Agenda and minutes

To receive any declaration of interest by any Member or Officer in respect of any item of business.

No declaration of interest was received.

To present the minutes of the previous meeting of the Audit and Governance Committee held on 25 July, 2016.

The minutes of the previous meeting of the Audit and Governance Committee held on 25 July, 2016 were presented and confirmed as correct.

Arising thereon –

•           ICT Disaster Recovery

The ICT Business Transformation Manager reported on progress to date with regard to arrangements for ICT disaster recovery with the objective ultimately of ensuring that the Council has a dedicated off- site back-up data centre that will allow its critical business systems to be fully recovered in the event of flood or fire or any other disaster scenario. The Officer said that the Council does not currently have that advanced capability and that information stored in its one existing data centre is backed up by other means. In addition, the equipment which the Council’s systems rely upon does not have the necessary degree of resilience, and although the storage systems themselves are robust and have historically been carefully managed, the arrangements as at present are susceptible to risk and single points of failure.

The Officer explained the enhancements made to the existing data centre as a result of increased investment in ICT over the previous 12 months which was made to improve both infrastructure and business systems as well as the general ICT capability within the Council. In addition investment has also been made in new service technologies to replace the outdated technologies that were in place; the storage system has been replaced with a new state of the art system and new data back- up systems are being implemented as part of the broader aim of moving to a more digital economy in Anglesey to improve the delivery of services to its citizens.

The Officer said that the new technologies which have been purchased specifically to run over two data centres have designed out all the single points of failure meaning that the Council is in a much better position that it was 12 months ago in terms of its ICT arrangements. There is no additional cost overhead because the new technologies’ design is best practice and also because of good procurement practice in their acquisition. These technologies are meant to provide resilience over two data centres without extra cost and will provide the bedrock of the core infrastructure to support the Council’s digital ambitions in future e.g. App Môn. The end objective of these endeavours is to construct a second facility as the ultimate back-up solution which is what the ICT Service has been tasked with doing and for which it has received capital funding to deliver. The build is underway, and the two data centres will together act, and be managed, as a single entity although they will be in physically separate locations. This means that the Council, in the event that it loses use of the current data centre can continue running its entire business from the other data centre and vice versa because all the technologies will be  designed to run over both centres thereby guaranteeing the availability of the Council’s business systems over and  ...  view the full minutes text for item 2.

·        To present the Statement of Accounts for 2015/16.

·        To present the External Audit report on the audit of the Financial Statements.

·      The report of the Head of Function (Resources) and Section 151 Officer incorporating the Statement of Accounts for 2015/16 and Annual Governance Statement 2015/16 was presented to the Committee.

The Head of Function (Resources) and Section 151 Officer reported that the draft accounts for 2015/16 were presented to the Audit Committee at its meeting held on 27 June, 2016 and were subsequently submitted for external audit which process has taken place over the summer months and is now substantially complete . A number of amendments to the draft have been incorporated into the accounts details of which are set out in the Auditor’s ISA 2560 report; a summary of the more significant amendments to the draft statement is provided at paragraph 3.2 of the report. The Officer said that the Audit and Governance Committee is required to recommend the financial statements for approval by the County Council but that there remains an outstanding issue which needs to be resolved before that can take place.

The Head of Function (Resources) and Section 151 explained that as part of the audit of the financial statements the auditors undertake substantive testing of certain areas of the accounts. During that sampling process, the auditors have identified three infrastructure assets totalling £5.336m for which they require evidence to corroborate their existence and ownership. The Officer confirmed that the value of one of the assets in need of supporting evidence is shown as £4m on the accounts, and because of the historical nature of the asset, the Finance Service to date has not been able to provide the evidence required partly because systems have changed over the course of time and partly because of difficulty in accessing paper records the retention of which is time limited. Although efforts to resolve the issue are ongoing and it is anticipated that a resolution can be achieved shortly, the Service at this point has not been able to provide the auditors with the required level of assurance with regard to this item to enable them to certify the accounts without qualification meaning that the Audit Committee is not in a position at today’s meeting to recommend the accounts for approval to the Council at its meeting on 27 September. This is due to the fact that the accounts could change depending on how the outstanding issue is resolved and the outcome in terms of what is shown on the accounts. In the circumstances the Authority could delay approving the accounts until such time as the auditors have obtained the necessary assurance but that could then require convening an extraordinary meeting of the Council or alternatively, the auditors could issue a qualified report. Following discussion with the Chair and the auditors, the Engagement Lead for the financial audit has confirmed that he is satisfied with the work currently being undertaken to resolve the issue and to provide the auditors with the level of assurance they require, and it is therefore recommended that the Committee delegates to the Chair and Vice-Chair  ...  view the full minutes text for item 3.

To present the  SIRO’s Annual Report 2015/16.

The report of the Council’s Senior Information Risk Owner setting out the key information governance issues for the period from 1 April, 2015 to 31 March, 2016 along with current priorities was presented for the Committee’s consideration.

The Senior Information Risk Owner (SIRO) reported that it is an expectation of the role of SIRO that it produces an annual report and the report presented is the first such report by the SIRO in Anglesey and has been used to take stock of the position at the Council. The report includes a summary of information governance issues that have arisen in the past as well as charting the actions taken to date and the plans going forward.

The Officer referred specifically to the following:

•           The Data Security Incidents during the period categorised according to their assessed severity. The number of incidents recorded is set out at Appendix B and comprises of 6 Level 0 to Level 1 incidents (having applied the data security incident methodology to these occurrences it was concluded that 5 were incidents that do not require reporting to the Information Commissioner’s Office – ICO and 1 was a near miss). No Level 2 incidents (incidents that must be reported to the ICO and other regulators) were recorded.

•           That the Council monitors specific Information Governance related Performance Indicators some on a monthly and others on a quarterly basis. These are acted upon on an exception basis and are used to escalate matters as necessary to the attention of the SLT.

•           Specific Information Governance roles have been established within the Council and include Information Asset Owners and Information Asset Administrators whose responsibilities are summarised in paragraph 4 of the report and who have received specialist training to undertake the roles.

•           All the Council’s staff are required to undertake basic Information Governance training which is refreshed every two years. This training commenced in June, 2014 and a process to ensure maximum take up was followed .Compliance close to 90%.

•           A range of key IG policies as set out in paragraph 5.2 of the report have been established and are available on the Council’s intranet. These policies are reviewed and updated by the Corporate Information Governance Board (CIGB). Following the identification of funding, the Council has now procured and is currently implementing a policy management system which will provide the SIRO with assurance that the key IG policies are being read, understood and formally accepted by individual members of staff.  The policy management system will be of wider application the idea being that staff will have available to them a digital library of up to date policies across all corporate services.

•           The Council’s overall data protection compliance has been assessed as a medium risk by Internal Audit. The SIRO is aiming to produce a Statement of Control in the next 3 years subject to the implementation and successful testing of the steps described in the report. The principal factor in respect of the Council’s being able  ...  view the full minutes text for item 4.

To present the Internal Audit Progress Report from 1 April, 2016 to 31 August, 2016.

The report of the Head of Internal Audit on the work of the Internal Audit Service during the period from 1 April to 31 August, 2016 was presented for the Committee’s consideration. The report included a summary of all audit assignments completed during the year; the level of assurance provided; a schedule of follow up audits undertaken together with a list of all Internal Audit recommendations that remain outstanding.

The Internal Audit Manager confirmed that the performance levels of the Internal Audit Section are on target. The Officer highlighted that the implementation rate with regard to High and Medium rated recommendations is now up to 83%.

The Committee noted the update provided by the report and made the following points:

•           The Committee noted and welcomed the Internal Audit section’s performance to date against the key PIs as documented in Appendix A of the report.

•           The Committee noted those areas in Appendix D in relation to Housing Benefit key controls and Corporate Safeguarding where the assurance level was judged to be limited and it raised particular concern that the assurance processes and controls in relation to the latter were deemed to be inadequate as a particularly high risk area involving the care and protection of vulnerable individuals. The Assistant Chief Executive (Partnerships, Community and Service Improvement) said that the Assistant Chief Executive (Governance and Business Process Transformation) has met with all Heads of Service to progress corporate safeguarding. The Committee was agreed that the Corporate Scrutiny Committee be asked to further scrutinise the findings in relation to Corporate Safeguarding.

•           The Committee noted that certain fundamental control issues e.g. the completion of order requisitions prior to the receipt of goods are identified with regularity in audit review findings especially in relation to schools and while accepting that practices sometimes require time to embed, the Committee sought clarification of whether the findings of internal audit reviews in relation to certain establishments e.g. schools require more extensive monitoring. The Head of Function (Resources) and Section 151 Officer said that it is difficult to ensure that every establishment adheres to the rules exactly and uniformly especially in relation to schools where the resources, capacity  and pressures vary from school to school. There is a key role for the governing body to monitor practice and to hold head teachers accountable for ensuring compliance.

•           The Committee noted that the internal audit recommendation in relation to agency staff remained on the outstanding list and it sought assurance that agreed practice in relation to hiring agency staff is now being followed. The Head of Function (Resources) and Section 151 Officer confirmed that this is the case as per the recommendation and that the system needs to be updated to reflect implementation. The Internal Audit Manager said that she would follow the matter up with the Chief Executive.

The Internal Audit Manager said with regard to those areas in Appendix D where the audit review findings resulted in a limited assurance opinion or where progress on  ...  view the full minutes text for item 5.