Audit Committee – 5 July 2017

 AGENDA

1.       Substitutions (if any).
2.       Declarations of Disclosable Pecuniary Interests and Personal or Personal and Prejudicial Interests (if any).
3.       To take the minutes of the meeting held on 11 April 2017 as a correct record and authorise the chairman to sign.
4.       Audit Committee Terms of Reference Review.
5.       Internal Audit – Annual Report 2016-17.
6.       Sickness Absence. – Report of the Director: Business Development.
7.       Annual Governance Statement 2016-17
8.       Information Governance and IT Security Assurance 2016-17 – Report of the Director: Business Development.
9.       Internal Audit – Audit Plan 2017-18 Update.
10.     Audit Committee Forward Plan 2017-18.
11.     Any other items which the chairman decides are urgent by reasons of special circumstances which must be specified.

Note:  Reports are by the Director: Governance and Partnerships unless otherwise stated.

MINUTES

PRESENT: – Councillor Glover in the chair

Councillors T Foster (Vice-Chair), Clark, Gosling, Kirk, Oldfield and K Vickers.

Also in attendance was a representative of KPMG (the council’s external auditors).

The committeemet at the Civic Centre, Scunthorpe.

472     DECLARATIONS OF DISCLOSABLE PECUNIARY, PERSONAL OR PERSONAL AND PREJUDICIAL INTERESTS – There were no declarations of interests made at the meeting.

473     MINUTES – Resolved – That the minutes of the proceedings of the meeting held on 11 April 2017, having been printed and circulated amongst the members be taken as read and correctly recorded and be signed by the chairman.

474 (1)  AUDIT COMMITTEE TERMS OF REFERENCE REVIEW – The Director: Governance and Partnerships submitted a report that reviewed the committee’s terms of reference.

The report acknowledged that Audit Committees were a key part of governance arrangements and could make a real difference to the way public services were run.  They provided an independent, high-level resource supporting strong public financial management and governance.

The Chartered Institute of Public Finance and Accountancy (CIPFA) publication – Audit Committees, Practical Guidance for Local Authorities and Police (2013 edition) set out guidance on the function and operation of Audit Committees in local authorities.  The committee’s terms of reference reflected this professional guidance and reflected changes such as the introduction of the Public Sector Internal Audit Standards.  As reported in April 2016 the self-assessment carried out by the Audit Service Manager concluded that the Audit Committee operated in line with the guidance.

The terms of reference of the Audit Committee were contained in the council’s constitution.  It was considered good practice for them to be reviewed annually to ensure that they keep up to date with the regulatory changes and the needs of the council. 

Appendix A to the report outlined the proposed terms of reference.  The terms of reference continued to reflect the purpose and activity of the committee and they had been updated to reflect changes to the regulatory environment.

The Director responded to members’ questions on aspects of her report.

RECOMMENDED TO COUNCIL – That the changes to the committees terms of reference, as outlined in Appended A of the report, be approved.

475  (2) INTERNAL AUDIT – ANNUAL REPORT 2016-17 – The Director: Governance and Partnerships submitted a report that provided an opinion on the adequacy and effectiveness of the council’s internal control environment based upon work carried out by Internal Audit in accordance with the approved 2016-17 audit plan.  It also considered the effectiveness of the audit service.  This provided the Audit Committee with an important source of assurance when considering the Annual Governance Statement.

The requirement for Internal Audit was supported by statute in the Accounts and Audit Regulations 2015 and the Local Government Act 1972.  The Accounts and Audit Regulations stated that a “relevant body must undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into public sector internal audit standards for guidance.”

Internal Audit operated in accordance with the Public Sector Internal Audit Standards (PSIAS) which defined the way in which the Internal Audit Service should be established and undertake its functions.  The PSIAS define internal audit as:

“an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.  It helped an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

As set out in the standards there was a requirement under PSIAS 2450 that the Chief Audit Executive must provide an annual report to the Audit and Governance Committee, timed to support the Annual Governance Statement.  This must include:

  • an annual internal audit opinion on the overall adequacy and effectiveness of the organisation’s governance, risk and control framework (i.e. the control environment);
  • a summary of the audit work from which the opinion is derived (including reliance placed on work by other assurance bodies);and
  • a statement on conformance with the PSIAS and the results of the internal audit Quality Assurance and Improvement Programme.

A copy of the Annual Report and Opinion was attached to the report and its main findings are summarised below.  This was the first year the internal audit function has been carried out through shared service arrangements and significant progress had been made in creating a unified approach whilst delivering its responsibilities.

Section 2 of the Annual Report referred to the work carried out from which the audit opinion was derived.  It also laid out amendments to the in-year plan due to the changes in the council’s risk profile and priorities.

As referred to in Section 3 of the Annual Report, satisfactory assurance could be provided on the council’s governance, risk and control framework.  This view had been formed based upon the work on internal audit and although areas of improvement had been identified, no issues of serious concern were identified that would impact on the overall operation of the control environment.

As referred to in Section 4 of the Annual Report, the Audit Team complied with the standards in all material respects, and had effective arrangements in place for monitoring quality.  The key challenge identified from the reviews was ensuring compliance with the standards and ensuring that there was sufficient audit coverage when there remains pressure on audit budgets at a time for significant change.

The Director responded to members’ questions on aspects of her report.

Resolved – That following consideration of the report and appendices, and discussion of their content, the committee agreed that the Internal Audit Annual Report for 2016-17 provided sufficient assurance on the adequacy and effectiveness of the council’s internal control environment.

476     (3)      SICKNESS ABSENCE – The Director: Business Development submitted a report that informed the committee of sickness absence levels and the 2016-17 year-end position.

In June 2016, the audit committee received a report on sickness absence during 2015/16 and agreed that there was continuing assurance that the risk to capacity due to sickness absence was being managed through adequate controls.

The committee requested a further report on sickness absence be submitted detailing the 2016/17 year-end position.

The report stated that the average number of working days lost due to sickness absence in 2016/17 was 9.36 days against a target of 8.25 days.  This indicated just over a nine per cent increase in sickness absence levels compared to 2015/16.  However, it was noted that nearly half of the workforce (43 per cent) did not have any periods of sickness absence during 2016-17.  In addition, long term absence due to cancer-related illness and treatment accounted for 0.4 days of the average number of days lost, which if excluded would reduce the annual average figure to 8.97 days per full time employee.

The report showed the number of full time equivalent days lost due to short term (up to 20 days) and long term (over 20 days) for 2015-16 and 2016-17.  The report also informed members of the average length of absence and the most common reasons for absence.

The report also identified the contained actions that were being taken to support good levels of attendance and achieve a reduction in sickness absence.

The Director responded to members’ questions on aspects of her report.

Resolved – That following consideration of the report and discussion of its content, the committee agreed that there was continued assurance that the risk to capacity from sickness absence was being managed through adequate controls.

477  (4)  ANNUAL GOVERNANCE STATEMENT 2016-17 – The Director: Governance and Partnerships presented the Annual Governance Statement 2016-17 for members consideration and approval.

The Accounts and Audit Regulations 2015 required the council to publish with its final accounts an Annual Governance Statement (AGS).  The AGS set out the council’s governance arrangements in place and considered their effectiveness.  The council’s governance arrangements were set out in its Code of Governance which were approved by the Audit Committee in September 2016.  The Code was based upon guidance provided by the Chartered Institute for Public Finance and Accountancy (CIPFA) and the Society for Local Government Chief Executives (SOLACE) “Delivering Good Governance in Local Government – a framework” (April 2016).

Sources of assurance to support the statement were gathered throughout the council in the form of annual self- assessment prepared by Directors.  These assessments provided an evaluation on how the Directorates comply with each of the seven principles contained in the Code of Governance.  Assurance was also provided from regular reports on various issues to the Audit Committee.  Independent reviews carried out by internal audit in key areas such as risk management, corporate governance and fundamental financial system work were important sources of assurance.  External audit reviews and inspections contributed as sources of assurance.

The AGS 2016-17 was attached to the report at appendix A.  It showed that the council had well-established governance arrangements that were monitored and reviewed on a regular basis.  Although no significant governance issues were identified, the AGS identified areas that were being considered as Corporate Risks for 2017/18.

The AGS for 2016/17 represented the culmination of internal and external assurance sources.  Therefore, the Statement would need to be updated to reflect the outcome of the final accounts audit process prior to resubmission to the committee alongside the audited accounts.

It is a requirement that the Annual Governance Statement was approved by the Audit Committee and signed by the Leader of the Council and the Head of Paid Service.

The Director responded to members’ questions on aspects of her report.

Resolved – (a) That following consideration of the report and appendix and discussion of its content, the committee agreed that the Annual Governance Statement for 2016-17 provided a sufficient level of assurance on the adequacy of governance arrangements throughout the council to allow the committee to fulfil its role, and (b) that the Annual Governance Statement for 2016-17 be approved and a further update be submitted to the committee to consider alongside the audited accounts in September 2017.

478  (5)  INFORMATION GOVERNANCE AND IT SECURITY ASSURANCE 2016-17 – The Director: Business Development submitted a report that provided the committee with an annual position statement on the council’s Information Governance and ICT Security functions.

An annual assurance report was presented to the committee in June of each year detailing the current position of the council’s Information Governance and ICT Security arrangements.

Since June 2016 further improvements had been made to the control frameworks for Information Governance and ICT security or previous good standards have been maintained.  Key developments included:

  • At the end of March 2017 the fifth NHS Information Governance Self-Assessment was made at the level required to maintain the council’s access to certain health information.
  • The annual IT Security Health Check was carried out over the summer as part of our Public Services Network (PSN) compliance application.  All security remediation actions were carried out immediately.
  • The council successfully received its annual PSN compliance certificate in January 2017 without qualification or challenge from the assessor.
  • The Information Governance and ICT Security Policy Framework and associated policies had been reviewed and would be released when they have been combined into a single framework with those policies in place at North East Lincolnshire Council.
  • The Humber Information Sharing Charter had been successfully reviewed by the Humber Steering Group.  This group worked across sectors to implement consistent policies enabling organisations to work closely together under a common framework.
  • A campaign to raise awareness of Information Governance and IT Security good practice had been produced and rolled out to both councils.  This comprised of six weekly council wide messages, an electronic booklet containing all messages and a week-long screen saver.

Members learnt that the following other ICT Security enhancements had been made:

  • Enhanced Microsoft patch management
  • New Mobile Device Management software
  • Implemented a secure email file transfer system called MoveIT
  • Widened the scope of external IT Health checks
  • Improved training and awareness for users

Awareness of the importance of the Freedom of Information (FOI) legislation was promoted via communications and discussions at senior management meetings.  Performance on FOIs was now reported monthly to all directors.  The purpose was to maintain appropriate council response times in line with legislative requirements.  This had a positive impact and improved our response time in line with our statutory duty.

If concerns about privacy are raised with the Information Commissioner’s Office (ICO) as the regulator of the Data Protection Act they could ask to see the council’s associated Privacy Impact Assessment (PIA).  The council had successfully submitted its first PIA to the ICO who were satisfied with the council’s PIA process and who were reassured about the privacy concerns raised.

The use of the Corporate Records Store was now embedded into council process and the recent further rationalisation of buildings had seen additional records placed into storage there.  Security had been enhanced at the facility with the implementation of external CCTV and more alarm sensors.

There had also been no challenge from the ICO about how the council was taking care of information.

The Director responded to members’ questions on aspects of her report.

Resolved – That following consideration of the report and discussion of its content, the committee agreed that the report provided sufficient assurance on the adequacy of the council’s Information Governance and IT Security arrangements.

479  (6)  INTERNAL AUDIT – AUDIT PLAN 2017-18 UPDATE – The Director: Governance and Partnerships submitted a report that updated the committee on its audit plan.

At the committee held on 11 April 2017, the Head of Audit and Assurance presented the outline audit plan.  It was reported to members that the detailed plan would be presented at the next meeting to allow time for the new senior management team to consider priorities under strategic and operational risks.

The Audit Plan was attached to the report as an appendix.  It outlined the areas of work to be undertaken by Internal Audit within the 1250 audit days allocated.

The plan allowed 100 audit days for contingency.  It was anticipated that this contingency would be available for additional audit work as new areas of risk emerge during 2017-18.

The Director responded to members’ questions on aspects of her report.

Resolved – That following consideration of the report and appendix and discussion of its content, the Internal Audit Plan for 2017-18 be approved.

480  (7)  AUDIT COMMITTEE FORWARD PLAN 2017-18 – The Director: Governance and Partnerships submitted a report on the committees forward plan for 2017-18.

Members heard that Audit Committees were a key part of governance arrangements and could make a real difference to the way public services were run.  They provided an independent, high-level resource supporting strong public financial management and governance.

Each year a forward plan of reports was presented for approval.  Appendix A to the report showed the proposed forward plan for 2017/18 and how the reporting areas would provide members of the committee the assurances they required to fulfil the committee’s terms of reference.

In addition to the reports identified in Appendix A, further areas may be identified throughout the year and reported to the committee during 2017/18.

The council was moving towards a three lines of assurance model where:

  • the first line represented managers responsible for the delivery of operation and services;
  • the second line related to assurances provided by those responsible for the oversight of management activity and separate from those responsible for delivery  (such as finance, HR, legal services, risk management); and
  • the third line represented assurance from those with independent oversight (such as internal and external audit).

Currently the committee received most of its assurance from the “third line of defence” as well as assurances provided by financial services (such as those relating to treasury management).  As the council developed its assurance model then it was anticipated that the committee will receive additional reports from other providers of assurance particularly in the following areas of the committee’s remit:

  • To maintain an overview of the council’s constitution and governance arrangements in respect of contract procedure rules, financial regulations and the shared services programme with North East Lincolnshire Council, including the joint committee established thereunder;
  • To consider the council’s compliance with its own and other published standards and controls; and
  • To consider the council’s arrangements to secure value for money and review assurances and assessments on the effectiveness of these arrangements.

The Director responded to members’ questions on aspects of her report.

Resolved – (a) That following consideration of the report and appendix and discussion of its content, the committee agreed that the Forward Plan for 2017-18 provided sufficient scope to provide an appropriate level of assurance on the adequacy of the council’s internal control and governance arrangements, and, (b) that the Forward Plan for 2017-18 be approved, with scope to receive additional reports as identified by the Director: Governance and Partnerships during 2017-18.

481     (8)      TREASURY MANAGEMENT AND INVESTMENT STRATEGY ANNUAL REPORT 2016-17 – The Director: Governance and Partnerships submitted a report on the council’s treasury performance in 2016-17.  The benchmark for measuring performance was measured against the Treasury Strategy set by the council at its meeting on 23 February 2016.

The report explained that each year the council approved a treasury management and investment strategy which was prepared in line with –

  • The CIPFA (Chartered Institute of Public Finance and Accountancy) – Code of Practice in the Public Service Fully Revised 2011;
  • The Prudential Code Fully Revised Second Edition 2011;
  • The Local Government Finance Act 2003, and
  • Department for Communities and Local Government (DCLG) Guidance

The code of practice required that Council received a report on treasury management strategy at the start of the financial year, at mid-year and at year end.  The Audit Committee received progress reports at each meeting and an annual report on the outturn position.

The Code also required the Council to maintain suitable Treasury Management Practices (TMPs), setting out the manner in which the organisation would seek to achieve its Treasury Management policies and objectives, and prescribing how it would manage and control those activities. As part of this ongoing process the Treasury Management Practices adopted by the council were reviewed on a regular basis.

The Director in her report outlined the annual strategy under headings which covered – the Strategy for 2016-17, the Investment Strategy; the Borrowing Strategy and how the Council Performed, including key investment and borrowing statistics.

The Director responded to members’ questions on aspects of her report.

Resolved – (a) That following consideration of the report and appendix and discussion of its content, the committee agreed that the Treasury Management and Investment Strategy Annual Report for 2016-17 provided sufficient assurance on the effectiveness of arrangements for treasury management; (b) that the Treasury Management performance for 2016-17 financial year be noted; (c) that the Treasury Management Policy Statement, included at Appendix 4 of the report be noted, and (d) that the Treasury Management Practices, included at Appendix 5 of the report be approved.