Agenda and minutes

Governance and Audit Committee - Monday, 20th June, 2022 2.00 pm

Venue: County Hall, Usk - Remote Attendance. View directions

Contact: Democratic Services 

Media

Items
No. Item

1.

Declarations of Interest

Minutes:

Item 9 – Update on Unfavourable Audit Opinions: County Councillor I. Chandler declared a personal, non-prejudicial interest in respect of the Passenger Transport Vehicle Maintenance audit opinion as he has three children that travel to school on PTU buses.

2.

Public Open Forum

Minutes:

No Members of the Public were in attendance.

3.

To note the Action List from the previous meeting pdf icon PDF 5 KB

Minutes:

It was agreed that a letter of thanks would be sent by the Chair to former Chair of the Committee, Philip White.

 

There were no actions arising from the previous meeting.

4.

Audit Wales Work Programme pdf icon PDF 214 KB

Minutes:

A quarterly update on the Audit Wales Work Programme as at the end of March 2022 was presented by the Audit Wales Officer; the document shared with Committee and Officers is for information.

 

The Audit Wales Officer provided updates on the 2021/22 performance work programme since the report was published:

 

·         Draft report for Springing Forward Review on Workforce and Assets to be issued to Officers shortly.

·         Summary report on assurance and risk assessment work on the Council’s financial position, its preparations to meet the Local Government and Elections (Wales) Act 2021 and its work on carbon reduction plans in the summer; and.

·         A local risk-based project is yet to be determined.

 

Following presentation of the report questions were invited from Committee Members.  No questions were put forward.

 

 

5.

Annual Governance Statement pdf icon PDF 719 KB

Minutes:

The draft Annual Governance Statement was presented by the Chief Internal Auditor. 

Following presentation of the report, Committee Members were invited to ask questions and make comments.

 

A Member referred to para.49 (overall opinion on the adequacy of the internal control environment) and sought clarity on the definition of the overall opinion of “Reasonable”. The Chief Internal Auditor explained that the definition is based on internal audit opinions.  The Governance Statement is based on a wider elements feeding into the overall opinion (this also takes account non-audit issues).  To assist the reader, it was suggested that the explanatory scale needs a note to clarify that para. 49 applies to internal audit opinions.  It was confirmed that clarification will be added.

 

Referring to para. 51 (64% of the Audit Plan achieved), a Member asked if the Council benchmarks assurance against performance of similar authorities.  It was confirmed that the Welsh Chief Auditors Group benchmarks performance indicators for internal audit teams across Wales to provide an annual performance assessment average which ranks authorities within Wales.

 

A Member referred to para. 48 (fraudulent activities during Covid), the level of fraud being investigated and the limited assurance opinion. The Chief Internal Auditor explained that the Covid grant work has stopped.  Any key concerns have been reported to the Police with no feedback to date. 20 internal audit opinions have been identified, of which 2 were categorised as “Limited assurance”.  The opinion in para. 48 is not related to fraud work.

 

A Member referred to policies and procedures to manage risks and suggested that some require review and update and queried if this could be added to the workplan.  It was confirmed that there is a programme of review, but this is dependent on team resources and vacancies and the need to catch up on Audit work from when the Internal Audit Team was redeployed during the pandemic.  

 

Regarding online privacy notices (para. 127), there is a note to say there has been significant work in 2021/22 that requires amendment.

 

The Deputy Chief Executive referred to the Forward Work Plan and updated the Committee that he would bring forward an Anti-Fraud and Bribery risk assessment report. Consideration will also be given to a programme for review of policies and procedures for managing risks.

 

The Chair provided comments for consideration to the Chief Internal Auditor prior to the meeting. Additionally, he referred to the wording of the last sentence of the executive summary that could reflect that some of the governance arrangements are less than effective.  The Chief Internal Auditor will review that section.

 

Committee Members may provide additional comments to the Chief Internal Auditor by the end of June.

 

Summing up, the Chair commented that the statement provides a reasonable reflection of the state of governance and control across the authority. As per the report recommendations, the Governance and Audit Committee contributed to the appropriateness and content of the draft AGS 2021/22 and subsequently endorsed it.

6.

Annual Audit Plan 2022/3 pdf icon PDF 808 KB

Additional documents:

Minutes:

The Audit Wales Financial Audit Manager for Monmouthshire County Council and Performance Audit Lead presented the Annual Audit Plan 2022/23.  It was explained  that absolute assurance is not sought for the financial statements.  Work is carried out to a level of materiality where an error would mislead or change the user’s opinion of the financial position of the authority. 

 

An update was provided that 2021 grant claims certification work is nearing completion and a draft letter of findings will be provided by the end of June. Grant certification of housing benefits, teachers’ pensions and non-domestic rates will follow in the Autumn. It is hoped to complete the financial audit work by September/October.

 

Following presentation of the report, Committee Members were invited to ask questions and make comments.

 

In response to a question, the Assistant Head of Finance confirmed that the asset valuation element is causing concern.  There is a risk that the financial accounts will be presented to Governance and Audit Committee without valuations being completed.  Discussions on this all-Wales issue continue.  It was clarified that other authorities have presented their accounts with valuation of assets to follow separately.

 

A Member asked how the Committee can assess quality. It was explained that there are annual external quality reviews by the Institute of Chartered Accountants of England and Wales (ICAEW) plus internal peer reviews. It was agreed that the Audit Wales Officer will investigate the use of key performance indicators.

 

Regarding the reference to resumption of onsite activities, Audit Wales teams have resumed working together in the office and visits to client sites have commenced when deemed relevant and efficient.

 

A Member asked if asset valuation includes investment assets.  It was explained that investment assets must be valued on an annual basis and are outside of the scope. It was also queried, given the disparity between the book value and real value,  how would it be ensured that an asset disposal valuation is accurate and value for money.  It was clarified that assets for disposal should be revalued to market value.

 

The Committee noted the Annual Audit Plan 2022/23.

7.

Freedom of Information (FOI), Data Protection Act (DPA) Breaches and Data Subject Access Request (DSARs) Report (twice yearly) pdf icon PDF 262 KB

Minutes:

The Head of Information, Security and Technology presented the report.  Following presentation of the report, Committee Members were invited to ask questions and make comments.

 

A Member sought clarification on the 20-day response time for Freedom of Information (FOI) requests querying if 90% is an internal target.  It was confirmed that the 20-day response time is statutory.  It was explained that the Information Commissioner recognises that this is difficult to achieve and the recommended target is 95%. Our performance is 93% and it was added that during the pandemic staff were redeployed and the Information Commissioner’s Office allowed an explanatory notification to be added to initial FOI requests regarding the potential for delay.  The legacy effect of Covid has affected the ability of services to respond.

 

The Member asked how data breaches are classified and if training opportunities are promoted thereafter.  It was explained that breaches are graded according to harm caused and to whom (e.g.numbers many affected, type of information and vulnerability). Comprehensive training is available and there is collaboration with Department Management Teams (DMTs) to promote and prioritise training.

 

In response to further question, it was explained that there is no specific criteria list to guide when to report to the ICO. The Data Protection Information Governance Manager confirmed that FOI breaches can be unclear. The ICO has a self-assessment checklist to assist. Completing the list provides clarification on the need to report.  A briefing session for Member is tomorrow. 

 

A Member was informed there is an Information Retention Schedule. Some retention is governed by law. The authority also works to the Local Government Classification Scheme which details types of documents and time to be retained. The schedule is linked to the online Information Management System. 

 

A Member referred to FOI numbers and topics and was advised that topics are wide-ranging e.g. planning applications, suppliers, children’s services.  They are published on the authority website.  It was queried how lessons are learned from E mail data protection breaches.  It was explained that often, the wrong person/attachment is selected.  Breaches are discussed, graded, and handled accordingly.  Service areas are noted and used to identify training needs.  Regarding mandatory GDPR training, more detail on numbers completing training was requested.  It was explained that every effort is made to ensure all staff are trained.

 

In response to a question about the Culture surrounding data security, it was explained that there is a slow change and an ongoing commitment to train staff to understand of the importance of information to the authority.    

 

As per the report recommendations, the Committee scrutinised the report and requested clarification of the information within it. Members made suggestions on how to improve the layout of the stats or the level of detail in order to make the data more useful and meaningful.

8.

6 monthly update - Progress Report on Unfavourable Audit Opinions pdf icon PDF 171 KB

Minutes:

The Chief Internal Auditor presented the 6-monthly update on Unfavourable Audit Opinions.  Following presentation of the report, questions and comments were invited.

 

A Member asked about procedures in place to manage risks referring to historic music events held at Caldicot Castle, whilst monetising the asset to maximum extent. The Deputy Chief Executive drew a distinction between events organised by the Council and other events where the venue is hired out to external providers who bring in expertise/services from outside. The Limited opinion referred to previous music events organised by the authority. An update was provided that the Council has a different approach to the organisation of events now.  It was queried if the hire rates could be reviewed without detriment to hirers from the local community.

 

A Member asked for an update on Agency Workers and if the new contract had been finalised.  It was responded that a new contract is in place. Audit requires key controls to be in place for the agency worker system to ensure sound financial management, governance arrangements and risk management etc.  The work has been followed up and the resulting opinion will be presented to Governance and Audit Committee in due course.  It was suggested that the service manager would be able to provide more details. The Member will follow this up.

 

County Councillor I. Chandler declared a personal, non-prejudicial interest as he has three children travelling to school on PTU buses. He referred to the Passenger Transport Unit Vehicle Maintenance risk identified as “High” and the revised opinion to follow in 2022/23. The process was queried between identification as a high risk, limited opinion and moving to a revised opinion to follow up in the current year. It was queried if the service manager works with internal audit to remedy the risk.  The Chief Internal Auditor explained that the level of risk is as perceived by the team when the audit plan is undertaken based on the information available.  The service manager would be better placed to address operational risks.

 

The Deputy Chief Executive explained that dialogue with the SLT (Strategic Leadership Team) and DMTs (Directorate Management Teams) has been  strengthened to support progress, improvement and responsiveness to audit reports. It is a priority that Limited audit opinions are acted upon promptly to avoid two successive limited opinions.

 

A Member asked about attendance management and was informed that some weaknesses were identified initially and an action plan put in place.  The majority of improvements were implemented and the opinion was changed to reasonable.  It was confirmed that an improvement has been noted arising from implementation of the improvements.  The Chief Internal Auditor will provide further information at a future meeting.

 

It was requested that the Committee is provided with the two limited opinion reports in full at the next committee meeting

 

In response to a question about the lateness in presenting opinions from Sept 2021, it was explained that timing of meetings and cancellations had caused delays.

 

In line with the report recommendations,  ...  view the full minutes text for item 8.

9.

Internal Audit Draft Operational Plan 2022/3 pdf icon PDF 300 KB

Minutes:

The Chief Internal Auditor introduced the Draft Internal Audit Operational Plan Following presentation of the report, questions and comments were invited:

 

A Member asked for further information on the audit cycle, and asked how often a secondary school expected to be audited.  The Chief Internal Auditor explained that there would normally be just one secondary school and several primary schools on the audit cycle each year and a secondary school should expect to be audited every 5-6 years depending on the risk profile.  Primary schools should expect to be audited every 5 years. Currently staffing resources are limited so these periods are extended to 8 years.  If a particular issue is identified, audits can be brought forward or unannounced visits conducted.  Other areas are audited every 5 years according to an annual risk assessment.

 

It was questioned how the Committee can judge the adequacy of the  Audit Plan.  The Deputy Chief Executive explained that there is a more detailed working document shared with the SLT to facilitate discussion between Chief Officers and the Chief Internal Auditor whereby emerging risks are flagged and capacity determined. Officers will reflect on how best to improve assurance for Committee Members.  Assurance was provided of good coverage across the organisation.

 

It was clarified that Enterprise doesn’t include Landlord Services; the industrial units and leisure park are a component part of Resources.

 

A Member asked how performance is measured mentioning that of the 975 available days, there are 658 audit days.  The Chief Internal Auditor clarified that quarterly reports  are provided to include progress against the plan, work undertaken, audit opinions issued against the plan. There is also performance assessment based on performance indicators such as progress against plan, timeliness of issue of draft and final reports, turnover in team, response to special investigations etc.

 

The value added by Internal Audit was queried in terms of what control and value for money improvements have been made as a result of internal audit recommendations.  The Chief Internal Auditor will report back in due course.

 

In response to a question, it was explained that Torfaen County Borough Council Internal Audit Team is responsible for the audit of SRS Data Centre.  The outcomes are reported annually and included in the Chief Internal Auditor’s Annual Report for third party assurance.  It was queried what other collaboration risks are outside the organisation and how assurance is obtained.  It was explained that the MCC Audit Team audits all the authority’s systems. It is not involved in the audit of other collaborations.  It was agreed that a list of the key collaborations and arrangements for audit would be brought back to a future Governance and Audit Committee meeting.

 

As per the recommendations, the Governance and Audit Committee reviewed, commented on and approved the Draft Internal Audit Plan 2022/23 on the understanding that any material changes would be brought back before Committee for information or approval.

10.

Self Assessment Process pdf icon PDF 631 KB

Minutes:

The Performance Manager presented a report on the Self-Assessment Process.  After presentation of the report, questions and comments were invited.

 

In line with the report recommendations, Members reviewed the self-assessment process to inform their understanding of the arrangements the council has in place.  

11.

GOVERNANCE AND AUDIT COMMITTEE FORWARD PLANNER 2022 pdf icon PDF 164 KB

Minutes:

The forward planner was noted.  The Governance and Audit Committee Annual Report 2021/22 will be added.

 

The Chair requested that reports include reconciliation with the terms of reference

 

It was confirmed that the Draft self-assessment document will be brought to the next meeting. Strategic Risk Assessment will be reported to six monthly. These elements to be confirmed.

12.

To confirm the date of the next meeting as Thursday 14th July 2022 at 2.00pm

13.

To confirm minutes of the previous meetings held on the following dates: pdf icon PDF 175 KB

·         28th February 2022

·         6th June 2022

Additional documents:

Minutes:

The minutes of the previous meeting were confirmed as an accurate record.