Agenda, decisions and minutes

Governance and Audit Committee - Thursday, 1st June, 2023 10:00

Venue: Hybrid in the Council Chamber - Civic Offices, Angel Street, Bridgend, CF31 4WB.

Contact: Democratic Services 


No. Item


Election of Chairperson

To elect a Chairperson to the Governance and Audit Committee. The person appointed Chair of the Committee must be a Lay member.





G Chapman was appointed Chairperson.


Election of Vice-chairperson

To elect a Vice-Chairperson to the Governance and Audit Committee. The person appointed as Vice Chair can be any member of the Committee.





A Bagley was appointed Vice-chairperson.


Declarations of Interest

To receive declarations of personal and prejudicial interest (if any) from Members/Officers in accordance with the provisions of the Members’ Code of Conduct adopted by Council from 1 September 2014.






Approval of Minutes

To receive for approval the minutes of the Committee of the 27/04/2023





The Minutes were approved subject to the following amendments:


That RESOLVED needed to be added to Minute 62.


That we should be mindful these are public documents and care should be taken to not use abbreviations without first spelling them out.


That on page 6, paragraph 5, the sentence should be amended as follows: “Looking at the information around the service user perspective and outcomes.”


Governance and Audit Committee Action Record


The Senior Democratic Services Officer - Committees presented the report, noting that its purpose was to provide Members with an update on the Governance and Audit Committee Action Record.


The Chairperson drew attention to the item on Corporate Complaints from 15 March 2022. He requested an update on the specific matter of how school complaints were recorded.


The Senior Democratic Services Officer – Committees indicated that he had spoken to the Director of Education about this matter, and that there aren’t many, if any, complaints being made to schools. He proposed that an email could be sent to Members to update them on the current situation rather than bring a report to the Committee.


In response to this, a Member drew attention to concerns expressed at a public meeting about school transport in Cornelly and suggested this was the kind of thing that should be considered a complaint about schools.


The Chairperson suggested all these matters could be considered as part of the substantive agenda item on Corporate Complaints.


A Lay Member drew attention to the need to be clear about what is and is not an ‘ongoing activity’ and an ‘action’. An action can only be done once and cannot be an ongoing activity or business as usual.


Another Lay Member indicated that he was not sure the tracker was picking up all the actions discussed in meetings, and that there was a risk that actions were being lost.


He was pleased discussions last time about the prioritization of the audit plan had been followed through but, again, he thought it important that the action was drawn out, noting how it was resolved and whether it is closed. He added that the reconciliation of the days in the audit plan was talked about last time, that was a potential action, but it wasn’t captured in the Action Record. There could be benefits to having more detail in the Action Record going forward.


The Chief Officer - Finance, Performance & Change indicated that officers went through the minutes after every meeting of the Committee and then made sure they tracked through onto the Action Record. Officers tried to put things on the tracker that spread over more than one meeting so that they didn't lose sight of them, but she was happy to be advised by Members as to the best way forward.


The Lay Member came back to suggest that if there was scrutiny of the Committee, it would be necessary to evidence how Members were tracking and holding to account those with responsibility for matters within the purview of the Committee.


The Chairperson suggested the Senior Democratic Services Officer – Committees and other officers could consider the issues raised and make tweaks to the Action Record for the next meeting.




The Committee noted the Action Record and provided comment upon it, as appropriate.


Audit Wales Governance and Audit Committee Reports



The purpose of this report was to submit to the Committee one report – namely, the Bridgend County Borough Council Outline Audit Plan 2023 (Appendix A) - from Audit Wales.


The Outline Audit Plan specified the statutory responsibilities of the external Auditor and set out details of the audit team and key dates for delivering the team’s activities and planned outputs.


A Detailed Audit Plan will be issued in July 2023 following the completion of planning work.


In addition to work on financial statements, there will be Performance audit work on Assurance and Risk Assessment, local work on Highways and Transport, and two thematic reviews on commissioning and contract management and financial sustainability in local government.


The fee scheme for the year was published in January 2023. This sets out fee rates and also highlights the impact of the revised auditing standard ISA 315 on financial audit. More details of the revised auditing standard and what it means for the work undertaken by Audit Wales is set out in Appendix 1.


Members drew attention to a couple of issues, namely: how choices were made on what to focus on, and whether there might be savings in the long-term if there is more reliance on technology to carry out audit work.


In response, a representative from Audit Wales discussed the rigorous and robust assurance and risk assessment process they undertook to produce their plan for the year.


In response to the issue about fees and technology, a representative from Audit Wales indicated that technology might facilitate changes in fee schemes over the long-term. He indicated, for example, that they were trying to promote the use of data analytics, so applying analytical techniques to the Ledger. This could help auditors get through the audit a bit quicker because it can assimilate and arrange data in a far better way than through spreadsheets.


The Chairperson drew attention to the fact that fees were always going up and it was clear that this year it is likely there will be an inflationary increase in the fee of 5% and an additional cost of 10% and this was happening when there was a local government settlement of 7% and service delivery was extremely difficult in most local authorities in Wales.


In response to this, a Member asked how much we paid now per year and what would it be with an additional 15% on top?


The Chief Officer – Finance, Performance and Change indicated she would circulate the figure to Members.





The Committee noted the Audit Wales Governance & Audit Committee Report at Appendix A.


Audit Wales Letter On Matters Arising From The 2021-22 Audit


This report informed the Committee of the matters arising from the audit of the 2021-22 Statement of Accounts. The audited Statement of Accounts were approved by the Committee on 26 January 2023. Following completion of the audit, Audit Wales made a number of recommendations. Their letter is attached at Appendix A.


Appendix 1 of the Audit Letter set out six recommendations following the audit of the Council’s Statement of Accounts. Officers have taken on board the recommendations, and progress against those recommendations is also noted in the Appendix. Audit Wales will conduct a review of those recommendations during their audit of the 2022-2023 Statement of Accounts.


A Member drew attention to the issue of duplicate payments. Testing of eighteen expenditure transactions identified one duplicate payment, and further testing of an additional thirteen potential duplicate payments identified a further two duplicates. The value of the three duplicate payments identified totalled £4,884.71.


The Member was concerned about the management response to this given how many possible duplicate payments there could be every year. Three out of thirty-one is virtually 10% and 10% of all payments would be a large number. He wanted to know what practices have been put in place to pick up duplicate payments that were not considered in the sample and asked what happens when duplicate payments cannot be recovered.


The Group Manager – Chief Accountant indicated that the council processed a huge volume of payments and transactions during the year and there were processes whereby before payment runs are issued, there are a number of checks done to look for as many duplicates as possible. They looked at things like identical invoice numbers, dates, descriptions, etc, but unfortunately a number of these, as were identified in that sample, have fallen through those checks. He indicated that they needed to go back and see how checks could be strengthened so the Council isn't paying twice for anything.


The Chief Officer – Finance, Performance and Change indicated there were recovery processes in place, and she made a commitment to summarise them and send them to Members.


A Member noted that recipients of duplicate payments must be under an obligation to return the money and wondered if contracts could be strengthened with conditions obliging repayment in those circumstances.


A Lay Member drew attention to the discussion later in the meeting on the Audit Plan and in particular, the review of financial systems, a rolling programme of audits adopted. He stressed that it would be good to know what the programme looks like and where payments fit in the cycle. Payments could be a good contender for review.


Another Member drew attention to the issue of surplus assets and the example highlighted in the report.


The Group Manager – Chief Accountant confirmed the Council holds the assets discussed and they aren't sold assets. He indicated that the appropriate process will be applied moving forward for any assets declared surplus to the Council’s needs.


A representative from Audit Wales, referring to ...


Corporate Risk Assessment 2023


The purpose of this report was to provide the Committee with an updated Corporate Risk Assessment 2023-24.


There are currently 11 risks on the Corporate Risk Register and every one of those risks has been reviewed by the Corporate Management Board.


Mitigating actions remain in place with no changes made to the categorisation of the risks since the review in January 2023.


It was noted at a previous meeting that Members wanted to see improvements in the presentation of the document. A new risk management software program is being tested currently and this could improve the quality of the report so that we can look at targets, dates and action plans and also make it clearer where changes have been made to the corporate risk assessments. It is hoped that a new report will be available for Members when the Corporate Risk Assessment is next presented to the Committee.


As part of the process of highlighting the risks for Members, the Group Manager, ICT made a presentation on cybersecurity.


To highlight the importance of the issue, and a specific current concern, he drew attention to the fact that the Council’s email security gateway blocks 450 phishing emails per day.


Using the National Cyber Security Centre’s 10 Steps to Cyber Security to structure his presentation, he discussed issues as follows:


1.     Risk Management – taking a risk-based approach to securing data and systems.

2.     Engagement and Training – collaboratively building security that works for people in the organisation.

3.     Asset Management – knowing what data and systems we have and what business needs they support.

4.     Architecture and Configuration – designing, building, maintaining and managing systems securely.

5.     Vulnerability Management – keeping systems protected throughout their lifecycle. It should be noted that a recent regional internal audit of this area of work received an audit opinion of substantial assurance.

6.     Identity and Access Management – controlling who and what can access systems and data.

7.     Data Security – protecting data where it is vulnerable.

8.     Logging and Monitoring – designing systems to be able to detect and investigate incidents.

9.     Incident Management – planning a response to cyber incidents in advance.

10.     Supply Chain Security – collaborating with suppliers and partners.


In response to the presentation, a Member asked how we back up our systems. The Group Manager, ICT responded by saying the Council’s systems were run, day-to-day, out of the data centre in Bridgend, but the Council also has a co-hosting agreement with Rhondda Cynon Taff. All the Council’s data was held on a live synchronous backup at the Rhondda Data Centre.


Another Member discussed the issue of training and keeping up with developments such as AI, false QR codes, and the misuse of personal identities. The Group Manager, ICT responded by highlighting this was an ever-changing threat and that it is necessary to address the issue of how we educate staff about cybersecurity. He suggested he could speak to his line manager and the Chief Officer – Finance, Performance ...


Going Concern Assessment



This report informed the Committee of the Section 151 (s151) Officer’s (Chief Officer – Finance, Performance and Change) assessment of the Council as a ‘Going Concern’ for the purposes of producing the 2022-23 Statement of Accounts.


Following amendments to the Audit Standards under which the Council’s external auditors undertake their audits, the Council’s auditors have sought assurance that the Council has evidenced it has completed a ‘going concern’ assessment, which underpins the preparation for the annual Statement of Accounts.


This report confirms the assessment of the Council as a going concern as required by the Chartered Institute of Public Finance and Accountancy’s (CIPFA’s) Code of Practice on local authority accounting.


In response to the report, a Member drew attention to the handling of cash flow, a representative from Audit Wales thought the report very valuable in the context of the financial distress of some local authorities in England, and the Chairperson and officers discussed issues around the payment system for the revenue support grant from the Welsh Government.


In addition, the Chairperson drew attention to the Council’s Code of Corporate Governance, which was updated during the financial year and approved by Cabinet on 7 February 2023. He noted that the Group Manager – Chief Accountant had assured him that the Code would be considered by the Committee in September.




The Committee accepted the outcome of the assessment of the Council’s going concern status for the purpose of preparing the 2022-23 Statement of Accounts.


Audit Wales Audit Enquiries Letter For The 2022-23 Audit


This report provided the Committee with the Audit Wales Audit Enquiries Letter, which asks a number of questions of those charged with governance and management of the Council. The letter is attached at Appendix A. 


The Governance and Audit Committee are asked to agree the response and approve its return to Audit Wales.


The Chairperson drew attention to two issues:


1.     The response to the question about fraud and wondered if that covers the national fraud initiative or any counter fraud issues such as housing benefit. The Group Manager – Chief Accountant indicated he would consult with the fraud officer to see if the response could be strengthened. The representative from Audit Wales indicated that the question was concerned with material fraud.

2.     In the section on Enquiries of Management – in relation to laws and regulations, he asked what the purpose was of asking these broad questions. The representative from Audit Wales acknowledged the question was pretty broad but said the aim was to focus on material issues that could have an impact on the accounts. In that sense, it is about any potential litigation.


A Member indicated that it was not unreasonable to expect that a local authority was compliant with relevant laws and regulations.




Subject to a review of the responses, the Committee noted and agreed the responses to Audit Wales’ Audit Enquiries Letter as attached at Appendix A.



Corporate Self-Assessment 2022/23



The purpose of the report was to reflect on the Council’s self-assessment for 2021-22 and present the Governance and Audit Committee with a proposed approach, process, and timeline for the development of the self-assessment for 2022-23.


In summary, the plan is to populate a report very similar to last year’s. That report received positive feedback, including from the Welsh Government.


The draft self-assessment report will be presented to the Governance and Audit Committee on 26 July 2023.


Following an engagement and consultation process over the summer, it is proposed that the final self-assessment will be presented to Cabinet and Council in September 2023.


The Chairperson drew attention to the consultation process to note that it needed to be open and transparent, and asked that, if the final self-assessment changes as a result of the consultation over the summer, it comes back to the Governance and Audit Committee before going on to Cabinet and Council.


The Corporate Policy and Public Affairs Manager confirmed, given there wasn’t a focus on the content, they weren't intending to do an in-person, nor a formal 8-to-12-week, consultation; and also, that if there were substantive changes, the report would come before the Committee again before going to Cabinet and the Council.




Subject to comments made by Members, the Committee agreed the proposed processes and arrangements for the corporate self-assessment 2022/23.



Corporate Complaints


The purpose of this report was to provide the Committee with an update on the current process and a proposal on the way all corporate complaints will be monitored, recorded, and reported going forward.


Whilst it will not be feasible to incorporate all Stage 1 and Stage 2 complaints into a central system, there are ways to improve the way complaints are reported to the Committee on an annual basis, to ensure full visibility across the organisation. It is proposed that all Directorates will provide their Stage 1 and Stage 2 data to the central team to enable this to be collated with the data already held centrally and included in the annual update report to the Committee.


A Member, noting how much work had gone into considering this issue, drew attention to three matters:


  1. How the Council takes account of cases that go on to the Ombudsman.
  2. How the Council deals with abusive, persistent, or vexatious complaints; and
  3. That it would be helpful to have more information on where problems are coming from, in terms of electoral wards.


The Chief Officer – Finance, Performance and Change confirmed that complaints that go on to the Ombudsman need to be included in the data. It was crucial that the Council is fair and has made every attempt to address a complaint before steps are taken to classify it as vexatious. She acknowledged that it could be helpful to get more information on location of the complainant for example, to enrich the data set.


A Member noted there could be much to learn about handling complaints from other local authorities or the private sector.


Another Member drew attention to the fact that society looks at a complaint as a negative thing, but they can be viewed in a positive way as well. He wondered if the Council had a way of extracting positives and service improvements from a complaint.


The Chief Officer – Finance, Performance and Change thought this a key point. She acknowledged that the whole point of dealing with complaints is to make sure that people are happy with the outcome, but also that the organisation learns as a result of it. If there is something that has not been done well, or if there's an idea that comes forward which could improve things, then the Council needs to learn from that.


The Chairperson made a couple of observations to conclude this agenda item: firstly, that a complaint was an opportunity to improve service delivery; and secondly, there could be an issue of under-reporting of complaints, especially in respect of those received by Councillors. He thought this was an issue that needed to be looked at, to ensure they are fed into the corporate process.


He noted that the Committee would receive a bi-annual report on complaints and hoped they would discuss good practice outputs.


In response to the issue of the under-reporting, and specifically complaints made to Councillors, a Member noted that inputs in the referral system could be ...


Internal Audit Strategy & Risk Based Plan 2023-24


The Deputy Head of the Regional Internal Audit Service (RIAS) introduced the report and stated that its purpose was to provide Members of the Committee with the Annual Internal Audit Strategy and Risk Based Plan for 2023-24 for approval.


A Lay Member asked if the Chief Officer – Finance, Performance and Change was happy with the plan. She responded by pointing out that the two representatives from RIAS had attended two meetings of the Corporate Management Board (CMB) when they were putting the plan together and they had been again recently to check that the areas that are planned for the current financial year are the key risk areas. As such, the CMB is content with the plan as it stands. There will be further regular meetings and if the plan needs to change then work will be redirected to those risk areas which are a priority.


Another Lay Member drew attention to the thirty-four audits with an opinion and asked if that included the carryover from last year. The Deputy Head of RIAS confirmed they were included in the thirty-four.


He added that, although he understood the need to be flexible, it would be useful to see a more detailed plan, highlighting such issues as when work will be done and how many days of the team’s resources are allocated to certain line items.


In response to this, the Head of RIAS highlighted that the next stage of the plan’s development, once approved by the Committee, would be to engage with Directorates about the requirements for each piece of work. Once that stage was completed it would be possible to provide Members with a much clearer indication of the issues highlighted by the Lay Member.


The Head of RIAS added that the Committee would receive updates on a regular basis in terms of the progress against the audit plan. That will happen on a quarterly basis and there will be a progress update on each line of each ordered job. In terms of days allocated per audit, he saw that as an operational matter and the key issue was ensuring that objectives were covered and making sure that the key controls are covered in that particular area of review. Those matters would be discussed with the relevant manager in more detail when the scope of a particular audit job is determined.


The Chairperson concluded this item by commending the team on producing a realistic work plan for the year. He noted, referring to parts of the next report, that there had been a commitment to conduct sixty-one audits last year and eleven didn’t get done. This year, there would be thirty-four audits with an opinion and thirteen with none. He noted that he was pleased with that because he was concerned previously there was a tendency to over-commit and under-deliver, and for a team that could be soul-destroying. He thought the report now reflected quite clearly the capacity of the team and gave some flexibility if anything new ...


Annual Internal Audit Report 2022-23



This report was introduced by the Head of RIAS and its purpose was to provide the Head of Internal Audit’s Annual Opinion on the Council’s control environment in relation to governance, risk management and internal control and to inform the Committee of the work and performance of Internal Audit for the Financial Year 2022-23.


From the work undertaken during the financial year 2022-23 and considering other sources of assurance, the Head of Internal Audit’s annual opinion on the adequacy and effectiveness of the Council’s framework of governance, risk management and control for 2022-23 is of reasonable



Table 2 of the report illustrated that one audit review identified control issues which meant that only limited assurance could be provided. This was in respect of Abercerdin Primary School, and the reasons are discussed in the report.


A Member drew attention to the section of the report on recommendations, and in particular, one where, having accepted the identified risk, a recommendation had not been accepted. In response to the discussion on this matter, it was agreed that the Chief Officer – Finance, Performance and Change would work with the Head of RIAS on the Council’s escalation process in these circumstances, including the possibility of referring specific matters to the Committee.


In response to a discussion about the training of the regional audit team, the Chairperson suggested it might be useful to have some statistics on what has been undertaken. The Chief Officer – Finance, Performance and Change added that there were modules that were relevant to the work of the Committee, and it could be useful to receive information on those to evaluate any risks that could arise from training.


Another Member drew attention to the issue of reactive work or referrals and the impact it has on planned work. The representatives from RIAS indicated that they built an element of time into the audit plan for such referrals and were willing to amend or reconsider the scope of planned work to accommodate such work. It should be noted that there were only two specific pieces of work that came under that heading last year.


A Lay Member asked about the number of days between draft and final reports being issued. The report indicates that it took 32.5 days, and he wanted to know if that was calendar or working days. The Deputy Head of RIAS explained that it was calendar days but that they were going to change that to working days in the future.


The Chairperson concluded this item by discussing two issues:


  1. Abercerdin Primary School. He requested that the proposed follow-up review be conducted as soon as possible, with a view to the Committee receiving the report in September. He indicated that if the outcome was the same it was incumbent upon the Committee, given the serious concerns, to call the school in as the situation cannot continue.
  2. Outstanding Recommendations and Target Dates. He noted there were 16 outstanding recommendations and 66 future target dates and that it would ...


Forward Work Programme 2023-24



The purpose of the report was to provide Members with the updated Forward Work Programme for 2023-24.


The Deputy Head of Finance noted that the Code of Corporate Governance would be added to the agenda of the September meeting, and the Corporate Fraud Report and the Draft Statement of Accounts (unaudited) would be added to the agenda for July’s meeting. It was noted that a Member Development Briefing on the Statement of Accounts had been organised for 13th July. It was also noted that the issue of complaints would be added to the agenda for the November meeting.


The Chairperson commented that given the length of some agendas the meeting might need to be split into two, or there should be a discussion about organising a special meeting to deal with some issues.


A Member asked about doing additional deep dives into issues. The Chief Officer – Finance, Performance and Change responded by noting that what had been agreed was that deep dives into identified areas of risk could take place in meetings where the Corporate Risk Assessment is on the agenda.


Another Member asked if it could be possible to carry out a review of the Capital Programme, not its content but the governance issues around it. 


In particular, he stressed the issue of forecasting because there have been some high-profile projects with very last-minute increases. He stressed that he had concerns that delegated authority could tie the hands of the Council. He was looking for an assurance that we had a consistent and robust approach to identifying capital projects, forecasting them, and understanding risk. His issue was around the accuracy and timeliness of forecasting and how that informs the capital programme.


The Chief Officer – Finance, Performance and Change responded by indicating she did not know if Audit Wales were going to do work in this area but wondered whether RIAS could look at it first and report their findings to the Committee. A deep dive could follow when the issues are known.


With the agreement of Members, she noted that she would talk to the representatives of RIAS about drawing up a project brief to take this forward.




Subject to the amendments proposed in the meeting, the Committee considered and approved the updated Forward Work Programme for 2023-24.


Urgent Items

To consider any other items(s) of business in respect of which notice has been given in accordance with Rule 4 of the Council Procedure Rules and which the person presiding at the meeting is of the opinion should by reason of special circumstances be transacted at the meeting as a matter of urgency.




The Chairperson noted that an Annual Report would be prepared on the work of the Committee.