Agenda and minutes

The Members had before them:

A.         The Agenda papers (previously circulated); and

B.        The Minutes of the meeting held on 12 September 2014 (previously circulated).

None.

An apology was received from Mr N Desmond.

Members of the public wishing to take part should notify the Director of Resources in writing or by e-mail indicating the nature and content of their proposed participation no later than 9.00am on the working day before the meeting (in this case 11 December 2014). Further details are available on the Council’s website. Enquiries can be made through the telephone number/e-mail address below.

None.

RESOLVED that the Minutes of the meeting held on 12 September 2014 be confirmed as a correct record and signed by the Chairman.

Further to Minute no. 317, the Committee received an update to the draft Disaster Recovery Internal Audit Report with particular reference to the Frameworki (FWi) system.

The report set out details of the formal review of the FWi system in 2012, the fundamental issues resulting from that review, the short term actions and the work started following the review and the options going forward for further business resilience.

The Head of Systems and Customer Access reported that the current operational environment for the FWi system would be managed at minimal cost, and the new service provider for ICT infrastructure would be commissioned to cost a scheme to re-host FWi and provide a disaster recovery service, in line with the suggested service improvement plan, at the earliest opportunity.

The Commissioning work, engaging with Hewlett Packard (HP) to deliver operational support for the Council systems, and the Digital by Default strategy, would see substantial change in the way systems were designed and delivered to the Council. The limitations of the two existing computer rooms in County Hall and Wildwood, specifically, the lack of fire suppressant, were well understood and could be built into the arrangements for recovery of systems, such that the risk of loss of service through fire could be tolerated.

The Digital by Design was making greater use of services provided externally in the Cloud, reducing the risk of loss from disruption to central resources.  Similarly, opportunity existed to seek hosting services external to the Council via the contract for support with HP. Deployment of services away from the Council through current and developing technologies would reduce the risk of loss on the Council to a point where the Council could accept the risk.

In the ensuing debate, the following principal points were raised:

·         The Head of Systems and Customer Access stated that the negotiations with HP, the chosen provider were in their final stages and he anticipated that the contract would be signed next week

·         Had the Council received any advice from the fire service in relation to provision of fire suppression equipment in the mainframe computer room?  The Head of Systems and Customer Access commented that he had not received any advice of this nature from the fire service. However officers from property services had advised him that due to changes to the guidance, fire suppressant equipment was no longer a requirement

·         In response to a query, the Head of Systems and Customer Access explained that testing of the system did take place at present but other priorities tended to take precedence. The new contract would include provision for testing which would include better standby and call out arrangements

·         What steps had been taken to mitigate the risks associated with disaster recovery in the interim period before the contract was signed and implemented? The Head of Systems and Customer Access advised that the Council did not have a contingency measure for systems recovery using an external provider in the short term as it would be too  ...  view the full minutes text for item 323.

The Committee considered the progress made against the recommendations put forward by the Information Commissioner's Office (ICO) following their visit.

The report indicated that in February 2014, the Information Commissioners Office (ICO) undertook a consensual audit of Worcestershire County Council, looking specifically at three areas which included: Data protection governance; security of personal data; and data sharing. The result of the audit was that the ICO had a 'very limited assurance' that processes and procedures in place were delivering data protection (DP) compliance.

Following the audit, the ICO presented the Council with a report and a list of recommendations. These recommendations had provided the focus of the work the organisation now undertook to bring it up to an acceptable standard. These included: Ensuring a robust governance structure; Review of Policies; New policy development; Cultural Change.

The Head of Community and Environment concluded that there remained a considerable amount of work to do, both in terms of delivering against the ICO recommendations as well as changing our culture in order to raise the awareness and importance of how the Council looked after, managed and dealt with information. However the Council had a team that were committed to driving this forward and a Governance Structure that ensured that the whole organisation top down was pulling in the same direction on Information Management. The ICO was planning to return during 2015 to undertake a follow up audit where it was the Council's objective to be able to demonstrate the significant progress that had been made.

In the ensuing debate, the following principal points were raised:

·         The key issue resulting from the audit was a lack of compliance with the data protection requirements. The Registration, Coroner and Corporate Information Services Manager advised that progress had been made following the audit to embed a change of culture in the organisation in relation to data protection

·         The Council would be liaising with more external agencies as a result of the commissioning process. It was therefore important that data protection systems were improved

·         Was there a possibility that the Council could be fined by the Commissioner's Office for its lack of compliance with data protection and did the Council have funds available for such an eventuality?  The Registration, Coroner and Corporate Information Services Manager stated that the last fine that the Council had received was approximately 2-3 years ago. She was not aware of any internal funding that was available to the Council for such eventualities. The audit was requested by the Council to ensure that it had the requisite practices and procedures in place. The Commissioner's Office would undertake a further audit in June 2015 to assess the progress the Council had made in improving its practises and procedures

·         The Committee were pleased to see the progress that had been made to improve the Council's approach to data protection, security of personal data, and data sharing. 

RESOLVED that the progress made against the recommendations put forward by the ICO following their visit be noted.

The Committee considered the latest refresh of the Corporate and Transformation Risk Registers.

The report indicated that the Corporate Risk Register and the Transformation Risk Register were key documents in the Council’s approach to risk management. They captured the key strategic risks to the delivery of the corporate objectives and provided a context through which directorates construct their own risk assessments and were used to inform decision making about business planning, transformation and service delivery.

As part of a review conducted earlier this year the resulting outcomes were approved by Future Fit Programme Board (FFPB) in May 2014. Since then, work had continued to further embed both existing and new processes for managing risk across the organisation.

The review resulted in a number of fundamental changes to the way risks were managed and reported, including:

·         The number of corporate risks were reduced from 24 to 10 with some risks being combined to provide a more focused approach and others being devolved to directorate level risk registers

·         The introduction of a Transformation Risk Register (TRR) to run in parallel with the Corporate Risk Register (CRR) where both contain four 'Shared Risks' that impact both corporately and on organisational transformation

·         The CRR was revised to include further detail on activities undertaken during the reporting period to control or mitigate individual risks therefore providing better assurance that risks were being managed actively

·         'Risk Appetite' was included as part of the overall risk assessment based on a five point scale ranging from low to high; the inclusion of risk appetite enabled the Council to determine the amount of risk it was willing to take to achieve its strategic objectives and to enable tolerance levels to be set that ensure risks remain within the agreed parameters and the Council was not exposed to unnecessary risk.

The CRR and TRR were updated quarterly and reported to Cabinet and Future Fit Programme Board respectively on a twice yearly basis.

In the ensuing debate, the following principal points were raised:

·         The controls currently in place as set out in the register did not seem to be specific enough for staff to be able to implement at an operational level. The Risk and Business Continuity Manager replied that the controls set out in the register were generic in nature but there were more specific plans that underpinned this document. The Chief Financial Officer added that a balance needed to be struck between providing members of the Committee with sufficient information to understand the nature of the controls and producing a concise document

·         In response to a query, the Risk and Business Continuity Manager confirmed that there was an appropriate level of staffing within individual projects in Children's Services to sustain Business as Usual and to deliver transformation

·         The representative of the Head of Legal and Democratic Services would provide members with details of the governance arrangements for the Social Work Workforce Board.

RESOLVED that:

a)    The latest refresh of the Corporate and Transformation Risk Registers be agreed; and

b)  ...  view the full minutes text for item 325.

The Committee considered the Annual external Audit Letter 2013/14 produced by Grant Thornton.

The Chief Financial Officer introduced Helen Lillington from Grant Thornton, the external auditor to the Council. He commented that Grant Thornton had issued an unqualified audit opinion on the statement of accounts. He thanked Grant Thornton for their work and noted the very positive relationship with the Council and the high quality of their audit work at a lower fee.

Helen Lillington on behalf of Grant Thornton attended the meeting to discuss their findings. She highlighted the following main points:

·         She confirmed that Grant Thornton was able provide an unqualified audit opinion on the accounts including the Value for Money opinion and the Pension Fund

·         There had been a number of formal objections to the accounts and following discussions with the objectors, it had been agreed to combine them into a single objection. This objection was currently being audited by Grant Thornton

·         The external auditor was required to undertake a whole of government audit of accounts on behalf of the government. This audit drew together the accounts for all public bodies, following a prescribed format. The only area of the accounts that did not comply with this guidance related to cash and accruals and was not considered to be significant in nature.

In the ensuing debate, the following principal points were raised:

·         It was queried how the external auditor had provided an unqualified opinion on the audit despite the accounts not been concluded as a result of an outstanding objection. Helen Lillington advised that the external auditor was permitted to provide an opinion on the accounts if it was considered that the issues raised by objectors would not have a material impact on the accounts or the value for money audit. The external auditor was required to follow a formal process for the consideration of an objection to the accounts which included issuing a statement of reasons. The audit could not be concluded until these had been resolved 

·         There was a danger that by issuing an opinion on the accounts, the external auditor was pre-judging the issues raised in the objections. Helen Lillington responded that the objections had been combined into a single objection. The matter was complicated because it was necessary to liaise with the external auditor for Herefordshire Council. However the issues raised in the objection were not considered to be significant and would not have a material impact on the opinion of the accounts. The Audit Commission allowed the external auditor a period of 9 months in which to resolve objections to the accounts 

·         Was the external auditor in a position to inform members of the cost of the audit work associated with investigating the objections to the accounts? Helen Lillington advised that she was not able to confirm the total fee at this stage. However she had been in consultation with the Audit Commission and the County Council and they were aware of the potential implications for the fee variation. It was necessary  ...  view the full minutes text for item 326.

The Committee considered the Counter Fraud Report 2014/15.

The report indicated that the Council's counter fraud arrangements demonstrated its continued commitment to strong governance and best use of resources. The Council's response to Central Government's expectations for tackling fraud and corruption was reflected in the Annual Counter Fraud report which included a draft 2015/16 Counter Fraud Plan.  It was important that the Council maintained its counter fraud response and resilience as the changes to Council service delivery continued to evolve.

In the ensuing debate, the following principal points were raised:

·         The report indicated that a low level of fraud had been detected. Was this as a result of internal controls not being good enough and therefore fraud not being detected? The Senior Manager – Internal Audit and Assurance commented that most fraud was detected through whistle-blowing or concerns raised by staff, not necessarily as a result of the implementation of controls. However, by working closely with officers, he anticipated that there would be more success detecting fraud in the future

·         Was the external auditor satisfied that the Council's counter fraud controls were satisfactory? Helen Lillington from Grant Thornton, the Council's external auditor commented that the Council's controls had been audited and no issues had been raised. The Senior Manager – Internal Audit and Assurance added that the Council was not complacent and every effort was being made to improve internal controls

·         Point 3 of the introduction to the report should be amended to read Worcestershire not Lincolnshire

·         Had there been an update on the data-matching process?  The Senior Manager – Internal Audit and Assurance commented that one area of concern had been highlighted as a result of this work. The data-matching process had been extended this year to look at direct payments.

RESOLVED that the content of the Counter Fraud Report 2015/15 be noted.

The Committee considered a system for publishing Internal Audit reports.

The report indicated that prior to being published, it was intended that Internal Audit reports should be subject to the following stages:

a)    Draft audit report issued to relevant manager and Head of Service. The report was populated at this stage with:

•           Management response;

•           Responsibility and timescale;

•           Recommendation implemented (officer and date);

b)    The relevant Head of Service approved individual reports;

c)    Final report issued to relevant director for information;

d)    Summary of finalised limited assurance audits to be issued to Strategic Leadership Team as required. This would present an opportunity to discuss audits where there were significant financial implications or potential reputational impact;

e)    Consideration of whether a report would require redaction prior to being made public. The Head of Legal and Democratic Service's advice to be sought where appropriate;

f)     Quarterly Internal Audit Progress reports would include details of those audit reports to be published following approval of the report. The Audit and Governance Committee would be able to request to review individual reports where required.

In the ensuing debate, the Senior Manager – Internal Audit and Assurance advised that he was in the process of consulting with the Head of Legal Services with regard to the redaction of audit reports. It might be that certain audit reports should not be published if the level of redaction rendered them meaningless due to a requirement to consider commercial interests and confidentiality clauses. The Chief Financial Officer added that in such circumstances, it would be possible to provide members of this Committee with a copy of the confidential reports.

RESOLVED that the proposed system for publishing Internal Audit reports be noted.

The Committee considered the draft Internal Audit progress report 2014/15.

In the ensuing debate, the following principal points were raised:

·         A measure of the progress of the Superfast Broadband project had been the number of people who had upgraded their contract. It was suggested that a better measure would be the level of satisfaction of customers with the service provided to them

·         The Senior Manager – Internal Audit and Assurance explained that the 80 days of investigative audit work related to work associated with whistleblowing allegations and other investigative work such as missing cash. There was also proactive work including the use of Fiscal software to analyse key financial data relating to payments

·         The Senior Manager – Internal Audit and Assurance commented that the Annual Governance Statement was being reviewed in response to the challenges and changes the Council was facing. To support this period of change effectively, the Council required strong corporate and governance arrangements. The audit would include a benchmark analysis of the 2013/14 Annual Governance Statement (AGS) against best practice observed across the sector to ascertain whether the governance process could be improved. Helen Lillington from Grant Thornton added that one of the key aspects of the Statement that was being reviewed was whether it was complete. There was a lack of evidence in the present Governance Statement to show that limited assurance work had been completed.  She was satisfied that the work had been undertaken but evidence of this work needed to be more transparent

·         The Senior Manager – Internal Audit and Assurance explained that 15 audit days for Freedom of Information (FOI) requests related to whether FOI and Environment Information Requests (EIR) are responded to in accordance with legislation including the required timescales set out in the Act

·         The Joint Commissioning Unit – Contract Management (Residential and Nursing Care) had received a limited assurance. What were the issues associated with this audit opinion? The Senior Manager – Internal Audit and Assurance stated that this was an audit completed in the previous year but included as part of the follow up on previous high recommendations. The issues included the target for the planned number of visits was not being met

·         The Senior Manager – Internal Audit and Assurance explained that the 10 audit days for Local Enterprise Projects related to the control environment including governance arrangements. There was also some overlap with the European Funding audit which made reference to the Worcestershire and North Worcestershire LEPs

·         In response to a query, the Senior Manager – Internal Audit and Assurance pointed out that the Open for Business – Partnership Arrangements audit work included an evaluation of what constituted a partnership arrangement, policy framework, register of partnerships and the consideration and documentation of risks

·         The Senior Manager – Internal Audit and Assurance stated that the Design Services Contract – Term Shared Professional Services Contract should be removed from the list of internal audit reports to be published

·         Concern was expressed about the use of agency workers and in  ...  view the full minutes text for item 329.

The Committee received an update on the Internal Audit Commissioning arrangements.

The Senior Manager – Internal Audit and Assurance advised the Committee that consideration was being given as to whether to keep the Internal Audit service in-house, to commission it to a private sector company, or to create a shared service with another Council. Discussions were currently being held with Warwickshire County Council to explore shared service arrangements as a possible option. The Committee would be kept informed of progress.

In the ensuing debate, the following principal points were raised:

·         What was the total cost of the Internal Audit service to the Council? The Senior Manager – Internal Audit and Assurance commented that the service cost £330,000 per annum but the Council was looking for opportunities to reduce costs, add value, increased efficiency and service improvement

·         What was the timescale for the Commissioning process? The Senior Manager – Internal Audit and Assurance stated that discussions would continue with Warwickshire County Council with a view to finalising a business case which would include an agreed starting date. The advantages of joining forces with Warwickshire were that it would give this Council access to shared knowledge and skills and provide increased resilience for both authorities. The business case for this proposal would address the reporting requirements of the Committee.

RESOLVED that the update on the Internal Audit Commissioning arrangements be noted.

The Committee considered its work programme.

In the ensuing debate, it was queried as to when the Committee would receive an update on the objection to the accounts. Helen Lillington from Grant Thornton explained that an update would be brought to the next Committee meeting on 20 March 2015 as part of the External Audit Plan 2014/15.

RESOLVED that the work programme be noted.