Report of: The Internal Auditor, BDO

Purpose of report: To update the Audit and Governance Committee.

Recommendation(s): That the Committee resolves to:

1.    Notes and discusses the report.

The Internal Auditors had submitted a report to update the Audit and Governance Committee. The Internal Auditor (GD) and the Internal Auditor (JT) were present to respond to questions.  

The Internal Auditor (JT) summarised the report and highlighted the progress made against the audit plan. The Committee heard that the draft fire safety follow-up report was awaiting management comments and progress is ongoing in relation to the fieldwork for audits of the medium-term financial strategy, leisure contracts, and data analytics. The Internal Auditor (JT) also informed the Committee that work is ongoing to plan the remaining two audits relating to cyber security and ODS client and commissioning. Finally, Members understood that the audit plan for 2026/27 is being developed in conversation with the Group Finance Director.  

The Committee considered items 9 and 10 together as follows.  

The Chair commented on the outstanding record of incomplete reports in relation to income generation and GDPR, which had been overdue since the 23/24 audit.  

The Revenues Service Delivery Manager updated the Committee on progress made on the overdue recommendations relating to the use of council payment cards. Members heard that only £615.17 remains outstanding as unapproved spend which relates to only two officers who are currently on long-term sick leave; efforts to find alternative way to approve these transactions is ongoing. Furthermore, the average spend per month is now averaging around £3700. Regarding monitoring and security of payment card usage, the Revenues Service Delivery Manager explained that action is being taken based on the Internal Auditor’s recommendations and that a list of agreed restricted spend is being agreed; this will be reported at the next Committee. In relation to securing accommodation, the Committee were informed that a process is now in place whereby management accountants will pay hotels and accommodation suppliers through invoicing and PO processes, rather than via use of payment cards. As this is a recent change, it will be evident in the reports delivered to the next Committee.  

The Group Finance Director noted his confidence in the Revenues Service Delivery Manager’s actions and ability to act in line with the auditor’s recommendations. In relation to the overdue income generation recommendation, the Committee heard a summary of longstanding issues relating to the procurement of a new asset management system; assurance was provided that this is being actioned urgently and a retender is in progress. The Group Finance Director suggested that relevant service managers be present at the next meeting of the Committee to respond to recommendations relating to property, recruitment, and retention.  

The Internal Auditor (JT) explained that correspondence had been provided by the relevant managers since the publication of the agenda to confirm that recommendations are now completed in relation to recruitment and retention and selective licensing; evidence of this would be presented at the next meeting of the Committee.  

The Chair requested that the Head of People attend the next meeting of the Committee. 

The Director of Law, Governance and Strategy (Monitoring Officer) provided a response in relation to GDPR recommendations, noting that the retention schedule is now complete and is due to be published shortly. The record of processing activity (ROPA) and data sharing lists are also complete. The Committee were informed that outstanding work lies with the IT department. Finally, the Director of Law, Governance and Strategy (Monitoring Officer) explained that the new corporate system is being procured to support training and should be live in March; this will including data protection training and an FOI specific module. The Senior Information Governance Officer clarified that the ROPA and data sharing lists would only be published internally.  

In relation to the recommendation to combine the data sharing lists and the retention schedule, the Director of Law, Governance and Strategy (Monitoring Officer) explained that it is not currently possible due to the mismatched means by which data is currently captured. The Senior Information Governance Officer corroborated this and outlined the difficulties in achieving the recommendation given the variable private and public data contained.  

The Revenues Service Delivery Manager, in response to the recommendation regarding data analytics, also informed the Committee of delays and committed to providing an update in March. 

Councillor Ottino emphasised that responsible officers should be present to respond to the Committee’s questions regarding outstanding and overdue recommendations. Councillor Smith agreed and also suggested that the relevant Cabinet Members be invited to attend.  

The Committee reviewed and noted the report.