Report of: the internal auditor BDO

Purpose of report: to present the findings of an audit to provide assurance that the governance arrangements put in place increase the likelihood that the Council will get value for money from its investment in its wholy-owned companies Oxford City Housing Ltd, Oxford Direct Services Trading Ltd, and Oxford Direct Services Ltd.

Recommendation: to discuss and note the report.

The Committee considered the report of the internal auditor BDO setting out the findings of an audit to provide assurance that the governance arrangements put in place increase the likelihood that the Council will obtain value for money from its investment in its wholly-owned companies Oxford City Housing Ltd, Oxford Direct Services Trading Ltd, and Oxford Direct Services Ltd.

Gurpreet Dulay, internal auditor, presented the report and explained that the audit review had looked at, but was not limited to, the following areas:

·       The robustness of the business case supporting the set-up of the companies

·       The governance arrangements for the companies

·       The capacity and capability of the company boards

·       The reporting arrangements to allow the Council, as shareholder, to monitor performance of the companies

·       The extent to which the companies had sought external advice with technical issues such as tax

He said that the audit review had identified a total of 12 risks; 8 of which were categorised as medium and 4 which were categorised as low as detailed in the report. 

The Committee discussed each risk and the associated recommendations in turn.

1A / 1B / 1C – the business case and ongoing business plans of both companies do not demonstrate that the Council’s investment will deliver value for money to the Council (medium risk)

The Committee observed that as the Council’s Medium Term Financial Plan was based on the Direct Services companies delivering a cost reduction it was important to ensure that this saving was taken into account.     In addition the cost base in the Direct Services Business Plan did not include all of the additional costs associated with operating as a company. Some of these, such as corporation tax were subject to external pressures and variations which could have significant implications for the Business Plan.

2B – the Council has not sought appropriate external advice on company structures, TUPE requirements or tax legislation (low risk)

The Committee emphasised the need to ensure that a system was in place to monitor the level of compliance associated with Teckal status and for that information to be reported to the shareholder.

3A / 3B – there is no contract in place setting out how the Council will supply support services to the companies or clear processes for pricing, monitoring and invoicing for staff time and use of the Council’s assets such as IT, property and equipment (low and medium risk)

The Committee were satisfied with the responses to the proposed recommendations.

4A – the reporting and scrutiny arrangements between the Council and the two companies are insufficient (e.g. reporting against business plan) (medium risk)

The Committee acknowledged the concerns raised about the arrangements in place for the companies to report financial and performance information to the shareholder.  The Head of Financial Services assured the Committee that shareholder meetings would be held on a quarterly basis and that the document templates for formal reporting were under development.

5A / 5B – the financial relationship between the Council and both companies –  ...  view the full minutes text for item 45

Report of: the internal auditor BDO

Purpose of report: to set out the summary of the internal audit review of Fusion

Recommendation: to discuss and note the report.

The Committee considered the report of the internal auditor BDO setting out the summary of the internal audit review of Fusion Lifestyle

Gurpreet Dulay, internal auditor, recommended that

Fusion and the council should address the reasons why the stakeholder/ customer panel meetings were not working well at all sites. He also recommended that the council monitor Fusion’s staffing changes to ensure these did not have an impact on services.

The Committee noted that Fusion’s performance data would now appear in the quarterly performance report considered by the Scrutiny Committee.

The Committee noted the report.

Report of: the internal auditor: BDO

Purpose: to inform the Committee of the reports and recommendations from audits identifying medium-level risks.

Recommendation: to consider and note the report: Cyber Crime.

The Committee considered the report of the internal auditor: BDO setting out the reports and recommendations from audits identifying medium-level risks.

Gurpreet Dulay, BDO, introduced the report and along with the Chief Technology & Information Officer answered questions.

The Committee noted:

·         security measures in place were reasonable, practical and effective and all reasonable practical steps were taken to secure personal data;

·         the new General Data Protection Regulations would impose a new set of requirements with considerable financial penalties and the impact and requirements (including resources) for the council were being evaluated;

·         automated processes for applying patches and updates to critical software were in place and monitored to ensure these worked as expected: patches were applied in accordance with good practice;

·         standards for security and updates on portable devices were in development and would be rolled out.

The Committee resolved tonote the report on Cyber Crime/ Cyber Security.