Agenda and minutes

In the absence of Councillor Euryn Morris the Deputy Chair, Councillor Margaret M. Roberts was elected to serve as Deputy Chair for this meeting of the Governance and Audit Committee.

To receive any declaration of interest by any Member or Officer in respect of any item of business.

No declaration of interest was received.

To present the minutes of the previous meeting of the Governance and Audit Committee held on 19 September 2024.

The minutes of the previous meeting of the Governance and Audit Committee held on 19 September 2024 were presented and were confirmed as correct.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the committee action log was presented for consideration. The report updated the committee on the status of the actions agreed upon to date since the introduction of the action log at the 18 April 2024 meeting.

The Head of Audit and Risk confirmed that all items due to be completed by this meeting had been completed. She confirmed with regard to item 8 on the log that the Council’s Chief Digital Officer would now be briefing the committee on Artificial Intelligence and the associated risks and mitigations in a session which subject to the committee’s agreement will take place at 1:00 p.m. immediately prior to the next meeting on 11 February 2025. The committee indicated that the proposed arrangement was acceptable.

The Corporate Planning, Performance and Programme Manager advised with regard to item 10 on the log that work to monitor the number of people in economic inactivity as part of the Council’s population trends dataset is in progress. The Economic Development service has commissioned an external company, Quod to undertake a socio- economic analysis of the Island’s population including economic inactivity. A report on the North Anglesey region has been published and was presented to the Executive in July 2024 and a report for the whole of the Island is in progress and is expected to be published by the end of December 2024. The information is also available through Welsh Government and Data Cymru which publishes data in respect of population and migration annually.

The Corporate Planning, Performance and Programme Manager further updated the committee on item 13 on the log which related to progress against the governance matters identified by the 2023/24 assessment process and he confirmed that the seven issues identified are receiving attention and are in progress. He referred to the arrangements with regard to conducting a panel performance assessment in November 2025 and to the progresses of the Procurement Strategic Plan through the Council’s internal democratic processes as part of the work of ensuring compliance with the Procurement Act 2024. With regard to the Council’s assets, the publication of a smallholding asset management strategy has been delayed to allow further work to be undertaken including a review by a cross party task and finish group.

It was resolved to note the actions detailed in the action log table and to confirm that the Committee is content that the actions have been implemented to its satisfaction.

Additional action – The Corporate Planning, Performance and Programme Manager to provide the committee with a link to access the Quod Anglesey socio-economic analysis and impact report when published.

To present the report of the Director of Function (Council Business)/ Monitoring Officer.

The report of the Director of Function (Council Business)/Monitoring Officer seeking nominations to the North Wales Corporate Joint-Committee’s Governance and Audit Committee was presented for the Committee’s consideration. Attached to the report for information were the terms of reference for the North Wales CJC’s Governance and Audit Committee along with an introduction to the role and role description of lay members serving on the committee.

The report was presented by the Director of Function (Council Business)/Monitoring Officer who outlined the requirements with regard to the composition of the North Wales CJC’s Governance and Audit Committee and advised that its membership will consist of nine members six of whom will be county councillors one from each of the constituent North Wales councils and three lay members. Each of the CJC’s constituent councils has been asked to nominate a councillor from its own Governance and Audit Committee as its principal nominee together with a second councillor to act as substitute to ensure that a quorum can be achieved when the principal nominee is unavailable. Additionally each of the constituent councils have been asked to consider whether they wish to nominate a lay member to serve on the Governance and Audit Committee. The Director of Function (Council Business)/Monitoring Officer further advised that while there was now one remaining lay member place available, the committee still could nominate more than one lay person and in that event the appointment would be made based on merit in accordance with a public process. 

Having considered the matter and following discussion, it was resolved –

• To nominate Councillor Geraint Bebb to serve on the Governance and Audit Committee of the North Wales Corporate Joint Committee as principal nominee.
• To nominate Councillor Keith Roberts to act as substitute in the event of the principal nominee’s unavailability.
• To nominate Mrs Sharon Warnes to serve as a Lay Member on the Governance and Audit Committee of the North Wales Corporate Joint Committee.

To present the report of the Director of Function (Council Business)/ Monitoring Officer.

The report of the Director of Function (Council Business)/Monitoring Officer incorporating the Annual Letter from the Public Services Ombudsman for Wales (PSOW) 2023/24 for the Isle of Anglesey Council was presented for the committee’s consideration. The Letter summarised the performance of the Council in relation to the service complaints received and their outcomes during 2023/24, cases involving the Ombudsman’s intervention and complaints made under the Code of Conduct for Members.

The headline messages in the Annual Letter were presented by the Director of Function (Council Business)/Monitoring Officer. Those showed that there had been an increase in the number of service complaints made to the PSOW although the number of investigations remained nil. Of the 38 complaints made about the Council in 2023/24, 9 or 24% related to its handling of complaints. There has also been increased reliance on intervention by the PSOW with 24% of complaints (10 complaints) having been resolved in this way which represents the highest level of intervention in Wales. While services deal with their own complaints, they rely on support, guidance and advice from the Corporate Information and Complaints Officer. This post has been vacant for some time and the vacancy is considered to be a contributory factor in the deterioration in complaints handling performance although the post is now being filled on a temporary basis by an agency appointment. Mitigating actions to provide resolutions had been identified and were set out in the report.

The following were points of discussion by the committee –

• The substance of the complaints made to the PSOW and whether they were serious
• Whether early intervention and resolution of 10 complaints by the PSOW is significant and reflects on the Council’s approach to complaints handling.
• Whether there are any indications of an improvement in complaints handling performance and response midway through 2024/25.

The committee was further advised as follows –

• That most of the complaints made to the PSOW were in relation to the Council’s normal day to day business and none were deemed serious enough to warrant an investigation by the PSOW.
• That the resolution of 10 complaints by early intervention and actions arranged by the PSOW shows that matters could have been put right early in the process had the Council taken the same approach to those complaints and acted accordingly.
• That an assessment of whether complaints are simply complaints or complaints about the way complaints have been dealt with has not been made based on the data made available to Scrutiny and the Executive because the scope of that information is narrow and the information has not been published.

It was resolved -

• To note and accept the Annual Letter from the Public Services Ombudsman for Wales (PSOW) for 2023/24.
• To authorise the Director of Function (Council Business)/Monitoring Officer to write to the PSOW to confirm that the Governance and Audit Committee has given formal consideration to her Annual Letter.
• To provide assurance that the Council will continue to monitor complaints thereby providing Members with the information  ...  view the full minutes text for item 5.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the Committee’s Effectiveness Review Action Plan was presented for consideration. The report provided an update on progress with implementing the recommendations made by CIPFA following its review of the Governance and Audit Committee’s effectiveness in 2024.

The Head of Audit and Risk confirmed that with regard to the 10 recommendations made and 13 actions proposed to resolve the recommendations, ten have been fully implemented, two have been noted and one action remains in progress which is the provision of training for officers reporting to the committee.

It was resolved to note the actions detailed in the table within the report and to confirm that the Governance and Audit Committee is content that the recommendations have been implemented to its satisfaction.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk providing an update as at 28 November, 2024 on the audits completed since the previous update as at 31 August 2024 was presented for the committee’s consideration. The report also set out the current workload of Internal Audit and its priorities for the short to medium term going forward. Members of the committee were provided under separate cover with copies of the assurance reports finalised in the period in relation to Partnerships Oversight (Reasonable Assurance), Counter fraud controls within Revenues refunds (Reasonable Assurance) and Cybersecurity Assessment Framework Review (Reasonable Assurance).

The Head of Audit and Risk provided an overview of the three assurance reports completed during the period confirming that in each case an action plan has been formulated and agreed with management to address the issues /risks raised. She referred to Internal Audit’s short to medium term priorities including work in progress as summarised in the schedule at paragraph 18 of the report along with the priorities for the longer term. Other developments in the form of changes to Internal Audit Standards were highlighted.

Reflecting on the risk of fraud and the adequacy of counter fraud controls, the committee sought assurance that the Council has in place appropriate mitigations and controls to manage the risks posed by Artificial Intelligence especially in a home working environment where staff may be more vulnerable to AI generated cyberattacks, impersonation and false identities which could compromise security.

The Head of Audit and Risk advised that knowing one’s employees is a recognised way of mitigating fraud and that that is easier in smaller sized council such as Anglesey. The Council’s hybrid working arrangements where staff are physically present in the office for part of the working week aids familiarity as does its primarily traditional, people based approach which means the risks from AI are reduced in that regard.

It was resolved to note the outcome of Internal Audit’s work, the assurance provided and priorities going forward.

To present the report of the Deputy Chief Executive.

The report of the Deputy Chief Executive incorporating the Towards Net Zero Strategic Plan Annual Report for 2023/24 was presented for the committee’s consideration. The annual report documented the Council’s progress in managing the risk of climate change and in delivering the annual objectives of the plan during 2023/24. Included as appendix 1 to the report was an analysis of the 2023/24 emissions data submitted to Welsh Government under its annual net zero reporting programme along with a breakdown of both external and council budgets within the Towards Net Zero action plan at appendix 2.

The report was presented by the Climate Change Manager who provided an overview of the highpoints of the year and main actions from the Towards Net Zero action plan for 2023/24 including a reduction of 19.7% in the Council’s total carbon emissions compared  to the maximum emissions in 2021/22, ongoing decarbonisation of Council properties supported by £14m of Welsh Government grant funding over 3 years, the addition of 28 new carbon neutral homes to the Council’s housing stock, extension of the EV charging network and active travel routes, the establishment of a new tree nursery near Llangoed and the delivery of climate change training to elected members and senior managers. The main messages to be taken from the report are that the number of Council schemes within the Towards Net Zero Strategic Plan have increased but there remain significant challenges to achieving the net zero target by 2030, the amount of external funding secured has exceeded expectations and the Council’s carbon emissions continue to reduce but further work is needed.

The following were points of discussion by the committee –

• Acknowledging the progress made internally by the Council, questions were asked about the Council’s ability to decarbonise its supply chains and the extent of its influence in this respect. It was suggested that it might be helpful for the report to distinguish between the Council’s internal carbon emissions outcomes and sustainability performance and those of the supply chain without duplicating data.
• Whether the Council is able to specify maximum emission levels for supplier vehicles in order to encourage the transition away from petrol/diesel usage without discouraging potential bidders for contracts.
• The extent to which the Council’s dependency on external grant funding is a risk to its achieving its net zero goals.

The committee was further advised that as the Council’s carbon emissions are broken down into four main categories – Buildings, Transport, Waste and the Supply Chain within Welsh Government’s reporting arrangements, it is possible to establish which emission sources are within the Council’s direct control and which come within Scope 3 which are classified as indirect emissions and where the Council’s influence may be weaker. The Council does seek to ensure that all supply chain data that is monitored is correctly recorded e.g. expenditure on transport is recorded under transport rather than under the supply chain so as to avoid duplication. While the Council intends in the long-term to hold discussions with suppliers with  ...  view the full minutes text for item 8.

To present the report of the Director of Education, Skills and Young People.

The report of the Director of Education, Skills and Young People Learning setting out the key information governance issues with regard to Anglesey’s schools for the period November 2023 to November 2024 was presented for the committee’s consideration. The report provided the School Data Protection Officer’s statement and overview of Anglesey primary, secondary and special schools’ compliance with the legal requirements in handling school information including the UK General Data Protection Regulation, Data Protection Act 2018, and the relevant codes of practice. The report also provided details of actions taken since the last report in November 2023 including achievements against the Schools Data Protection Development Strategy 2023-24 together with the content of the Schools Data Protection Development Strategy 2024/25 and progress to date.

The report was presented by the Schools Data Protection Officer who advised that based on her assessment she was able to provide reasonable assurance regarding Anglesey schools’ compliance with data protection requirements and she provided an overview of the evidence which supported this conclusion and briefed the committee on the next steps.

The following were points of discussion by the committee –

• While the need for schools to monitor their own compliance with all data protection policies was accepted, questions were asked about the continuation of the annual audit visits to schools which were not conducted in the reporting period.
• The role and involvement of school governors in schools data protection self-regulation

The Schools Data Protection Officer confirmed that no data protection audits took place in 2024 except for one school that had not been visited in 2023. She advised that it was decided to postpone the audits in 2024 pending the introduction of new legislation and that the audits would recommence once the Data (Use and Access) Bill becomes law and schools have had time to implement any changes and can be monitored for their compliance with any new requirements. Also, schools were considered to be in a good place in terms of basic compliance and had been visited three times since 2019. In the meantime schools have been provided with a Data Protection Checklist to support them with monitoring their compliance.

She further advised that a presentation has been made to school governing bodies on the main requirements and expectations on schools with regard to data protection obligations. School governing bodies have a role as data controllers and as such have a responsibility to ensure compliance. Reports following audit visits are also shared with governing bodies. The majority of school governing bodies have appointed a data protection lead/champion and training for school governors is incorporated within the Learning Service’s further work programme.

It was resolved –

• To accept the Schools Data Protection Officer’s report and statement.
• To endorse the Schools Data Protection Officer’s proposed next steps as set out in the Schools Data Protection Development Strategy 2024/25 to enable schools to fully operate in accordance with data protection requirements.

To present the report of the Head of Regulation and Economic Development.

The report of the Head of Regulation and Economic Development incorporating the Council’s Annual Health and Safety Report for 2023/24 was presented for the committee’s consideration. The report provided an overview of health and safety activity at the Council during the period including an analysis of accidents and incidents together with key achievements. Also included was an action plan for the following year.

The report was presented by the Principal Corporate Health and Safety Advisor who referred to two major issues as having required significant actions during the year the one being the presence of reinforced autoclave aerated concrete (RAAC) in two of the Authority’s schools and the other the outbreak of bird flu and he explained how these were dealt with. He confirmed that the number of accidents/incidents reported to the Council over the reporting period had risen and that the number of incidents of violence and aggression towards the Council’s staff and within schools where pupil behaviour is a developing issue particularly in the primary sector, had also increased. He outlined some of the factors that have contributed to these outcomes including changes in attitudes and behaviour post Covid and how these matters are being addressed. A strategic action plan to support continuous improvement in   the management of health and safety was set out which the committee was asked to approve.

The Chief Public Protection Officer confirmed the Principal Corporate Health and Safety Advisor’s analysis regarding the pressures on public facing staff including Public Protection as a front line service and the increase in incidents of aggression towards staff in the period since the pandemic.

The following were points of discussion by the committee –

• The approach towards tackling poor pupil behaviour in primary schools
• Whether the rise in incidents of aggression and abuse towards the Council’s staff needs to be escalated to a significant risk and recognised as such.
• Whether the increase in the number of slip, trip and fall accidents has cost implications for the Council

The committee was further advised that reported incidents of challenging pupil behaviour in schools are referred to the Learning Service and may result in support from the Early Intervention Team. The Council has in place policies to deal with violent incidents and abuse against staff including a Risk of Violence Marker system which identifies individuals who may pose a risk to staff; where the abuse is verbal over the phone the Managing Contact – Unacceptable Actions by Customer Policy allows staff to inform the client that their behaviour is unacceptable and to terminate the phone call. Where incidents are in a public building the perpetrator may be excluded from entry.

The Director of Function (Resources)/Section 15 Officer advised that the Council is insured for public liability and that in claiming for compensation, a claimant has to show that the Council has been negligent in not ensuring the safety of a public area/building for which it is responsible for example. The Council and its insurers routinely deal with slips, trips, and  ...  view the full minutes text for item 10.

To present the report of the Head of Profession (HR) and Transformation.

The report of the Head of Profession (HR) and Transformation detailing the Council’s response to external audit reports and associated recommendations published by regulators was presented for the committee’s consideration. The report provided assurance that the recommendations attached to external reports have been given due consideration by the Council’s services and that those that are relevant to the Council are being implemented in a meaningful way.

The report was presented by the Corporate Planning, Performance and Programme Manager who confirmed that the Council had implemented 20% of the recommendations, 68% of responses are on track and 12% are behind schedule. He provided the committee with an update on the status and progress of the three recommendations that were behind schedule. In response to a query by the Chair regarding the absence of timescales for work in progress, the Corporate Planning, Performance and Programme Manager advised that recommendations which are optional in national reports where it is a matter for the council to determine whether implementing them would add value or not are not usually attached to a timescale. However recommendations in reports that are specific to Anglesey do carry a timescale and the Council internally would set a timescale for their implementation as appropriate.

Alan Hughes, Performance Audit Lead (Audit Wales) commented that it is useful to have a timeline for each task in an action plan as setting milestones will help to track progress over time and identify tasks that have required more time than anticipated to complete.

It was resolved to accept the report along with the responses and updates as an accurate reflection of the Council’s work against the related recommendations.

Additional action agreed – that for future reports, updates on the progress of responses to recommendations be accompanied by a timescale for the completion of the work.

To present the report of Audit Wales.

The report of Audit Wales providing an update as of 30 September 2024 on the delivery of its work programme in relation to work at the Isle of Anglesey County Council and nationally, was presented for the committee’s information. The report also provided an overview of the regulatory work being undertaken by Estyn and CIW.

The report was introduced by the Head of Audit and Risk who provided a summary of the contents. Mr Alan Hughes Performance Audit Lead (Audit Wales) brought the committee up to date on progress with specific pieces of financial and performance audit work.

It was resolved to note the report and the assurance provided.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the Committee’s updated Forward Work Programme and Training Programme for 2024/25 was presented for the committee’s consideration.

The Head of Audit and Risk highlighted the rescheduling of the Treasury Management Mid-Year Review report from December, 2024 to February 2025 due to ongoing financial audit work as the only change to the work programme.

It was resolved to accept the Forward Work Programme 2024/25 as meeting the Committee’s responsibilities in accordance with its terms of reference.

To consider adopting the following: -

“Under Section 100(A)(4) of the Local Government Act 1972, to exclude the press and public from the meeting during the discussion on the following item on the grounds that it may involve the disclosure of exempt information as defined in Schedule 12A of the said Act and in the attached Public Interest Test”.

It was considered and was resolved under Section 100 (A) (4) of the Local Government Act 1972, to exclude the press and public from the meeting during the discussion on the following item on the grounds that it involved the disclosure of exempt information as defined in Paragraphs 14 and 18 of Schedule 12A of the said Act and in the Public Interest Test presented.

To present the report of the Head of Profession (HR) and Transformation.

The report of the Head of Profession (HR) and Transformation incorporating the Annual ICT Cyber Security Report for 2023/24 was presented for the committee’s consideration. The report provided an update as at 31 March 2024 on the Council’s activities with regard to cyber security risk mitigation during 2023/24.

The report was presented by the Lead IT Security Engineer who outlined the contents and provided an overview of the cyber security challenges facing the Council and the actions taken thus far to overcome these challenges, the handling of security alerts and how these were resolved along with current cyber security projects.

The following issues were raised by the committee and were discussed with the ICT officers present for the item –

• The timeliness of resolutions and responses of third party application suppliers to security vulnerabilities and whether this can be addressed/improved through contract specification or by withholding payment when delay results in regulatory failure.
• Ongoing and/or emerging risks in relation to the migration to Windows 11.
• The capacity of the ICT service in terms of staff and resources and whether costs can be reduced through collaboration and/or co-operation.
• Staff security awareness and the lessons to be learnt from exercises/campaigns that test staff on their knowledge and awareness of security issues.

Having considered the report and received Officer clarification and assurances with regard to the matters raised, it was resolved that the Governance and Audit Committee –

• Notes the challenges highlighted in the report.

• Confirms that it is satisfied that the Council’s activities regarding cyber security adequately address the risks and priorities of the Council.
• Takes assurance that reasonable measures are in place to manage cyber threats to an acceptable level.