Agenda and draft minutes
Venue: Long Room - Oxford Town Hall.
Contact: Hannah Carmody-Brown, Committee & Member Services Officer email democraticservices@oxford.gov.uk
No. | Item |
---|---|
Declarations of Interest Minutes: None. |
|
Risk Management Update Report of: The Group Finance Director
Purpose of the report: To present a proposal for the adoption of a revised Risk Management Strategy and Toolkit detailed in Appendix 1 and to provide an update on the ongoing review of the Corporate Risk Register, and the current risks in the Service Risk Register.
Recommendation(s): That the Committee resolves to: 1. Note the outcome of the review of the Risk Management Strategy and Toolkit, indicating that they are satisfied with the risk management process and approve it. 2. Note the review of the Corporate Risk Register being undertaken by the Corporate Leadership Team and risk owners and receive the risk register for review at its next meeting in order that it can be satisfied that corporate risks are identified and managed. 3. Review the Service Risk Register.
Minutes: Nigel Kennedy, Group Finance Director, and Roger Martin, Insurance, Risk Management and Business Continuity Manager, were present to answer questions. Councillor Harley sought clarification regarding the headings on point 14 of page 10 of the report, to which the Insurance, Risk Management and Business Continuity Manager explained that this was caused by a six-month gap in reporting during 2024 when a report did not go to the Committee.
Councillor Smith and Councillor Railton joined the meeting.
The Chair invited the Insurance, Risk Management and Business Continuity Manager to summarise the report.
The Insurance, Risk Management and Business Continuity Officer reminded the Committee that prior to the document enclosed in appendix 1, the risk management strategy and toolkit had not been updated since 2023. The report defines risks as that which may jeopardise the achievements of the Council’s priorities and provides the services identified in its business plans and delivery of statutory duties. The Committee understood that the report outlined the roles and responsibilities of those within the Council, it divided risks into categories, and it analysed the Council’s risk appetite through classifications of low, medium and high. The Insurance, Risk Management and Business Continuity Manager noted that the Corporate Leadership Team had approved the contents of the report. In regards the Corporate Risk Register, the Committee also heard that a review is ongoing to ensure the correct identification and assessment of risks in relation to areas such as financial sustainability, civil emergency response planning, and devolution. The outcome of this review is expected at the next meeting of the Committee. Finally, the Insurance, Risk Management and Business Continuity Manager noted the contents of the service risk register.
The Chair thanked the Insurance, Risk Management and Business Continuity Manager and invited questions from the Committee.
Councillor Ottino asked several questions:
The Insurance, Risk Management and Business Continuity Manager clarified that within the service risk register, risks currently identified as red have remained so since the previous report, however a review is expected shortly, at the request of the Risk Management Group. The Committee therefore understood that these categorisations may change. In response to Councillor Ottino’s second question, it was explained that a scoring system based on percentages is utilised to assess the probabilities of risks occurring by officers, however the Insurance, Risk Management and Business Continuity Manager agreed that this can be a challenging matter to assess and committed to reflecting on the terminology used. Finally, in regards the adverse publicity risk noted on page 34, the Committee learned that the differentiation between local and regional media is not strictly defined, but ... |
|
Internal Audit Progress Report (BDO) Report of: The Internal Auditor, BDO
Purpose of report: To inform the Audit and Governance Committee of progress made against the 2024/2025 internal audit plan.
Recommendation(s): · That the Committee notes and discusses the report.
Minutes: Yasmin Ahmed, Internal Auditor from BDO, and Josie Woodward, Internal Auditor from BDO, Nerys Parry, Director of Housing, Richard Wood, Housing Needs and Strategy Manager, and Toni Henderson, Corporate Fire Safety Manager, were present to respond to questions.
The Internal Auditor (YA) introduced the contents of the report, noting who would present each item. The Committee were informed that satisfactory progress had been made on the 2024/25 Internal Audit Plan, noting the completion of the Homeless Prevention report, Data Protection report, and Fire Risk Assessments. It was explained that the QL Optimisation review, the Affordable Housing Project Management Report, and Data Analytics Report were in progress. The Committee also understood that an Income Generation Review is due to start in April and that all reports would be presented to the Committee at the next meeting.
The Committee acknowledged the progress update.
The Internal Auditor (YA) presented the Homelessness Prevention Report which focused on the design and effectiveness of the arrangements the Council has in place to support homelessness and secure accommodation in line with the Homelessness Reduction Act 2017.
The Committee heard the headline findings of the report:
The Housing Needs and Strategy Manager thanked the Internal Auditor (YA) and summarised the Council’s response to the findings. The Committee heard that during the reporting period the Council experienced a high increase in demand for homelessness support which resulted in a large increase in number of people in nightly charge accommodation with very short notice. As a result, urgent procedures were developed, as noted in the report. The Housing Needs and Strategy Manager detailed the collaborative links between the Housing Benefit and Housing Need teams which have improved following the introduction of new processes such as auto-reporting. In regards hotel placements, the Committee was informed of the difficulties of ensuring housing benefit claims are submitted when organising late night placements with little information from homeless persons. Staffing levels and training have been addressed to support delays with response times in line with the new procurement framework. Finally, the Committee heard how tendering relationships with hotels have been improved, and details of the longer-term larger scale bookings which have been implemented following Cabinet approval.
The Chair thanked officers and invited the Committee to ask questions. ... |
|
Data Protection Report (BDO) Report of: The Internal Auditor, BDO
Purpose of report: To inform the Audit and Governance Committee of the results of an assessment of the Council’s compliance against key parts of UK GDPR.
Recommendation(s): · That the Committee notes and discusses the report.
Minutes: Alex Russell, Internal Auditor from BDO, and Emma Jackman, The Director of Law, Governance, and Strategy, were present to respond to questions.
The Internal Auditor (AR) explained that the report focused on 4 areas when assessing how the Council complies with UK GDPR requirements including policies and procedures, staff roles and responsibilities, records of processing activities, responses to subject rights requests, and third-party data sharing. Further detail on each category was provided to the Committee and the following key findings were highlighted:
The Chair invited the Director of Law, Governance, and Strategy to respond.
The Director of Law, Governance, and Strategy informed the Committee that internal audits of service areas are being conducted by the Information Governance team to assess how data protection is audited within the Council; this has identified the need for the actions as outlined in the BDO audit and therefore were already in scope to be addressed and reported to the Corporate Management Team. The Committee were provided information regarding the data protection team, which has only one dedicated officer responsible for managing data protection measures and highlighted that the team had been focusing on dealing with ICO concerns in relation to FOIA, which were now performing strongly. As a result, attention is turning to data protection and the implementation of the report’s recommendations.
In regards the record of processing activities, Councillor Harley questioned the concept of consent and anonymisation of data, asking what the Council does to ensure this is applied when necessary. The Director of Law, Governance, and Strategy noted that actions depend on the nature of and purpose of the information held but provided several examples to demonstrate the protection of data between departments and the use of data protection notices. It was also confirmed that personal data is anonymised when appropriate in a manner which would prohibit an individual to be identified, unless for example it is a necessary condition of reporting to central government.
The Chair referred to pressures noted around FOIs in the management response when asking whether there have been accommodations made within the Council’s budget to appoint additional staff to support data protection responsibilities. The Director of Law, Governance, and Strategy informed the Committee of current issues with staff availability and assured members that considerations are being made around hiring, especially in the context of a recent spike in FOI requests.
Councillor Smith referred to the management response’s commitment to reviewing all audits and asked whether the report noted ... |
|
Internal Audit Follow Up report (BDO) Report of: The Internal Auditor, BDO
Purpose of report: To inform the Audit and Governance Committee of the progress made against the recommendations.
Recommendation(s): · That the Committee notes and discusses the report.
Minutes: The Internal Auditor (YA) and Philip McGaskill, Revenues Service Delivery Manager, were present to respond to questions.
The Internal Auditor (YA) summarised the report for the Committee, noting that recommendations from the 2023/25 plan relating to recruitment and retention are still in progress. In regards Data Analytics, one recommendation is also still in progress in connection with purchase card transactions which is being monitored and reviewed regularly. Recommendations linked to Income Generation and Building Control have both experienced delayed deadlines but are due for implementation in June 2025. Three recommendations relating to accounts payable are in progress, with a revised due date of April 2025. Finally, a collection of recommendations regarding Data Protection are upcoming. The Internal Auditor (YA) also reassured the Committee that reviews will be conducted for Homelessness Prevention and Data Protection, alongside the ongoing review for Fire Risk Assessments. The Committee understood that further updates would be provided at the next meeting.
The Revenues Service Delivery Manager responded to the report and informed the Committee that as of the day prior to this meeting, issues with the reporting module which had been preventing the reporting of KPIs, had been fixed. As a result, the Committee were assured that from 1 April 2025, monthly reporting of control figures would be possible. In regards Council spending on credit cards, the Revenues Service Delivery Manager explained the delays behind rectifying the issue, noting that ongoing steps were being taken to implement new processes for approvers and addressing historic transactions. It is expected that this matter should be resolved by the next meeting of the Committee.
The Chair commented on the issue of cardholders not always being aware of relevant pin numbers, to which the Revenues Service Delivery Manager explained that each case is individual which adds complexity and elongates the process of resolving the matter.
Councillor Smith questioned whether the choice of staff to physically cut up old cards could be constituted as a form of fraud. The Revenues Service Delivery Manager explained that this is occurring when a member of staff no longer believes they need the card, or it has expired. The Internal Auditor (YA) clarified that this is not linked to fraud but any actions which constitute spending against Council policy would be. The Internal Auditor (YA) and the Revenues Service Delivery Manager confirmed that they have not identified any record of suspicious activity or fraud in relation to the cards after talking to relevant manager and checking records; therefore, they do not assess there to be a risk of fraud.
The Committee noted the report.
The Revenues Service Delivery Manager left the meeting.
|
|
Internal Audit Annual Plan for 2025-26 and Strategic Plan for 2025-28 (BDO) Yasmin BDO Report of: The Internal Auditor, BDO
Purpose of report: To inform the Audit and Governance Committee of the Internal Audit Plan for 2025-2026.
Recommendation(s): · That the Committee notes and discusses the report.
Minutes: The Internal Auditor (YA) was present to respond to questions.
The Internal Auditor (YA) summarised the report to the Committee, noting that the Internal Audit Plan for 2025-26 has been developed following meetings with the operational delivery group, consisting of all heads of service within the Council, and the Council’s trading company representatives (ODS and OX Place). The Committee heard that a more collaborative approach will be taken in the future to develop more thematic reports to avoid the duplication of any work across multiple audit plans. A roles and responsibilities document will be developed to outline these workstreams. The Internal Auditor (YA) assured the Committee that the plan is flexible and will be continually reviewed.
Councillor Smith sought to clarify that there would be a joint internal audit with ODS, to which the Internal Auditor (YA) explained that the decision had been made, with the Group Finance Director and ODS lead, that more collaborative working would be preferable. The Group Finance Director noted the benefits of this approach which included avoidance of duplicated work and ease of payment systems assessments within the end-to-end processes shared between the Council and ODS.
In regards the Strategic Plan, the Chair asked whether recruitment and retention is a focus which could be addressed sooner. The Internal Auditor (YA) noted that the issue was last discussed within the 2023/24 work plan and the recommendations from that period are still being followed up on. As such, it is too soon to pursue a review in 2025/26.
The Chair also asked whether considerations of local government reorganisation should be factored into the work programme to which the Internal Auditor (YA) reiterated that the programme is under constant review, and emerging risks could be integrated once more guidance is available. The Group Finance Director informed the Committee that further information on local government reorganisation would not be available until November, by which time it may be too late to amend the audit plan.
The Committee noted the report.
The Chair thanked the Internal Auditor (YA) for the multiple reports submitted to this meeting.
|
|
Oxford City Council & Group Audit results report (Year ended 31 March 2024) Report of: The External Auditor, Ernst & Young
Purpose of report: To inform and update the Committee.
Recommendation(s): · That the Committee notes and discusses the report.
Minutes: Andrew Brittain, External Auditor from EY, and Bill Lewis, Financial Accounting Manager, were present to respond to questions.
The External Auditor summarised the report as a public facing document required under the NAO Audit Code to outline the results of the audit work for the 2023-24 year. The Committee understood that the audit opinion within the report was signed prior to the back stop date required by government legislation at the end of February, and that the report also contains value for money commentary and conclusions.
The Chair invited the Committee to ask questions.
The Chair referred to page 128 of the report which stated that there was a delay caused by Oxford City Council data availability and queried the context of this. The External Auditor explained that delays in accessing information relating to investment properties impacted upon the audit opinion and the Financial Accounting Manager explained that due to the amount of data samples required, Council officers were required to gather source data from archives which was an extensive task.
The Chair also asked, in regards financial sustainability noted on page 147, whether the largest risk affecting the Council in 2023/24 was the ratio of Council tax income as a proportion of net expenditure. The External Auditor confirmed that this was the largest risk in the context of financial sustainability, but not necessarily overall.
The Chair clarified a point on page 167 with the Financial Accounting Manager regarding materiality levels. These are relatively low due to the current position on the accounts with prior years being disclaimed following the implementation of the process to catch up with external audits.
The Committee noted the report.
The External Auditor left the meeting.
|
|
Minutes of the previous meeting Recommendation: to approve the minutes of the meeting held on 20 January 2025 as a true and accurate record. Minutes: The Committee approved the minutes of the meeting on 20 January 2025 as a true and accurate record. |
|
Dates and times of meetings The dates of future meetings are:
· 23 July 2025 · 1 October 2025 (Accounts) · 21 October 2025 Minutes: The Committee noted the dates of future meetings. |