete audits to carry over at the end of each year. The number of days spent on audits had reduced year on year

·         Councillor Berry asked whether the Audit Committee would receive reports of the Governance and Assurance Board and what would happen if targets weren’t achieved.

Any recommendations that were outstanding were monitored monthly at the Governance and Assurance Board that was attended by the Directors, Assistant Directors and heads of service. The Internal Audit team follow up on outstanding recommendations.

·         Mr Webster referred to the ICT reviews and asked if any had been undertaken.

It was reported that Salford Council provide 20 days of support to Bury in relation to ICT audits, but no reviews had been done for the 25/26 financial year as work undertake during 24.25 had still been being finalised. The work for 26/27 had  ...  view the full minutes text for item AU.132

Report from the S.151 Officer attached

The Risk Manager submitted a report of the S.151 Officer which provided an updated position with regards to the risks identified and assessed on the Council’s Corporate Risk Register up to 28 February 2026

26 risks were currently present on the Corporate Risk Register and had been identified as those that have the potential to disrupt the Council’s strategic objectives and service delivery.

The report presents all relevant information and scoring of these risks, an overview being:

17 risks are currently rated as Significant (risk score 15-25)

7 risks are currently rated as High (risk score 8-12)

2 risks are currently rated as Moderate (risk score 4-6) 

0 have increased in score

4 have decreased in score

21 have remained static

1 is newly introduced

3 are proposed for closure

Members were given the opportunity to ask questions, and the following points were raised:

• Councillor Moss raised the following questions.

In relation to CR28 Asylum & Immigration, what is the justification for the reduction in the Likelihood score from 4 to 3. 

In relation to CR41 Cyber Crime & Digital Threats, what is the justification for the reduction in the Impact score from 4 to 3. 

In relation to CR4 Digital Transformation, what is the justification for the reduction in the Likelihood score from 3 to 2

The following information was provided:

CR28 – of all the mitigating actions. A complete staffing structure is now in place, alongside clearly defined pathways, which significantly reduces both risk and impact. Data from the past year provides strong evidence of a reduction in fast-track decision making by the Home Office, with decisions becoming more stable and predictable. This has enabled the service to plan more effectively for families moving on from Home Office accommodation. At a national level, Bury has been placed on a maintain and replace model for asylum dispersal. This means there is an agreed cap on bed spaces within the, and no additional properties will be procured beyond this limit. Arrivals through the Ukraine schemes have decreased significantly, and the council has a dedicated Migration Officer supporting the managed closure of the Ukraine pathway within the next 18 months.

It should also be noted that this justification was completed in February 2026, prior to the conflict involving Iran. While there is currently an increased level of global risk, there is no Homel Office confirmation of this stage that the UK has been directly impacted by displacement related to this situation.

CR41 – The reason for the reduction in the impact score is because of the additional investment the Council agreed last financial year to improve our data recovery and backup software. These systems have now been fully procured and installed. This, combined with our Cyber Security management arrangement with Salford City Council means that we are more prepared for when, not if, a cyber-attack occurs. The steps we have taken have included ensuring that we have up to date scenario planning for different types of cyber threats and have upgraded our digital  ...  view the full minutes text for item AU.133

Report from Forvis Mazars attached

The External Auditor’s Annual Report was presented to the Committee.

It was explained that the report was for information and confirmed that the External Auditors, Forvis Mazars, had completed the work in relation to the 2024/2025 financial statements.

Report from the S.151 Officer attached

Appendices attached

The Senior Internal Auditor presented a report of the Director of Finance setting out the context of the Internal Audit Service and explaining the approach to the compilation of the 2026/2027 Internal Audit Plan. 

The plan was set out at appendix B of the report.

Those present were given the opportunity to ask questions and the following points were raised:

• Councillor Berry referred to Anti Social Behaviour not being included and asked why this was.

It was explained that this was lower down the priority list.

• Mr Webster referred to the 10 days that were set out for IT and asked if this was correct.

It was explained that this was the case. Salford Council had requested in the SLA that 10 days be committed initially but more could be requested if required and would be provided at the same rate.

• Mr Webster referred to Audit work that wasn’t carried out from the previous plan and asked how this would be prioritised.

It was explained that the next priorities would be homelessness, MP casework, finance & assurance, educated at home, facilities management and school grid system.

• Councillor Moss referred to the assurance of core financial systems and processes.

It was reported that time spent in relation to the unit 4 system implementation would be recorded throughout the upgrade process.

Questions were raised in relation to time allocated on carry over work and it was explained 20 audits were carried forward with 101 days allocated.

It was agreed:

1. That the report be noted.

2. That the Annual Audit Plan 2026/2027 be approved.

Report from the S.151 Officer attached

Appendix attached

The Senior Auditor presented the Counter Fraud Plan, which sets out the programme of work the team aims to deliver during 2026/27. The plan has been developed using the team’s experience and knowledge of work undertaken in previous years and is intended to be kept under continuous review and further developed as required.

The team has established contacts within councils across the Greater Manchester Combined Authority and in other regions nationally. Through networking and liaison with these teams, the team is able to identify emerging fraud risks and areas being targeted by fraudsters, as well as learn from work and developments undertaken elsewhere. This intelligence will be used to inform the team’s work and to identify areas for potential inclusion in future counter fraud plans.

Those present were given the opportunity to make comments and ask questions and the following points were raised:

• Councillor Green referred to the work involved with investigations and asked if there were sufficient resources available to deal with increased risks.

It was explained that a business case was being prepared to request more resources and if successful it was hoped that results would be seen within 12 to 18 months.

It was agreed:

That the Annual Counter Fraud Plan 2026/2027 be approved

Report from the Head of Performance, Delivery and Compliance and Data Protection Officer attached

The Head of Performance, Delivery and Compliance and Data Protection Officer presented a report  updating the Audit Committee on the Council's Information Governance activity for 12 months up to 28 February 2026. As mentioned in previous reports to Audit Committee, these reports now focus on the Council's performance in the delivery of Information Governance.

The report set out the figures in relation to the number of Subject Access Requests (SAR), Freedom of Information Requests (FOI), and Environmental Information Reviews (EIR) received in the 12 month period and the timelines for responding to the requests.

There had been:

299 SAR received

1261 FOI requests received

27 EIR received

It was reported that there has been new software purchased to manage FOIs, EIRs, SARs and Data Breaches. This will be implemented from 1 May 2026 and provide further efficiencies in the process that should reflect in the performance figures going forward.

The report also set out details of the number of Council-related data breaches, outlined the actions being taken to improve performance in this area, and provided members with an update on GDPR training for staff and Members. This included information on non-compliance and the steps being taken to ensure completion of the training.

Those present were given the opportunity to ask questions, the following points were raised:

·         Councillor Berry referred to FOI requests that had been compiled with the use of AI and asked whether this had led to an increase in more complex requests being received.

The Head of Performance, Delivery and Compliance and Data Protection Officer explained that this was not something that had been discussed but will be considered.

·         Councillor Bernstein asked if the number of SARs, FOIs and EIRs received by Bury Council was in line with other Metropolitan Councils of a similar size.

It was explained that it would be in line with other local authorities and that work was being done with the ICO to benchmark across councils.

·         Councillor Rubinstein referred to the GDRP training and non compliance and asked what was being done in relation to this and what sanctions were being put in place.

It was reported that the reasons behind the non compliance were being looked at and different options. There is a proposal in development to develop the training into a cyclical process completed at a particular part of the year. This will provide opportunity to understand compliance and analyse actual progress. In addition, work is ongoing to improve data recording and reporting by developing a live data dashboard on training compliance.

·         Councillor Staples-Jones referred to the quality of responses provided to Freedom of Information requests and asked whether efforts were being made to ensure responses were sufficiently comprehensive to prevent further requests being submitted.

It was explained that the new software that was being introduced would ensure that the responses were as thorough as they could be.

·         Councillor Staples Jones also referred to the GDPR training and asked if examples of where things had gone wrong locally should be included.  ...  view the full minutes text for item AU.137

Report from the S.151 Officer attached

The Senior Auditor presented a report setting out the Council’s Internal Audit Charter.

It was explained that the purpose of Bury Council’s internal audit Charter is to define internal audit’s purpose, authority, and responsibility.

The Charter establishes the internal audit activity’s position within the council and reporting lines; authorises access to records, personnel, and physical property relevant to the performance of audit work; and defines the scope of internal audit activities.

The Charter also covers the arrangements for the appointment of the Head of Internal Audit and internal audit staff, and identifies the nature of professionalism, skills and experience required.

The work of internal audit has been governed by the Institute for Internal Auditors Global Internal Audit Standards, that become mandatory for the UK public sector from April 1st, 2025.

Internal Audit has adapted its governing documents and other processes to achieve conformity to the new Standards.

The Standards are mandatory for all internal auditors working in the UK public sector.

Internal Audit is subject to external quality assessments every 5 years, and the assessors consider the Charter’s conformity with the Standards as part of the work. The most recent review was carried out in 2024.

It was agreed:

That the internal Audit Charter 2026/2027 be approved.

Report attached

Appendix attached

The Audit Committee received a report providing an update in relation to the Member’s Discretionary Grants scheme.

It was reported that the majority of Elected Members had donated their £1000 discretionary grant in accordance with the scheme.

It was agreed;

That the contents of the report be noted

To consider passing the appropriate resolution under Section 100(A)(4) of the Local Government Act 1972 that the press and public be excluded from the meeting during consideration of the following items of business since they involve the likely disclosure of the exempt information stated.

It was agreed:

That the press and public be excluded from the meeting under Section 100 (A)(4), Schedule 12(A) of the Local Government Act 1972, for the reason that the following business involves the disclosure of exempt information as detailed against the item

Report from the S.151 Officer attached

A confidential report was submitted for information and the Committee were given the opportunity to make comments and ask questions.

It was agreed:

That the report and information received at the meeting be noted

Report from the S.151 Officer attached

The Senior Auditor introduced the report which was provided for information only.

The report related to the status of investigations as at 31 March 2026.

Members were given the opportunity to seek clarification and challenge any parts of the report.

It was agreed

That the report be noted.