Agenda and minutes

Audit and Governance Committee
Tuesday, 3rd December, 2019 2.00 pm

Venue: Council Chamber, Council Offices, Llangefni. View directions

Contact: Ann Holmes 01248 752518 

Items
No. Item

In the absence of the Chair, Mr Jonathan Mendoza, the Vice-Chair chaired the meeting; Councillor Dylan Rees was elected to act as Vice-Chair for this meeting only. The Chair explained that Councillor Peter Rogers, Chair of the Audit and Governance Committee was recuperating following recent knee surgery. On behalf of the Committee’s members, he wished Councillor Rogers well for a full and speedy recovery.

1.

Declaration of Interest

To receive any declaration of interest by any Member or Officer in respect of any item of business.

Minutes:

No declaration of interest was received.

2.

Minutes of the Previous Meeting pdf icon PDF 383 KB

To present the minutes of the previous meeting of the Audit and Governance Committee held on 3 September, 2019.

Minutes:

The minutes of the previous meeting of the Audit and Governance Committee held on 3rd September, 2019, were presented and were confirmed as correct.

3.

Isle of Anglesey County Council: Annual Audit Letter 2018/19 pdf icon PDF 162 KB

To present the Annual Audit Letter for 2018/19.

Minutes:

The Annual Audit Letter for the Isle of Anglesey County Council for 2018/19 was presented for the Committee’s consideration. The Letter confirmed the following –

 

           The Council complied with its responsibilities relating to financial reporting and use of resources.

           The Auditor General is satisfied that the Council has appropriate arrangements in place to secure economy, efficiency and effectiveness in the use of its resources, and

           On 12 September, the Auditor General issued an unqualified audit opinion on the accounting statements confirming that they present a true and fair view of the Council’s financial position and transactions. The key matters arising from the audit were reported to the Audit Committee’s September 2019 meeting.

 

With regard to the statement in the Audit Letter about the Auditor General wishing to highlight that he is currently undertaking a review of the Council’s financial sustainability, the Director of Function (Resources)/Section 151 Officer advised that the Auditors have conducted interviews with a number of senior staff at the Council as well as relevant Elected Members as part of an exercise they are conducting to review the financial sustainability of all 22 Welsh local authorities. It was intended that the draft findings be presented to the Council by Christmas; once the resulting report has been finalised it will be presented to the next available meeting of this Committee.

 

It was resolved to accept and to note the Annual Audit Letter for 2018/19 without further comment.

4.

Cyber Security Annual Report 2019 pdf icon PDF 430 KB

To present the report of the Head of Profession (HR) and Transformation.

Minutes:

The Cyber Security Annual Report for 2019 was presented for the Committee’s consideration. The report summarised the cyber threats facing the Council and provided an overview of some of the mitigations the Council has in place to counter these threats.

 

The IT Service and Performance Management Manager reported that as with other organisations which hold large volumes of information including sensitive, personal and financial information, cyber security is a significant risk to the Council. Reports of cyber-attacks have become common place in the news with high profile attacks on a weekly or even daily basis. Cyber-attacks vary in their approach and complexity but are consistent in their intent to disrupt, damage or steal. The risk of cyber-attack is recognised by the Council and is recorded as such within the Corporate Risk Register which is monitored by the Senior Leadership Team.

 

The Officer referred to the various types of cyber attackers and their motivations and the various forms which cyber-attacks can take and outlined in general terms the mitigations the Council has in place to reduce and manage the risk including the following –

 

           Malware – malicious programmes or codes that seek to damage or disable computers, servers, networks and other computing devices. All Council computers and servers operate anti-malware software which scans for signatures of known malicious codes and block access if found.

           Software vulnerabilities – bugs or loopholes in software code which if exploited by an attacker can cause the software to behave in an unexpected and undesirable manner. Where software is current and still supported by the supplier, corrected code packages known as updates or patches are made available to address software bugs and close the potential security loophole. The Council was an early Windows 10 adopter following which it also moved away from installing application software on each and every computer (which was a significant burden in terms of managing security updates) to application virtualisation meaning that for each application there is a master copy which runs on a central server and is accessed by all computers or laptops – there is therefore only one copy to keep up to date and manage. The Council further arranges for third party ethical hackers to carry out vulnerability assessments on the Council’s networks.

           Insider threats – accidental staff actions, malicious staff actions or the actions of contractors. The Council has played a leading role in the procurement of a bilingual, all-Wales E-Learning package on cyber awareness; it operates Baseline Personnel Security Standard (BPSS) process requiring all staff who have access to official sensitive data which is derived from the cabinet office to produce proof of identity, nationality and undergo a DBS check. All contractors who either host IT systems or have remote access to Council IT systems are required to sign a Data Processing Agreement; the Council also has various policies in place for the safe use of IT which all IT connected staff are required to review and accept.

           Phishing – act of sending  ...  view the full minutes text for item 4.

5.

Treasury Management Mid-Year Review 2019/20 pdf icon PDF 1 MB

To present the report of the Director of Function (Resources)/Section 151 Officer.

Minutes:

The report of the Director of Function (Resources)/Section 151 Officer on the treasury management position and activity midway through the 2019-20 financial year was presented for the Committee’s consideration.

 

The Director of Function (Resources)/Section 151 Officer highlighted the following –

 

           That there are no policy changes to the Treasury Management Strategy Statement which was approved by the Full Council on 27 February, 2019. The report updates the position in light of the updated economic position and budgetary changes already approved.

           That with regard to its investment portfolio, the Council held £18.551m of investments as at 30 September, 2019 (£14.333m at March, 2019) and the investment portfolio yield for the first six months of the year was 0.62%. A full list of investments as at 30 September, 2019 was provided in Appendix 3 along with a summary of investments and rates in Appendix 4. The approved limits within the Annual Investment Strategy were not breached during the first six months of 2019/20.

           That the Council’s budgeted investment return for the whole of 2019/20 is £0.031m and performance for the year to date exceeds the budget with £0.041m received to the end of Quarter 2 this being due to investing surplus cash with other local authorities creating a better investment return than a bank call account. The table as at 5.7 shows a list of investments made with other local authorities during the first half of the 2019/20 financial year. Given that security of funds is the key indicator of this Council other local authorities are seen as the most secure way of investing funds giving a greater return than most bank call accounts.

           That in terms of borrowing, the Council has projected year end borrowings of £127.6m and will have used £12.6m of cash flow funds in lieu of borrowing. This is a prudent and cost effective approach in the current economic climate but will be subject to ongoing monitoring. No borrowing was undertaken during the first half of this financial year and it is not anticipated that any additional external borrowing will need to be undertaken during the second half of the financial year. There will be a borrowing requirement to fund a part of the 2019/20 capital programme, but this will be through internal borrowing.

           That on 9 October, 2019 the Treasury and Public Works Loans Board (PWLB) announced an increase in the borrowing rate by 100 basis points or 1%. This was done without prior warning meaning that every local authority has to fundamentally reassess how to finance their external borrowing needs and the financial viability of capital projects in their capital programme due to the unexpected increase in the cost of borrowing. Whereas this Authority has previously relied on PWLB as its main source of funding, it now has to fundamentally reconsider alternative cheaper sources of borrowing.

           That debt rescheduling opportunities have been very limited in the current economic climate and none has taken place to date in the current financial  ...  view the full minutes text for item 5.

6.

Internal Audit Update pdf icon PDF 1 MB

To present the report of the Head of Audit and Risk.

Minutes:

The report of the Head of Internal Audit and Risk which provided an update on Internal Audit’s latest progress with regard to service delivery, assurance provision, and reviews completed was presented for the Committee’s consideration.

 

The Head of Audit and Risk reported on the main considerations as follows –

 

           That five reports were finalised during the period which were all grant certification audits  – Pupil Development Grant (Looked After Children); Teachers Pay Awards and Cost Pressures; Pupil Development Grant (Access); Ethnic Minority & Gypsy Roma Traveller Learners Grant and Additional Free School Meals Costs due to rollout of Universal Credit (Copies were provided to the Committee’s members). The first four reviews produced a Substantial Assurance opinion whilst the fifth resulted in a Reasonable Assurance opinion. Internal Audit did not identify any risks for management attention for any of the five reviews.

           A second follow-up review of Sundry Debtors (the original review and first follow-up having resulted in a Limited Assurance opinion) concluded that Management have undertaken much work to address the issues/risk outstanding after the first follow-up thereby enabling Internal Audit to increase the assurance provided to Reasonable. However, in light of the fact that 8 issues/risks remain outstanding (which are in progress of being addressed) and the potential impact these would have in those areas, Internal Audit will follow-up the action plan again in May, 2020.

           That there are two follow-ups of reports with a Limited Assurance rating currently in progress – Primary Schools Income Collection and Direct Payment. There is also a follow-up of a Schools Information Governance Health Check conducted by an external consultant for which an assurance rating was not provided. Two follow-ups are scheduled for the next six months – System Controls: Logical Access and Segregation of Duties, and Sundry Debtors. These may be added to dependent on the assurance provided for reviews conducted throughout the year.

           That management performance in addressing issues/risks and implementing actions continues to improve. There are no High or Red issues/risks currently outstanding and performance in addressing Amber rated issues/risks has improved since the last update to Committee on 3 September with the overall implementation percentage for High/Red/Amber issues/risks at 94%.There has also been an improvement in performance in addressing outstanding Medium/Yellow risks. However progress with implementing the new and upgraded version of the action tracking system has been hampered by an IT compatibility issue which has only recently been resolved.

           That work is currently in progress on six audits form the Operational Plan for 2019/20 as listed in Paragraph 37 of the report.

           That the resource available to the Internal Audit Service has increased by 120 days (which after training and annual leave have been factored in allows for 70 days which can be used on outstanding projects) with the addition on a temporary basis of an accountant from the Accountancy Service, the objective being to provide the employee with a development opportunity in audit services as well as providing Internal Audit with extra  ...  view the full minutes text for item 6.

7.

Review of the Audit and Governance Committee's Terms of Reference pdf icon PDF 627 KB

To present the report of the Head of Audit and Risk.

Minutes:

The report of the Head of Audit and Risk incorporating the Committee’s terms and reference for the purpose of review was presented.

 

The Head of Audit and Risk reported that the Committee’s Forward Work Programme provides for the regular review of its terms of reference which is considered good practice. The last review in September 2018 approved a fully revised and updated terms of reference to bring them into line with the publication of CIPFA guidance. Due to the full revision of the terms of reference in 2018, significant and wide-ranging consultation was conducted to obtain stakeholder views. As no new sector specific guidance has been issued and there have been no other significant changes that affect the terms of reference, limited consultation was conducted with the Director of Function (Resources) and Section 151 Officer and an adviser from CIPFA. No significant changes were identified with the only change being the change in the Director of Function (Resources) and Section 151 Officer’s job title. If that remains the case, the terms of reference can be updated without requiring the Executive’s and Full Council’s approval.

 

Referring to sections 30 to 33 of the terms of reference which covered fraud and corruption, the Officer highlighted that the Committee’s work in this area has hitherto been limited – Internal Audit is currently undertaking a piece of work on fraud and corruption with a view to bringing a report to the Committee’s April, 2020 meeting that will include a fraud risk assessment as well as an overview of fraud for the year.

 

The Committee considered the terms of reference and sought clarification of whether any bodies other than CIPFA has a bearing on Audit Committee responsibilities in Wales. Reference was also made to a presentation by Wales Audit Office to an inaugural meeting of the 22 Chairs of Audit Committees where the guidance provided was in contrast to this Committee’s terms of reference specifically with regard to membership of audit committees

 

The Head of Audit and Risk confirmed that CIPFA is the principal body in terms of producing guidance on the function of audit committees. With regard to the Wales Audit Office presentation she clarified that part of the presentation was in relation to proposals contained within the Local Government and Elections (Wales) Bill which introduces electoral reform and new governance arrangements for local government in Wales which when enacted, is likely to result in changes including to this committee’s membership. Currently, the Audit and Governance Committee’s membership and terms of reference are in accordance with the Local Government (Wales) Measure. In response to a request for an update on the arrangements for the Committee to undertake a self-assessment, the Officer said that as the meeting of the 22 chairs of audit is undertaking a piece of work on the effectiveness of audit committees, it was deemed sensible in order to avoid duplication, to defer to this process. A session where the 22 chairs and the heads of audit met together has identified areas  ...  view the full minutes text for item 7.

8.

Forward Work Programme pdf icon PDF 183 KB

To present the report of the Head of Audit and Risk.

Minutes:

The Committee’s Forward Work Programme was presented for review and was approved without amendment.

9.

Exclusion of the Press and Public pdf icon PDF 388 KB

To consider adopting the following -

“Under Section 100 (A) (4) of the Local Government Act 1972, to exclude the press and public from the meeting during the discussion on the following item on the grounds that it may involve the disclosure of exempt information as defined in Schedule 12A of the said Act and in the attached Public Interest Test.”

 

Minutes:

It was resolved Under Section 100 (A)(4) of the Local Government Act 1972 to exclude the press and public from the meeting during the discussion on the following item on the grounds that it involved the disclosure of exempt information as defined in Schedule 12A of the said Act and in the Public Interest Test presented.

10.

Risk Based Verification

To present the report of the Director of Function (Resources)/Section 151 Officer.

Minutes:

The report of the Director of Function (Resources)/Section 151 Officer seeking the Committee’s comments on a proposed Risk Based Verification Policy was presented. The report set out how the risk groups were determined for the proposed Policy; its expected savings/benefits and how the policy would be implemented and monitored.

 

The Benefits Manager reported that currently the Benefit Service undertakes the same level of verification for all cases. This is the basic level of checks as stipulated by the now redundant DWP verification framework. As this is labour intensive, it makes it more difficult to give extra focus and limits the ability to review cases where the risk of fraud/error is highest. Although the DWP has allowed authorities the discretion to implement their own risk based verification processes since 2011, the Authority has not undertaken to do so until now. A review of processes and the reduction in Housing Benefit cases has resulted in this being considered again to see if it’s being done in the most effective way.

 

For the purpose of assisting to establish which category of claimants has the greater risk of change an analysis was made of all claimant error overpayment cases calculated in June, 2019 which considered the reasons for the overpayments as well as the profile of the claimant’s situation. An analysis of claims received in March and April 2019 was also undertaken to ascertain which risk group these would fall into. The report sets out the findings of those analyses including the elements of claims that were considered in order to determine the risk group. The impact on the service was assessed and is summarised in the report. In addition, an Equality Impact Assessment was undertaken to see whether the impact of the proposed change in approach will be greater for particular groups of claimants.

 

The Committee discussed the report and in considering the objectives of the new policy in seeking to concentrate resources on those cases where discrepancies/errors are likely to occur i.e. those falling into the high risk category, it expressed some reservations regarding the methodology adopted in relation to the elements of claims considered and it highlighted in particular potential difficulties with the age group analysis and the way in which age range had been determined which it believed could result in an inaccurate risk profile thereby biasing the conclusion reached towards a particular age group .The Committee suggested that the Officers might wish to reflect on this component of the policy before presenting it to the Executive for approval; the Committee further recommended that in the early stages of the policy’s implementation a random sampling of cases from across age groups, earnings and family composition be undertaken in order to test and verify the assumptions made.

 

It was resolved to note the proposed Housing Benefit/Council Tax Reduction Risk Based Verification Policy with the recommendations –

 

           That the age range within the age groups be reconsidered;

           That random sampling on the lines suggested be undertaken once the policy is  ...  view the full minutes text for item 10.