Agenda and minutes

In the absence of the Vice-Chair, Mr Dilwyn Evans, Lay Member was elected Vice-Chair for this meeting of the Audit and Governance Committee only.

To receive any declaration of interest by any Member or Officer in respect of any item of business.

Councillor Richard Griffiths declared a personal interest in respect of item 3 on the agenda on the basis that he was related to an officer in the Housing Service.

To present the minutes of the previous meeting of the Audit and Governance Committee held on 23 July, 2019.

The minutes of the previous meeting of the Audit and Governance Committee held on 27^th July, 2019, were presented and were confirmed as correct.

To present the report of the Head of Housing Services.

The report of the Head of Housing Services providing information on the work of the Community Housing Service with regard to tenant profiling was presented for the Committee’s consideration. The information was presented following the submission of an internal audit report to the Audit and Governance Committee meeting of 23 July, 2019 which raised the lack of tenant profiling as an “Issue/Risk.” The Committee had requested that the Head of Housing Services attend its next meeting to provide an update on the tenant profiling position.

The Head of Housing Services reported that he appreciated the Committee’s concern that not as much progress as hoped for had been made with tenant profiling and that there were valid reasons why this was so. The Officer accepted that making sure that the information which the Service holds regarding its tenants is current and up to date is vitally important in ensuring that the services provided are appropriate and meet the needs of tenants.

The Service Manager (Community Housing) informed the Committee that each council property is recorded on the Service’s Orchard Client Relationship Management System and as well as holding information about each tenant, the Orchard system also captures tenancy history, arrears information, officer interactions, tenancy breach recording and financial inclusion analysis. Having accurate tenant profiling can support the department to develop future services alongside existing services, such as the response to Universal Credit. Operationally, tenant profiling is the responsibility of the customer service team which consists of six full time equivalent officers who deal with day to day maintenance response queries, first contact response for housing allocations, and homelessness in addition to tenant profiling. Customer care staffing levels have fluctuated throughout the year which has been a barrier to capturing tenant profiling on a continuous basis. Homelessness presentation levels have increased thus resulting in more incoming calls to the customer care team in order to support those who are, or are threatened with becoming homeless. Also, the customer service team currently operates from two offices split into three officers at each location per working day. Working from two offices is viewed as a challenge; having a dispersed team with fluctuating staffing levels means that the team’s priority has been responding to incoming calls. Going forward, the Housing Senior Management team has agreed to have the Customer Care team working from one location with discussions underway to determine the most suitable office in the long-term. Once the team is settled in a single location, one officer will concentrate on profiling per day. The majority of tenants continue to contact Housing Services by phone meaning the service is continuously reactive to calls. From January, 2020, the focus will be on a 2 year plan whereby tenants will be able to report issues and manage their tenancies on a digital platform linked to the Orchard system. As further assurance to the Committee, Housing Services work closely with the Department for Works and Pensions, the O’Toole Centre and Citizens Advice on issues in connection with Universal  ...  view the full minutes text for item 3.

·        To present the Statement of the Accounts 2018/19.

·        To present the report of External Audit on the Financial Statements.

4.1       The report of the Director of Function (Resources)/Section 151 Officer incorporating the Final Statement of the Accounts for 2018/19 following audit was presented for the Committee’s consideration.

The Director of Function (Resources)/Section 151 Officer reported that the statutory deadline for the completion of the 2018/19 audited accounts has again been met. Improvements which the audit process identified last year have been made and are continuing. All issues that have arisen throughout the audit were dealt with promptly and in a satisfactory manner.

The Officer said that details of the main amendments to the draft accounts are set out in External Audit’s report on the Financial Statements below. All amendments which have been agreed as requiring restatement by the auditors, Deloitte have been processed and are contained within the Statement of the Accounts. The amendments to the draft Statement were not significant and have been largely confined to amendments to a small number of disclosure notes and the Cash Flow Statement. At this stage no financial changes have been made to revenue or capital meaning that the main financial statements remain the same. The Auditors’ report highlights an ongoing uncorrected misstatement from 2017/18 in connection with the accounting treatment of the pension’s lump sum for unfunded historic pension costs. This relates to differing interpretations of the accounting arrangements for the lump sum paid in 2017/18 for these costs which led to a saving of approximately £200k. This was not amended due the differences in the Authority’s and the Auditor’s interpretation of written guidance on the issue.

Following their work on the Statement of the Accounts, the Auditors have made 3 recommendations in relation to accounting and payroll control; 1 recommendation in relation to IT and 1 recommendation in relation to corporate controls which are detailed in their ISA 260 report.

With regard to the uncorrected misstatement, the Officer clarified that in 2017/18 the Authority made a lump sum payment of £3.66m to the Gwynedd Pension Fund to cover the three years to 2019/20 on the basis that this sum would be invested and the Authority would receive a discount (the return on investment as part of the pooled pension fund monies being greater than had the Authority invested the sum on its own). The Auditors are of the view that the payment should have been charged to the revenue account as expenditure in 2017/18 in the year it was made. The Authority takes a different view and consequently it was agreed that in order to lessen the impact of the payment on the Council’s general fund balance, a negative reserve be created which will unwind over the course of the three years meaning that by next year the sum will have disappeared from the accounts.  

4.2       The report of External Audit on the audit of the Financial Statements for 2018/19 (ISA 260 report) was presented for the Committee’s consideration.

Mr Ian Howse, Engagement Lead for the Financial Audit confirmed that subject to the satisfactory completion of outstanding work as  ...  view the full minutes text for item 4.

To present the Annual Report of the Senior Information Risk Owner.

The report of the Senior Information Risk Owner (SIRO) providing an analysis of the key information governance (IG) issues for the period from 1 April, 2018 to 31 March, 2019 was presented for the Committee’s consideration. The report also included assurance of on-going improvement in managing risk to information during the period.

The Director of Function (Council Business)/Monitoring Officer and designated Senior Information Risk Owner (SIRO) reported on the main points as follows –

•           29 data security incidents were recorded during the reporting period (20 in 2017/18) of which 26 were at Level 0-1 (near miss or confirmed as a data security incident but no need to report to the Information Commissioner’s Office (ICO) and other regulators) and 3 at Level 2 (data security incidents that must be reported to the ICO and other regulators as appropriate).The report provides an analysis of the nature of the incidents.

•           1,052 requests under the Freedom of Information Act were received during the reporting period which contained a total of 7,532 questions.

•           There were 20 requests for an Internal Review of an FOIA response. In 9 cases the review upheld the original response; 1 case was not upheld and a new Section 1 response was sent, and 1 request was refused as a response had been sent prior to the receipt of the request for an internal review.

•           6 appeals were lodged with the ICO in the period. In 4 cases the Council was asked to send a response; 1 case was withdrawn and in 1 case the Council’s response was upheld.

•           8 Data Protection Act complaints were made and investigated – 2 pre and 6 post GDPR. No DPA complaints were investigated by the ICO.

•           46 Subject Access Requests were received with 81% of responses being sent within the statutory deadline for SARs and complex SARs.

•           The Investigatory Powers Commissioners Office (IPCO) oversees the conduct of covert surveillance and covert human intelligence sources by public authorities in accordance with the Police Act 1997 and the Regulation of Investigatory Powers Act 2000 (RIPA). The RIPA regime aims to ensure that directed surveillance is carried out in a way that is compliant with human rights. The Council makes very little use of covert surveillance and covert human intelligence sources (Appendix 1 to the report refers). The Council’s processes and practices were inspected by the IPCO during September 2018 and this   confirmed that the Council’s compliance level meant that no physical inspection was necessary with the IPCO requiring only that the Council undertake a review of its extant CHIS authorisation, make minor amendments to the Council’s policy documents and provide refresher training for authorising officers and applicants.

•           Following on from the initial period of GDPR implementation, analysis of the Council’s data protection assurance documents suggested key areas for further development and investigation. These elements were incorporated into a Data Protection Plan for the Year (Appendix 2 to the report).The Plan seeks to address issues which present the highest  ...  view the full minutes text for item 5.

To present the report of the Head of Function (Council Business)/Monitoring Officer.

The report of the Director of Function (Council Business)/Monitoring Officer providing information on issues arising under the Council’s Concerns and Complaints Policy for the period 1 April, 2018 to 31 March, 2019 was presented for the Committee’s consideration. The report also included Social Services complaints but only those where the complainant was not a service user. Service user complaints are dealt with under the Social Services Representations and Complaints Procedure and are reported annually to the Corporate Scrutiny Committee.

The Director of Function (Council Business)/Monitoring Officer reported on the main points as follows –

•           During the period covered by the report, 62 concerns were received and 76 complaints were made. Of the 76 complaints, one (Housing) remains open as the required works have not been completed and another (Planning) is on hold as the Council is waiting to hear from the Public Services Ombudsman for Wales (PSOW). Therefore, 74 complaints have been investigated and responded to during this period. The number of complaints received remains at around the same level as in 2017/18.

•           Of the 74 complaints dealt with during the period, 16 were upheld in full, 7 were partly upheld and 51 were not upheld.9 complaints were escalated to the PSOW, 5 were rejected by the PSOW and 4 complaints (Resources) were resolved by early resolution. Each of the 9 complaints escalated to the PSOW had been through the internal process. A breakdown of the concerns and complaints by service is provided in the report.

•           The overall rate of responses to complaints issued within the specified time limit (20 working days) was 92.6%. 9% of the complaints received (up from 5% in 2017/18) resulted from escalated concerns which continues to indicate that services are dealing effectively with concerns thereby limiting formal complaints.

•           The Concerns and Complaints Policy places an emphasis on learning lessons from complaints and thereby improving services. Enclosure 1 to the report explains what lessons have been learnt and any practice which has evolved as a consequence of these findings.

•           Where the complainant remains dissatisfied with the Council’s response to a complaint, the Concerns and Complaints Policy includes the option of escalating the complaint to the PSOW. There were 18 complaints relevant to this process within the timescale of the report lodged with the PSOW – only 1 was considered sufficiently serious to warrant an investigation; this was a Highways matter which was dealt with by way of the Council agreeing to an early voluntary resolution.

•           During 2018/19, 1 code of conduct complaint was received by the PSOW against a County Councillor but was closed after initial assessment. There were no investigations against County Councillors.

•           Whilst there were no formal language related complaints during the year, 4 expressions of concern were received and recorded relating to the matters documented in the report. All 4 issues were resolved without being escalated into formal complaints.

•           During 2018/19, 1 whistleblowing concern under the Council’s Whistleblowing Policy was received and is noted in  ...  view the full minutes text for item 6.

To present the report of the Head of Function (Council Business)/Monitoring Officer.

The report of the Director of Function (Council Business)/Monitoring Officer was presented for the Committee’s consideration. The report provided details of compliance for the second round of policies introduced for acceptance via the Council’s Policy Portal management system as well as the Learning Service’s compliance levels for the first round of policies. The data presented is based on the information available at 16/17 and 19 July, 2019.

The Director of Function (Council Business)/Monitoring Officer reported on the main points as follows –

•           That 8 policies – Data Protection Policy; IT Security Policy, Financial Procedure Rules, IT Acceptable Usage Policy, Safeguarding Policy, Officers’ Code of Conduct, E-mail  and Instant Messaging Usage Policy and the Whistleblowing Policy – were made available  for acceptance  between 2 July, 2018 and 3 June, 2019 as determined by the Senior Leadership Team (SLT).The final policy in the current series – Equality and Diversity Policy – was introduced for acceptance on 29 July and the six week acceptance period will close on 9 September, 2019.

•           Details of compliance levels for the 8 policies both across the Council and by service are   provided in Appendix 1 to the report. Average compliance for all policies across the Council is 95% which is the same as last year. This is compared with an average of 87% at the end of the six week acceptance period set for each policy which is an improvement on last year’s 79%.

•           That it was reported last year that compliance in Children’s Services had improved significantly with an average compliance rate of 99% as at 24 July, 2018 compared with an average of 57% at the end of the six week acceptance period. The service has continued to improve and has achieved a compliance rate of 100% for all 8 policies and 100% at the end of the six week acceptance period for the last 4 policies.

•           A significant improvement can also be seen in Adults’ Services as at July, 2019 with the service achieving a 92% compliance average compared with 78% as July, 2018.The Learning Service staff have been part of the corporate process since July 2018 and were required to catch up by accepting the first 7 policies in addition to accepting the second round of policies as they are released for acceptance. Appendix 2 sets out the service’s compliance levels showing an average compliance rate of 99%.

•           Following review by the SLT, the number of policies in the core set will be reduced from 16 to the 9 policies listed in paragraph 4.1 of the report. These 9 policies will be subject to acceptance only once in every 2 year period but will be available throughout that time for new staff.

•           The Policy Portal relies on the Council’s Active Directory (AD) and includes around 1,000 active users. The Portal’s reliance on the AD was recognised as a weakness from the outset with this Committee raising concerns that staff who are not AD users are not included  ...  view the full minutes text for item 7.

To present the report of the Head of Service (Regulation and Economic Development).

The report of the Director of Place and Community Well-being incorporating the Corporate Health and Safety Annual Report for 2018/19 was presented for the Committee’s consideration. The report followed the format and guidance developed by the Welsh Local Government Association which provide a series of headings for reporting health and safety performance which should  assist in identifying the commitment, ability and direction of the management of occupational health and safety.

The report included data on all accidents and incidents reported in 2018/19 classified into minor, serious and RIDDOR (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations) which are incidents which meet specific criteria that require reporting to the Health and Safety Executive. The table at page 7 of the report provides an analysis of incidents by type broken down further into sub-categories for certain incidents. The tabular format allows comparison with the data for the previous three years.

The Committee was informed that the data shows that violence and aggression and falls appear to be the most significant type of incident. With regard to violence and aggression (total number of incidents – 287compared with 237 in 2017/18), the highest number of incidents are those involving challenging behaviour where the intent to harm may not be present (106).  Abuse from members of the public is also a significant figure (103 incidents compared with 53 in 2017/18). Whilst the majority of these involve telephone calls some include face to face incidents. The increase may be attributable to a combination of factors including societal pressures, the economic climate and increased demand for the services provided by the Council. Falls incidents relate mainly to school pupils and clients in homes with the majority not being due to supervision issues or issues with the environment. The “Another Kind of Accident” category also shows a high number of incidents (135) and includes awareness reports of situations such as “hoarding” in housing stock; possible safeguarding issues and information provided by external agencies which may impact on the Council’s duty of care. This will be reviewed to establish whether these incidents may be recorded as near miss incidents or whether an additional method of recording is required.

In discussing the report, the Committee raised the following matters –

•           The Committee sought clarification of what determines whether an incident is reported as a RIDDOR incident, whether all such incidents are very serious and whether the Council benchmarks its performance in this respect against other authorities. The Corporate Health and Safety Advisor clarified that there are specific criteria which determine whether an incident is reportable as RIDDOR and he gave examples of incidents that meet the RIDDOR definition e.g. injuries to workers which result in their incapacitation for over 7 days. Occasionally, an incident will be serious but will not be reportable to RIDDOR but would be subject to a more in-depth internal investigation. Investigating RIDDOR incidents is one of the Service’s performance targets. Under RIDDOR, injuries to non-Council workers which results in them being taken directly to hospital  ...  view the full minutes text for item 8.

To present the report of the Head of Audit and Risk.

The report of the Head of Internal Audit and Risk which provided an update on Internal Audit’s latest progress with regard to service delivery, assurance provision, and reviews completed was presented for the Committee’s consideration.

The Head of Audit and Risk reported as follows –

•           That three Internal Audit reports were finalised during the period two of which resulted in a Substantial Assurance rating – these were Grant Certification Audits in relation to Rent Smart Wales and the Pupil Development Grant. The third review relating to Corporate Safeguarding produced a Reasonable Assurance rating and identified 4 major issues/risks that need to be addressed. The issues/risk were designated major because of their potential impact in this area. However, overall the review concluded that the Council has implemented a number of effective controls to manage the risk of serious safeguarding error causing or contributing to harm to those who it has a responsibility to protect and consequently, Internal Audit was able to provide reasonable assurance of the governance, risk management and control in this area.

•           That three reports with a Limited Assurance rating are scheduled for a follow-up review as detailed in paragraph 15 of the report. Two Follow-up reviews are currently in progress – Primary Schools Income Collection (first Follow-Up) and Sundry Debtors (second Follow-Up) .The Follow-Up to the Logical Access and Segregation of Duties review has been postponed pending the completion of the Payroll/Payments function restructure.

•           That the Council’s IT Service has confirmed that the “4 action” corporate action tracking system upgrade to which Internal Audit’s quarterly reports have referred to in recent months has now been configured and is being tested. This process has identified some issues which are currently with the supplier for resolution. These have been chased up and it is hoped they can now be progressed.

•           That there has been little change with regard to the Operational Plan for 2019/20 in the six weeks since the last Committee update. Although progress has been hampered by the holiday season, a number of draft reports have been issued which are awaiting management response and work has continued on several audits as detailed in paragraph 19 of the report as well as a consultation piece on staff car loans.

In considering the report the Committee queried whether in view of the potential impact of the 4 issues/risks identified in an area as sensitive as safeguarding, the review should have resulted in a Limited Assurance thereby ensuring it would be formally followed up and the outcome reported to this Committee.

The Head of Audit and Risk clarified that Internal Audit had worked very closely with Senior Management with responsibility for safeguarding as well as with the Education Service and schools and that the actual picture is more positive than the corporate monitoring position reflects. In practice, DBS checks and renewals are being undertaken and the issues identified pertain to routine housekeeping around DBS e.g. lack of formal meeting minutes for the strategic safeguarding board, and the  ...  view the full minutes text for item 9.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk on the status and detail of the outstanding risks that the Internal Audit Service has raised was presented for the Committee’s consideration.

These were detailed in Appendix A to the report and contained also a progress update from the Managers responsible for addressing the issues/risks documented.

The Principal Auditor reported as follows –

•           That there are no High or Red Issues/Risks currently outstanding, and performance in addressing Amber rated issues/risks has improved since the previous update in July with the overall implementation percentage for High/Red/Amber issues/risks at 92%.

•           That there has also been a small improvement in performance for the Medium/Yellow risks with an overall reduction in the number of outstanding actions by 5, spread across services.

•           As at 11 August, 2019 the implementation rate was 100% for High/Red issues/risks; 83% for Amber issues/risks; 97% for Medium issues/risk; 80% for Yellow risks/issues.

•           That 2 Follow-up review – Sundry Debtors and Schools Income Collection are currently underway and these two reviews account for 6 out of the 9 outstanding Medium Issues/Risks.

•           That confirmation has been received that the required action under item 9 in Appendix A – PCI DSS Compliance relating to the Transformation Service has now been completed.

•           That implementation of the new upgraded corporate action tracking system provides an opportunity to review the Internal Audit Service’s’ reporting framework to ensure that the information provided to senior management and the Audit and Governance Committee is in line with the new audit approach and is useful, concise, relevant and timely. As it will be easier to configure the new system’s reporting parameters from the outset rather than make changes once operational, it was considered prudent to consult with the Committee about its reporting requirements prior to the upgrade so that these can be built into the system. It is anticipated that the new system can be configured to more easily report on areas as listed in paragraph 14 of the report - that currently require significant manual intervention.

The Committee in considering the report and the type of information it would like to be provided with under the new action tracking system indicated that whilst incorporating all the elements in paragraph 14 would be useful, the separation of red and amber risks would be particularly helpful.

It was resolved that the Audit and Governance Committee –

•           Notes the Council’s progress in addressing the outstanding Internal Audit recommendations and risks, and

•           Supports the inclusion of the elements noted in paragraph 14 of the report as part of future reporting to the Committee under the new 4action actions tracking system.

NO ADDITIONAL ACTION WAS PROPOSED

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating an updated Internal Audit Charter was presented for the Committee’s consideration and approval.

The Head of Audit and Risk reported that although the Audit Charter is not due for full formal review until April, 2020, a review conducted to ensure its continued appropriateness has identified the two following minor changes –

•           The amendment of all references to the Head of Function (Resources)/Section 151 Officer within the document to reflect the re-designation of the post as Director of Function (Resources)/Section 151 Officer.

•           The addition of Paragraph 30 to reflect CIPFA’s Statement on the Head of Internal Audit (2019).

It was resolved to approve the amendments to the Internal Audit Charter.

NO ADDITIONAL ACTION WAS PROPOSED

To present the report of the Head of Audit and Risk.

The Committee’s Forward Work Programme was presented for review and was approved with the following amendments –

•           New item for the Committee’s December 2019 meeting – Introduction of Risk Based Verification (RBV) – Housing Benefits/Council Tax Reduction.

•           Re-scheduling of the Annual ICT Security Report 2018/19 from the Committee’s September to its December, 2019 meeting.

NO ADDITIONAL ACTION WAS PROPOSED

To consider adopting the following:-

“Under Section 100(A)(4) of the Local Government Act 1972, to exclude the press and public from the meeting during the discussion on the following item on the grounds that it may involve the disclosure of exempt information as defined in Schedule 12A of the said Act and in the attached Public Interest Test”.

It was resolved Under Section 100 (A)(4) of the Local Government Act 1972 to exclude the press and public from the meeting during the discussion on the following item on the grounds that it involved the disclosure of exempt information as defined in Schedule 12A of the said Act and in the Public Interest Test presented.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the revised Corporate Risk Register was presented for the Committee’s consideration.

The Head of Audit and Risk reported that in May, 2019 the Senior Leadership Team (SLT) reviewed the corporate risk register and considered that a number of risks were no longer relevant and that some risks could be amalgamated being mindful also of the recommendations made during the recent Zurich Municipal Risk Management Health Check about the Corporate Risk Register being overpopulated with risks. The outcome of the SLT’s review resulted in the net closure of 19 risks – these comprised of risks where significant progress has been made to mitigate the risk, risks of a similar nature which have been merged, and risks that are no longer considered a risk because circumstances have changed. Details of the individual risks thereby affected are provided in the report. The SLT has identified the top (red) residual risks to the Council as YM28, YM40 and YM41. Additionally, the SLT has also agreed that rather than reviewing the entire corporate risk register quarterly, it will review a small number of risks every month.

The Committee considered the information presented and raised the following matters –

•           The Committee queried how the SLT would determine which risks it would be reviewing each month.

The Head of Audit and Risk clarified that risks have been prioritised according to their inherent and residual risk rating with priority being given to Red Inherent/Red Residual risks followed by Red Inherent /Amber Residual risks; Red Inherent/Yellow Residual risks and Red Inherent/Green residual risks. Whilst mitigating actions are key to reducing residual risk it is considered that Red inherent risks need to be monitored on a regular basis.

•           The Committee queried whether the Council is happy to tolerate 3 major risks that remain Red as residual.

The Head of Audit and Risk clarified that there are times when a risk will remain red and that it is not unusual for a risk register to contain red inherent and red residual risks. This reflects the Council’s risk appetite as set out in the risk matrix but does not mean that the risks are not being managed.

•           The Committee discussed the use of the term “catastrophic” to describe the highest  level of impact were a risk to materialise and whether it overstated the potential effects; the Committee queried whether it would be sensible to focus on identifying measures to reduce any residual risks to below the catastrophic level. 

The Head of Audit and Risk explained that the use of the term catastrophic is not uncommon; she clarified that with all risks, the SLT has determined that the amount of resources that it is willing/able to put in to manage risks is at the level reflected in the risk matrix which is the level it is willing to tolerate.

•           The Committee queried at what point did the Council intend to introduce measures to mitigate Brexit.

The Committee was informed  ...  view the full minutes text for item 14.