Agenda and minutes

To receive any declaration of interest by any Member or Officer in respect of any item of business.

No declaration of interest was received.

To present the minutes of the previous meeting of the Audit and Governance Committee held on 21 September, 2017.

Arising thereon –

ICT Business Transformation Manager to report on the approach to dealing with the threat of malicious hacking activities.

The minutes of the previous meeting of the Audit and Governance Committee held on 21 September, 2017 were presented and were confirmed as correct.

Arising thereon –

•           The Committee sought clarification of progress or otherwise with deciding to renew the Orchard Housing Information Management System

The Committee was informed that a decision had been made to extend the existing Orchard system and to work with the supplier to make better use of the Business module.

•           The Committee sought clarification of whether the Corporate Scrutiny Committee had considered the Internal Audit review report of School Transport to whose attention the Audit Committee had referred the matter.

The Committee was informed that the matter is scheduled to be considered by the Corporate Scrutiny Committee at its meeting to be held on 31 January, 2018.

•           In accordance with the Committee’s request at its meeting held on 21 September, 2017 the ICT Business Transformation Manager reported on the Council’s approach to dealing with the threat from malicious hacking activities and other forms of cyber-crime.

The ICT Business Transformation Manager reported that cyber threats are increasing as testified to by a number of press reports. This year’s cyber-attacks have reached unprecedented levels and are likely to be exceeded again next year. Attacks can be perpetrated by state actors or by individuals; they can be low level where the likelihood of success against an organisation such as a local authority is very low, or sophisticated. The Council has to ensure that IT is sufficiently protected against the whole spectrum of attacks. An emerging threat is that posed by Ransomware which is typically delivered by e-mail and associated links. In light of such a threat, user awareness training is critical for all individuals who use the technologies within the Council to ensure they remain vigilant about e-mails, attachments and what they contain or ask for. Phishing attacks for example seek to induce individuals to disclose sensitive information whilst a whaling attack is one that is targeted at senior officers. The Council subscribes to national bodies and organisations to receive alerts and updates in relation to cyber security and is a member and attendee of Cymru Warp, a national community of IT security officers who share and exchange information and experiences. Additionally, all staff are to be provided with training on cyber security and data protection via the e-learning portal. The ICT service is also looking to strengthen capacity to take a proactive approach to ICT security monitoring. Hopefully, the picture presented will help the Committee gain a better appreciation and understanding of the risks the Council faces whilst also being assured that it has in place an array of measures to obstruct potential attacks.

The IT Service and Performance Manager reported on the technologies deployed by the Council to deal with the various levels of threats faced by it, the nature of the attacks it has experienced and how it has successfully defended against these attacks to minimise and/or avert ensuing loss and/or disruption.  ...  view the full minutes text for item 2.

To present the report of the Audit and Risk Manager.

The report of the Head of Audit and Risk which provided an update on Internal Audit’s progress with regard to service delivery, reviews completed, follow up action taken and implementation of management action was presented for the Committee’s consideration.

The Head of Function (Resources) and Section 151 Officer summarised the main points as follows –

•           That 3 internal audit review reports were finalised in the period as detailed in paragraph 3.2 of the report. Two of the reports – Licensing Services and Council Tax and Non Domestic Rates resulted in a Substantial Assurance opinion and Reasonable Assurance opinion respectively.  The third Internal Audit Review report in relation in Sundry Debtors resulted in a Limited Assurance opinion and in accordance with agreed practice, the Committee has been provided with a copy of the full report separately to the agenda.

•           That a second follow up review of Building Regulations Fees – Inspection and Enforcement Regimes was carried out. Although this report had a Reasonable Assurance rating and would not normally be the subject of a formally reported follow-up, no progress had been made in implementing the management actions at the first follow up visit. The second follow-up review confirmed that from the four risks raised, actions have been partially implemented to address all risks and the priority ratings have been reassessed to take into account the actions implemented to date. The Building Control Team has demonstrated good progress in implementing the actions agreed to address the risks identified and the rating remains as Reasonable Assurance for the arrangements for governance, risk management and/or internal control.

•           That the graph at section 5.3 of the report shows that the Council has steadily improved its performance in implementing Internal Audit recommendations over the last 12 months, notwithstanding a slight trailing off of performance over the last month.

•           That to date, 41% of the Internal Audit Operational Plan had been completed with a further 31% currently work in progress. Due to a significant slippage of work from 2016/17, the retirement of the Senior Fraud Officer and the long-term absence of a Senior Auditor, the resource available to complete the Operational Plan for 2017/18 has been reduced. Consequently, the Head of Audit and Risk has undertaken a risk assessment with Heads of Service and the Head of Function (Resources)/ Section 151 Officer. Audit reviews have been prioritised to ensure resources are targeted to the areas of highest risk.

•           That the Committee should periodically review its terms of reference for appropriateness. In accordance with the Committee’s Forward Work Programme, the terms of reference were due to be considered at the Committee’s September meeting. It was determined that the review be postponed until the December meeting after publication of the new CIPFA guidance expected in November, 2017. However, CIPFA has confirmed it will now publish the guidance in December, 2017. Therefore, it is recommended that the review of the terms of reference be further postponed until the Committee’s February, 2018 meeting.

The Head of  ...  view the full minutes text for item 3.

To present the Annual Audit and Completion of Audit Letters 2016/17.

The Annual Audit Letter for 2016/17 along with the notice of the certification of the completion of the audit of the 2016/17 accounts were presented for the Committee’s information.

The Audit Letter confirmed the following –

•           That the Council complied with its responsibilities relating to financial reporting and use of resources

•           That the Auditor General is satisfied that the Council has in place appropriate arrangements to secure economy, efficiency and effectiveness in its use of resources

•           That the Auditor General issued a certificate confirming the completion of the audit of accounts on 29 September, 2017

•           That to date external audit work on the certification of grant claims and returns has not identified significant issues that would impact on the 2017/18 accounts for key financial systems.

It was resolved to accept and to note the external audit documentation.

NO ADDITIONAL ACTION WAS PROPOSED

To present the report of the Head of Function (Resources) and Section 151 Officer.

The report of the Head of Function (Resources) and Section 151 Officer incorporating a review of the Treasury Management position at mid-year 2017/18 was presented for the Committee’s consideration.

The Head of Function (Resources) and Section 151 Officer reported on the main points as follows:

•           That the Treasury Management Strategy Statement (TMSS) for 2017/18 was approved by the Council on 28 February, 2017. There are no policy changes to the TMSS; the details provided in the mid- year review report updates the position in the light of the updated economic position and budget changes already approved.

•           The table at 5.2 of the report shows the revised estimates for capital expenditure in comparison to the capital budget. The current estimate for capital expenditure is behind the original estimate mainly due to the New Highways to Wylfa being delayed until the next financial year and the Holyhead Strategic Infrastructure still awaiting WEFO funding. However, there are no significant changes to the financing of the capital programme to report at this stage.

•           The table at 5.4.2.1 of the report shows the Capital Financing Requirement (CFR) which is the underlying need to borrow externally to fund capital expenditure. The Council is currently slightly below the original forecast CFR due to the forecast underspend in the 21st Century schools programme meaning less borrowing will be undertaken in 2017/18. The table also shows the expected debt position (or operational boundary) over the period. The Council is at present £47m approximately within the boundary.

•           Section 6 of the report outlines the position with regard to the Council’s investment portfolio for 2017/218. A full list of investments as at 30 September, 2017 is provided in Appendix A to the report. The approved limits within the Annual Investment Strategy were not breached during the first six months of 2017/18.

•           The projected CFR for 2017/18 is £138.1m.The Council has projected year end borrowing of £118m and will have used £20.1m of cash flow funds in lieu of borrowing. This is a prudent and cost effective approach in the current economic climate but will require ongoing monitoring in the event that upside risk to gilt yields prevails. Whilst no borrowing was undertaken during the first half of the financial year, it is anticipated that borrowing will need to be undertaken during the second half of the year. Paragraph 7.3 gives details of two separate long term loans with the PWLB that matured during the first six months of the financial year.

•           No debt rescheduling has been undertaken to date in the current financial year.

•           Paragraph 9 of the report outlines activity since the end of Quarter 2, principally the arrangements made with regard to borrowing £5m from Tyne and Wear Pension Fund South Shields.

•           Section 11 of the report provides an update on TM related matters in relation to revised CIPFA codes and regulations under MIFID ll  - these govern the relationship that financial institutions conducting lending and borrowing transactions will have with  ...  view the full minutes text for item 5.

To present the report of the Head of Function (Resources) and Section 151 Officer.

The report of the Head of Function (Resources) and Section 151 Officer incorporating the Risk Management Policy and Guidance was presented for the Committee’s consideration.

The Insurance and Risk Manager reported on the outcome of the review of the Risk Management Strategy and Framework which was undertaken by the Head of Audit and Risk and the Risk and Insurance Manager in conjunction with the Senior Leadership Team and Heads of Service during Quarter 2. The review highlighted areas where improvements can be made mainly in relation to fully embedding risk management processes within the Council’s working practices so that it becomes an integral part of informed decision making rather than a tick-box paper exercise, as well as the steps being taken or already implemented  to ensure the improvements take place. The review also found that Elected Members and Officers are not always fully informed of the risks involved when taking decisions; neither has training on risk management been offered to Elected Members although senior and middle managers have received the training.

The Committee considered the information presented and made the following points –

•           The Committee having considered the Risk Management Guidance noted that the document sets out an approach to risk that appears to be onerous in terms of its complexity and level of detail. As such, it could be off-putting to managers and could reinforce the impression of risk management as a tick-box exercise rather than as a practice to be applied in a meaningful way as part of day to day operational activities and decision making. The Insurance and Risk Manager said that the guidance has been put together with the support of an external consultant and is pitched at a level which it was agreed Management required at the time; an abridged version covering the principal considerations is available on the Council’s intranet site.

•           In light of the recent flooding event the Committee sought clarification of the process for reviewing the risk of reoccurrence or if flooding does reoccur, the steps that will be taken to reduce the impact on the Council. The Chief Executive confirmed that the Council has commenced the lessons to be learnt process after the flood; the Head of Function  (Resources) and Section 151 Officer said that with regard to the Council office building specifically, the review of what happened will generate a lessons learnt log which will in turn feed into the relevant risk register.

•           The Committee sought clarification as to what level of decision making does the Risk Management process come into effect i.e. whether there is a risk to the Council in any way from decisions that may be taken at a more junior level. The Insurance and Risk Manager said that risks are assessed according to impact and likelihood against agreed criteria using descriptive scales; having made this assessment it is then a matter for Management and the level of authority and scope to act which an individual has. The Head of Function(Resources) and Section 151  ...  view the full minutes text for item 6.

To present the report of the Audit and Risk Manager.

The Committee’s Forward Work Programme to September, 2018 was presented for the Committee’s consideration and review.

With regard to the Children’s Services Improvement Plan, Councillor Richard Griffiths as the Corporate Scrutiny Committee’s representative on the Children’s Services Improvement Panel confirmed that regular progress reports are being made to the Corporate Scrutiny Committee and that progress is currently on target.

It was resolved to accept the Work Programme as presented.

NO ADDITIONAL ACTION WAS PROPOSED.