Agenda and minutes

Venue: Pittville Room - Municipal Offices. View directions

Contact: Saira Malin, Democracy Officer 

Items
No. Item

1.

Apologies

Minutes:

Councillor Payne had given his apologies and Councillor Harvey had advised that he would be late and subsequently arrived at 6.45pm.

2.

Declarations of interest

Minutes:

No interests were declared.

3.

Minutes of the last meeting pdf icon PDF 90 KB

11 January 2017

Minutes:

The minutes of the last meeting had been circulated with the agenda.

 

Upon a vote it was unanimously

 

RESOLVED that the minutes of the meeting held on the 11 January 2017 be agreed and signed as an accurate record.

4.

Public Questions

These must be received no later than 12 noon on the fourth working day before the date of the meeting

Minutes:

No public questions had been received.

5.

Cyber security report pdf icon PDF 116 KB

Tony Oladejo, ICT Audit and Compliance Manager (see recommendation)

Minutes:

Tony Oladejo, the ICT Audit and Compliance Manager referred members to the report, as circulated with the agenda.  It was no longer safe to assume that firewalls and security systems would protect against cyber-attacks all of the time and as such the key objectives were: prevention, detection and recovery.  Preventative measures included ICT Policies Framework, next generation Firewalls, Micro segmentation and user awareness training.  The detection methods being deployed included improved infrastructure and monitoring and scan and isolation capabilities would be implemented in early 2017.  As it was accepted that at some point the council would be compromised, recovery measures were vital and meant having a Disaster Recovery Plan in place and recent testing had been successful.  There were also Business Continuity procedures in place, with plans having bene recently improved and training given to relevant officers.  The committee were advised that Public Services Network (PSN) compliance for all four partner councils had recently been achieved, though this was an annual assessment and would be repeated in January 2018.  New Data Protection requirements would come into force in May 2018 and whilst many of the requirements would remain the same, the fines were likely to be more significant. 

 

The ICT Audit and Compliance Manager and Corporate Governance, Risk and Compliance Officer, gave the following responses to member questions:

 

·         The collective (4 councils) approach to PSN was undertaken for the first time this year, with the aim of making the process more efficient.  Whilst this proved challenging, an action plan was now in place and PSN was an ongoing process in any case . All 4 Councils have now received its annual PSN compliance certificates which were awarded by Cabinet Office to January 2018.

 

·         A backing-up myriad was undertaken on a daily basis and involved taking a snapshot of all data sensors and back-up to a secure location.  Staff awareness and training in relation to dealing with suspect emails was ongoing and guidance notes detailing what to look out for were being developed at the moment.  Information was available on the intranet, which members were able to access via Citrix and/or the iPad and members were advised that they should not be forwarding emails received to their Councillor email account to their personal email addresses. 

 

·         Verified back-up procedures were undertaken on a daily basis by designated officers and senior officers undertook reconciliation of that data.  Full restoration had ban carried out as part of a recent training exercise.

 

·         Whilst obliged to respond to Freedom of Information requests the council needed to proceed with caution in relation to any pertaining to IT so as not to compromise security.  Exemptions could be applied but the council would need to evidence the security risks.

 

·         The council did comply with all cyber essentials.

 

·         Network switches were tested daily and any anomalies were tested.

 

·         PSN had previously insisted that the council use gcsx accounts but at the time this requirement was not deemed necessary for councillors.  PSN has since announced that the Internet was sufficiently secure  ...  view the full minutes text for item 5.

6.

Audit committee update pdf icon PDF 1 MB

Grant Thornton (no decision required)

Minutes:

Sophie Morgan from Grant Thornton introduced the Audit Committee update as circulated with the agenda.  The update outlined progress and set out a timetable for upcoming work, as well as setting out some technical matters which may be of interest to members of the committee. 

 

Sophie Morgan and the Deputy Section 151 Officer gave the following responses to member questions:

 

·         The main statements in the accounts, including the Comprehensive Income and Expenditure Statement, and the Movement in Reserves statement, would look different following the changes to the CIPFA’s 2016-17 Code of Practice on Local Authority Accounting but they would include comparative numbers for the previous year and would include some narrative.  The accounts would be more in line with Cheltenham’s internal reporting structure under the change to the Code.

·         Thought needed to be given to how these changes would be communicated to all members of the council.  There was a suggestion that the presentation normally delivered as part of the formal agenda could instead be delivered as part of a member seminar, ahead of the Audit Committee meeting.

·         Expenditure would be categorised differently in 2017-18 but it was hoped that the narrative would be helpful. 

 

Members were advised that the latest Grant Thornton report ‘The Income Spectrum’ included a case study of Cheltenham Borough Councils purchase and lease of Delta Place.  This would be circulated electronically to all members.

 

No decision was required. 

 

7.

Audit Plan pdf icon PDF 269 KB

Grant Thornton (no decision required)

Minutes:

Peter Barber from Grant Thornton introduced the Audit Plan as circulated with the agenda.  The plan provided an overview of the scope and timing of the audit and included similar risks to those set out in the plan for the previous year.  A key development this year was the requirement to bring forward the approval and audit of the financial statements to the 31 July by the 2017-18 financial year in line with the upcoming national change to the deadline.  This meant that the September meeting of this committee would move to July in 2018.  For the purposes of planning the audit Grant Thornton had determined overall materiality to be £1,646,000 (2% of the Councils gross revenue expenditure), however, due to public interest, the levels for some transactions was lower.  A number of significant risks had been identified and it was noted that these risks were in line with other Councils, and also reflected the change to the presentation of the accounts.  The VFM conclusion was based on specific criteria, as set out in the plan and the significant risk associated with this was the MTFS, though again, this would be true for many councils given the current economic climate.  The findings of the interim audit work were detailed on pages 16 and 17 of the plan and the only issue that had been identified was that the journal entries of the Deputy Section 151 Officer were not regularly reviewed.  The management response was included on page 22 of the plan and it was noted that the recommendation for journal authorisation had been implemented.  

 

In response to a member question Peter Barber advised that a company called Hazlewoods was responsible for auditing Gloucestershire Airport Limited as a separate company.  From Grant Thornton’s perspective, and at this point in time, they simply checked that the Airport was properly reflected in the council’s accounts.  However, if anything any issues were identified as part of the discussions which were ongoing at the moment, then the plan would be updated to reflect this.  

 

No decision was required.

 

8.

Annual Internal Audit Plan 2017/18 pdf icon PDF 110 KB

Internal Audit (see recommendation)

Minutes:

The Acting Head of Audit Cotswolds introduced the Annual Internal audit Plan as circulated with the agenda.  The plan which had been developed in January/February and in consultation with the Senior Leadership Team and Grant Thornton, set out the risk based assurance and consultancy work planned for the coming year (2017-18).  However, whilst this showed the preferred work, members were reminded that it could evolve in response to any issues that were identified through this time.  It was also noted that no counter fraud related audit work had been included in this plan and that the plan would carry through to the South West Audit Partnership once the transfer was complete.    

 

The Acting Head of Audit Cotswolds gave the following responses to member questions:

 

·         It was envisaged that the same team of officers would be supporting Cheltenham once the transfer to SWAP was complete, but this could not yet be confirmed. 

·         The SWAP Director was expected to attend the next meeting of the committee.

·         A review of Gloucestershire Airport Limited could be added to the plan if required.

 

Upon a vote it was unanimously

 

RESOLVED that the Internal Audit Plan for 2017-18 be approved.    

9.

Internal Audit monitoring report pdf icon PDF 149 KB

Internal Audit (see recommendation)

Minutes:

The Acting Head of Audit Cotswolds introduced the Internal Audit Monitoring report, as circulated with the agenda.  This report was designed to provide ‘through the year’ comment and assurance on the control environment and summarised work that had been concluded or was progressing.  The committee were advised that Audit Cotswolds staff were due to meet with South West Audit Partnership to discuss terms and conditions the following day (23 March). 

 

In response to a member question, the Acting Head of Audit Cotswolds advised that the review of key contracts including tender processes, plus review of contractor use as part of the Contract Management audit was work that was undertaken in 2015-16.  The findings had gone to the Procurement Team and a follow-up piece of work was now in progress.  She hoped to be in a position to bring a report to the next meeting of this committee.

 

Upon a vote it was unanimously

 

RESOLVED that the Internal Audit Monitoring report be noted.

10.

Counter Fraud Unit Report and Regulation of Investigatory Powers Act 2000 (RIPA) Update pdf icon PDF 72 KB

Counter Fraud Unit (see recommendation)

Minutes:

The Counter Fraud Team Leader introduced the report as circulated with the agenda.  After two years illustrating the financial sustainability and undertaking feasibility work, the Counter Fraud Unit will be a permanent service shared across the partner councils and Tewkesbury Borough Council.  Work will also be undertaken for Gloucestershire County, Stroud District and Gloucester City Council’s, ensuring a county-wide approach.

 

Future reports, which would be tabled with this committee on a bi-annual basis, will provide comment and assurances over the counter fraud work being undertaken by the unit and would be Cheltenham specific. 

 

This report also provided an update in relation to RIPA and the Council’s existing policies and arrangements. 

 

The Counter Fraud Team Leader gave the following responses to member questions:

 

·         With the increased resources of the Counter Fraud Team it would now be possible to look at more areas and assist / add value than had been possible in recent years.  This could include Planning and Licensing.

·         A project is underway to review internal systems and overlay information which could help to identify anomalies between departments. 

·         A key consideration for the team would be avenues for recouping costs, improving cost schedules and raising debts rather than relying on the court system only. 

 

Upon a vote it was unanimously

 

RESOLVED that the Counter Fraud Unit report be noted.

 

11.

Annual Risk Management Report and policy review pdf icon PDF 103 KB

Corporate Governance, Risk and Compliance Officer (see recommendation)

Additional documents:

Minutes:

The Corporate Governance, Risk and Compliance Officer introduced the Annual Risk Management report and policy review, as circulated with the agenda.  This policy formed an integral part of the council’s corporate governance arrangements and enabled better decisions and successful delivery of projects with risk being managed at every stage.  There had been a small number of amendments to the policy, which were mainly cosmetic and were shown as track changes.  Additional guidance on lower level risks that did not meet the criteria for the Corporate Risk Register has also been included.  

 

The Corporate Governance, Risk and Compliance Officer gave the following responses to member questions:

 

·         In simple terms, the wording relating to risk CR105 meant that consideration would be given to strengthening the reserves in response to any underspends or windfalls before funding of a project was considered.

·         The risk register was a living document which was updated every month by the relevant officer responsible for manging the risk, in consultation with the relevant Cabinet Member.  SLT and Exec Board reviewed the register monthly and referred any comments to the risk manager and had previously gone to Cabinet on a quarterly basis but there was now a suggestion that this should instead be agreed informally.  It would be for this committee to decide if it was comfortable with this approach or whether it wanted Cabinet to consider an alternative approach.

 

Members were in agreement that there should be a formal record of the risk register having been seen and accepted by Cabinet and/or the relevant Cabinet Member, but were comfortable with Cabinet deciding how they wanted to do this in the future.  The Chairman would have a discussion with the Leader and agree an approach with which both were comfortable.

 

Upon a vote it was unanimously

 

RESOLVED that the Risk Management Policy 2017-18 be approved and that the Chairman agree a process with the Leader by which the risk register can be formally reviewed and agreed by Cabinet and/or the relevant Cabinet Member in the future.     

12.

Revised Code of Corporate Governance pdf icon PDF 116 KB

Corporate Governance, Risk and Compliance Officer (see recommendation)

Additional documents:

Minutes:

The Corporate Governance, Risk and Compliance Officer introduced the revised Code of Corporate Governance, which had last been approved by this committee in June 2016.  CIPFA / Solace published a new framework in 2016 which had necessitated the production of a new Code of Corporate Governance to reflect the new framework and had also allowed for the code to be aligned with the partner councils and reworded to make it easier for staff to understand.  There were seven core principles in the framework and these were set out in the report, as well as in the diagram on the second page of the Code.  Members were reminded that the Annual Governance Statement formed part of the accounts and Audit Cotswolds/SWAP would be looking at how the council had adhered to the Code. 

 

There were no member questions.

 

Upon a vote it was unanimously

 

RESOLVED that the revised Code of Corporate Governance be approved.

 

 

13.

Work Programme pdf icon PDF 52 KB

Minutes:

The work plan had been circulated with the agenda.  No amendments were required.

14.

Any other item the chairman determines to be urgent and requires a decision

Minutes:

There were no urgent items for discussion.    

15.

Date of next meeting

14 June 2017

Minutes:

The next meeting was scheduled for the 14 June 2017.