Agenda and minutes

Members are asked to declare any interests in the items under consideration and in doing so state:

(1) the type of interest concerned either a

(a)   personal interest

(b)   prejudicial interest

(c)    disclosable pecuniary interest (DPI)

and

(2) the nature of the interest concerned

If any member requires advice on declarations of interests, they are advised to contact the Head of Democratic Governance in advance of the meeting.

There were no declarations of interest on this occasion.

To agree the minutes of the last meeting of the Audit Committee held on 2 March 2023 as a true and correct record.

Resolved: That the minutes of the meeting held on 2 March 2023 be signed by the Chair as a true and correct record.

To consider a progress report on individual risks identified in the Council’s Strategic Risk Register.

The Committee considered a deep dive into the Strategic Risk “Technology” which included the sub-risks (a) ‘Cyber Threats’, (b) ‘Non-compliance with data protection legislation’ and (c) ‘Inability to undertake business critical activity due to software failures’.

(a)    Cyber Threats

(c)    Inability to undertake business critical activity due to software failures

Mr Tony Doyle, Head of ICT Services, presented an update in relation to sub-risk a and c. He informed members that cyber threats represented the most substantial element of the risk and that even large organisations could not be completely immune from cyber-attacks. Work at the Council therefore focussed on how to reduce the threat posed. As part of this the Council was conducting a pilot programme called “Phish It” which would use new software to identify phishing emails. This pilot would be undertaken with the IT team during July 2023, following which it was planned that the software would be implemented across the Council from September 2023.

It was also reported that the Council had undertaken discussions with Lancaster University regarding the undertaking a ransomware test attack. It was hoped that such a test would allow the Council to assess its response and inform future cyber security planning.

Mr Doyle also reported that the Council had a new cyber security insurer who had outlined the additional help they could provide to the Council to protect against cyber threats. This included regular scanning of the Council’s systems to identify potential weaknesses.

Increased software system resilience was also reported, with HR and payroll being moved to cloud based systems. Mr Doyle added that the contracts with the suppliers of cloud hosting had been written to ensure that the Council maintained control regarding access and authentication.

The Committee discussed safeguards for business critical systems with Mr Doyle explaining that all the Council’s services were encouraged to consider how they would operate without IT systems, including paper based working. It was recognised that in some areas this presented a significant challenge and therefore IT regularly reviewed the safeguards in place. In the event of a significant cyber attack Mr Doyle reported that the Council had two data storage sites, with backed-up power supplies to ensure their operation in the event of attacks on the power system. The Council conducted daily back-ups of its data to the storage sites and IT services regularly conducted exercises on data recovery.

(b)   Non-compliance with data protection legislation

Mr Mark Towers, Director of Governance and Partnerships, presented an update in relation to the sub-risk. He reported that the primary mitigation was undertaken by the Council’s Data Protection Officer (DPO) and their team. This team work to ensure data protection legislation was complied with both at the Council and its wholly-owned companies. In addition to the DPO was responsible for undertaking audits across the Council into data protection compliance in areas where breeches had bene identified. The DPO also regularly reported on data protection issues into meetings of the Corporate Leadership Team to ensure awareness at the highest levels  ...  view the full minutes text for item 3.

To provide the Audit Committee with a summary of the work completed by Risk Services in quarter four of the 2022/23 financial year.

Ms Tracy Greenhalgh, Head of Audit and Risk, presented the Risk Services Quarter Four 2022/23 report. The report outlined that performance had been good during quarter four, with some areas exceeding expectation.

An update was provided regarding outstanding Priority One recommendations it was reported that, in relation to the Driving at Work audit the recommendations were being worked on urgently and it was foreseen that these would be resolved through improvements to the staff driving app. The Committee noted that the recommendations in this audit had been made due to incorrect usage of the driving at work app and Ms Greenhalgh confirmed that an update on progress against the recommendations would be brought to a future meeting for members to consider the outcome of the audit in more detail.

The Committee also discussed the audit of the Payment Sense Card Payment System. Ms Greenhalgh explained that normally financial systems would be audited together, however this system had been reviewed separately due to concerns raised by the Director of Resources due to the system being newly introduced.

It had been noted that following the audit of Leisure Services the recommendations from a report by Lancashire Constabulary remained under consideration, the Committee queried why this had been the case. Ms Greenhalgh explained that the recommendations from the police would be considered but that their were issues surrounding costs and resourcing that would need to be resolved to implement all of them.

The monitoring of the implementation of priority one recommendations was discussed by the Committee. Members noted that in a number of cases the timescales for the implementation of recommendations had been extended and expressed concern that this could lead to drift in services responses. Ms Greenhalgh explained that all extensions of timescales had been agreed between audit and service managers. Further to this all progress on priority one recommendations was reported to the Corporate Leadership Team to ensure that drift did not occur and all recommendations were implemented in a timely manner.

The 9.3% of cases of fraud identified following the Single Person Discount matching exercise against the Electoral Register the Committee noted that this had set a benchmark for the future levels to be measured against. Ms Greenhalgh added that in the first instance the fraud had been treated as error, but that action would be taken it future cases were identified.

Resolved: That the Risk Service Quarter Four report be noted.

This report sets out the individual and collective outcomes of the audit reviews undertaken in the year ended 31st March 2023. It also provides an audit opinion on the control environment based on this audit work.

Ms Tracy Greenhalgh, Head of Audit and Risk, presented the Annual Audit Opinion which sets out the individual and collective outcomes of the audit reviews undertaken in the year ended 31 March 2023 and provided an audit opinion on the control environment. Overall Ms Greenhalgh reported that the report provided the opinion that the audit environment was adequate.

A programme of planned audit work for 2023-24 was also presented. The report also set out that going forward the greatest area of risk for the Council was financial sustainability and that this remain an area of focus for the Committee in 2023-24.

The Committee discussed Ms Greenhalgh’s work in addition to her responsibilities in relation to audit and what impact these would have upon her role. Ms Greenhalgh explained that all the areas under her role as Head of Audit and Risk were related and that regular one-to-one meetings with the Director of Resources allowed for the identification of any issues.

Resolved:

1.      That the report be noted;

2.      That the timetable for audit follow-up work in 2023-2024 be noted.

The purpose of this report is to provide Audit Committee with the opportunity to review and approve the Annual Governance Statement for 2022/23.

Mr Mark Towers, Director of Governance and Partnerships, presented the draft Annual Governance Statement to the Committee. The statement set out the Council systems of governance and control for 2023-2024. Mr Towers reported that the document had been reviewed for 2023-2024 and updated following feedback from the Audit Team, the Scrutiny Leadership Board and members of the Cabinet. Improvements had included the addition of links within the statement to supporting documents. He added that the statement’s action plan would be brought to the January 2024 meeting of the Committee to show progress and allow members consideration of the work being undertaken.

In relation to the supporting documents contained within the statement, the Committee noted that the Whistleblowing Policy was dated 2017. Mr Towers explained that this had been recognised and would be an area that audit would be asked to review and update during 2023-2024.

Members highlighted that the statement also made no reference to the delays experienced in signing of the accounts since 2020, and asked that details of this be included. Mr Towers agreed that this should be included and stated they would consult with the Director of Resources regarding how to achieve this.

Resolved: That the Annual Governance Statement 2023-2024 be approved, subject to the inclusion of details of the progress to sign off the Statement of Accounts since 2020.

To receive a verbal update on progress to sign-off the annual statement of accounts from the External Auditor, Deloitte.

Ms Nicola Wright, External Auditor, Deloitte, provided a verbal update on the progress to sign off the 2020-2021 and 2021-2022 Statements of Accounts. She reported that it had been planned to bring the 2020-2021 accounts to the meeting but these had been delayed due to capacity issues experienced. However it was now planned that the accounts would be presented to the July 2023 meeting of the Committee for consideration. Following this the 2021-2022 accounts would be brought to the September 2023 meeting of the Committee.

It was also reported that discussions had also begun on the timetable for the preparation of the 2022-2023 accounts. It was noted that although the deadline for signing off the 2022-2023 accounts would be September 2023, nationally experienced issues that had delayed the accounts in previous years meant that a further delay could be expected in 2023.

Resolved: That the update be noted.

A requirement of the Public Sector Internal Audit Standards is that a Quality Assurance and Improvement Programme is implemented for the internal audit team and approved by senior management and the Audit Committee.

Ms Tracy Greenhalgh, Head of Audit and Risk, presented the Internal Audit Quality Assurance and Improvement Programme 2023-2024. The programme provided assurance on the effectiveness of the internal audit function at the Council and identified improvement work that would be undertaken in 2023-2024.

Resolved: That the Internal Audit Quality Assurance and Improvement Programme 2023-2024 be approved.

To set out the modular training programme for the Audit Committee during the 2023/24 Municipal Year.

Ms Tracy Greenhalgh, Head of Audit and Risk, presented the Audit Academy Training Programme 2023-2024. The programme set out the areas that would be covered by the academy in 2023-2024, with Ms Greenhalgh highlighting that the training would seek to give members knowledge of the key documents that would be considered by the Audit Committee.

The Chair welcomed the programme as set out and encouraged members of the Committee to attend as many sessions as possible.

Resolved: That the Audit Academy Training Programme 2023-2024 be approved.

To consider the Committee’s updated Action Tracker.

The Committee gave consideration to the updated Action Tracker and noted the updates provided.

To note the date and time of the next meeting of the Committee as XXXX, commencing at XXX

The date and time of the next meeting was noted as Thursday, 27 July 2023 at 6pm.