Agenda item

Outstanding Internal Audit Risks, Issues and Opportunities

To present the report of the Head of Audit and Risk

Minutes:

The report of the Head of Audit and Risk, which provided an update on the status of the outstanding issues, risks and opportunities that Internal Audit has raised, was presented for the committee’s consideration.

 

The Principal Auditor presented the report and provided an overview of its key points. As of 31 August 2025, seventy-three outstanding actions were being tracked, with ten assessed as “major” (amber) and sixty-three as “moderate” (yellow) risks. A detailed analysis of the current status of the outstanding major related issues, risks and opportunities was provided at Appendix 1 to the report.

 

The following matters were raised by the committee –

 

·      The committee enquired whether a revised timescale had been set for the overdue moderate rated action raised by the audit of Direct Debit Processes.

 

The Director of Function (Resources)/Section 151 Officer explained that most individuals billed for business rates by the Council do not make any payments due to their eligibility under the Small Business Rates Reduction Scheme, resulting in a relatively small number of payees. While the Council offers direct debit payment, applicants must currently complete a form. To support transition to a paperless system, staff will collect payment details over the phone and forward the form for processing. However, bank authorisation and separate plans for each income stream need to be developed. Although the Council Tax direct debit scheme is paperless, the Business Rates scheme remains manual because of the low number of transactions, which has not made it a priority. Additionally, the Payments team is working on other projects to ensure compliance with the Payment Card Industry Data Security Standard (PCIDSS).

 

In response to a follow-up question about extending the timescale for overdue actions and whether a mechanism exists for escalation to prevent “action creep,” the committee was informed that each action has a designated owner and a target completion date. A user dashboard within the 4action system provides a real-time snapshot of progress, enabling effective tracking and reporting. Action completion dates may be extended, but only if the service can demonstrate a legitimate reason, taking into account the associated level of risk. For major rated issues/risks that have not been resolved twelve months after the original completion date, action owners are asked to provide an update to the committee explaining the delay. Greater flexibility is afforded to moderate (Yellow rated) actions, with each case assessed on its own merits and risk evaluated. Amber rated issues/risks are subject to internal audit’s own escalation process.

 

Responding to a question about the status of the two PCIDSS related actions listed in Appendix 1 of the report, both of which had a target completion date of 30 September, the Director of Function (Resources)/Section 151 Officer explained that the Council has recently moved to an automated system for taking payment card details which is PCIDSS compliant, with the exception of Leisure Services and Oriel Ynys Môn. Solutions for telephone card payments taken by these services are being reviewed.

 

·      A member of the committee referred to the three asset management related actions listed in Appendix 1, all of which had a target completion date of 1 October 2025. He requested that the committee be notified by e-mail as to whether this deadline was met.

 

It was resolved to accept the Council’s progress in addressing the outstanding internal audit issues/risks/opportunities as satisfactory.

 

Additional action: Head of Audit and Risk to notify the committee’s members by e-mail whether the three asset management related actions with a due date of 1 October 2025 were completed by this deadline.

 
