No apologies were received.

Members are reminded that they must declare their disclosable pecuniary interests and other registrable or non-registrable interests in any matter being considered at the meeting as set out in Appendix B of the Members’ Code of Conduct and consider if they should leave the room prior to the item being considered. Further advice can be sought from the Monitoring Officer in advance of the meeting.

Members were reminded that they must not participate in the discussion or voting on any matter in which they have a Disclosable Pecuniary Interest and should leave the room prior to the commencement of the debate.

The Minutes of the meeting held on the 15 September 2022 are attached for confirmation. 

Contact Michelle Dulson (01743) 257719

A brief discussion ensued in relation to the format of the Minutes and it was agreed by the Assistant Director Legal and Governance to discuss this outside of the meeting.

RESOLVED:

      That the Minutes of the meeting of the Audit Committee held on the 15 September 2022 be approved as a true record and signed by the Chairman, subject to the above.

To receive any questions from the public, notice of which has been given in accordance with Procedure Rule 14.  The deadline for this meeting is 5pm on Friday 18 November 2022.

There were no questions from members of the public.

To receive any questions of which Members of the Council have given notice.  The deadline for this meeting is 5pm on Friday 18 November 2022.

There were no questions from Members.

The report of the Head of Automation and Technology is attached.

Contact:  David Baker (01743) 254118

B.  First line assurance: Audit Report Management Response – Information Security Management and IT Acceptable Usage Policy

The report of the Assistant Director Legal and Governance is attached.

Contact:  Tim Collard (01743) 252756

The Committee received the report of the Head of Automation and Technology – copy attached to the signed Minutes – which provided an update on the actions taken or planned to address the recommendations arising from various audit reports

The Head of Automation and Technology took members through the paper and responded to a number of queries.  It was noted that some dates in the action plan had not been met and did not have new target dates attached to them, also, some actions were marked as green even though the dates were into the following year.  Assurance was sought that the extended dates were nothing to be concerned about.  In response the Head of Automation and Technology explained that those actions marked green were being managed effectively or were progressing on target so even though some of the dates had passed it was because the risk was being managed effectively or that they were no longer deemed to be a potential risk for escalation.

Referring to paragraphs 9.7 and 9.10 on page 25 of the report, it was noted that effective controls were in place for the management of the Council’s telecommunications contract and for the ICT Business Support function.  A query was raised as to whether these controls were being audited, whether they were operating satisfactorily and did not pose any risks for the authority.  In response, the Head of Automation and Technology explained that they posed no risks to the authority and were regularly monitored both internally and with suppliers to ensure those contracts were being managed effectively and to ensure the Council were getting the most effective solutions and prices from its suppliers.  Alternative sources of procurement were also considered.

In response to a query around the security of legacy systems and third-party contractor access, the Head of Automation and Technology stated that nothing was completely safe as there would always be an element of risk, however, as supplier chain attacks were increasing and to ensure the Council’s suppliers were robust, they were looking more closely at the suppliers’ security mechanisms and procedures.  They also identified those accounts that had not been used for periods of time and reviewed them to ensure that they were either disabled or removed completely so that access did not continue. He confirmed that the risk was being effectively managed and that as the legacy systems dropped away, they would become less of a risk.

In response to a query around the security implications of telephony contracts ‘rolling’ beyond their contract end dates, the Head of Automation and Technology explained that there was no security risk in this, the only risk would be if the service were to be turned off you could not then provide that service.  However, they did have an understanding with suppliers so that did not happen, instead, it just moved into an area of recurring billing.  He confirmed that they had regularly quarterly meetings with the suppliers plus regular internal meetings to ensure this did not  ...  view the full minutes text for item 44.

The Committee received the report of the Assistant Director Legal and Governance – copy attached to the signed Minutes – which outlined the Council’s current position and progress made in responding to the Audits for Information Security Management and the IT Acceptable Usage Policy.

The Assistant Director Legal and Governance drew attention to the Table at Appendix A which provided an update on management responses to the two audits.  He explained that the service was in a transitional stage whilst a Head of Governance was sought (who would have overall responsibility for information governance including information security), however he felt that the interim arrangements were working reasonably effectively.  He informed the Committee that a review was currently being undertaken of all the policies that relate to data protection and which would sit under an Information Governance Framework.

Concern was raised at the number of actions overdue and queried whether sufficient progress was being made.  In response to a query around recommendation 8 of the Information Security Management Action Plan set out in Appendix A of the report, the Head of Automation and Technology confirmed that Incident Management was taking place and incidents were being recorded so this action was about ensuring the recoding of incidents was as smooth as possible and that there was a centralized area for recording any such incidents.  Referring to recommendations 5 and 6, reassurance was requested that these matters were being speedily dealt with.  In response, the Interim Data Protection Officer explained that a big part of the delay had been due to a change of officer and gap in post of two months when the previous Data Protection Officer left so a bit of time had been lost however she was now picking up with ICT security colleagues how the data loss prevention software that was available could be used to identify incidents, react to them quickly and to spot patterns of behaviour that might lead to them so they could actually stop them happening.

In relation to recommendation 5 of the IT Acceptable Use Policy Action Plan, concern was raised that this had been marked as significant and members queried whether this was something they should be concerned about.  In response the Head of Automation and Technology confirmed that a system for identifying and recording security events had been identified (Security Information and Event Management – SIEM) so this was now being managed effectively however the risk lay in whether they would continue with that service following the trial coming to an end so some investment would be required.  The Executive Director of Resources (Section 151 Officer) reminded the Committee that they had seen a few papers earlier in the year when there had been security breaches and the Committee expressed concern around incidents happening at the weekend not being picked up until the Monday so as a result there was now a trial in place for 24/7 monitoring however a business case for a long term solution was awaited hence why this  ...  view the full minutes text for item 45.

The report of the Executive Director of Resources (Section 151 Officer) is attached.

Contact:  James Walton (01743) 258915

The Committee received the report of the Executive Director of Resources (Section 151 Officer) – copy attached to the signed Minutes – which provided Members with an economic update for the first six months of 2022/23, along withreviews of the Treasury Strategy 2022/23 and Annual Investment Strategy, the Council’s investment portfolio for 2022/23,the Council’s borrowing strategy for 2022/23, any debt rescheduling taken and compliance with Treasury and Prudential limits for 2022/23.

Referring to the investments that were due to mature in the year (set out on page 10 of the report), a query was raised as to whether this money would be reinvested at the current market rate or would it be used to help deliver a balanced budget.  In response, the Executive Director of Resources (Section 151 Officer) explained that this was entirely separate to the budget process and was about investment of the cash that was held within the Council at any particular time and related more to the levels of creditors and debtors, levels of capital receipts, levels of reserves, CIL, Section 106 etc. 

He went on to explain that in relation to the investment in Highland Council that had been due to expire on 4 October 2022, the likelihood was that there had been some event, for example a large payment, that was due on or around the maturity date.  The treasury team calculate what payments need to be made within the month, for example on the 20^th of the month salary payments for the majority of employees went out, so on the 19^th or 20^th of the month, you would expect investments to mature so that the cash was in the bank to enable those payments to be made.  However, some cash would be invested long term as it would not be required immediately, and the Council could get a better return by tying it up for 12 months.  It was therefore crucial from a treasury management position to know what payments were going out when to ensure there was adequate cash flow within the system.

RESOLVED:

to agree the Treasury Strategy updates as set out in the report.

The report of the Executive Director of Resources (Section 151 Officer) is attached.

Contact: James Walton (01743) 258915

The Committee received the report of the Executive Director of Resources (Section 151 Officer) – copy attached to the signed Minutes – which asked Members to review and comment on the self-assessment of good practice questionnaire attached to the report.  The self-assessment had allowed Members to assess the effectiveness of the Audit Committee and to identify any further improvements that could be made which would improve the Committee’s overall effectiveness.

A brief discussion ensued in relation to item 13 of the self-assessment, for which only partial compliance had been achieved, and which recommended that an independent member be recruited to the Audit Committee.  The Executive Director of Resources (Section 151 Officer) explained that about half of all Local Authorities had co-opted an independent member onto their Audit Committees and that it was also a recommendation of the recent LGA peer review.  Members stressed the importance of any job description being clear about the role and training requirements of the position but they agreed with the suggestion that a suitable external Member be appointed.

RESOLVED:

1.  That the self-assessment of good practice attached at Appendix A and C be approved.

2. That any further work, actions or training required following the refresh of the self-assessment of good practice and the analysis of training requirements attached at Appendix B be identified.

3.  That the necessary input to enable the action plan to be reviewed and revised to improve areas of weakness be provided.

4.  The Committee concurred with the suggestion that a suitable external Member be appointed to the Committee.

The report of the Interim Audit Service Manager is attached.

Contact:  Katie Williams 07584 217067

The Committee received the report of the Interim Audit Service Manager – copy attached to the signed Minutes – which set out the Internal Audit Charter.  The Interim Audit Service Manager reported that adjustments to the Charter were set out in bold, underlined and in italics however there had been no significant changes.

RESOLVED:

That the Audit Committee endorse the Internal Audit Charter as set out at Appendix A to the report.

The report of the Interim Audit Service Manager is attached.

Contact:  Katie Williams 07584 217067

The Committee received the report of the Interim Audit Service Manager – copy attached to the signed Minutes – which provided members with an update of work undertaken by Internal Audit in the two months since the September Audit Committee.

The Interim Audit Service Manager informed the Committee that 42% of the revised plan had been completed which was below previous delivery records.  There had been 6 reasonable, one limited and two unsatisfactory assurance opinions issued.  There had been 125 recommendations, one of which was fundamental.  The Interim Audit Service Manager took members through the rest of the paper and responded to a number of queries.

In response to a query about Much Wenlock Leisure Centre the Interim Audit Service Manager explained that although previous audit recommendations had been implemented, these had not been embedded.  She went on to explain that any service attracting an unsatisfactory audit opinion would have a follow up audit based on the target dates set for action to be completed by as there was little point going in before any actions had been addressed.

Following a brief discussion, it was agreed for the Committee to receive management updates at the February 2023 meeting for the following areas: Acton Scott; Much Wenlock Leisure Centre, Purchase Ledger and the Dog Warden service.  The Executive Director of Resources (Section 151 Officer) informed the Committee that a report about Acton Scott was being taken to Cabinet and requested the Committee take no action on this item until it had been considered by Cabinet.

The Interim Audit Service Manager agreed to follow this up with the Audit Committee Chair outside of the meeting once the Cabinet decision had been made to confirm if a management update was required. In relation to the fundamental recommendation made as part of the Individual Service Fund Audits the Interim Audit Service Manager agreed to obtain an update for the Audit Committee Chair and Vice Chair in March once the recommendation became due for implementation in order for them to determine if a further management update was required.

In response to a query, the Executive Director of Resources (Section 151 Officer) explained that the Dog Warden item had not been presented to this meeting due to staff changes within that service.

In response to a further query, the Executive Director of Resources (Section 151 Officer) explained how the recent staff changes within internal audit had led to a reduction in the percentage of the plan having been delivered and that the training and development of new and trainee auditors had also led to revisions to the plan, however, resources were reflective of what needed covering.  The Committee were satisfied that overall the level of assurance had not been diminished by the reduced staffing levels.

RESOLVED:

1.  to note performance against the 2022/23 Audit Plan.

2.  to receive management updates at the February meeting on the following areas:

-    Acton Scott (no action to be taken until it has been reported to Cabinet)

-    Much  ...  view the full minutes text for item 49.

The report of the Executive Director of Resources (Section 151 Officer) is attached.

Contact: James Walton (01743) 258915

The Committee received the report of the Executive Director of Resources (Section 151 Officer) – copy attached to the signed Minutes – which updated Audit Committee on the appointment of external auditors for Shropshire Council from 2023/24 for a period of five years.

The Executive Director of Resources (Section 151 Officer) informed the Committee that Grant Thornton had been appointed auditor for Shropshire Council and Shropshire County Pension Fund going forward.

RESOLVED:

To note the information provided on the national auditor appointment arrangements with PSAA Ltd, the Local Government Association National Sector Led Body.

The report of the Engagement Lead attached.

Contact: Grant Patterson (0121) 232 5296

The Committee received the report of the Executive Director of Resources (Section 151 Officer) – copy attached to the signed Minutes – which sets out the progress with the audit of the Statement of Accounts for 2021/22, the current findings arising from the audit, and the timeline for the audit opinion being agreed for the accounts.  External Audit’s Interim draft Audit findings report was attached to the report as Appendix 1.

The External Audit Manager took Members through the interim draft report and drew their attention to the delay caused by a challenge around how infrastructure assets were accounted for by local authorities.  The Committee were informed that a Statutory Instrument was expected in late December which would allow the accounts to be finalised and an opinion given. 

In response to a query around the objections received to the accounts, the External Audit Manager confirmed that they were continuing objections from the 2020/21 accounts.  One was in relation to highways work and the other in relation to planning issues.  A more detailed report would be presented to the Committee once they had been completed.  In response to concerns, it was confirmed that the objections were in relation to processes within service areas and were not saying that any numbers in the accounts had been misstated or declared incorrectly and that it was very unlikely that they would lead to a delay in the publication of the accounts.

Concern was raised around the lack of engagement with External Audit by some departments within the Council which had led to delays in the receipt of information however External Audit were working with these areas to help them understand the process and would be running a workshop to engage with other departments going forward to explain the role of external audit and understand what they were looking for.

In response to a query, the External Audit Manager gave an update on the Leavers process.

RESOLVED:

1.  To note the Interim Draft Audit Findings Report

2.  To hold an additional Audit Committee Meeting on Friday 27 January 2023.

The next meeting of the Audit Committee will be held on the 14 February 2023 at 10.00 am.

Following a brief discussion, Members agreed that the next meetings of the Audit Committee would be held on the 27 January 2023 and the 14 February 2023 at 10.00am.

To RESOLVE that in accordance with the provision of Schedule 12A of the Local Government Act 1972, Section 5 of the Local Authorities (Executive Arrangements)(Meetings and Access to Information)(England) Regulations and Paragraphs 2, 3 and 7 of the Council’s Access to Information Rules, the public and press be excluded during consideration of the following items.

RESOLVED:

      That in accordance with the provision of Schedule 12A of the Local Government Act 1972, Section 5 of the Local Authorities (Executive Arrangements)(Meetings and Access to Information)(England) Regulations and Paragraphs 2, 3 and 7 of the Council’s Access to Information Rules, the public and press be excluded during consideration of the following items.

The report of the Assistant Director, Workforce and Improvement is attached.

Contact:  Sam Williams (01743) 252817

The Committee received the report of the Assistant Director, Workforce and Improvement – copy attached to the signed Minutes – which provides an update on the actions to address the recommendations arising out of the Payroll Audit for 2021/22.

      RESOLVED:

      To note the contents of the report.

The Exempt Minutes of the meeting held on the 15 September 2022 are attached for confirmation. 
Contact: Michelle Dulson 01743 257719

RESOLVED:

That the Exempt Minutes of the meeting of the Audit Committee held on the 15 September 2022 be approved as a true record and signed by the Chairman.

The exempt report of the Interim Audit Service Manager is attached.

Contact: Barry Hanson 07990 086409

The Committee received the exempt report of the Interim Audit Service Manager which provided a brief update on current fraud and special investigations undertaken by Internal Audit and the impact these have on the internal control environment, together with an update on current Regulation of Investigatory Powers Act (RIPA) activity.

RESOLVED:

      That the contents of the report be noted.