Agenda and minutes

Members are asked to declare any interests in the items under consideration and in

doing so state:

(1) the type of interest concerned; and

(2) the nature of the interest concerned

If any member requires advice on declarations of interests, they are advised to contact the Head of Democratic Governance in advance of the meeting.

There were no declarations of interest on this occasion.

To agree the minutes of the last meeting of the Audit held on 18 January 2018 as a true and correct record.

The Committee agreed that the minutes of the last meeting held on 18 January 2018 be signed by the Chairman as a true and correct record.

To provide an update on cyber threats and actions taken to reduce cyber risks.

Mr Tony Doyle, Head of ICT Services provided an update on cyber threats and the actions taken to reduce cyber risk. He reported that the number and sophistication of cyber security risks had continued to increase over the previous 12 months and highlighted a number of key vulnerabilities and recent incidents.

It was reported that the largest threat was from sophisticated email attacks and that due to continued investment the number of SPAM emails received by the Council had significantly reduced, when globally the number had increased.

The Committee discussed the training provided to Elected Members and employees on Cyber Skills and noted that two sessions had been held with Members to date. It was noted that the training had not been identified as essential for Members, however the Committee considered that it should be due to the scale and consequences of breaches. The training would be rolled out to all employees from April 2018 as part of a mandatory Ipool module. In response to questions, Mr Doyle advised that it was a challenge to balance dealing with operational issues with developing training and ensuring policies were updated accordingly. He added that it would take up to six months for all employees to have completed the training module.

Members queried two operational processes which they believed to be insufficiently robust. Mr Doyle agreed that the processes could be improved and that action would be taken to strengthen security in these areas.

The Committee discussed data storage and the location and resilience of datacentres used by the Council.

Members noted the threat posed by cyber risk and queried if enough resource was being committed to mitigate the risk and were advised that a critical partnership with The Networking People (TNP) had recently been renewed which provided the Council with access to expertise. Cyber Security Risks were fast moving and some of the biggest companies in the world had been unable to prevent security breaches.

The Committee went on to discuss screening of new employees prior to their appointment to ICT Services. Mr Doyle advised that a base security check had been carried out on successful candidates prior to appointment for the previous six years. He added that he was open to suggestions for how to increase the level of checks and Members suggested considering use of reference checking companies.

The Committee agreed to recommend to the Member Training Panel that Cyber Skills training be essential for Elected Members due to the scale and consequences of breaches.

To consider the External Auditor’s report on the certification of grants and returns 2016/2017.

Mr Iain Leviston, Manager, KPMG presented the External Auditor’s report on the certification and returns for 2016/2017. He highlighted the work completed under the Public Sector Audit Appointment certification arrangements on the Housing Benefit Subsidy Claim and it was noted that the result had been a qualified outcome. He assured the Committee that it was not unusual to receive a qualified outcome and that the concerns identified in the previous years had been rectified. However, new concerns had been raised regarding two cases that had used an incorrect effective date.

Mr Leviston added that the outcomes of the work on Pooling of Housing Capital Receipts and Teacher’s Pensions had returned unqualified outcomes.

In response to a question, Mr Leviston advised that the training put in place to remedy previous concerns identified had not been tested, however, the same errors had not been repeated. He added that he did not have details of system processes, but could provide additional information following the meeting.

The Committee agreed to note the report.

To present the updated Internal Audit Charter for approval.

Mrs Greenhalgh, Head of Audit and Risk sought approval for the Internal Audit Charter 2018/2019. She advised that the Charter defined internal audit’s mission, purpose, authority and responsibility and position within the Council.

The Committee agreed to approve the Internal Audit Charter 2018/2019.

To obtain approval for the Internal Audit Plan 2018/2019.

The Committee was asked to consider approving the Internal Audit Plan 2018/2019. The Plan was presented by Mrs Tracy Greenhalgh, Head of Audit and Risk who explained the core areas for review.

In response to questions, Mrs Greenhalgh advised that the demand for audit work regularly exceeded the resource, however, robust risk assessments were undertaken to ensure the correct areas of work were carried out. The Committee noted the additional working being undertaken by Internal Audit with the wholly owned companies of the Council.

Mrs Greenhalgh added that she was confident the service could achieve delivery of the plan and she would report any concerns to the Committee as appropriate.

The Committee agreed to approve the Internal Audit Charter 2018/2019.

To obtain approval for the Fraud Prevention Charter 2018/2019.

The Committee considered the Fraud Prevention Charter and noted that it set out the Council’s Anti-Fraud and Corruption Statement which outlined the Council’s zero tolerance approach when dealing with fraud, corruption and bribery.

In response to a series of questions, Mrs Greenhalgh advised that consideration was being given to increasing the visibility of the officer register of interests, and gifts and hospitality received. She also reported that a joint procurement exercise had been undertaken with Lancashire County Council in order to ensure relevant computer audit expertise was available should it be required.

The Committee agreed to approve the Fraud Prevention Charter 2018/2019.

To provide to the Audit Committee a summary of the work completed by Risk Services in quarter three of the 2017/2018 financial year.

Mrs Tracy Greenhalgh, Head of Audit and Risk provided a summary of the work completed by Risk Services in quarter three of the 2017/2018 financial year to the Committee. She highlighted that a large amount of work was ongoing to reduce the number of Children’s Services Business Continuity Plans from over 15 to four or five. As a result the percentage of business continuity plans in place had reduced but was expected to recover in quarter four.

The Committee noted that the target for identified employees completing fraud awareness training was 100%. The current completion rate was 63% and Mrs Greenhalgh advised that reminders would continue to be sent in order to achieve the target. She added that if the target had not been achieved by the end of March 2018 further marketing could be undertaken.

Members discussed the number of Reportable Accidents for Employees and noted that every report of an accident was fully investigated. In response to a question, Mrs Greenhalgh advised that all factors were considered including footwear and that operational staff were required to wear Personal Protective Equipment as appropriate.

It was noted that the Health and Safety Ipool training had only been undertaken by a small number of Audit Committee Members and issues with accessing the software were reported. Ipool modules were only accessible on personal computers. It was agreed that the information would be sent again to Members of the Committee. It was also noted that completion of training by employees in Adult Services and Children’s Services had been low in relation to fraud awareness training and Mrs Greenhalgh agreed to raise the concerns with the Directors of both services.

The Committee considered the summary of internal audit reports carried out in the quarter in detail and noted the ongoing work around the Growth and Prosperity Team and the outcomes of the Public Health Audit which noted that more emphasis must be placed on recording the outcomes of funding.

Members raised concerns that there were more inadequate assessments within the report than in previous quarters. In response, Mrs Greenhalgh advised that timing was a factor. The Council had taken more risks, however, the risks were known and were being managed. The Rideability Service was specifically referred to and it was noted that the financial system had not been fully put in place at the time of the audit. The Committee would be updated on the progress towards meeting targets within Rideability and it was noted that Members may wish to speak to the Service Manager if suitable progress was not made.

Members also raised concerns regarding the priority two and three recommendations that were the responsibility of managers to implement. The Audit Committee focussed on monitoring the implementation of the priority one recommendations.  Priority two and three recommendation implementation were often considered when future planned audit work was undertaken.

To present the Council’s revised Strategic Risk Register and propose a new way of reporting to the committee.

Mrs Tracy Greenhalgh, Head of Audit and Risk presented the updated Strategic Risk Register 2018/2019 to the Committee for approval. She advised that the register was reviewed annually to ensure it was relevant. In order to further strengthen reporting, in addition to the Risk Register a report would also be submitted to the Committee to reflect the additional work undertaken to mitigate risks. The level of detail that could be contained within the Risk Register was limited and the supplementary report would provide additional assurance to the Committee.

In response to a question, Mrs Greenhalgh advised that it would not be possible to include reference to the previous year in the Risk Register, however, it could be included in the supplementary report to be provided.

The training programme for Audit Committee Members was also discussed and it was noted that training would be provided on interpreting the revised Strategic Risk Register.

The Committee agreed to approve the Strategic Risk Register 2018/2019.

To note the date and time of the next meeting of the Committee as 3 May 2018, commencing at 6pm in Committee Room A, Blackpool Town Hall.

The date and time of the next meeting of the Committee was noted as 3 May 2018, commencing at 6pm in Committee Room A, Blackpool Town Hall.