To receive an internal audit update report from SWAP.
Minutes:
The Chairman invited Sally White, SWAP representative, to present the Internal Audit Reports to the Committee.
Members were informed that an ongoing “reasonable opinion” had been offered as a result of the recent reviews undertaken. However, two “limited assurance” opinions had been issued, for the Pension Key Controls and ICT Network Boundary Defences audits, and these could be considered significant corporate risks. There were also three previous significant corporate risks: Category Management, Procurement Exemptions and the Pension Fund Review. Follow up work was being undertaken on Category Management and Procurement Exemptions and SWAP would report on progress against those in due course. For the Pension Fund Review, SWAP were not yet assured issues had been resolved as minimal progress had been made. The audit had progressed from no assurance to limited assurance. However, SWAP had confidence that improvements would be made and again they would update the Committee in due course. Follow up work would also be undertaken on the Pensions Payroll Reconciliation Project. Regarding the ICT Network Boundary Defences audit, Wiltshire Council ICT Assistant Director would be taking action to mitigate the risks swiftly with a further update and report to follow at a future date.
The Audit Plan coverage detailed on Page 32 of the Agenda Pack was then highlighted which provided information on audit coverage across the Council. It was noted that SWAP had been providing a list of outstanding management actions to the Committee. But from the April Committee onwards it was hoped that they could present the data graphically, and this could be used as a performance measure.
Members were then given the opportunity to discuss the report and ask questions to SWAP and Council officers. Adult Social Care was raised with regard to its inclusion within the Audit Plan coverage and Members expressed concerns surrounding procurement and staffing costs. It was highlighted that the area of adult transformation was undergoing significant work, and it was suggested that Members could attend the Health Select Committee or read the reports included within their agenda packs for further insight. SWAP also confirmed that they would be liaising with the council’s Corporate Directors and could explore the addition of work respecting brokerage and the care market.
The Wiltshire Pension Fund audits were then discussed, and Members sought further details on the differences between the responsibilities of the Pension Fund and the Committee concerning the issues identified. In response, officers confirmed that although the Committee was charged with ensuring that governance was adhered to, the Wiltshire Pension Fund Committee (WPFC) had a greater understanding of the topics being scrutinised and as such, it would be best for the Committee to receive a formal report from the WPFC updating Members on such matters. The Committee suggested the Chairman of the WPFC attend to provide assurance. It was further clarified that it was the responsibility of the Corporate Leadership Team (CLT) and Fund managers to assess risk profiles when the market landscape changes and to meet any challenges arising through the agility of risk management frameworks, which officers noted was a key part of the WPFC’s role as overseers and decision makers. SWAP highlighted that a previous audit of the Fund had issued a rating of “no assurance” and as such, the recent rating of “limited assurance” was an improvement; however, the scope of their audit was wide and had raised a number of issues which would take some time to rectify. Despite this, SWAP were reasonably confident that the issues identified were being actioned and any further work would be brought forward to the Committee when appropriate. The Chairman requested that a report from the WPFC to the Committee was added to the Forward Work Plan. Members also suggested that the Chairman of that Committee should attend when the report was discussed.
Risk was discussed by Members, and officers advised that it was a management responsibility to assess risk and these were discussed by the Corporate Leadership Team (CLT). There were performance frameworks in place. SWAP also had a key role assessing risk, reviewing the risk registers and taking those into account when forward planning.
The ICT Network Boundary Defences audit was then explored with Members seeking clarification on the details provided on Page 37 of the Agenda Pack. Members expressed concern regarding the results of the review and sought reassurance that it was being handled as a matter of urgency considering the potential vulnerability of the Council in the interim. Officers highlighted that there was a plan in place which looked at prioritising the higher identified risks but emphasised that as some of the items were working with older firmware, compatibility was an issue and as such, some of the risks would take a longer time to rectify than others. However, it was reiterated that the plans were agile and could respond robustly if/when any problems arose. Furthermore, back-up facilities were in place off site which were isolated and could be used to retrieve information as a contingency plan. Officers stressed that since the cyber security attacks in the wake of the Novichok incident a significant program of replacement had been undertaken, particularly around core services and protections, and the risks identified in the audit were a part of this program. Members requested that a report be brought to a future meeting on this issue and that this should also include action plans which would include disaster recovery.
Members further questioned the risk management frameworks and if the right areas of work were being prioritised. Officers noted that a cyber security framework review had been undertaken which had looked at 20 controls and had highlighted the boundary defences for future review, hence the audit. The breadth of SWAP’s experience and knowledge was highlighted, and Members were reassured that CLT were assessing their risk register quarterly on how they delivered against the Business Plan, the performance around that and what could threaten the delivery of the Business Plan. The results of that review were then taken to the next appropriate Cabinet meeting which Members were welcome to attend and pose any questions to. Members were reminded that there was a skills audit for Committee Members planned for the next meeting, which could then result in training which would ensure that Members were equipped with the full understanding required, enabling them to ask the right questions to gain assurance.
The role of the Overview and Scrutiny Management Committee (OSMC) with regard to risk and performance was then discussed. It was explained that the Scrutiny Team alongside CLT support the work of the OSMC who had recently undergone a peer challenge which encouraged Members to constructively challenge one another and found that the OSMC delivered robust scrutiny. The role of the Audit and Governance Committee was to ensure that a framework of governance was in place. It was suggested that the Chairman may consider attending OSMC meetings to gain further understanding of their processes and to ask any pertinent questions for reassurance if appropriate.
Members briefly discussed the VAT changes regarding sport and leisure, and it was confirmed that there were suitably qualified and experienced officers who kept abreast of changes in the regulations, and that the Council would ultimately benefit from the change as a windfall would be received as a result and it would not impact on the processes or the charging of customers. HMRC reviewed compliance in this area.
At the conclusion of the debate, a proposal was made by Cllr Mark Connolly and seconded by Cllr Gavin Grant. After which, it was:
Resolved
1) The Committee noted the January 2023 Internal Audit Progress Report.
2) The Committee requested that a report on the ICT Network Boundary Defences work and disaster recovery come to the next meeting of the Audit and Governance Committee.
3) The Committee requested that a progress report from the Wiltshire Pension Fund Committee on the Pension Fund Controls audit come to the next meeting of the Audit and Governance Committee.