Agenda and minutes

In the absence of the Deputy Chair, Councillor Euryn Morris, Mrs Sharon Warnes was elected to serve as Deputy Chair for this meeting of the Committee.

On behalf of the Committee’s members, the Chair extended his best wishes to Councillor Trefor Lloyd Hughes, MBE who was unable to attend due to illness.

The Chair announced that with the agreement of the Committee, he would be varying the order of business on the agenda to bring forward items 3 and 9 to allow Audit Wales’s Officers to attend to other commitments. The Committee agreed to the change in the order of business.

To receive any declaration of interest by any Member or Officer in respect of any item of business.

No declaration of interest was received.

To present the minutes of the previous meeting of the Governance and Audit Committee held on 21 September 2023.

The minutes of the previous meeting of the Governance and Audit Committee held on 21 September 2023 were presented and were confirmed as correct.

Arising thereon –

In response to queries raised by the Committee regarding the progress of actions specified in the minutes in relation to a review of the Customer Services training for public facing staff to be conducted by the Leadership Team as per item (3) and the development of a training needs assessment and rollout of suitable training in response to issues raised by the Public Service Ombudsman for Wales as per item (4), the Director of Function (Resources)/ Section 151 Officer advised that he would follow up on the Committee’s queries and report back on the position with regard to progressing those two items.

Additional Action - Director of Function (Resources)/ Section 151 Officer to follow up on the progress of the actions as specified.

To present the report of the Director of Education, Skills and Young People.

The report of the Schools Data Protection Officer incorporating an analysis of the key information governance issues and priorities in relation to Anglesey’s schools for the period February 2023 to November 2023 was presented for the Committee’s consideration.

The report was introduced by the Director of Education, Skills and Young People as providing the Schools Data Protection Officer’s statement along with an overview of Anglesey primary, secondary and special schools’ compliance with legal requirements in handling information including with the UK’s General Data Protection Regulations (UK GDPR), Data Protection Act 2018 and relevant codes of practice. Also included within the report were details of actions taken since the last report in January 2023 and achievements under the Schools Data Protection Development Strategy 2022/23 as well as actions identified for the Schools Data Protection Strategy 2023/24 and progress to date.

The Schools Data Protection Officer confirmed the progress made by schools since the previous report to the Committee with schools having formally adopted the majority of policies and begun the process of monitoring and evidencing their compliance with all data protection policies. More schools have received data protection training during the period both individually and by catchment area which has helped schools improve their practices. More school governors have also received training or have received a data protection presentation by the Schools Data Protection Officer with 25 governing bodies having received such a presentation which highlights the main requirements and expectations on schools as regards data protection obligations.  Significant progress has been made in ensuring that appropriate Data Protection Agreements are in place with regard to the systems, programmes and apps used by schools. Most schools now have suitable and up to date Privacy Notices which have been shared with parents or in the case of general and children and young people’s versions, have been posted on the school’s website. The Schools Data Protection Officer continues to undertake audit visits to individual schools to review data protection compliance and arrangements with 44 of the 45 schools having been visited in the period between March and October 2023. The 45^th school has scheduled a visit for next month.

It is the Schools Data Protection Officer’s view that schools continue to show that they understand their responsibilities and implications as the data controller and the legal expectations that come as a result. Schools also continue to demonstrate that they have a better understanding of the data protection obligations and have been giving more priority to ensuring that actions are taken to comply with requirements under data protection legislation. Further specific pieces of work need to be completed to ensure that all schools are on the same level of compliance and are closer to be fully compliant and can evidence this. As such, the Schools Data Protection Officer is able to provide reasonable assurance with regard to schools’ compliance with data protection requirements.

.

In considering the report the Committee noted the following –

·         That most but not all schools have adopted the  ...  view the full minutes text for item 3.

To present the following –

·      The report of the Director of Function (Resources)/Section 151 Officer – Statement of the Accounts 2022/23.

·      The report of the Head of Profession (HR) and Transformation – Annual Governance Statement 2022/23

·      The report of External Audit on the audit of the 2022/23 financial statements (ISA 260 report)

·         The report of the Director of Function (Resources)/Section 151 Officer incorporating the Final Statement of the Accounts for 2022/23 following audit was presented for the Committee’s consideration.

The Director of Function (Resources)/Section 151 Officer reported that the statutory deadline for the completion of the audited accounts for the 2022/23 financial year was extended to 31 December, 2023 for all Welsh councils. The Isle of Anglesey County Council’s draft Statement of Accounts 2022/23 was presented to the Council’s external auditors, Audit Wales for audit on 30 June. The detailed audit work has now been substantially completed subject to a final review of the post audit amendments made to the accounts. The financial position of the Council is not expected to change further but should any significant issues arise from the review, then Audit Wales will provide a verbal update to the Full Council and retrospectively to this Committee at a future date.

Audit Wales conducted a thorough review, testing and audit of the financial transactions in relation to 2022/23 and the draft Statement of Accounts. The audit testing identified some changes needed and some errors which the Audit team recommended were amended to ensure that the accounts are materially correct. These are documented in Appendix 3 of Audit Wales’s ISA 260 report as a separate item on the agenda. Aside from those, it is the Auditors’ conclusion that the accounts have been prepared in accordance with legislative requirements and the CIPFA Code of Practice on Local Authority Accounting 2022/23; that they give a true and fair view of the financial position of the Isle of Anglesey County Council as at 31 March 2023 and of its income and expenditure for the year then ended and that it is the Auditors’ intention to issue an unqualified opinion on the 2022/23 accounts.  Some of the changes to the accounts include the following -

·           A reduction of £72k in the amount of the value held in creditors for the value of cash the Council holds on behalf of the Isle of Anglesey Welsh Church Act Fund which has impacted on the Council’s revenue outturn for 2022/23 in increasing the underspend for the year from £1.212m to £1.284m.

·           An amendment to Note 5 in the accounts in relation to events after the reporting period to include information about the two schools affected by RAAC which emerged at the start of the 2023/24 academic year.

·           The treatment in the accounts of the net asset position of the Local Government Pension Scheme. The local government pension scheme remeasurement resulted in a net pension asset rather than a significant net liability as has been the case in previous years as a result of the impact of increased interest rates on the discount factor used by the actuary. This was correctly reported on the balance sheet as nil in line with accounting rules and resulted in a write off of the net pension asset of £19.814m which was included in the other comprehensive income and expenditure line on the  ...  view the full minutes text for item 4.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the Counter Fraud, Bribery and Corruption Annual Report for 2022/23 was presented for the Committee’s consideration. The report set out the activity carried out by Internal Audit during 2022/23 to minimise the risk of fraud, bribery, and corruption within and against the Council, highlighting some of the current and emerging areas of fraud risk and providing a conclusion on the effectiveness of the Council’s arrangements to minimise the risk of fraud.

The Head of Audit and Risk provided an overview of the report highlighting that at a time of increasing financial pressures, it is more important than ever for all public bodies in Wales to seek to minimise the risk of losses through fraud and support financial sustainability. She referred to the Council’s counter fraud arrangements which were assessed against the five principles contained in CIPFA’s Code of Practice on Managing the Risk of Fraud and Corruption, namely, acknowledging responsibility for countering fraud and corruption; identifying fraud and corruption risks; having in place a counter fraud and corruption strategy; providing resources to implement the strategy and taking action in response to fraud and corruption. The report noted that during 2022/23 28 days of the Internal Audit team’s work was involved in counter fraud activities including 8 days undertaking work for the National Fraud Initiative and 20 days involved with proactive fraud work, general fraud queries and investigations. The report also cited instances of fraud attempted against the Council during 2022/23, how those were dealt with and the actions taken to prevent reoccurrence in future.

The Head of Audit and Risk concluded that good progress is being made with delivering the Counter Fraud, Bribery and Corruption Strategy 2022-25. The continued delivery of the Action Plan (attached as Appendix 1 to the report) will ensure the Council is successful in fighting fraud. A key next step is the development of a Council wide fraud risk assessment which will help improve the Council’s ability to identify potential instances of fraud as well as any weaknesses in its counter-fraud arrangements or areas at higher risk of fraud. This will allow the Council to better target its limited resources and activities appropriately, especially if and when new fraud risks emerge.

In the ensuing discussion the following matters were raised –

·      In accepting the importance of raising awareness of fraud and of having policies to that effect, the Committee wanted to know what controls are in place to prevent fraud occurring in the first place on a day-to-day basis e.g. mandate fraud whereby an attempt is made to change an individual or company’s bank details.

·      The avoidance of the second homes premium payment whereby the second home is cited as the main residence.

·      The occurrence of fraud in relation to Disabled Facilities Grants and how it is perpetrated with regard to the grant.

The Committee was advised that every Internal Audit review examines the controls in place for the area reviewed and makes recommendations for improvement  ...  view the full minutes text for item 5.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk setting out the Council’s current outcomes in respect of the National Fraud Initiative (NFI) 2022/23 exercise was presented for the Committee’s consideration.

The Head of Audit and Risk provided an overview of the NFI exercise process and purpose which is a data matching exercise conducted every two years by the Cabinet Office that aims to detect and prevent fraud and error. The Council along with other local authorities and public sector bodies is mandated to participate. Participants submit data to a secure NFI website at the end of the designated calendar year after which the NFI system matches data in and between public sector bodies to identify anomalies. Potential anomalies called matches are reported to participants to review, investigate, and record outcomes which are then collected and reported on nationally by the Auditor General. Data matches do not in themselves indicate fraud or error but rather identify cases which may require further analysis. For the 2020/21 NFI exercise seven service areas generated almost 97% of the £6.5m of fraud and error identified for Wales with Council Tax discounts (£2.6m) and Blue Badges (£1.4m) being the foremost of those. As part of the 2022/23 NFI exercise, the Council submitted data in relation to Housing, Taxi driver licences, Payroll, Creditors payment history and standing data, Council Tax Reduction Scheme and Council Tax and the Electoral Register. Additionally, the DWP submitted benefit recipient details and the Blue Badge Digital Service submitted Blue Badge Holder details.

Between January and March 2023 the Council received a total of 66 separate reports which contained a total of 2,638 individual matches. To date 8 days have been invested providing the data to the Cabinet Office, analysing, and evaluating matches and working with services to investigate the matches and improve their processes. The report sets out the reports which Internal Audit has analysed and/or co-ordinated the evaluation of which and the service areas to which they relate. The outcomes of that work are detailed in Appendix 1 including the monetary savings made as with duplicate creditor payments (£13,343.21) or estimated as with Housing Waiting List fraud (£4,283) and Blue Badges not cancelled (£194,350). With regard to the latter, following discussions with the senior officer responsible for Blue Badge administration all the 299 NFI matches for this category were identified as examples of a lack of communication between services with Blue Badges not having been closed on the system because the team had not been informed of the permit holder’s death. It was noted in this regard that a further complication is that deaths are registered in the county in which they occur meaning that deaths in Ysbyty Gwynedd including those of Anglesey residents are registered in Gwynedd County. However, that information is not necessarily passed onto the Council in Anglesey through the Gwynedd Tell Us Once process or otherwise with the result that Blue Badges then remain open on the system after the permit holder has passed away.

Due  ...  view the full minutes text for item 6.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk providing an update as at 30 November, 2023 on the audits completed since the previous update as at 13 September 2023 was presented for the Committee’s consideration. The report also set out the current workload of Internal Audit and its priorities for the short to medium term going forward. Members of the Committee were provided under separate cover with copies of the three internal audit reports finalised since the last update in relation to the Administration of Teachers’ Pension (First Follow-Up) (Reasonable Assurance); Organisational Resilience (Strategic Risk YM7) (Reasonable Assurance) and the Local Government Pension Scheme (Reasonable Assurance). Two other pieces of work were completed in the period involving an investigation of a contract overpayment and an investigation of internal fraud for which an assurance opinion was not applicable.

The Head of Audit and Risk provided an overview of the reviews completed and their conclusions including the risks/issues identified and actions recommended. She referred to the pieces of work in progress as per paragraph 24 of the report and confirmed with regard to outstanding actions that as at 30 November, two moderate-rated issues/risks were overdue with both being in the Resources service. The Internal Audit service is currently carrying two vacant posts as a result of the departure of a Senior Auditor to a post within Resources and the continuance of a long-term secondment. Nevertheless, good progress has been made with implementing the Annual Internal Audit Strategy for 2023/24 and the Counter Fraud, Bribery and Corruption Strategy 2022-25. Work is also in progress with Zurich Risk Engineering UK to undertake an independent assessment of the Council’s Risk Management Framework which is expected to report in February 2024. Internal Audit is also currently working with the Council’s Training and Development Team to provide counter fraud awareness training across the Council.

In responding to questions raised by the Committee, the Head of Audit and Risk –

·      Confirmed that the service continues to utilise budget savings from vacant posts to commission additional external support.

·      Explained that the Committee is updated twice a year on performance in addressing audit actions including outstanding/overdue actions.

·      Clarified that the piece of work in progress in relation to a complaint about waste removal (Housing Services) is about examining the procurement process in terms of value for money and contract award procedures and that the review of the Visitor Economy and Coastal Areas Income Processes also in progress is about looking at those processes from the perspective of efficiency and security.

It was resolved to note Internal Audit’s assurance provision and priorities going forward.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk setting out the amendments to the Strategic Risk Register since it was last presented to the Committee in February 2023 was presented for the Committee’s consideration.

The Risk and Insurance Manager reported that with the new Council Plan 2023-28 in place, the Leadership Team undertook a review of the strategic risk register as a whole in July 2023 to ensure that the register provided an accurate reflection of the risk to the Council’s strategic objectives. In the same period the system holding the risk registers (4risk) was upgraded and the method by which risks are scored has also been changed to reflect a numeric value only with the highest risk now being 25 rather than A1. There have been some initial challenges with the upgrade process with the result that the register as presented does not have the same level of assurance detail as previously although work to resolve the issues with the software provider is ongoing. The Risk and Insurance Manager referred to the changes to the strategic risks as follows –

·      The redefinition of risks YM1, YM5, YM7, YM8, YM3 and YM14 as per the table at paragraph 8 of the report and the reasons for the change.

·      The closure of risk YM4 in relation to the impact of a cyber-attack on the provision of frontline and support services and its incorporation within risk YM3 in relation to IT failure and the disruption that would cause to service delivery.

·      The addition of two new risks to the register namely YM15 in relation to core collaborative working and partnership arrangements and YM16 in relation to a lack of resources to update business processes affecting the Council’s ability to modernise.

·      The uprating at both an inherent and residual level of risk YM1 – the risk that a real term reduction in Council funding will lead to a reduction in statutory services - from 4 (Likely) to 5 (Almost Certain) because of the economic situation and the financial challenges facing the public sector.

The Committee considered the report and the following matters were discussed –

·      Encouraging services to move systems to the Cloud to strengthen resiliency and eliminate the need for a second data centre as a mitigating action in respect of risk YM3 (The risk that IT failure significantly disrupts service delivery). The Committee questioned whether there might be risks in being over reliant on the Cloud and whether there were disadvantages associated with Cloud provision in terms of cost, security, and access to data. The Committee suggested that a review of Cloud services might be beneficial in providing assurance about Cloud operations.

The Committee was advised that the Council’s IT auditors could be asked to undertake a review of Cloud services.

·      The separation of the roles of the Governance and Audit Committee and Scrutiny in relation to risk management and the detailed evaluation of risks.

The Committee was advised that this Committee’s responsibility is to be assured that management has  ...  view the full minutes text for item 8.

To present the report of Audit Wales.

The report of Audit Wales on its Work Programme and Timetable as of 30 September, 2023 was presented for the Committee’s information. The report provided an update on the progress and status of Audit Wales’s financial and performance audit work comprising of both planned and published studies and included the work of Estyn and Care Inspectorate Wales.

Yvonne Thomas, Audit Wales Financial Audit Manager confirmed with regard to the financial audit work that the audit of the accounts has been largely completed as previously reported and the certification of grant returns in relation to Teachers’ Pension contributions for the 2022/23 financial year is nearing completion as is the certification of the grant return for non-Domestic rates 2022/23 with the aim being that both returns are certified this month.

Mr Alan Hughes, Performance Audit Lead reported on the progress of the Performance Audit programme and confirmed that the Assurance and Risk Assessment review is scheduled to be completed in January 2024 with the review of the Use of Performance Information having now been completed and scheduled to report in the new Year. The fieldwork for the Setting of Well-being Objectives has been completed with the draft report to be issued in the New Year, likewise the Thematic review of Unscheduled Care. Also reporting in the New Year is the Thematic review of the Council’s strategic approach to Digital. The 2022/23 Performance Audit Programme is therefore on track to being completed.

In considering the report the Committee raised the following questions –

·      Whether the Capital Programme Management review will include commentary on how capital projects are managed and run.

The Committee was advised that the review is currently at the scoping stage but that any specific themes which the Committee/individual members might wish the review to look at could be communicated to him and taken back to the centre.

·      The intended outcomes of the review of the Council’s strategic approach to Digital.

The Committee was advised that the review is looking at the extent to which the Council’s strategic approach to digital has been developed in accordance with the sustainable development principle and the five ways of working required to achieve the well-being goals set out by the Well-being of Future Generations Act. As a thematic review, a short local report as well as a national outcomes report will be produced.

It was resolved to note Audit Wales’s Quarter 2 2023/24 Update on its Work Programme and Timetable.

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the Committee’s Forward Work Programme and Training Programme for 2023/24 was presented for the Committee’s consideration.

The Head of Audit and Risk guided the members through the changes in the Work Programme and those were noted by the Committee. She confirmed that the Work Programme is aligned with the Committee’s core functions as those are set out in its Terms of reference and she clarified that nothing was scheduled against the Performance Panel Assessment section as that assessment is only required to take place once in an electoral cycle and the assessment report then considered by this Committee.

The possibility of introducing individual self - assessment for members of the Committee by way of one-to-one conversations with the Chair was raised as means of identifying what support individual members might require and wish for in developing their skills and expertise.

The Head of Audit and Risk advised that members of the Committee have already completed a training needs assessment questionnaire on which the Committee’s training programme (included in the report) is based. She suggested, and it was agreed that the questionnaire be re-circulated so that members can provide an update on what they see as their ongoing training needs.

The Chair said that he would consider the proposal regarding having a one-to-one conversation with individual members and the practicability of implementing it.

In response to further questions about the Committee’s self-assessment undertaken with the support of CIPFA, the Head of Audit and Risk provided an update on progress to date and expected reporting arrangements and timetable.

It was resolved - 

·      To accept the Forward Work Programme 2023/24 as meeting the Committee’s responsibilities in accordance with its terms of reference and

·      To note the changes to the dates on which reports will be submitted.

Additional Action – Head of Audit and Risk to re-circulate the Committee’s Training Needs Assessment Questionnaire.