Agenda and minutes

To receive any declaration of interest by any Member or Officer in respect of any item of business.

No declaration of interest was received.

To present the minutes of the previous meeting of the Governance and Audit Committee held on 4 December 2025.

The minutes of the previous meetings of the Governance and Audit Committee held on 4 December 2025 were confirmed as correct, subject to amending the resolution under item 14 to read as follows, and to delete the reference to abstentions by Councillors Euryn Morris and Margaret M. Roberts:

“It was resolved that the committee was unable to accept the conclusions of the Audit Wales report but noted and accepted that the Council will implement the action plan in response to the recommendations.”

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the committee action log was presented for consideration. The report updated the Committee on the status and progress of the actions and decisions it had agreed upon.

The Head of Audit and Risk confirmed that since the previous meeting actions 10,  20, 26, and 27 have been completed.

In response to a request for an update on the development of policy guidance for the Council’s use of AI (action no. 24 on the log), the Director of Function (Resources)/Section 151 Officer explained that following comments received on the draft policy, it has been decided to divide the original document into two separate policies - one covering the general use of AI (e.g. for queries) and another addressing the use of AI within the Council’s formal systems and processes. Both policies have been reviewed by the Interim Data Protection Officer and Information Governance Manager and will be considered again by the Leadership Team at its meeting on 9 February.

It was resolved to note the actions detailed in the action log table and to confirm that the committee is content that the actions have been implemented to its satisfaction.

To present the report of the Director of Function (Council Business)/ Monitoring Officer.

The report of the Director of Function (Council Business)/Monitoring Officer which sought the committee’s view on the proposed amendment to the Council’s Constitution to provide for the final approval of the Council’s Annual Governance Statement (AGS) by the Governance and Audit Committee in place of the Council, was presented for consideration.

The Interim Legal Services Manager/Deputy Monitoring Officer reported that the annual governance statement forms part of the Council’s annual accounts and fulfils the requirement to publish a statement on internal control. She noted that the Council had recently approved changing the Constitution to delegate approval of the annual accounts to the Governance and Audit Committee to increase efficiency and meet the earlier authorisation deadline of 30 September 2026.

Welsh Government recommends that the Statement on Internal Control which for the Council is the AGS, is published when the unaudited accounts are signed and dated by the responsible financial officer which reduces the time available to address any matters raised by the Governance and Audit Committee and to produce an amended, accurate and bilingual version at a time when there are already pressures in preparing the accounts. If approval remains with the Council, the meeting scheduled for 9 September 2026 would need to be moved or an extraordinary meeting convened.

Delegating authority to the Governance and Audit Committee aligns the AGS approval timeline with that of the annual accounts, providing a more efficient process. The report will remain publicly available in the usual way, and when the draft AGS is published at the end of June, a copy will be circulated to all Members for comment.

It was resolved to support the proposed amendment to the Council’s Constitution to provide for the final approval of the Council’s Annual Governance Statement by the Governance and Audit Committee in place of the Council.

To present the report of the Director of Education, Skills and Young People.

The report of the Director of Education, Skills and Young People which provided the Governance and Audit Committee with annual assurance on the effectiveness of information governance and data protection in the Council’s maintained schools during 2024/25 was presented for consideration. The report summarised key activities and outputs, identified  risks, mitigation measures, future priorities, and an overall assurance opinion.

The Director of Education, Skills and Young People reported that during the reporting period, the Schools Data Protection Officer role was covered on a temporary basis (on average one day per week or more when required) due to the long-term absence of the substantive postholder. Due to the limited capacity, work has focused on statutory duties, incidents and high risk issues rather than proactive audit or development activities. The priority has been to maintain statutory compliance, manage live risks and incidents, provide consistent advice and support to schools and act as a central escalation and assurance point.

Based on the work completed, the temporary DPO offers reasonable assurance that schools generally have appropriate data protection policies and procedures in place. Day to day information handling is largely sound, incidents and breaches are being identified and managed appropriately and escalation routes to corporate services and the SIRO are functioning effectively.

The Director of Education, Skills and Young People also highlighted the strategic risks identified, confirming that they are recognised, proportionately managed and escalated where necessary. While key controls are in place to support ongoing compliance, they  would benefit from further strengthening. The issues identified are consistent with previous reports and remain manageable with continued focus and appropriate resourcing.

In discussing the report, the committee raised the following issues –

·      The long-term plan for ensuring capacity within the Schools DPO role

·      The generalised nature of the report and lack of concrete data to evidence outputs, making it difficult to measure progress or improvement

·      Whether issuing a reasonable assurance opinion despite identified strategic risks suggests that the threshold for reasonable may be set too low.

·      The absence of quantified risks and overall lack of preciseness in the information presented.

·      Concern that the 20% temporary replacement for the Schools DPO hours is inadequate with some members feeling that statutory compliance has been maintained more by good fortune than by robust oversight.

The Director of Education, Skills and Young People responded to the issues raised confirming that the Schools DPO remains a permanent post within the Council structure. The intention going forward is to stabilise the Schools DPO capacity and support more proactive assurance activity, bringing in additional support where required. The lack of detailed data in the report reflects the limited capacity during the period and the need to prioritise statutory and high risk work. He agreed to include the requested data and greater detail in the next annual report.

He noted that the temporary Schools DPO has drafted the report and has provided ongoing support for schools and that her reasonable assurance opinion is trusted. The report aims to set out clearly what has  ...  view the full minutes text for item 5.

To present the report of the Director of Function (Resources)/Section 151 Officer.

The report of the Director of Function (Resources)/Section 151 Officer incorporating the Treasury Management Strategy Statement (TMSS) for 2026/27 was presented for the committee’s consideration. The TMSS outlines how the Council will manage borrowing, investments and cashflow in the coming year and it supports the Council Plan, Capital Strategy and Medium Term Financial Plan. Its publication is required under the Local Government Act 2003 and CIPFA Prudential and Treasury Management Codes.

The Director of Function (Resources)/Section 151 provided an overview of the report outlining the economic context, the Council’s current borrowing position and the proposed borrowing and investment strategies. He confirmed that external borrowing will only be undertaken when required and that borrowing in advance of need will continue to be avoided. Debt rescheduling will be considered only where it offers a financial benefit. Internal borrowing will continue to be used where cash balances allow, as this reduces interest costs. However, external borrowing is expected to increase as reserves decline.

He highlighted that the Capital Strategy sets out three scenarios – base, ambitious and ideal each of which increases the Council’s underlying need to borrow. Tables 7a and 7b show the revenue implications for the General Fund and HRA under each scenario. The revenue impact remains manageable under the Base scenario but rises under the Ambitious and Ideal cases.

Regarding investments, the Council’s priorities remain security, liquidity and then yield. The Council will only invest with low risk, highly creditworthy institutions, with daily monitoring of credit ratings. The Council’s risk appetite remains low.

The Prudential and Treasury indicators set out in Appendix 11 to the report ensure that the Council’s treasury management activities and capital investment plans remain affordable and prudent.

The Director of Function (Resources)/Section 151 provided the following clarifications in response to questions from the committee –

·      Early repayment of some existing loans could remove high interest charges and reduce  revenue costs. However, many PWLB loans carry early repayment penalties which can exceed the potential savings from refinancing to a lower interest rate. The position is monitored and kept under review.

·      Quarterly treasury management reports and the mid-year review monitor the Council’s  performance against the prudential and treasury indicators, which set limits on the Council’s borrowing and debt levels.

·      The contract with the Councill’s treasury management advisors ends on 31 March 2026 and will be reviewed, including the specification for member training on treasury management or whether alternatively, the training may be provided in-house.

·      The MRP budget for 2026/27 is based on the previous year’s capital programme and reflects 2025/26 capital expenditure and the level of borrowing held at that time. MRP is only charged when a project is completed. The budget also factors in the expected shift from internal borrowing to external borrowing which affects interest costs. The reduction in cash balances available for investing is also reflected as it will lower investment income.

·      The base case capital expenditure for 2026/27 includes commitments for new HRA housing developments, a new HRA extra care facility, Shared Prosperity fund  ...  view the full minutes text for item 6.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk providing an update as at 21 January 2026 on the audits completed since the previous update as at 21 November 2025 was presented for the committee’s consideration. The report also set out the current workload of Internal Audit and its priorities for the short to medium term going forward. Members of the committee were provided under separate cover with a copy of the one  assurance report finalised in the period in relation to the Physical and Environmental Control of Data Centres (Reasonable Assurance).

The Head of Audit and Risk presented the report and summarised the outcome of the audit review completed in the period noting that it was positive. The audit had been undertaken by external IT audit specialists from Salford City Council who raised five recommendations. However, when assessed against the Council’s risk management matrix, only one was rated as moderate and required management attention with the remainder rated as minor (green) and reported to the service for advice only. She outlined the assurance ratings and their definitions and explained that the auditor applies professional judgement when determining the most appropriate level of opinion. This includes considering the overall level of risk exposure and potential impact on the organisation as a whole. The ultimate determinant is  the response to the key question.

In response to a query by the committee about the ratings, colour codes and the extent of  auditor judgement and subjectivity involved, she confirmed that there is a quality assessment process in place whereby the auditor’s findings are reviewed by the Principal Auditor and then approved by the Head of Audit and Risk through a three stage process. The Council’s assurance ratings and definitions align with those proposed by CIPFA’s Internal Audit Special Interest Group.

In response to a further question about why the IT Audit – IT Asset Management audit had been postponed until 2026/27 at the request of the Chief Digital Officer, the Head of Audit and Risk clarified that the postponement was due to capacity and workload pressures within the ICT service team, including several priority projects and actions. She confirmed that the audit will be incorporated into the 2026/27 audit plan, that its original inclusion was not prompted by any specific concerns and that there were no risks in delaying the audit.

It was resolved to note the outcome of Internal Audit’s engagements, the assurance provided and its priorities going forward.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the revised Strategic Risk Register following its comprehensive review in 2025 was presented for the committee’s consideration.

The Head of Audit and Risk provided an update on the work undertaken to date noting that through the Council’s insurance contract with Zurich Municipal, Zurich Risk Solutions are supporting  the Council on a wholescale review of its approach to managing risk. This work has included a review of the strategic risk register which has been reduced from 16 risks to 11. The Executive Manager (Leadership Team) who is now responsible for maintaining the strategic risk register is continuing to work with the Leadership Team on the revised register. This activity is running alongside the review of the Council’s risk appetite. The fully developed strategic risk register will be presented to the committee once the work is complete.

The Head of Audit and Risk confirmed that the strategic risk register is being continuously updated. In response to a question about how common it is to adjust both likelihood and impact when moving from inherent to residual risk, she explained that while likelihood often changes due to controls, impact can also change in certain circumstances where effective controls may reduce the severity of the outcome. She referred to YM1 in relation to finances and financial management noting that if the risk of reduced or insufficient funding to provide statutory services were to materialise, the Council’s practice of holding 5% of the annual budget in reserve would reduce the impact by enabling services to continue for a longer period.

It was resolved to note the work that has been undertaken to date as part of the wholescale review of the strategic risk register.

To present the report of the Head of Digital, Performance and Modernisation.

The report of the Head of Digital, Performance and Modernisation which provided an update on the work undertaken by the Council against the identified improvement areas within the Annual Governance Statement and Self-Assessment and Performance (Wellbeing) reports for 2024/25 was presented for the committee’s consideration.

The Strategic Performance and Projects Manager updated the committee on the progress of the six identified improvement actions, highlighting where progress was behind schedule and explaining the reasons for the delay. In response to a query about the status of improvement action 2 (Implement agreed outstanding actions from the Procurement Improvement Plan), he clarified that this was the first update on the listed actions. An Improvement plan is in place to meet the requirements of the Procurement Act 2023. Although resource issues have affected the delivery of the plan to date, a permanent Procurement Manager has now been appointed which is expected to support implementation and help bring the action back on schedule.

The Strategic Performance and Projects Manager further explained that actions rated Green are ongoing but are expected to be completed within the planned timescale, with appropriate steps in place to ensure delivery. For those actions currently behind schedule, he confirmed they will continue to be monitored through the monitoring of the annual delivery plan and service delivery plans. However, he advised that he could not provide absolute assurance that these actions would be completed on schedule, given their current status.

It was resolved to accept the responses and updates as an accurate reflection of the Council’s work against the identified improvement areas.

To present the report of Audit Wales.

The report of the Head of Digital, Performance and Modernisation incorporating the Audit Wales Annual Audit Summary for the Isle of Anglesey County Council 2025 was presented for the committee’s consideration. The summary outlined the main findings from the 2024/2025 financial and performance audit work undertaken at the council to fulfil Audit Wales’s responsibilities under the Public Audit (Wales) Act 2004 and the Wellbeing of Future Generations (Wales) Act 2015.

In reviewing the audit summary, the following matters were discussed by the committee–

• The arrangements in place to ensure Audit Wales delivers value for money
• The timeliness of Audit Wales’s work, noting that its three year performance audit completion average between 2022 and 2024 was 78% .
• The presentation of the summary report, with a request that the inclusion of visual graphics be reconsidered.
• Progress in addressing the uncorrected misstatement form the audit of the Council’s 2024/25 accounts.

In response, Audit Wales’s Performance Audit Manager explained that the Audit Wales Board oversees whether Audit Wales is making efficient use of its resources. Audit Wales fees are benchmarked against those of other UK public sector audit agencies. He referred to a University of Sheffield report from August 2025 which found that audit costs in England have risen considerably more than those in Wales over the past three years. He also noted that Audit Wales fees are scrutinised annually by the Senedd Finance Committee.

The Performance Audit Manager acknowledged that there have been timeliness issues. Following the pandemic organisations were given the space and time to focus on frontline delivery and capacity was stretched both within organisations and within Audit Wales. Timeliness has since improved and this improvement is reflected nationally. He confirmed that he would report back the request regarding the presentation of the report.

The Financial Audit Manager confirmed that a method has been agreed for correcting the uncorrected misstatement from the audit of the Council’s 2024/25 accounts and that she understood the corrected figures would be included in the 2025/26 draft accounts.

It was resolved to note the report and to note also that the committee takes assurance from its content.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the committee’s Forward Work Programme for 2025/26 updated to reflect the most recent changes, was presented for the committee’s consideration.

The Head of Audit and Risk suggested and it was agreed that the Audit Wales Q3 Programme and Timetable Update would be circulated directly to the committee’s members once finalised as the next committee meeting is not scheduled until May. Additionally she confirmed that the Panel Performance  Assessment report had been rescheduled for consideration at the May meeting.

The Head of Audit and Risk invited any requests for training, and in response a request for refresher training on the Council’s annual accounts was made.

It was resolved to confirm the Forward Work Programme for 2025/26 as meeting the committee’s responsibilities in accordance with its terms of reference.