Agenda, decisions and minutes

Virtual Meeting (At present, members of the public are not able to attend), Audit and Governance Committee
Tuesday, 1st December, 2020 2.00 pm

Venue: Virtual Meeting

Contact: Ann Holmes 01248 752518 

Items
No. Item

Due to connection issues experienced by the Vice-Chair who was chairing this meeting in the absence of Councillor Peter Rogers, the Committee’s Chair, Councillor R. Llewelyn Jones was elected Chair to start the meeting. Subsequently, after the connection issue was resolved Councillor R.Llewelyn Jones was formally elected to serve as Vice-Chair for the duration of the meeting.

 

1.

Declaration of interest

To receive any declaration of interest by any Member or Officer in respect of any item of business.

Minutes:

No declaration of interest was received.

2.

Minutes of the Previous Meeting pdf icon PDF 207 KB

To present the minutes of the previous meeting of the Audit and Governance Committee held on 13 October, 2020.

Minutes:

 

The minutes of the previous extraordinary meeting of the Audit and Governance Committee held on 13 October, 2020 were presented and were confirmed as correct subject to the following amendments –

 

           Replace “two” with “to” in the first line of the first bullet point under item 3.

           Replace “interest incurred” in the second line of the second bullet point under item 3 with “interest received.”

           Replace “distrusted” in the first line of the third bullet point under item 3 with “distributed.”

           To note that the sentence in the fourth paragraph under item 3 beginning “Mr Howse reported the External that a level of materiality was set at £3.7m which would apply to any local authority in Wales……” does not read well and is incomplete.

 

Arising thereon –

 

Mr Dilwyn Evans, Lay Member referred to the fact that he had raised a point of clarification on the Statement of Accounts at the previous meeting with regard to interest received  specifically a disparity between the figure for interest received in the draft Statement of Accounts presented  to the Committee’s 1 September, 2020 meeting and the figure shown in the version of the Statement of Accounts presented to the 13 October meeting and had queried why the change in the amount of interest received was not reflected in the Comprehensive Income and Expenditure Account. Assurance was given that an explanation for the anomaly would be provided in due course but this had not been forthcoming. The Director of Function (Resources)/Section 151 Officer apologised for the oversight in not responding and confirmed that he would provide the requested clarification following the meeting.

3.

Isle of Anglesey County Council - Covid 19 Response and Recovery - Interim Assurance pdf icon PDF 115 KB

To present the report of External Audit.

Minutes:

The report of External Audit incorporating the findings of work undertaken remotely by Audit Wales to assess the Council’s response to the Covid-19 emergency and its approach to recovery was presented for the Committee’s consideration.

 

Mr Jeremy Evans, Audit Wales reported that the findings of the report are based on committee meetings observed by Audit Wales, documents  reviewed in the form of agenda papers and internal documents supplied by the Council, and meetings held on-line with key officers and councillors. Some of the key conclusions drawn include the following –

 

           The Council has taken measures to keep staff and the public safe invoking its emergency planning arrangements in March 2020. Going forward, the Council is using a mix of working at home, in the office and on site. As further Council services have been reintroduced, additional actions have been taken to provide a safe environment for the public and staff alike.

           Looking forward, the Council has always recognised that Information technology plays an important role in delivering services and the 2020/21 budget identifies further investment in IT to support the delivery of services.

           Whilst there has been the odd example of growing pains in transferring formal democratic meetings to a digital platform, the Council has adapted well to its new meeting environment and has shown a commitment to making the new arrangements work.

           Staff members’ willingness to be redeployed and undertake different work or roles has supported the communities on the Island and contributed to the resilience of Council services.

           The Council has made significant efforts to communicate to a wide range of audiences.

           The Executive has received detailed reports that estimate the early financial impact of the Covid-19 pandemic as well as identifying future pressures on council services.

           The Council continues to work with the full range of partners to support the Island’s communities and wider region.

 

The Committee took assurance from Audit Wales’s interim findings clearly set out in the report and no questions were raised on the content.

 

It was resolved to accept and to note the interim findings of Audit Wales as presented in the report.

 

NO PROPOSALS FOR ADDITONAL ACTION WERE MADE

4.

Update on Internal Audit Strategy and Priorities 2020/21 pdf icon PDF 308 KB

To present the report of the Head of Audit and Risk.

Minutes:

The report of the Head of Audit and Risk providing an update as at 16 November, 2020 on the work of Internal Audit  since the last report to Committee on Internal Audit activity in September, 2020 together with the priorities for the short to medium term was presented. The report was a shortened version of the usual quarterly update report in line with the requirements of the Meetings Strategy during the emergency period.

 

The Head of Internal Audit and Risk –

 

           Updated the Committee on the assurance work completed since the last update with reference to the table at paragraph 6 of the report. Of the audits listed, three had resulted in a Substantial Assurance rating; two had resulted in a Reasonable Assurance rating and a further two audits – Management of School Unofficial Funds and Leavers Process had resulted in a Limited Assurance rating.(The Limited Assurance reports were issued separately to the Committee’s members and relevant Portfolio Holders). A further two audits not listed in the table relating to Education Grants – the one in relation to the Pupils Development Grant 2019/20 and the other in relation to the Financial Pressures around the Teachers Pay Award had also been finalised and both attracted Substantial Assurance.

 

In elaborating on the Action Plan and the status of the risks/issues identified by the Management of the School Unofficial Funds Limited Assurance audit, the Head of Audit and Risk advised that although oversight of school unofficial funds is the responsibility of school governing bodies there is a reputational risk associated with such funds and there have been instances both local and national where fraud and mismanagement have occurred. Given that they are linked to fund raising activities and can involve significant amounts of money school unofficial funds are considered high risk in terms of the potential for fraud. Against this background therefore the Internal Audit undertook to assess the situation in Anglesey and the audit was carried out in collaboration with the Learning Service. The Officer highlighted the audit as a good example of the collaborative audit culture which the Internal Audit Service  has been seeking to develop -  the Learning Service having responded proactively to the risks/issues raised meaning that a great deal of progress has been made in addressing them. The Senior Education Manager confirmed that the level of collaboration had been excellent and that the Service would continue to progress matters over the coming months. The Portfolio Member for Education also expressed his thanks to both services and urged members in their capacity as school governors to avail themselves of the planned training on the effective management of school funds (the absence of training being one of the  risks/issues raised) when arrangements are confirmed.

 

The Head of Audit and Risk similarly guided the Committee through the Leavers Process Limited Assurance audit report and confirmed that Human Resources had likewise been proactive in responding to the risks and issues raised by the audit.

 

           Reported on work in progress as  ...  view the full minutes text for item 4.

5.

Anglesey Schools Data Protection Evaluation Report -First Evaluation Visit to Anglesey Primary and Secondary Schools by Schools Data Protection Officer July 2020 pdf icon PDF 1 MB

To present a report by the Schools Data Protection Officer.

Minutes:

The report of the Schools Data Protection Officer which provided an analysis of schools’ position in respect of compliance with requirements under data protection legislation, mainly under the General Data Protection Regulations (GDPR) was presented for the Committee’s consideration. The report gave a summary of the Schools Data Protection Officer’s findings following the first visit to primary and secondary schools and outlined the next steps to take to ensure that all schools meet data protection requirements as soon as possible.

 

The Schools Data Protection Officer provided background information to the evaluation visits to 45 out of 46 primary and secondary schools on Anglesey which took place between October, 2019 and February, 2020 and referred to the outcome of those visits which in summary found that -

 

           Day to day information management practices within schools are generally acceptable but the majority of schools have not adopted current key policies and documents as a number of these policies were not created for schools prior to the appointment of the Schools Data Protection Officer. It is essential that current core policies and documents are adopted as soon as possible.

           There is a need to ensure that specific, effective and robust data protection processes are in place in line with key policies and documents.

           There is a need to ensure that schools have ROPA (Record of Processing Activities) including data flow maps and an Information Register in place that are kept up to date.

           There is a need to ensure that schools have suitable and up to date Privacy Notices available and shared with individuals.

           There needs to be appropriate agreements in place with high level data processors and also with individual schools.

           More work is required around the use of consent.

           The training plan needs to be updated and schools need to ensure that their staff have completed the online module.

           Work needs to be done to ensure that all school governing bodies are aware of their data protection responsibilities and how to ensure that schools comply.

 

Given that the process of beginning to have policies, processes and practices in place to comply with data protection legislation has started within schools the Schools Data Protection Officer was able to provide Reasonable Assurance in her assessment of the position. However, there remains more work to be done to ensure all schools are on the same level and operating consistently across the Island. Mindful that Covid-19 has had a significant impact on the implementation of the steps to be taken and the work programme for approving and adopting the policies as well as the related training and awareness raising, the Officer updated the Committee on the progress made since July 2020. She also outlined what she had identified as the next steps to be taken (detailed in section 26 of the attached long report) to ensure that all schools operate in accordance with requirements and achieve what is expected of them as Data Controller who is ultimately  ...  view the full minutes text for item 5.

6.

Treasury Management Mid-Year Review 2020/21 pdf icon PDF 1 MB

To present the report of the Director of Function (Resources)/Section 151 Officer.

Minutes:

The report of the Director of Function (Resources)/Section 151 Officer updating the Committee on the Treasury Management 2020/21 mid-year position was presented for the Committee’s consideration.

 

The Director of Function (Resources)/Section 151 Officer summarised  the main points for the Committee in terms of borrowing and investment activity at the mid-year point  with particular reference to the impact of Covid 19 and confirmed compliance with the treasury and prudential indicators set in the Council’s Treasury Management Strategy Statement 2020/21.

 

Points noted included the following –

 

           That it remains the Council’s priority to ensure security of capital and liquidity and to obtain an appropriate level of return which is consistent with the Council’s risk appetite. Where possible, the Council makes use of its own cash funds to finance capital expenditure and does not borrow more than, or in advance of its needs. However, the ability to externally borrow to repay the reserves and balances if needed is important.

           The Council held £42.224m of investments as at 30 September, 2020 (£20.208m at 31 March, 2020). Due to large sums of grants received from Welsh Government to help deal with the Covid crisis and the availability of call accounts to the Council, this has resulted in the Council holding balances in call accounts over and above the limits approved within the Annual Investment Strategy included in the TMSS 2020/21.Although this could not be foreseen counterparty limits will be assessed and reviewed when producing the TMSS for 2021/22.

           Given that security of funds is a key indicator of the Council, other local authorities are seen as the most secure way of investing funds giving greater return than most bank call accounts. The table at paragraph 5.9 of the report shows a list of investments made to other local authorities during the first half of the financial year.

           Whilst no borrowing was undertaken during the first half of the financial year, it is anticipated that borrowing will be undertaken during the second half of the financial year. There will be a borrowing requirement to fund part of the 2020/21 capital programme and this will be through internal borrowing and external borrowing. The latter is in relation to funding the £4.449m capital costs of new vehicles as part of the conditions of the waste contract awarded to Biffa. The Council has projected year end borrowing of £128.9m and will have used £11.7m of cash flow funds in lieu of borrowing.

           No debt rescheduling has been undertaken to date in the current financial year.

           There are some changes to the financing  of the capital programme due to an expected significant underspend in capital schemes in 2020/21 primarily the 21st Century Schools Programme and the Housing Revenue Account. As at 30 September, 2020 £11.471m of capital spend had taken place against the original capital budget of £49.466m with a projected year end position of £33.755m expenditure on the capital budget. Details of how the projected underspend affects the capital funding arrangements are provided  ...  view the full minutes text for item 6.

7.

Audit Letter: North Wales Regional Pooled Funds in relation to Care Home Places for Older People pdf icon PDF 115 KB

To present the report of External Audit.

Minutes:

The report of External Audit with regard to regional pooled funds in relation to care home places for older people was presented for the Committee’s consideration. The report in the form of two letters, the one to the Chief Executive of Anglesey County Council and the other to the Director General for Health and Social Services raised value for money issues in respect of the current North wales pooled funding arrangements in relation to care home places for older people.

 

Mr Jeremy Evans, Audit Wales reported that Audit Wales recently completed two reviews looking at residential and nursing care in North Wales, specifically in Conwy County Borough Council and Denbighshire County Council. Whilst the reviews looked primarily at local arrangements they also raised some specific concerns about the North Wales regional pooled fund in relation to care home places for older people which is a partnership between all six North Wales councils and Betsi Cadwaladr University Health Board. The review concluded that the current arrangement whereby the funding from the relevant organisations is initially deposited into a pooled fund administered by Denbighshire County Council and returned to each contributor 24 hours later although it meets the minimum compliance with Welsh Government standards, does not offer value for money, nor any of the intended  benefits of a pooled fund. Whilst Audit Wales has not tested the arrangements in other regions it understands that they are of a similar nature. The information and proposals for improving the pooled fund arrangement have been shared with Anglesey Council as a partner in the fund.  Welsh Government has been apprised of these concerns and has been asked to provide assurance with regard to the actions it intends to take to better support the delivery of pooled funding in Wales.

 

The Director of Function (Resources)/Section 151 Officer advised that the Social Services and Well-being Act 2014 requires local authorities to enter into a pooled funding agreement for care home accommodation for older people. Given the value of the North Wales regional pooled fund (around £100m), entering into such an arrangement needs to be carefully considered, the risks assessed and procedures agreed beforehand. In the absence of prior consultation with the councils, and a lack of clarity regarding the objectives of the pooled fund in relation to care home accommodation services for older people, the six local authorities and BCUHB discussed their obligations in terms of meeting the minimum technical requirements under the Act and, based on a model implemented by the Cardiff region, came to the arrangement described in  the Audit Letter whereby contributions are deposited into a pooled fund  and returned on the same day.  Whilst the Authority is meeting its legal requirements, as part of ongoing discussions pressure is being brought to bear on Welsh Government by the local authorities through BCUHB to review the Act and to clarify what the pooled fund is expected to achieve. There are risks to the Council in contributing to the pooled fund and being involved in joint  ...  view the full minutes text for item 7.

8.

Forward Work Programme pdf icon PDF 178 KB

To present the report of the Head of Audit and Risk.

Minutes:

The report of the Head of Audit and Risk incorporating the Committee’s Forward Work Programme to April, 2021 was presented for the Committee’s consideration.

 

It was resolved to accept the Forward Work Programme without amendment.

9.

Exclusion of Press and Public pdf icon PDF 738 KB

To consider adopting the following –

 

“Under Section 100 (A) (4) of the Local Government Act 1972, to exclude the press and public from the meeting during the discussion on the following item on the grounds that it may involve the disclosure of exempt information as defined in Schedule 12A of the said Act and in the attached Public Interest Test.”

 

Minutes:

It was resolved Under Section 100 (A)(4) of the Local Government Act 1972 to exclude the press and public from the meeting during the discussion on the following item on the grounds that it involved the disclosure of exempt information as defined in Schedule 12A of the said Act and in the Public Interest Test presented.

10.

Cyber Security Annual Report 2019/20

To present the report of the Head of Profession (HR) and Transformation.

Minutes:

The report of the Head of Profession (HR) and Transformation incorporating the Cyber Security Annual Report for 2019/20 was presented for the Committee’s consideration. The report summarised the cyber threats facing the Council and provided an overview of some of the mitigations the Council has in place to counter these threats.

 

The IT Service and Performance Management Manager reported that as with any other internet connected organisation the Council’s network is subject to attack and the large volume of information held by the Council including sensitive data means that it is imperative that the risk of a successful cyber-attack is reduced as much as is reasonably possible. Cyber-attacks vary in their approach and complexity but are consistent in their intent to disrupt, damage or steal. The risk of cyber-attack is recognised by the Council and is recorded as such within the Corporate Risk Register which is monitored by the Senior Leadership Team.

 

The IT Service and Performance Management Manager guided the Committee through the annual report with reference to the various types of cyber attackers and their motivations and the different forms which cyber-attacks can take, and he outlined in general terms the mitigations the Council has in place to reduce the organisation’s vulnerability to cyber-attacks and security incidents along with the assurance which these provide.

 

The Committee in considering the report highlighted the following –

 

           The importance of cyber security awareness training as more services are delivered digitally and a significant proportion of the workforce operate online. Specific reference was made to individuals such as the Lay/Co-opted members of the Council’s committees who have access to information but who may not necessarily be captured by the Council’s ICT cyber security protocols or training. The IT Service and Performance Management Manager confirmed that he would raise the issue of non-councillor and non-officer cyber security training with the Human Resources Service.

           Whether any quantitative assessment of the success of the mitigation measures has been undertaken. The IT Service and Performance Management Manager advised that the additional resource with which the service has been provided is intended to improve reporting capacity and to bring together the various techniques for identifying an event in order to provide an overall picture.

 

It was resolved to accept the report and to note the assurance provided therein.

11.

Exclusion of Press and Public pdf icon PDF 116 KB

To consider adopting the following –

 

“Under Section 100 (A) (4) of the Local Government Act 1972, to exclude the press and public from the meeting during the discussion on the following item on the grounds that it may involve the disclosure of exempt information as defined in Schedule 12A of the said Act and in the attached Public Interest Test.”

 

Minutes:

It was resolved Under Section 100 (A)(4) of the Local Government Act 1972 to exclude the press and public from the meeting during the discussion on the following item on the grounds that it involved the disclosure of exempt information as defined in Schedule 12A of the said Act and in the Public Interest Test presented.

 

12.

Corporate Risk Register Update

To present the report of the Head of Audit and Risk.

Minutes:

The report of the Head of Audit and Risk incorporating the revised Corporate Risk Register was presented for the Committee’s consideration.

 

The Risk and Insurance Manager reported that the Covid 19 pandemic has brought about an unprecedented change to daily life and has resulted in the refocusing of priorities and consequently impacts on the perceived level of risk. All corporate risks have been reviewed since the Corporate Risk register was last presented to the Committee in February, 2020 with a particular emphasis on any impact that the Covid-19 pandemic may have on those risks. Likewise, each service risk register has also been reviewed in light of the impact of Covid-19 and any resulting significant changes to risks have been reflected in the corporate risk register.

 

The Officer highlighted the changes/amendments to the Corporate Risk Register in light of the review which are summarised as follows 

 

           Risk YM10 (impact of welfare reform on demand for services) has been closed and replaced with YM45 (Impact of poverty on demand for services) in recognition of the fact that poverty is not limited to those receiving Universal Credit.

           In addition to YM45 above, four other new risks have been added to the register – YM43 (Covid-19 related) and YM44 (visitor economy related), YM46 (fraud related) and YM47 (tree management related).

           That due to changing circumstances and/or increase/decrease in control activity the level of residual and/or inherent risk has changed for YM4 (health and safety), YM9 (impact of major event), YM11 (safeguarding),  YM13 (demographic change), YM15 (schools modernisation), YM29 (Gypsies and Travellers) and YM38 (IT resilience)

           The top (red) risks to the Council have been identified as YM9 (impact of major event), YM28 (cyber security), YM38 (IT resilience), YM40 (Brexit related) and YM41 (Funding related), YM43 (Covid-19 related).

 

In response to questions by the Committee, the Risk and Insurance Manager clarified the rationale for redefining YM10 in the introduction of new risk YM45 and explained that YM44 is connected to improving infrastructure, facilities and amenity provision in response to increased visitor numbers which issue came to the fore over the summer.

 

It was resolved to note the amendments to the Corporate Risk register as part of the Council’s arrangements for managing its risks and to take assurance that the Senior Leadership team has recognised and is managing the risks to the achievement of the Council’s priorities.

 

NO PROPOSAL FOR ADDITIONAL ACTION WAS MADE