Report of: The Internal Auditor, BDO

Purpose of report: To update the Audit and Governance Committee on progress made against existing recommendations.

Recommendation(s):

·       That the Committee notes and discusses the report.

The Internal Auditor (BDO) had submitted a report to update the Audit and Governance Committee on progress made against existing recommendations. 

The Internal Auditor was present to respond to questions. 

Melissa Hope, the Organisational Development Manager, was also present.  

The Internal Auditor summarised the report, noting it as a routine report which assesses the progress of implementation against outstanding recommendations. The Committee heard that the Internal Auditor was generally content with the progress being made however, emphasised that some recommendations are taking longer to close and timeframes have been adjusted in response. Recommendations on matters relating to GDPR, risk management, and recruitment and retention were listed as examples which remain outstanding.  

The Insurance, Risk Management and Business Continuity Officer explained, in relation to risk management, that the service risk register review was completed earlier this month and sent to BDO on 16 July. Due to publishing timeframes for this meeting, this was not included in the report. The Internal Auditor confirmed it would be reported on at the next Committee in October. 

The Organisational Development Manager, in relation to recruitment and retention, explained that the necessary policy is ready and awaiting CLT and union approval. It was confirmed that this would be completed by the extended deadline and had been delayed by the introduction of the positive action policy which was signed off at Council on 14 July 2025. The two policies will be launched simultaneously. The Committee also heard that the Council is in the process of procuring a new HR and payroll system which will be due in 2028. 

The Chair expressed concern over the timing of installing a new HR system given the upcoming changes resulting from local government reorganisation. It was queried whether this was the appropriate time to be investing money in new systems. The Organisational Development Manager explained that the existing contract cannot be extended, and therefore the Council must adopt a new system. The Committee were assured that legal colleagues are being consulted to ensure that the potential impacts of local government reorganisation are considered within any new contract. The Director of Law, Governance and Strategy explained that when any new local authority is formed, statutory instruments are used to ensure that existing contracts persist. It was emphasised that until such time as local government reorganisation takes hold, business must continue as usual and contract issues will be addressed in the future. The Chair noted issues relating to contract organisation in Buckinghamshire and Nottinghamshire following local government reorganisation and emphasised concern. The Chair queried whether break contracts had been considered, to which the Organisational Development Manager noted that alternative options had been considered at senior levels.  

Councillor Munkonge, in relation to pages 90 and 91 and data protection, asked why it was noted in the management comments that the recommendation could not be assessed by BDO. Councillor Munkonge also asked whether, given the recent cyber incident, whether August is still a realistic deadline. The Director of Law, Governance and Strategy explained that BDO have been sent the majority of the necessary data and returned some questions which the Council has not yet been able to respond to. It was confirmed that this would be actioned by September as the Council recovers from the impacts of the cyber incident and the deadline was likely realistic but would be reviewed if necessary. The Committee also heard that the audit focused on GDPR and did not assess Freedom of Information matters, other than in relation to training.  

Councillor Munkonge, noting that Oxfordshire County Council uses two Internal Auditors, asked whether Oxford City Council are considering a similar option. The Group Finance Director Nigel outlined government advise which suggests that the Chair of the Audit Committee could be an independent member, however noted that as yet, this Council had not acted on this option. The Committee heard that the Bill which may require this has not been enacted yet but is currently progressing through Parliament. Once this is a legal requirement, the Council will consider the option. The Group Finance Director also explained that the Council has not been identified the need to use two Internal Auditors.   

The Audit and Governance Committee noted the report.  

The Organisational Development Manager and the Revenues Service Delivery Manager left the meeting and did not return.