Agenda and minutes

The Chair welcomed everyone to the meeting and extended a particular welcome to the two newly appointed Lay Members, Dr Geraint Jones and William Maund who were attending their first meeting of the Governance and Audit Committee. In the absence of the Deputy Chair, Councillor Euryn Morris, Councillor Margaret M. Roberts was elected to serve as Deputy Chair for this meeting only.

The apology for absence was presented and was noted.

To receive any declaration of interest by any Member or Officer in respect of any item of business.

No declaration of interest was received.

To present the minutes of the previous meeting of the Governance and Audit Committee held on 16 July 2025.

The minutes of the previous meetings of the Governance and Audit Committee held on 16 July 2025 were presented and were confirmed as correct.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the committee action log was presented for consideration. The report updated the Committee on the status and progress of the actions and decisions it had agreed upon.

The Head of Audit and Risk reported on item 19 on the action log noting that the Public Services Ombudsman for Wales Letter 2024/25 will be reissued due to a data issue. As a result, the Letter will now be presented to this committee at its December 2025 meeting. Consequently, the Monitoring Officer’s Annual Complaints Concerns and Whistleblowing report 2024/25 has also been deferred to the December meeting to coincide with the PSOW Letter’s presentation. Regarding item 27 on the action log which relates to the analysis of staff attrition rates, specifically internal movements as opposed to external exits, the Performance and Projects Team Manager has consulted with HR on this matter and has been advised that the current HR system does not easily track staff movements between services. Officers are investigating this further and aim to provide an update at the next meeting.

A member of the committee referred to a previously presented Audit Wales report on the use of performance information - service user perspective and outcomes. He questioned how the report’s recommendations are being followed up, noting that they are not listed in the action log. The Head of Audit and Risk said that the while the Performance and Projects Team Manager monitors the Council’s implementation of external audit recommendations she would ensure they are being monitored.

It was resolved to note the actions detailed in the action log table and to confirm that the Committee is content that the actions have been implemented to its satisfaction.

To present the report of the Head of Regulation and Economic Development.

The report of the Head of Regulation and Economic Development incorporating the Council’s Annual Health and Safety Report for 2024/25 was presented for the committee’s consideration. The report provided an overview of health and safety activity at the Council during the period including an analysis of accidents and incidents together with the Council’s response to those issues. It also listed key achievements and set out an action plan for the following year.

The report was presented by the Chief Public Protection Officer to provide the committee with assurance regarding the Council’s Health and Safety performance.

In considering the report, the committee discussed the following matters –

·      The committee questioned how many of the reported accidents and incidents were attributable to insufficient training or failure to follow health and safety protocols.

The Principal Corporate Health and Safety Advisor explained that while this specific statistic is not recorded, each accident and incident is investigated to determine its cause. He noted that the majority of staff have received the necessary health and safety training,  and that a significant proportion of incidents in the data are not employee related involving pupils in schools or clients in care homes. For employee specific incidents the adequacy of training and the presence of appropriate risk assessments are reviewed. Although the exact figures are not available, in most cases training has been sufficient and protocols have been followed.

In a follow up question, the committee asked whether such information should be tracked and reported, as identifying cases of non-compliance or insufficient training could help prevent future accidents. The Chief Public Protection Officer acknowledged the point and stated that based on the incident data received by the Corporate Health and Safety team, it may be possible to analyse and identify patterns such as training gaps. He confirmed that the committee’s suggestion had been noted.

·      The committee referred to the 2025/26 health and safety strategic action plan which was included in tabular form within the report. Members noted that the proposed actions were very broadly defined, making it difficult to monitor progress effectively. It was suggested that each action should be SMART i.e. specific, measurable, achievable, relevant and timebound.

In response, the Chief Public Protection Officer confirmed that the service is currently developing a more detailed three to four year strategic plan which will include defined targets and measurable outcomes. The plan is intended for presentation to the corporate management board.

The committee welcomed the information and proposed that the completed three year strategic plan incorporating SMART actions be brought to this committee for review in due course.

·      The committee asked whether the reduction in RIDDOR reports during 2024/25 was the result of deliberate action by the Council to mitigate risk or whether it was a matter of good fortune.

The Principal Corporate Health and Safety Advisor responded that the decrease was due to a combination of both factors. He explained that since the pandemic, the Corporate Health and Safety team has taken a proactive approach in sharing information with  ...  view the full minutes text for item 5.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk providing an update as at 30 September, 2025 on the audits completed since the previous update as at 30 June 2025 was presented for the committee’s consideration. The report also set out the current workload of Internal Audit and its priorities for the short to medium term going forward. Members of the committee were provided under separate cover with copies of the assurance reports finalised in the period in relation to Managing the Poverty Risk (YM11) (Reasonable Assurance), Continuous Monitoring – Payroll (Reasonable Assurance), and Continuous Monitoring – Creditors (Reasonable Assurance).

The report was presented by the Head of Audit and Risk who provided an overview of the three assurance report completed in the period along with the issues identified. Regarding the Continuous Monitoring – Creditors audit review, she highlighted that since the last review in September 2024, approximately £60,000 in previously identified duplicate payments has been recovered. The Payments Team continues to pursue the £65,000 still outstanding as resources allow. She further noted that this annual exercise is undertaken in collaboration with the Payments Team. This follows a leading software supplier, working with neighbouring councils, quoting approximately £53k for a three year contract to carry out a similar exercise.

During the ensuing discussion on the update report, the committee raised the following matters –

·      The committee questioned the rationale behind assigning a “Reasonable assurance” rating to the Managing the Poverty Risk review. The committee suggested that the issues identified, classified as moderate, were in fact more substantial and the rating should therefore be revised accordingly.

In response the Head of Audit and Risk explained that the Council’s risk assessment matrix is used to evaluate risk, weighing likelihood against impact and that the auditor has deemed the risk to be moderate (Yellow). While appropriate processes and mechanisms are in place for managing the poverty risk, improvements are needed which include ensuring that actions are SMART and strengthening the socio-economic duty within the Tackling Poverty Strategy, particularly by giving greater attention to intersectionality. In response to further queries regarding the availability of action plans, the Head of Audit and Risk clarified that the Council’s Tackling Poverty Strategic Plan is supported by an operational plan which is separate from the action plan developed to address the six issues/risks identified in the audit review. The committee requested copies of both plans.

·      The committee sought clarification of the observation in the Managing the Poverty Risk audit review that staff engagement remains limited. Members queried whether this indicated a deeper systemic risk that should be formally highlighted.

The Head of Audit and Risk explained that the issue stems from the Council’s service delivery plans. While the socio-economic duty is acknowledged within broader strategic plans, it is not sufficiently embedded within the Tackling Poverty Strategy and greater integration between the two is needed. The strategy also lacks adequate consideration of  intersectionality where people affected by socio-economic disadvantage may also face challenges due to race, gender or sexuality.  ...  view the full minutes text for item 6.

To present the report of the Head of Audit and Risk

The report of the Head of Audit and Risk which provided an update on the status of the outstanding issues, risk and opportunities that Internal Audit has raised was presented for the committee’s consideration.

The Principal Auditor presented the report and provided an overview of its key points. As of 31 August 2025, seventy-three outstanding actions were being tracked, with ten assessed as “major” (amber) and sixty-three as “moderate” (yellow) risks. A detailed analysis of the current status of the outstanding major related issues, risks and opportunities was provided at Appendix 1 to the report.

The following matters were raised by the committee –

·      The committee enquired whether a revised timescale had been set for the overdue moderate rated action raised by the audit of Direct Debit Processes.

The Director of Function(Resources)/Section 151 Officer explained that most individuals billed for business rates by the Council do not make any payments due to their eligibility under the Small Business Rates Reduction Scheme, resulting in a relatively small number of payees. While the Council offers direct debit payment, applicants must currently  complete a form. To support transition to a paperless system, staff will collect payment  details over the phone and forward the form for processing. However, bank authorisation and separate plans for each income stream need to be developed. Although the Council Tax direct debit scheme is paperless,  the Business Rates scheme remains manual because of the low number of transactions which has not made it a priority. Additionally, the Payments team is also working on other projects to ensure compliance with the Payment Card Industry Data Security Standard (PCIDSS).

In response to a follow-up question about extending the timescale for overdue actions and whether a mechanism exists for escalation to prevent “action creep,” the committee was informed that each action has a designated owner and a target completion date. A user dashboard within the 4action system provides a real time snapshot of progress, enabling effective tracking and reporting. Action completion dates may be extended but only if the service can demonstrate a legitimate reason, taking into account the associated level of risk. For major rated issues/risks that have not been resolved twelve months after the original completion date, action owners are asked to provide an update to the committee explaining the delay. Greater flexibility is afforded to moderate (Yellow rated) actions, with each case assessed on its own merits and risk evaluated. Amber rated issues/risks are subject to internal audit’s own escalation process.

Responding to a question about the status of the two PCIDSS related actions listed in Appendix 1 of the report both of which had a target completion date of 30 September, the Director of Function(Resources)/Section 151 Officer explained that the Council has recently moved to an automated system for taking payment card details which is PCIDSS compliant with the exception of the Leisure Services and Oriel Ynys Môn. Solutions for telephone card payments taken by these services are being reviewed.

·      A member of the committee referred to the  ...  view the full minutes text for item 7.

To present the report of the Head of Profession (HR) and Transformation.

The report of the Head of Profession (HR) and Transformation incorporating the draft self-assessment report for 2024/25 was presented for the committee’s consideration. The Council is required by the Local Government and Elections (Wales) Act 2021 to publish an annual self-assessment report to show how it has performed, whether its resources are being used efficiently and effectively and how it is managing and mitigating the associated risks.

The report was presented by the Performance and Projects Team Manager who explained the self-evaluation process where each service assessed its performance across four key areas using updated scoring criteria - Needs Improvement, Meets Expectations, Exceeds Expectations and Outstanding. Their assessments were challenged in service review meetings with officers and elected members. Based on this process, the report provides an overall assessment of how well the Council has met its performance requirements, supported by evidence and sets out both actions taken and planned improvements.

In reviewing the self-assessment report, the following matters were raised by the committee –

·      The committee noted the improvement areas identified for 2025/26. It was suggested that to facilitate their progress and completion, each improvement matter needs to be project managed with a clear structure through the use of critical path analysis. This would help define key steps and timelines especially for complex high level projects such as developing a data strategic plan to support the Council’s aim of becoming a data informed organisation. Members emphasised the value of becoming a data driven organisation and the importance of  developing a council wide culture of performance management that applies consistently across all projects.

The Performance and Projects Team Manager clarified that project managers within the Transformation Service are qualified to PRINCE2 level and apply its methodologies when managing strategically important corporate projects. Standardised templates and processes are employed across the Council, including action plans, risk registers and detailed progress tracking. While the self-assessment report provides a high level overview of identified improvement areas and actions, the specific details are contained in individual service development plans which are reviewed and monitored on a quarterly basis.

In a follow up, a member of the committee requested a copy of the project initiation document for the Data Strategic Plan initiative when completed.

·      The committee questioned why all identified improvement actions have a completion deadline of March 2026.

The Performance and Projects Team Manager explained that the improvement areas are broad in scope and the associated actions will be carried out throughout the year with the intention that all will be completed  by March 2026. The committee will receive a mid-year progress update. In response to a question about whether the timescale is realistic, the Officer noted that while some actions are well positioned to be completed, others require further discussion and input from other services. However, the actions are considered achievable within the proposed timeframe.

·      The committee asked how the identified improvement areas reconcile  with services that have self-assessed as exceeding expectations, and whether completing all the improvement actions would result in services  ...  view the full minutes text for item 8.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the Annual Counter Fraud, Bribery and Corruption Report for 2024/25 was presented for the committee’s consideration. The report outlined the activity that Internal Audit carried out during 2024/25 to minimise the risk of fraud, bribery and corruption occurring within and against the Council and provided examples of attempted fraud against the Council in the period.

The Head of Audit and Risk presented the annual report outlining the Council’s counter fraud activities in 2024/25. The Council’s approach has been guided by CIPFA’s Code of Practice on Managing the Risk of Fraud which sets out best practice for counter fraud work in local government , based on five principles and by the Fighting Fraud and Corruption Locally: A Strategy for the 2020s which also focuses on five pillars of activity/strategic objectives. These were detailed in Appendix 2 of the report and have informed the Council’s counter fraud work and the development of a delivery plan for counter fraud activity. A progress update on the delivery plan was  provided at Appendix 3. The results  from the Council’s Fraud Reporting Tool which went live in November, 2024 were detailed in Appendix 4.

It was resolved to note the activity carried out during 2024/25 to minimise the risk of fraud, bribery and corruption occurring within and against the Council and the assurance provided on the effectiveness of the Council’s  arrangements to minimise the risk of fraud.

To present the report of the Head of Audit and Risk

The report of the Head of Audit and Risk setting out the Council’s recent progress and outcomes in respect of its participation in the National Fraud Initiative was presented for the Committee’s consideration.

The Head of Audit and Risk presented the report which detailed the NFI reports received by the Council between January and March 2025 (61 separate reports), the data matches they contained (3,034 individual matches) and the service areas to which they related (as outlined  in Appendix 2 of the report – NF1 2024/15 Outcomes Summary). The financial outcomes from these reports, analysed by Internal Audit in conjunction with the services were detailed in the table at Appendix 2.

A member of the committee raised concerns about Council Tax premium avoidance. The Director of Function(Resources)/Section 151 Officer outlined the investigative process for such cases. He also confirmed that the Council prioritises NFI matches with higher reliability  such as those containing national insurance numbers.

It was resolved to confirm that the committee takes assurance from the report that the Council, taking account of the need to priorities its resources, is seeking to actively embrace opportunities provided by the National Fraud Initiative to use data analytics to strengthen both the prevention and detection of fraud.

To present the report of Audit Wales.

The Audit Wales report, which updated the committee on the progress of its work programme both locally and nationally as of 30 June 2025  was presented for the Committee’s information. The report also provided an overview of ongoing regulatory work by Estyn and CIW.

Mr Carwyn Rees, Audit Wales Performance Audit Manager reported that pandemic related restrictions had caused a backlog of work. However, good progress has since been made on the 2023/24 and 2024/5 performance audit programmes, with the former now completed and work underway on the 2025/26 programme. As a result, the performance audit programme is well positioned to return to timescale.

In response to a question from the Chair regarding the progress of the audit of the 2024/25 accounts,  Rachel Freitag, Audit Wales Financial Audit Manager  confirmed that the audit is on track to be completed by the end of October. The Director of Function  (Resources)/ Section 151 Officer added that the date for the committee to meet in October to consider the audited accounts is yet to be confirmed.

It was resolved to note the report and the assurance provided.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the committee’s Forward Work Programme for 2025/26 was presented for the committee’s consideration.

The Head of Audit and Risk advised the committee of two changes to the Forward Work Programme, namely the deferral of the annual review of the risk management framework and strategic risk register update to the December 2025 meeting along with the Annual Letter of the Public Services Ombudsman for Wales 2024/25 and the Annual Concerns, Complaints and Whistleblowing Report 2024/25.

It was resolved to confirm the Forward Work Programme for 2025/26 as meeting the committee’s responsibilities in accordance with its terms of reference.

To consider adopting the following:-

“Under Section 100 (A) (4) of the Local Government Act 1972, to exclude the press and public from the meeting during the discussion on the following item on the grounds that it may involve the disclosure of exempt information as defined in Schedule 12A of the said Act and in the attached Public Interest Test.”

It was considered and resolved –

“Under Section 100 (A) (4) of the Local Government Act 1972, to exclude the press and public from the meeting during the discussion on the following item on the grounds that it involved the disclosure of exempt information as defined in Schedule 12A of the said Act and in the Public Interest Test presented.”

To present the report of the Head of Profession (HR) and Transformation.

The report of the Head of Profession (HR) and Transformation incorporating the Annual ICT Cyber Security Report for 2024/25 was presented for the committee’s consideration.

The Lead Security Engineer presented the report outlining the cyber security threats faced by the Council over the past year. It detailed how these threats were addressed and managed through existing mitigating and operational controls designed to detect and prevent malicious activity. The Lead Engineer summarised the main points of the report highlighting the most significant cyber security challenges which the Council experienced in 2024/25.

The ensuing discussion included the following points –

·      The status of current cyber security projects with the committee noting that a progress update would be helpful.

·      The adequacy of existing cyber security measures

·      Resource requirements and limitations

·      The potential for outsourcing as a means of reducing long-term pressure on the Council

·      Whether the reported statistics indicate any monthly or quarterly trends in cyber threats

·      The extent to which investment in cyber security measures has led to a reduction in impact

·      The frequency of cyber security awareness training provided to staff

Officers responded to the specific issues raised and provided general assurance, stating that projects and activities are prioritised in areas where risk can be most effectively reduced, following risk assessment. The request for a projects update was acknowledged and noted. They confirmed that investment in IT services has increased significantly over recent years from £1.6m in 2017/18 to £5.1m in 2024/25 which represents a significant investment for the public sector. They noted that substantial progress had been made during this period, and that a business case has been developed to secure additional resources. It was emphasised that cyber security is not a one off project but an ongoing endeavour requiring continuous attention and investment.

It was resolved that the Governance and Audit Committee –

·      Notes the challenges highlighted in the report.

·      Accepts that the activities regarding cyber security adequately address the risks and priorities of the Council.

·      Takes assurance that reasonable measures are in place to manage cyber threat to an acceptable level.