Agenda and draft minutes

Audit and Assurance Committee
Friday, 5th January, 2018 10.30 am

Venue: Conference Room A, Cumbria House, Botchergate, Carlisle

Contact: Jackie Currie  Email: jackie.currie@cumbria.gov.uk

Items
No. Item

32.

APOLOGIES FOR ABSENCE

To receive any apologies for absence

Minutes:

Apologies for absence were received from Mr K Hamilton and Mr N Marriner.

 

33.

MEMBERSHIP

To note any changes to the membership of the Committee

 

 

Minutes:

Mr F Cassidy replaced Mr K Hamilton and Mrs E Mallinson replaced Mr N Marriner as members of the Committee for this meeting only.

 

34.

DISCLOSURES OF INTEREST

Members are invited to disclose any disclosable pecuniary interest they have in any item on the agenda which comprises

 

1          Details of any employment, office, trade, profession or vocation carried on for            profit or gain.

 

2          Details of any payment or provision of any other financial benefit (other than from the authority) made or provided within the relevant period in respect of any expenses incurred by you in carrying out duties as a member, or towards your election expenses.  (This includes any payment or financial benefit from a trade union within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992.

 

3          Details of any contract which is made between you (or a body in which you have a beneficial interest) and the authority

 

(a)       Under which goods or services are to be provided or works are to be executed; and

 

            (b)       Which has not been fully discharged.

 

4          Details of any beneficial interest in land which is within the area of the authority. 

 

5          Details of any licence (alone or jointly with others) to occupy land in the area of the authority for a month or longer. 

 

6          Details of any tenancy where (to your knowledge)

 

            (a)       The landlord is the authority; and

 

            (b)       The tenant is a body in which you have a beneficial                                                         interest.

 

7          Details of any beneficial interest in securities of a body where

 

(a)       That body (to your knowledge) has a place of business or land in the    area of the authority; and

 

 

(b)       Either –

 

(i)      The total nominal value of the securities exceeds £25,000 or one            hundredth of the total issued share capital of that body; or

 

(ii)     If that share capital of that body is of more than one class, the total nominal value of the shares of any one class in which the relevant person has a beneficial interest exceeds one hundredth of the total issued share capital of that class.

In addition, you must also disclose other non-pecuniary interests set out in the Code of Conduct where these have not already been registered.

 

Note

 

A “disclosable pecuniary interest” is an interest of a councillor or their partner (which means spouse or civil partner, a person with whom they are living as husband or wife, or a person with whom they are living as if they are civil partners).

Minutes:

There were no disclosures of interest made at this meeting.

 

35.

MINUTES OF PREVIOUS MEETING pdf icon PDF 132 KB

To confirm as a correct record the minutes of the meeting of the Committee held on 25 September 2017 (copy enclosed)

 

Minutes:

RESOLVED that,     the minutes of the previous meeting held on 25 September 2017 be agreed as a true and accurate record.

 

36.

EXCLUSION OF PRESS AND PUBLIC

To consider whether the press and public should be excluded from the meeting during consideration of any item on the agenda.

Minutes:

RESOLVED that,     the press and public be not excluded from the meeting during consideration of any items of business on the agenda.

 

37.

RISK DEEP DIVE - CYBER RISK AND INFORMATION GOVERNANCE pdf icon PDF 408 KB

To receive a presentation from the Assistant Director – Business Services (copy enclosed)

 

Minutes:

The Audit and Assurance Committee received a presentation on Cyber Risk and Information Governance from the Assistant Director – Business Services which covered the following:-

 

·         Aims

 

Ø  To provide assurance that the risks were understood, assessed and continually monitored and managed

Ø  To provide information on actions taken to mitigate cyber risks and information governance

 

·         Corporate Risk Register

·         Impact

 

Ø  Reputational

Ø  Financial

Ø  Service Delivery

 

·         Cyber Security

·         Data Held

 

·         Wannacry 2017

 

Ø  County Council’s Response

Ø  Liaison with partners

Ø  The 10 steps to cyber security

 

·         Managing the risk

 

Ø  Measures taken

Ø  Governance and policy framework

Ø  Training and awareness

Ø  ICT – visible and invisible

Ø  Business continuity

Ø  Disaster recovery

Ø  Emergency planning

 

·         Next steps

 

Members felt that one of the basic failures for cyber risk was the ‘person weakness’ and asked what the County Council was doing to mitigate this risk.

 

The Assistant Director said all staff were required to undertake mandatory  ICT Security training annually.

 

Members noted this and asked whether it would be possible for this to also become mandatory training for members.  The Assistant Director AGREED to speak to the Group Leaders about this (Action: AR).

 

The Chair asked what controls were in place to protect the County Council’s system from sites/apps which the members used at home.  The Assistant Director reassured members that risks were still managed in the same way for members and system and network checks were continuously carried out.

 

Members asked how the County Council monitored viruses and trojans trying to penetrate systems.  The Assistant Director explained how this was done and detailed how these were tracked and escalated, if required.

 

Members had some concerns about the use of social media such as twitter and Facebook and wondered whether the use of these was leaving the council more vulnerable to a cyber attack.  They also felt that Windows 10 was very vulnerable to attack and asked how the council was managing this.

 

The Assistant Director said staff and members were expected to apply the same vigour to the social media sites as they do to everything else, however, the ownership and probity of data and information posted on these sites was an issue.  He also outlined plans for the saferoll out of Windows 10 to users.

 

The Assistant Director – Transformation said plans were in place for social media training to be given to members and AGREED to speak to colleagues in the Communication Team about this and provide members with a written response (Action: PR).

 

Members raised concerns about the security of access to Cumbria House via the back door. They felt this was vulnerable and needed tightening up.  The Assistant Director AGREED to speak to colleague in Facilities Management to reiterate the message about the need for vigilance (Action: AR).

 

The Chair thanked the Assistant Director for his informative presentation.

 

38.

2017/18 - QUARTER 2 CORPORATE RISK REPORT pdf icon PDF 109 KB

To consider a report from the Corporate Director – Resources and Transformation (copy enclosed)

 

Additional documents:

Minutes:

The Committee considered a report from the Corporate Director – Resources and Transformation which provided members with an update on progress with the 2017-18 corporate risks for the second quarter to 30 September 2017. 

 

All of the corporate risks had been reviewed and approved by the Corporate Governance Group, Corporate Management Team, Directorate Management Teams and individual risk owners.

A range of activity had been undertaken during Quarter 2 aimed at further strengthening the Council’s approach to risk management. These were set out below.

 

·         Response to Internal Audit Annual Report 2016/17 - at the last meeting of Audit and Assurance on 12 September 2017, members received the management response to the Internal Audit Annual Report for 2016/17. The response included a high level action plan outlining improvements in the corporate arrangements for operational risk management, performance management and development, approval and maintenance of policies, procedures and other guiding documents.

 

Work was progressing well with all aspects of the action plan. Key activity aimed at strengthening the Council’s approach to risk management that had been undertaken during quarter 2 and included commencing the refresh of the Risk Management framework documents to provide clarity around risk management expectations at all levels throughout the Council. 

 

·         Internal Audit of Operational Risk - the Internal Audit of Operational Risk Management which commenced during Quarter 1 had continued.  Early findings from this work had been shared with the lead officers for risk to further inform improvement activity to ensure effective risk management arrangements.  The final outcome of this audit was awaited.  The headline findings of the audit and any actions required in response would be included in a future risk report to Audit and Assurance. 

 

·         Review of Performance & Risk Management Framework- the work to review the Performance and Risk Management Framework was well underway with research into best practice and approaches adopted in other authorities being undertaken; as well as engagement across the Council with all directorates on the future approach.  The timescale for Cabinet agreeing the new framework had been moved to Spring 2018 so that the new framework aligned with the new Council Plan.

 

Improvements would still be introduced before March to support greater visibility on the Council’s performance priorities and how these issues were being addressed.

 

·         Cyber Threat - work to ensure the newest risk on the register (Cyber Threat) was managed continued.  Policies, procedures and business continuity arrangements were being improved and managed.

 

·         Amey Lessons Learned Report & Action Plan - members would receive a comprehensive update on progress with all the Amey Lessons Learned Actions as part of the regular updates to the Committee on the Annual Governance Statement Action Plan.  Those actions relating specifically to risk management arrangements were progressing in line with the Action Plan agreed with Members.  This included identification of the Council’s most “significant” contracts and the risks associated with these particular contracts.

 

Zurich Municipal (ZM) had been commissioned to undertake an assessment of each of three of the most significant contracts and these assessments would be  ...  view the full minutes text for item 38.

39.

ANNUAL GOVERNANCE STATEMENT: ACTION PLAN - 2017/18 PROGRESS REPORT pdf icon PDF 95 KB

To consider a report from the Corporate Director – Resources and Transformation (copy enclosed)

 

Additional documents:

Minutes:

Members considered a report from the Corporate Director – Resources and Transformation which reminded them that on 25 September 2017, the Committee approved the Annual Governance Statement for 2017/18.  The Statement highlighted governance issues that were considered to be significant, with actions to tackle those issues set out in an associated Action Plan for 2016/17. The report presented a progress update on the 2017/18 Action Plan.

 

The review of corporate governance 2016/17 identified two significant governance issues, which related to Children’s Services and the Amey Litigation.  The Action Plan for 2017/18 set out the work to be undertaken to manage these issues. 

 

Appendix 1a of the report referred to the Children’s Services matter and progress in the last quarter.  The Corporate Director advised that the report from Ofsted in relation to Children’s Services was imminent and would be published by the end of January 2018.

 

Appendix 1b of the report referred to the significant governance issue relating to Amey and was the Lessons Learned Action Plan agreed by the Audit and Assurance Committee on 12 September 2017.  It was agreed then that progress would be reported quarterly to the committee as part of the reporting of progress on the AGS Action Plan during 2017/18. This was the first progress update to Audit and Assurance Committee on this aspect of the Action Plan.

 

It was important that progress with the Action Plan received the appropriate oversight and monitoring at a corporate level through the Corporate Management Team and Elected Members. This report provided an overview of progress to date.

 

Members accepted that the current action plan was a ‘high level’ document, and they asked about future plans for reporting the outcomes of the review into contract management to members and that consideration be given to how the progress updates could provide evidence of improved impact and outcomes.

 

The Corporate Director said the focus of the work was ensuring the Council had the right procedures in place and agreed to provide additional narrative in future progress reports to provide greater assurance aligning the actions taken with the achievement of desired outcomes.

 

The Assistant Director – Transformation, the author of the Amey Lessons Learned report, advised members that the Corporate Management Team and Extended Leadership Team were now routinely referencing the lessons learned findings in routine operational and strategic discussions which was a positive indication that learning was being applied and embedded.  He gave assurance that checks and challenges were being undertaken and he would consider how this might be reflected in any future assurance reports to members.

 

RESOLVED that members note the progress made in addressing the issues set out in parts A and B the 2017/18 Annual Governance Statement Action Plan.

 

40.

LOCAL GOVERNMENT OMBUDSMAN – ANNUAL REVIEW LETTER 2017 pdf icon PDF 154 KB

To consider a report from the Corporate Director – Resources and Transformation (copy enclosed)

 

Additional documents:

Minutes:

The Audit and Assurance Committee considered a report from the Corporate Director – Resources and Transformation which provided members with information relating to complaints made to the Local Government Ombudsman (LGO) regarding Cumbria County Council for the year ended 31 March 2017.

 

This was the fourth full year of statistics released by the LGO and this report contained a comparison of activity over the period 2013-14 to 2016-17.

 

When the LGO took a decision on complaints and enquiries received, any decisions were categorised as follows:-

 

·         Upheld – these were complaints that had been investigated and where it had been decided that an authority had been at fault in how it acted, which may or may not have caused an injustice to the complainant. Alternatively, the authority may have accepted that it needed to remedy the complaint before the LGO made a finding of fault.  If the LGO decided that there was a fault that caused an injustice, it would usually recommend that the Council took some action to redress matters.

·         Not Upheld – the LGO had investigated a complaint and decided that the Council had not acted with fault.

·         Advice Given – these were cases where advice was provided explaining why the LGO would not deal with the complaint, for example because the body that was the subject of the complaint was not within the LGOs scope or the LGO had previously looked at the same complaint from the complainant or alternatively another agency was better placed to help the complainant.

·         Closed after initial enquiries – this arose when the LGO had made an early decision not to investigate a complaint.  This was usually because the complaint was outside the LGOs jurisdiction or it was considered inappropriate to pursue.  

·         Incomplete/Invalid – these were complaints that had insufficient information provided by the complainant to enable the LGO to decide what should happen with their complaint or alternatively the complainant had indicated that they no longer wished to pursue a complaint.

·         Referred back for local resolution – the LGO worked on the principle that it was always best that complaints were resolved by the service provider wherever possible. 

 

For the 12 month period to 31 March 2017, decisions were made by the LGO for 49 complaints and enquiries in 2016/17, compared with 56 in 2015/16, 43 in 2014/15 and 48 in 2013/14.

 

Of the 49 LGO decisions received in 2016/17 detailed investigations were carried out for 15 cases.  Of the 15 cases investigated, 8 cases (53%) were upheld finding some fault with the Council’s handling of the complaint; with 7 cases (47%) not upheld.  This was an improved position compared to 2015/16 when 7 out of the 11 cases investigated were upheld (64%).  This showed that although a greater number of cases received a detailed investigation in 2016/17 compared to the previous year, a lower proportion were upheld.

 

When comparing Cumbria’s number of complaints and enquiries received by the LGO with the nearest neighbour comparator group as defined by CIPFA, Cumbria performed  ...  view the full minutes text for item 40.

41.

INTERNAL AUDIT PROGRESS REPORT TO 10 NOVEMBER 2017 pdf icon PDF 189 KB

To consider a report from the Group Audit Manager (copy enclosed)

 

Minutes:

Members considered a report from the Group Audit Manager which provided a summary of the work of Internal Audit for the six months up to 10 November 2017.

 

Key points for members to note were:-

 

·         Work was progressing on the completion of outstanding 2016/17 audit work and work from the 2017/18 audit plan was well underway.

·         The level of risk based audits receiving ‘Reasonable’ or ‘Substantial’ assurance was currently 66%.  This was an increase from the Quarter 1 progress report where 40% of audits had received ‘Reasonable’ assurance. 

·         All internal audits completed in the period had been well received by management with completed action plans in place.

·         The first External Quality Assessment of Internal Audit was undertaken during October 2017 and the outcomes and agreed actions would be reported to the next meeting of Audit & Assurance Committee.

 

Nine audits had been completed to draft report stage and the initial outcomes were reported.  This section responded to the Committee’s request to have an early indication of the outcomes of internal audit reviews.  Should additional information or evidence be received through the closeout process, the initial assessment may be revised prior to finalisation of the report.

 

Audits completed to final report stage at 10 November comprised six risk based audit reviews, four school audits, and two follow ups of previous audits.  The % of reports resulting in ‘Reasonable’ or ‘Higher’ assurance was 66%.  This figure was higher than at the end of Quarter 1 where the figure was 40%. 

 

A further nine audits had been completed to draft report stage.  When these reports were also taken into account, the level of ‘Reasonable/Substantial’ assurance was 62% which remained an increase on Q1 and on a similar period last year (reporting in 2016/17 was up to 30 September where the figure for Reasonable assurance was 55%).

 

Of particular note were the increased assurance levels in relation to the three reported follow up audits (ICT Security and Focus Families – both finalised and Agency Staff – report in draft) where assurance opinions had increased from Partial to Reasonable as a result of improved controls following the original audit reviews.

 

Members asked whether officers had the resources available to enable them to complete the full programme of internal audit work.

 

The Group Audit Manager confirmed that resources were available to enable all internal audit work to progress.  She explained to members that one audit had been cancelled but this was not due to a lack of resources, it was cancelled due to a change in circumstances.

 

The main barrier to completing audits was the capacity of the organisation to respond to audits and this had been raised with the Corporate Management Team.

 

RESOLVED that members note the progress and the outcomes of internal audit work.

 

42.

TREASURY MANAGEMENT STRATEGY

42a

PROPOSED AMENDMENTS TO THE 2017/18 MINIMUM REVENUE PROVISION (MRP) POLICY pdf icon PDF 160 KB

To consider a report from the Assistant Director – Finance (Section 151 Officer) (copy enclosed)

 

Additional documents:

Minutes:

The Audit and Assurance Committee considered a report from the Assistant Director – Finance (Section 151 officer) which summarised the proposed amendments to the 2017/18 Minimum Revenue Provision (MRP) Policy and processes following an in depth review undertaken by Officers in conjunction with specialist external independent Treasury expert advice.  The Council undertook a regular review to ensure the policy continued to be appropriate, prudent, compliant with statutory guidance for MRP and in line with best practice. 

 

Minimum Revenue Provision (MRP) represented the amount which must, by law, be charged to the Council’s General Fund each year for financing of capital expenditure that was initially funded by borrowing (‘debt’).  This was an accounting entry and doesn’t determine what actual borrowing was undertaken and the cash flows relating to that borrowing.

 

The Council’s current MRP policy was first set in 2008/09 in accordance with regulations and statutory guidance and was updated by Council in November 2016.  The update to the MRP policy during 2016/17 was reviewed and accepted by the Audit and Assurance Committee at its meeting on 9 September 2016 and approved by Council in November 2016.  As required by the guidance, the Council’s MRP policy was to be considered and approved at least annually by full Council, as part of the budget setting process.

 

The Council’s current MRP policy took options 1 & 3 from the guidance.  In summary this meant that:-

 

For all capital spend incurred before 1 April 2008 and any spend financed by “supported” borrowing: MRP was calculated as 2% per annum of the outstanding balance (the Capital Financing Requirement or ‘CFR’) at 31 March 2016, this was charged in equal instalments each year, i.e. it was a ‘straight-line’ calculation. 

 

For all capital spend financed by Prudential Borrowing; MRP was charged in equal instalments (i.e. straight line) over the estimated useful life of the asset.  The estimated useful life of an asset was determined in accordance with the Council’s accounting policy on the depreciation of assets.

 

The review identified potential areas of change to the policy and the process by which MRP was calculated for the period 1 April 2009 through to 31 March 2016.  These were considered in detail by officers, focussing on a number of key factors including prudence, audit considerations and risk, and budgetary impact, including future budgetary pressures and resourcing implications of alternative processes.

 

It was proposed to update the MRP policy to include an equal instalment basis for supported and pre 2008 borrowing for the period 1 April 2009 to 31 March 2016 rather than the present reducing balance approach. Although this appeared to be “looking back” to 2009 in practice the Council had considered how it arrived at its present amount of outstanding capital debt liability and decided how it may prudently vary this in the present so that it gradually fell in line with an asset’s broad useful life.

 

The proposed changes do not affect the total amount of MRP the Council would pay but instead result in a prudent re-profiling  ...  view the full minutes text for item 42a

42b

Draft Treasury Management Strategy 2018/19 pdf icon PDF 112 KB

To consider a report from the Assistant Director – Finance (Section 151 Officer) (copy enclosed)

 

Members would also receive a presentation from the Assistant Director alongside this report.

 

Minutes:

Members considered a report from the Assistant Director – Finance (Section 151 officer) which explained that the Council had a statutory duty to produce a Treasury Management Strategy that demonstrated capital investment plans were affordable, prudent and sustainable. The Treasury Management Strategy 2018/19 was currently in development and would be recommended to Council in February 2018 as part of the Revenue Budget 2018/19 and Medium Term Financial Plan.

Following a review of the Treasury Management Strategy 2017/18 and reflecting the current uncertainties within the UK economy, it was recommended that the Treasury Management Strategy 2018/19 retained the Council’s prudent approach to borrowing and investment decisions.

It was proposed that the Treasury Management Strategy 2018/19 be extended to provide the Council with the enhanced opportunity to take strategic and tactical decisions to borrowing and investment opportunities that may arise during the year.

It was further proposed that amendments were made within the Treasury Management Strategy 2018/19 relating to the Minimum Revenue Provision (MRP) Policy to reflect proposed changes to the 2017/18 MRP policy that would continue into 2018/19.

The primary function of the Treasury section within Finance was to:-

·      manage the cash flow planning (both in the short and longer term);

·      to ensure that the Council could meet its revenue and capital spending obligations;

·      manage the Council’s borrowings/long term debt scheduling;

·      manage the Council’s net interest budget.

 

The approval of a Treasury Management Strategy was a statutory requirement for every Council.  Councils were required to demonstrate that capital investment plans were affordable, prudent and sustainable. The Treasury Management Strategy 2018/19 would meet this requirement and was being developed in accordance with a Code of Practice produced by CIPFA.

The economic and financial environment in which the Council’s treasury operations were undertaken remained challenging and interest rates remained low. As a result, it was considered appropriate for the Council to continue to take a prudent approach to its Treasury Strategy but also to take strategic and tactical decisions to borrowing and investment opportunities that may arise during the year, subject to consideration of risks and returns.

This report was supplemented by a presentation which detailed the key components of the proposed Treasury Management Strategy 2018/19.  The presentation covered the following:-

 

·      Treasury Management Functions

·      Treasury Management Strategy Statement

·      Development of the Strategy Statement

·      Consultations

·      Current debt portfolio

·      Borrowing Strategy

·      Investment Portfolio

·      Investment Strategy

·      Minimum Revenue Provision

 

The Chair thanked officers for the report and presentation.  This was a difficult subject area to understand and the document/presentation had made it clearer. 

 

RESOLVED that the Audit & Assurance Committee note the progress in the development of the Treasury Management Strategy 2018/19 to be presented to Council in February 2018.

 

43.

EXTERNAL AUDIT - ANNUAL AUDIT LETTER 2016/17 pdf icon PDF 504 KB

To consider a report from Grant Thornton (copy enclosed)

 

Minutes:

Grant Thornton presented the annual audit letter for Cumbria County Council, which summarised the key findings from the work carried out at Cumbria County Council and Cumbria Local Government Pensions Scheme for the year ended 31 March 2017.

 

Grant Thornton gave unqualified opinions on both the Council’s and the Pension Scheme’s financial statements on 26 September 2017.  Both of these again achieved a high quality standard of financial reporting for 2016/17, and no external audit recommendations were made relating to these.

 

RESOLVED that the report be received and noted.

 

44.

EXTERNAL AUDIT - PROGRESS AND UPDATE REPORT 2017/18 pdf icon PDF 749 KB

To consider a report from Grant Thornton (copy enclosed)

 

Minutes:

Members of the Audit and Assurance Committee considered a report from Grant Thornton which provided them with an update on progress in delivering their responsibilities as the County Council’s external auditors.

 

Grant Thornton had been engaged in certifying the County Council’s Annual Teachers’ Pension return for 2016/17 and this work was now completed.  Turnaround time for this had been shorter than usual and the Council had responded well to this challenge.

 

Harbour Accounts had been completed for the Port of Workington, and Grant Thornton had received the draft statements and their specified procedures had been completed.  The certificate was expected to be produced for this in the near future.

 

RESOLVED that the report be received and noted.

 

45.

EXTERNAL AUDIT PLAN - CUMBRIA COUNTY COUNCIL 2017/18 pdf icon PDF 469 KB

To consider a report from Grant Thornton (copy enclosed)

 

Minutes:

Members considered a report from Grant Thornton, which provided an overview of the planned scope and timing of the statutory audit of Cumbria County Council.

 

Grant Thornton was responsible for forming and expressing an opinion on the financial statements (including the Annual Governance Statement) that had been prepared by management with the oversight of those charged with governance; and the value for money arrangements in place at the Council for securing economy, efficiency and effectiveness in the use of resources.

 

Grant Thornton felt that bringing forward the statutory date for publication of audited local government accounts to 31 July from 2018 would be a significant challenge for local authorities and auditors alike.

 

Grant Thornton had carefully planned how to make the best use of the resources available during the final accounts period, and outlined to members how this would be managed.

 

Grant Thornton was satisfied that if these plans were implemented the audit, and those of their other local authority clients would be completed in sufficient time to meet the earlier deadline.

 

RESOLVED that the report be received and noted.

 

46.

FORWARD PLAN - AUDIT AND ASSURANCE COMMITTEE pdf icon PDF 51 KB

To note the Forward Plan for the Audit and Assurance Committee and agree any additional items (copy enclosed).

Minutes:

The Forward Plan was noted with the following amendments:-

 

20 March 2018         remove the item External Audit – Audit Plan for Cumbria County Council 2017/18

20 March 2018         add Niki Parker as the report author for the Internal Audit External Quality Assessment item

 

47.

DATE & TIME OF NEXT MEETING

The next meeting will be held on 20 March 2018 in Conference Room A at Cumbria House, Carlisle at 10.30am

 

Minutes:

The next meeting will be held on 20 March 2018 at Cumbria House, Carlisle at 10.30am.