Transcript

• Okay, good evening everyone. Assalamu alaikum and welcome to the audit committee meeting. My name is Councillor Haran Miah and I'm the chair of the committee. This meeting is being webcast live on the council's website. I'll now ask the committee members present to introduce themselves. Also, can you state any declaration of interest that you may have in the agenda items and the nature of the interest? So, as usual, we'll start from the right hand side.
• Hello, I'm Jill Bailey. I'm the head of legal safeguarding.
• Senior manager, EY.
• Haley Clark, partner, EY.
• Hi, I'm Jonathan Gooding, the external audit partner from Deloitte.
• I'm Paul O'Doo, head of treasury and pensions.
• Dhulraza Qasim, director of finance.
• Asan Khan, head of finance and chief accountant at the council.
• Good evening, David Dobbs, head of internal audit.
• Victoria Lewis, risk management officer.
• Again, I've got no DPIs.
• Mafeeda Busting, Councillor for Island Gardens, no DPIs.
• Good evening, Councillor Ayman Rahman, no DPIs.
• Councillor Kabir Ahmed, no DPIs.
• Councillor Mark Francis from Bo Eastwood, no DPIs.
• Yeah, can I ask Julie Lorrain to introduce herself, please, and then we'll come to this.
• Yes, thank you, chair. Hello, I'm Julie Lorrain, corporate director of resources and section 151, officer of the council, and I'm sorry, I can't be with you, but you'll all be glad because I think the bug I've got may be catching.
• And Jesper Klesius, please.
• Hi, my name is Jesper Klesius, I'm a strategic risk consultant with SSHRC.
• Thank you.
• Good evening, chair, I'm Thomas Ridge, Democratic Services.
• Okay, thank you for the introduction. Now, item number two, unrestricted minutes of the previous meeting. Can I invite members to approve the unrestricted minutes of the meeting held on the 18th of July as an accurate record of proceedings? Yeah, okay, thank you. Yeah, sure.
• I wasn't at that meeting, apologies in person for not being able to make it on that occasion. I did just wanna ask a question, though, just about our processes. So obviously, we have the minutes also of the restricted part of the meeting, and I recall that we also had a conversation at an earlier meeting in the year about whether the restricted parts of the meetings are recorded. Obviously, not for a webcast, but I just wanna know whether that one was recorded as well.
• I think...
• I can check that and get back to you.
• Okay, that's clear. Okay. Item three, auditor's item for consideration. 3.1, planning report to the audit committee on the 2021, 2021, 22, 22, 23. These are on pages 17, 48. Can I kindly invite Jonathan Goodings to present this report, please? I think you have about 10 minutes.
• Okay, thank you, Chair.
• If you need more, we'll allow you.
• You should be fine, thank you. Thank you, Chair. Good evening, everybody. So, as the Chair just said, within your pack, you have an audit planning report for the three open years of accounts. As set out within the report, the Ministry for Housing, Communities and Local Government and the National Audit Office are enacting backstop provisions that are relevant to these open audits. Under the backstop provisions, local authorities will be required to publish their accounts and audit reports for those open years by the 13th of December. Where the audit work for these open years of account is not complete, as we've discussed in previous meetings, auditors would be required to include a disclaimer opinion in audit reports, and we expect that to be the case for these audits for which this audit plan applies. We also expect to include qualifications, as in the past, with respect to known issues. We've identified, for example, in which the authorities identified with respect to the group accounts and pension data. There are a number of things that the authority and we need to do before the 13th of December, and we're progressing those well. For the Council, this includes updating the accounts for any known errors or any matters that arise, completing appropriate internal review procedures and certification of the accounts. And for us as auditors, we need to perform planning procedures, which we've largely done, complete our value for money responsibilities, complete any outstanding work in other areas, including performing certain procedures on the accounts, detailed checking to underlying information, and reporting certain matters to this committee. With regards to value for money, our risk assessment and procedures are progressing and we anticipate being in a position to report to your next meeting in respect of those. Based on the procedures to date, we currently anticipate identifying risks of significant weakness in respect of the identification management of risks, including the maintenance of effective system of internal control, and taking prompt and effective action in maintaining adequate processes and systems to support timely and accurate financial reporting. Regarding the other elements of the report, we confirm the basis of our materiality, which we have set at $24 million, based on 2% of gross expenditure for the authority for those open years of accounts, and for the pension fund at 1% of net assets. The appendices to the report also include a summary of our 2020 unadjusted audit misstatements, reconfirmation of our independence, and comments with respect to our audit fees. I'm happy to take the rest of the report as read and take any questions. Okay, thank you for that nice report. Can I ask, does the committee have any questions or comments it wishes to ask? Before I go to the, we missed one, apologies for tonight's, are there any apologies? Good evening, Chair. There's just one apology. Councillor Ahmad, who's joining the committee, has given us apologies. Okay, so now, any comments or questions to Jonathan? Yes, your question. Thank you. Just sort of revisiting the audit committee 1.22 and 22.23, just in layman terms, there's a lot of sort of technical language involved. Can you tell us what our position is in relation to Deloitte's looking into those in the backstop? So, basically, if you take each of the three years, we've done some work on the 21 audit, but won't have sufficient time to finish it, and we've done very little work on the subsequent two years, 22 and 23. On all three years, we don't expect to complete a full audit, but there are certain specific procedures that we have to do to enable us to meet the new government deadline, which is the 13th of December. We feel that we're in a good position with officers to complete that work, and we should be able to meet that deadline, but that means that you'll get an audit opinion that is disclaimed, which basically, in layman's terms, is saying that we haven't been able to finish the audit. Do you have any more? Yeah, please. Thank you. So, and this is more towards our officers, that disclaimer, will that pose any risks on the council, council's financial position, council's position to borrow money, or any financial activities in relation to the council, or what started going beyond that with EY? You want me to answer that? Julie, okay, you want to come in and answer the question? Yeah, so I can leave officers and auditors to add any context they want to. But essentially, it puts us in a slightly better position than having no audit opinion at all, but not as good a position as having a full audit. One thing I would say and stress to the audit committee is, and I would ask the auditors to comment, the years outstanding are not unique to Tower Hamlets, they've been dealt with. The years outstanding are part of a backlog, I think it's fair to say that all local authorities, certainly in London, are in the same queue, there's only limited capacity from auditors. And I think that's why the government has introduced these very harsh backstop dates in order to get to a position in a couple of years, that's the plan, that everybody will have full audit assurance. So the answer to your question is, provided the qualification, the disclaimer that we receive is consistent with everybody else's in relation to meeting the backstop date, then no, it won't adversely impact Tower Hamlets any more than it would any of the other boroughs who will be affected in the same way. Does that help? Thank you, that's fine. Moving on, can I thank you, Jonathan, for coming and presenting the report, you're free to stay? Oh, that's good, thank you, that's very generous of you, thank you. Okay, moving on, item 3.2, London Borough of Tower Hamlets audit planning report, year ended 31 March 2024, these are on pages 49 to 116. Can I ask our new auditors, Eli, is it Hayley? Can I ask you to present your report, please? You have 10 to 15 minutes, thank you. Thank you, Chair. So I will take the report as read, but I think just reflecting on the fact this is the first audit plan that you are seeing from us and recognising that there's quite a lot of information in here, I will just draw your attention to some of the areas that I think it's important that you consider as part of the paper tonight. And then what I'll do is I'll just ask Dan to perhaps talk you through one or two of the financial statement and value for money risks. I think firstly, before I dive into any of the detail, I think it's important just to understand that as we've been undertaking our planning procedures, we have had regular engagement with management throughout that process. We've recently had a conversation with the Chief Exec and we actually have a conversation scheduled to talk with the Mayor in a couple of weeks as well as part of concluding our planning procedures and risk assessment process. And I do feel like we've actually developed some really good engagement and had some really constructive conversations as we've gone through the process. Management did have a chance to have a look at and comment on the plan prior to submission in the papers. So the first thing that I wanted to talk you through is just on page 7 of our report or page 55 of your PACS. And I think what I'll do is I'll start by saying that as we've identified our risks throughout this plan, we want to recognise that they are just risks at this stage. We are not at this point suggesting that any of these risks are materialising in practice. Clearly, if that is the case, then we will report that to you at a future committee. But this is a risk assessment document. So the overall risk rating that we've assigned to the audit is something that we've referred to as close monitoring. And that effectively is the highest risk rating that we can assign to an audit in line with our risk assessment processes and audit methodology. And there are a number of factors that we've set out on that page that are driving that risk assessment at this point in time. What that does mean, though, is that we have had to put some additional processes in place to facilitate us as an engagement team as we conduct your audit to make sure that we deliver you the right opinion. And that includes additional support from our risk management team, our audit quality team. We've got an additional senior partner whose experience that sits independent to the team that brings Steve and myself and the rest of the team challenge on some of the judgments that we're forming and the work that we're undertaking. And we also have a specific review of your financial statements from a technical perspective as well that's undertaken. Now, that risk assessment does have an impact on a number of elements within our plan in particular, and that's probably why you're seeing probably a heightened number of risks that are feeding through into the financial statement and the value for money sections of the report. One of the areas, though, that it does have an impact on, and I will draw your attention to, is set out on page 11 of our report or page 59 of your pack, and that's in relation to materiality. So I'll just talk through what those different elements mean right now. So planning materiality is basically we take into account the expectations of the users of the financial statements, and that level of materiality is the amount that we consider would influence user of the accounts decision making, essentially, and we've set that at seven million, which represents 0.5% of your gross expenditure figure. It's at the lowest end of the range that we go for as part of our methodology, and we've set out some of the reasons there around why we've considered that, we need to do that, and that's all about the public profile of the council, prior year qualifications in the audit of opinions, and the awaited best value inspection reports as well. The performance materiality, which is in that middle section on that page, we've set out 3.5 million, and that is the level at which we perform our audit testing, and that essentially represents the perceived risk of misstatement across the financial statements as a whole. So are we going to identify any errors and the quantum of those errors? Now, when you're assigned as a close monitoring audit, you would automatically fall to that level, which is 50% of the planning materiality, but I think it's important to know that even if you weren't at that risk rating, there are other factors that have come into play there. So, one, it's a first year audit, so we don't have experience of working with you, so we have to factor that into account. There are a number of findings that have come out of Deloitte's reporting in relation to previous years that we need to factor in. You have had some changes in personnel, and also there are a number of findings that have been coming out of internal audits work as well. So when we take that as a whole, we've formed a view that there is a risk of heightened error across the financial statements, and clearly we'll only be able to evaluate whether that is correct or not once we've worked through the procedures for this year. And then the final element is just the audit differences threshold at 0.35 million. So if we identify any misstatements larger than that, we'll include that and we'll report them to you. So the next element I just wanted to draw your attention to then is just on page 61 of your pack or page 13 of our report, and that's just around the timeline. So we've obviously just had a conversation on the backstop dates and the implications on previous years. I think it's important though that we also talk about the implications for this year. So the 23/24 backstop date is the end of February 2025. However, we need to have completed our procedures well in advance of that so that we can form a view as to what form of opinion we need to be able to issue as an organization. And I think it's important to note that the majority of our team time that does all the hard work on the ground and all that the testing runs to the end of November to then allow us that time. I think it's fair to say that at this stage we are not as far through the audit as we would like to be, and there are a number of factors that are feeding into that. So I do think we just need to highlight that there is a high likelihood that we won't be able to complete the opinion and issue a clean or unmodified opinion by the time we get to the audit committee that I think is now scheduled for the end of January. So it is likely that we will continue to have some form of disclaimer in the financial statements, and that's not just in relation to the opening balances position. That will also be in relation to current year balances as well. What we are doing is we are working with management closely to make sure that we're deploying our team's time in the most effective manner. So what we don't want to do is end up with lots of audit work that's been started and no areas that have been closed down, because clearly we need to build up assurances to a clean opinion over a number of years. So we need to really focus on closing out areas that are going to be additive to that process. We have highlighted a number of value for money risks in here as well, and I'll let Dan talk you through one or two of those. The bit that I just wanted to talk to you about is just obviously as auditors we do have additional discretionary powers that we can use as and when we see fit, and that can include things like statutory recommendations or reporting in the public interest. If we do identify anything that causes us a need to feel like we need to invoke those powers, then clearly we would have a conversation with management and yourselves timely enough to make sure that you're cited on that. If it's okay, I'll just hand over to Dan just to talk through one or two of the risks. Thanks, Chair. So I'll talk through a couple of the risks that we've got on both sides of the works of the financial statements audit and the value for money work. So on page 8, so page 56 in your pack, you'll see that there are 12 risks and misstatements that we've identified. The first five of those are tagged as fraud risk, and that's where we feel that management have the most opportunity or the most incentive to manipulate the financial position. Now we're led by our auditing standards to identify the first four of those, and they're generally pretty consistently applied across our local government audits. Unless we have compelling evidence to rebut any of those, which, as Hayley said, this is our first year working with you, we don't have any of that to rebut those risks. The second risk on that list is in relation to inappropriate capitalisation of revenue expenditure. I just think that that's worth flagging because that is probably the most realistic way that management would or could manipulate the financial position, and that would involve charging revenue expenditure to one of the capital programmes so that makes up £120 million worth of expenditure in the financial statements this year. We've also identified some significant and higher inherent risks which relate to technical accounting issues, some of which you'll be familiar with from the work that Jonathan and his team have done in recent years, so pensions, PFI and PPE valuations. But we've also got a risk around the preparedness for IFRS 16, so IFRS 16 leases is fully adopted by the SITFA code from the 1st of April 2024. So that means that your accounts for next year that we'll be auditing will need to fully disclose that. So we're looking at how ready the council is for implementation date, and we'll be doing work around that for 23/24. There's also a risk around opening balances, as Hayley's pointed out, and that's in relation to the years that haven't been opined on yet. And we've also got a risk around the council's group financial statements. So in previous years the council have acknowledged that they haven't done group financial statements, so this is the first year in which the council have produced those, so we'll be auditing those. We highlight a risk that's quite high up on our radar, with it being the first year, that the amount of work that's gone into that might miss some of the consolidation elements, or the disclosures that are produced may not be correct. Section 2 to our report goes into more detail on all of those risks, but we're going to take that as read for now. In terms of the value for money risks, there are a couple of risks on there that I just wanted to highlight, the first one being the PFI contracts that are coming to the end of their term in the next five years. So we'll be performing the work to see what the council has done to be ready for expiration, and managing the risks that are associated with those, and conversations have already started with officers on that. We've also got a risk in relation to the offset inspection in 2017, and that may feel like a long time ago, given the 2021, '21, '22 and '22, '23 audits haven't been cleared yet, and this is our first look at that, we'll be looking at what the council has done to ensure it retains the improvement since that original disappointing inspection result, and making sure that we're looking at what the council has done to maintain that level. And finally, we will be considering the findings of the best value inspection. Finally, Section 6 talks about the makeup of our team, so you'll see extensive use of experts within that, and around the risks that are set in terms of the technical risks of PP valuations, MRP, PFI and pensions, we've highlighted experts for all of that, and due to the level of risk that we've associated with the council, and also especially in two areas that we've noted on page 47, we've included colleagues from our forensics team, that will be performing some of our audit procedures. Okay, thank you both for that report. Now, does the committee have any questions or comments it wishes to ask? Okay, Councillor Mufi Debustin, please, your question or comments. Thank you, Chair. Thank you for your presentation, really interesting. I had a question about the audit timeline, so I think in the report it makes reference to information not being provided as quickly as you would have liked, it's not phrased like that, but I'm paraphrasing. I was wondering, and it might not be a question for you, it's probably a question for yourselves, what from your perspective is the delay and what's sort of causing that? Thank you. I think Hayley from EY touched on the fact that given the risk rating, it's close monitoring, so that kind of feeds its way through to the level of work that we need to conduct as part of the audit, and that's significant, so sample sizes, testing, review checks, a lot of that is coming through, has come through in the past three, four weeks, so we have got a dedicated team that's working through that. We have added additional resource. We are also trying to manage that with the Deloitte process to ensure that we achieve that 13th December deadline, so there's priorities and managing priorities at play here. We've shared our plans with EY colleagues in terms of expected timelines of completion when it comes to those tasks. It's a bit of a moving feast, so we complete stuff, stuff comes in, so we're constantly reprioritizing workloads. I think, again, Hayley touched on this. What we want to do is work quite closely with EY to ensure that we've got a plan in place that over future years we absolutely get through all the workload, so we've got a clear plan there in terms of what we want to deliver and complete in complete areas, so EY colleagues can sign off on sections, and then in future years building up those assurances for all the balances required, so it's that joint plan that's going to be really critical here, and it's going to be a case of resource issues with EY and resource issues with us and how we manage that together, moving forward. Okay, thank you for that answer. Okay, that's nice. Julie, your comments, please, or questions? Yeah, so I would just like to respond to Hayley's and Dan's introduction. I would echo what they've said. I think it's fair to say, you only have to read the papers this week, that EY have got a bit of a reputation as being tough cookies. I've actually found them extremely pleasant to work with. I was alarmed when I saw the materiality threshold, I'll tell you that. In an open and honest conversation, what I would say to you all is, it is not for the council or the section 151 officers to determine the materiality threshold that auditors set. It is the auditors' privilege to determine that. I hope they will echo or endorse the view I give to you that what they've had from me and the team is complete transparency, whole acceptance of the position we're in. What I would say to you all is, I've been around for a long time because I'm really old. Never in my career have I experienced a materiality threshold like we're experiencing here, and never have I had to take a team through the resourcing requirements that that will demand. And it's alarming sometimes, isn't it, was to me when I read risk of management fraud, I thought, oh, that's me. I have no consent at all that there will be anything that the auditors will find the risks that it's important that they explore and remove. What I would say to you is that the finance team you've got in place are the finance team that to some degree in this risk are a victim of their own success. Had we not resolved the issue and closed the number of accounts we've closed in the period of time we've done it and the current year's position, then the issue of actually you're a heightened risk because you've done it to some extent wouldn't be there. We'd be in a worse position if we haven't. So when we closed all those accounts on our website and drawn to all your attention and in every report we've done, we emphasised to you the risk of error in relation to open and close imbalances and the risk of error of absence of audit activity where we were able to correct issues from one year to the next. So I have complete confidence in the finance team that you've got. I don't envy them. I think it's fair to say the level of testing and sampling and requirement for them to respond is greater than ever it could be. Our mission is to go through this process. All the boroughs will be going through almost exactly this process of limited insurance or disclaimers. What they won't have is the pressure of the level of testing that's going on. And what I would add for the minutes is the level of risk and materiality testing has nothing whatsoever to do with the integrity of the accounting team that are putting together these for you. And their professionalism, as far as I'm concerned, is unquestionable. And I would ask you all to support that. As a finance team, it's in our interest that any statements we publish are a true and fair reflection of the position and whatever that position may be. And I have committed to EY, I will commit to you as an audit committee and the finance team to work 100 per cent to ensure that anything they want to see, any access they need to have, they will get. And I believe I've done that. So I would just ask you all to appreciate a little bit two things. One, the extent to which the finance team will have to work to get us through this, which I have labelled, and I'm not backtracking, the toughest audit in the UK, it's the toughest audit of my career. And also, it doesn't come cheap. We pay in for this. There is a cost to the council of audit fees, looked even today at next year's estimate of audit fees of a million pounds. And when you pay in for something, then there is an expectation on my part that the resource and to deliver the requirements from EY are there as well. We've had to add extra resources into our team. We've done that. The council has put forward the money to do that. So I just wanted to say, please understand that you've got a finance team that is pulling out every single stop to get us through this audit in the most professional way we can. So other than that, I have nothing to say. Thank you for those comments and your compliments. COVID-19, before I come to you, can I ask -- she's got, I think -- Yeah, thank you, Chair. I've just got two questions. So one's sort of really a follow-up to the questions around resourcing. Because, you know, this council has been through a period of intense audit, and that had a real impact on the finance team in terms of energy and morale and all of those things. And I suppose the other thing that has an impact on is all the other finance work that needs to get done. And when we're in a transformation year and there's insourcing of, you know, other entities and stuff, there's some real challenges there financially. So I guess what I'd like to understand is, in terms of those, you know, priorities and work plans, how are you sort of managing all of that and all those kind of conflicting challenges, and what is morale like in the team at the moment? Okay, thank you for that. I'm going to have a question for the auditors after that. Oh, you have one for auditors. You can say it together, yeah. Okay, thank you. So you made reference to the best value inspection in terms of value for money risks as well. So we haven't seen that report as yet. Is that the case for yourselves? Okay, thank you. Yeah, okay. Thank you, Councillor, for recognising that this is quite a challenging year for us. And I think the key thing for us was to plan and make sure, you know, the key priorities are delivered. And as Julie suggested, you know, we are looking to recruit and we have recruited extra support to enable us to get through the audit, and that's going to cost us. But we are trying to manage that, and the key thing is that communication with our auditors. And we do have a good relationship now, so we're planning together as we move forward and also monitoring those costs. In terms of the team's morale, it's much better than it was the last couple of years. And again, you know, having that stable leadership has really helped in terms of that. And I think, again, working with them and engaging with the team is really important for me as the Director of Finance, and we're working through that to the stage. Okay, thank you for that comment. Now, COVID-19, your question or comment, please. Thank you. So can I start by thanking our finance team, able to actually respond and answer two questions from auditors, which alleviates gaps in terms of information, and I think that's a really important factor. And I want to thank especially Julie in her leadership of the team, not to mention Grazek and others within that. I wanted to also pick up on capitalisation. I know Julie gave one set of examples. EY have gone right the way down to 3.5 million. I know officers have made representations, but what's the threshold of your satisfaction to bring or your response to bring it down to 3.5 million, the first thing. And the second thing related to, again, materiality is if this also covers the pension fund as well within that consideration. Thank you, Colby, for your question. Can I ask Hailey to respond, please? I'll take the second question first, if that's okay. So it doesn't cover the this report doesn't cover the pension fund, so that will need to come to the committee separately. And that will have different determinations for materiality set on a different basis. So I'm and I'm not the partner on that audit, so I'm not going to I'm not going to try and comment on that. I guess the first question around our satisfaction at the levels we've set, I guess we've followed our methodology and we've reflected on as we've worked through our acceptance procedures this year. A number of the factors around individuals within the organization, around the public profile of the council, you know, the fact that you have had BVI in doing that, even though we haven't seen the report yet, you have had them in throughout the course of the year. Clearly, there's been a number of years that haven't yet where the audit hasn't yet been finalized. We don't have open imbalances positions. You know, you've got a number of limited assurance reports that are coming free from internal audit. And whilst I think we appreciate some of those identify issues that were a number of years ago, there isn't sufficient evidence to demonstrate at this point in time that those matters have been addressed and all of that has to feed into our assessment. And that's why you're seeing, based on our judgment, these levels of materiality. Thank you for that answer. Okay, thank you. Okay. I think we haven't got any more comments or questions. Thank you. Just an administrative question, really. Okay. So given that, so we've changed the dates of some of the committee meetings in order to fall in line with the audit time scales, but it doesn't sound like you would have completed your audit, Jonathan, or done your work by the 4th of December or Haley, that you'd be in a position to report back to audit committee on where you are with the audit in your, I think you said audit opinion, didn't you? You even have formed an audit opinion by the 30th of January. So do we need to move those dates? That was my only sort of admin question, really. Jonathan, I think, yes, that date is important for us, actually. So we, our deadline is the 13th of December and we need to report to you before that. So our aim is to finish what we need to do before that and report to you in that meeting. Yeah. Do you want to come in? Yeah. And then, yes, so we've, so the audit committee that was scheduled right at the very beginning of January, I think it's been moved to the end of January. And that's because actually it just gives us a little bit longer to formulate once our team stopped at the end of November, formulate a view on where we think our opinion might land, collate our reporting and get that across to you. Because otherwise we'd be doing that sort of early December to make sure we've met a paper deadline ready for that committee at the start of the year. So it's just been moved out slightly further. And what that also allows us is it gives us, you know, another couple of weeks before we need to hit the 23-24 backstop date as well. So we're just trying to create a little bit of contingency and buffer room in there. Yeah. Thank you. Can I ask the comments of the committee are noted? Yeah. Thank you. Thank you to Jonathan for coming and presenting the report and to you, both of you. Okay. Well, you're welcome to stay. We'll see you at the next meeting, hopefully. Okay. Moving on. Item 4, terms, items for consideration. 4.1, internal audit and anti-fraud progress update report. These are on pages 117 to 150. So can I kindly invite David Dobbs to present this report? You have ten minutes, please. Thank you, Chair, and good evening, everyone. I'll take the report largely as read and just draw your attention to the key points. There are three components to this update report. The first one is the report which describes audit progress against the plan which was agreed back in April. It's been slow progress over the first six months of the year, possibly a reflection of the summer period. But I do recognize also there is a need to improve engagement with the audit process and for us to get on top of some of the persistent staffing deficiencies we've had in terms of vacancies and other gaps. In terms of the piece around engagement, what I would say there is that cuts both ways. We've got to work harder to engage our clients with the audit and I think in turn we expect better engagement in response. It's possible people may think the audit process we have at the moment is too inflexible and arduous and we will, of course, look at that and try to improve engagement going forward. However, based on progress to date, I will need to adjust your expectations in relation to the audit plan and its delivery. We've got 73 audits in the plan for the Council and 19 schools. And much in the same way as the external auditor has to deliver a certain quantum of work to deliver a robust audit opinion, it's the same for internal audit. So we need to progress as many audits as we can so that when we report back to this committee, which I think will be back in July next year, that we've completed sufficient audit work to enable me to deliver an audit opinion. And as I mentioned earlier, that will require effort on both sides. This report includes details of the one limited assurance report that was finalised during this period, which relates to the SCN passenger transport service. As if and when there are other limited assurance audit reports, we will, of course, bring them to this committee once they are finalised, which we've previously agreed to do. As we will, if there are any, no assurance audit reports and we'll also bring back summary details of those reports that are consultancy in their focus. The second component of this report is the external quality assessment. And this is a reflection of professional standards which require internal audit to have an external quality assessment at least once every five years. Now, across the London, there was a system whereby this was done on a reciprocal basis by other internal audit teams. So the suggestion that was taken forward by, I think, every other London borough was that there were reciprocal quality reviews. So this would mean, for example, that we would review Croydon's systems and Croydon would review ours and we would both deliver a quality assessment. Now, I didn't think that was particularly satisfactory, so we broke with the rest of London. And I think in view of demonstrating proper independence and accountability, we commissioned an external quality assessment externally through a company called Validere, who won the work through a tender process. Their report, which you see in the pack, concludes that we as a team generally conform and that's all the jargon for that's the highest grade you're going to get. So we generally conform with all of the professional standards for the Institute of Internal Lawyers. That's the highest grading they offer. Nevertheless, you'll see in the report there is an action plan which we've completed and that will show you that we're obviously cognizant of the need to demonstrate continuous improvement. The third component I'll be brief on, which is really just the result of a temperature check in terms of fraud awareness, which we do regularly for the council. And that's really keen in terms of measuring officers' awareness of a knowledge of fraud, particularly around things like if they suspect a fraud, who should they report it to. And these things are key to ensuring a quick response to any suspicions of fraud, eliminating any spurious accusations and making sure that when there is genuine fraud or genuine cause to believe fraud is taking place, it gets the right team to look at it promptly and we can therefore minimise losses and maximise action that we take. I'll pause there. I'm happy to take any questions, Chair. Okay. Thank you for that report, David Dobbs. Now to the committee. Do we have any questions or comments? I can see Mark Francis. Okay. Your question or comment, please. Thank you very much, Chair. Thank you, Ms Dobbs, for the report and all the work that your team's doing as well. So I think I can't remember whether I was serving on the committee when we agreed this as the kind of the work plan for the year ahead. But I think a reflection for next year is that this does feel like quite a lot of work to get through over the course of a single year. And so my first my second observation is around the numbers of those that have come through that are coming back as limited. And that's obviously a bit of a worry. It's not no insurance, but it is still a worry. And the one example that we've got of where we have a final report is the one around passenger transport. And that seems to reveal some quite serious worries or at least risks of there being issues. And it kind of put him to me as a non expert. It points to the fact that perhaps they're similar. That's that's a similar kind of level of risk that is within these other ones that are down as limited as well. So my first question is around the draft reports that so I think there's 10 or so draft reports that are due. And whether we as a committee will get those at future meetings or whether we'll be provided with those in advance of the meetings once they're completed. It does seem to be like the meetings themselves are being sort of chopped and changed around a little bit. So it would be useful to make sure that we're getting the most up to date information as it happens. And then the second thing is around the. OK, so I appreciate I suspect you're not going to get through everything else that's on this on this list. And so it points to the need to prioritize. So I just wondered if you could say a little bit more about how you and your team will be looking to prioritize what those that are on here that you haven't yet begun fieldwork on. Thank you, Mark. David Dobbs. Yeah, thank you, Chairman. Thank you for the question. In relation to the the audit reports that are coming through the system, you're quite correct. So we will we will present them here in summary for once they're finalized. Now, I suppose the issue we have at the moment, which we've already spoken about, is the change in the meeting dates, which means the next meeting is, I think, December and then there isn't one until April. So there's sort of a lag there of some months during which there's going to be a really busy period of audit activity. So in the normal course of events, that April meeting will be one where there's going to be considerable catch up in terms of the progress of internal audit work. So that could be quite a lengthy report because it's going to catch up in that intervening five month period. Now, in terms of the kind of the reports themselves, what I've said to this meeting before is that we provide in summary form. We don't give you the full reports, but I'm quite happy and I'll be completely transparent, happy to supply them once they're finalized outside of this meeting and make them available to members. I've got no issue with that at all. The reason we don't do that for the committee is it makes the papers very lengthy and burdensome, and you would end up wading through probably a lot of irrelevant information. And what we're trying to do here in terms of the summary is actually direct you to what we think are the key findings without giving you absolutely everything and drowning you in detail. So I suppose that's the first point. In relation to the second point, yes, it's going to be challenging getting through the plan. What we said when we did the plan was, and we will do this when we go back to offices, is that this plan needs to be completely flexible. So we did the plan and we compiled it back in January. We now need to look at it again and think about whether or not that risk assessment we did back in January and the plan we presented in April is still valid. We need to discuss that with officers and we need to sort of form a view on that as to what are those priority areas going forward. And it might be that for the second six months of the year, the plan looks markedly different. So there will be a need to revisit this. There will be a need to reprioritize. And we've always been clear at the outset that the plan isn't something that we should have set in stone and tick off and look to do that. We do need to sort of think about what are the risks here and now, what will the risks be in three months and six months and try and get ahead of the game rather than this sort of backward looking piece. So I hope that gives you a bit of assurance around that one. Well, thank you. I can see, Julie, your hand. Do you have any additional comments? I do. So I'd just like to say a few things about the report. First of all, just note my congratulations to David and the team to take the bold step of saying, you know what, we'll get a professional firm to evaluate our approach toward it and then come through that with the highest grade. It takes some doing. So thank you, David, for that. The second thing I would point out is that I think it is really important to be transparent with audits. We will reach a point where the Audit Committee feels assured enough to say we'd like to see all audit reports by exception. So exception being the extremely bad ones and for balance, extremely good ones. So you should automatically see those. My concern at the moment is I have seen that the audits that have taken place that are coming through, there has been such a lag. And I've spoken to David about this, that some of the sampling or the audit areas that were reflected actually are meaningless today. So, for example, there was an audit that you saw into asset disposal. It came through with limited assurance. Fantastic. But we've got a policy of not disposing of any assets. So that related to a position that really isn't something that we all need to get excited about. And I'm really concerned that we bring up to date the sampling of audits. The best balance we can give is I would ask David to make available to Audit Committee members any audit whatsoever that they wish to see at any point, and ensure that the sampling data, the position, the snapshot in time that it covers is made clear to members. One of the things that I'm concerned about is that we can respond to findings relating to a period that isn't now. And I want to know how can we get assurance now. So I have had conversations about that. The second point I would make in terms of the flexibility of the audit plan and your point, Mark. Absolutely right. How are you going to prioritise? Actually, you should prioritise on a risk basis. And there's a real conflict, isn't there, between management seeing internal audit as a management tool, which it is. It's a source of assurance for me. And Audit Committee seeing management directing audits to the places where they perceive management might want them to go. And there's a balance. And that's about trust and confidence that we will achieve over time. So my approach that I would say to all Audit Communities is I have never interfered in any way with the audit plan that David has set. I don't intend to. I intend to let that roll. I intend to let him determine what the risk base is. But we do we will reach a point and we'll know when we're all in a good place the day that we adopt that risk based approach and risks materialised during the year. You can't always plan them ahead. So I would just say anything Audit Committee want to see in an audit report should be made available to them, David, at their request as a matter of course. I'd like to see a repository they've got access to so that they can see them and it is fully transparent. But at the same time, I would ask that we make clear on all audit reports the timing of the samples, the period in time in which we are reflecting the audit findings on. So the conclusion of the audit, the sign off, may well have been some significant time after the original sampling took place and that needs to be made clear. So other than that, I hope David will say we've done several things. A, he's been bold, he's gone outside and he's had an evaluation by an independent person. B, we changed the reporting line of internal audit David. The chief internal audit is a direct report to me. He doesn't report to finance, so we get that segregation. And C, I'd like us with your agreement, Audit Committee, to adopt a risk based approach. And I'd like us to empower David to have some flexibility in prioritising the remainder of the audit plan to focus on the areas of greatest risk. Other than that, that's all I've got to say. Thank you. Okay, thank you for your comments. We have a - okay, Councillor Colby. Oh, okay. Councillor Mofidobastian, your comments or question, please. No, he's given it to you. Thank you. I've got two comments and two questions. So firstly, congratulations on your EQA. I think generally conforms is probably a description that deserves a bit more excitement and credit about it. So well done. And also well done on the fraud survey. I found that very entertaining to read, especially the one person who replied that they wouldn't do anything if they identified a fraud because it wasn't their own. So the two questions. So we heard earlier about the finance team and the pressures that they're under. In terms of the audit list and the number of finance audits on there, how are you going to be able to do the audit field work in quite a challenging time for the finance team? And then my second question is about the SEN transport report. And there was a comment in there about DBS checks. And that's something that we talked about if it was in last committee or the one prior to that. And there seems to be a bit of a rolling theme across that side. And obviously, if that was offset inspected, that would be an immediate fail. And I know that children's services is due to be inspected at the moment. So I was wondering, is there any work being done across all of the different services that have an element of safeguarding in them, whether it's children's or adults around DBS checks as a whole? Okay. Thank you for your question and comments. David Dobbs. Thank you, Chairman. Yeah. So in relation to DBS, this was highlighted by an audit I think last year. There has been an extensive piece of work that's been coordinated by our colleagues in HR to address the issues that the audit identified. This piece of work, as I understand it, has now come to an end. I think some of the issues they found were there was a lot of people who didn't have a DBS check or hadn't had one in the last three years. And we do use a three-year time period that they could get at easily. We could renew their DBS and there wasn't a problem. There was a small number of people who, for whatever reason, were employed by the council but we couldn't contact because they were on long-term sick, they were on maternity leave or they were in a similar situation and therefore their DBS in Tower Hamlets terms, which runs for three years, had expired. And we use that three-year renewal. I don't have the details of the specific ones in relation to this. But I've been speaking to HR in terms of following the findings from that audit and just as Julie said trying to get some real-time assurance there to make sure that any outstanding are in that first quantum of people I mentioned in terms of they simply haven't responded, they are on long-term sick. And we've had assurance there, which I've verified, that the people who are working now or are active for the council in those safeguarding roles do have the appropriate DBS checks in place. Now there'll be an ongoing exercise there to determine where people haven't got a DBS check and they're on long-term sick or they're in some other situation as to whether or not the council wishes to retain them in their roles. And when they return to employment with the council before they engage in any related activity, there will need to be obviously a DBS check carried out. The other thing to say on that is that previously, and you may remember this from the audit, we relied on quite a manual system in terms of performing DBS checks and monitoring. So I think as part of the work that HR are doing, that system is going to be updated to something which is much more automated and I think we're hoping to use some technology that's already in place as another council. So I think the remediation work is looking at those people who haven't had the DBS checks but also thinking about how we can better deploy a technological solution that would put us in a much stronger position to make sure we don't have a recurrence of those issues in terms of the DBS checks, for example. So I think that's my response in relation to that one. I think the other one was around how will we get through the audit plan. Yeah. Councillor, sorry, can you use the mic, please? I was going to say close. I said specifically related to the finance team given the resourcing questions that they're under. So there's a couple of things really, you know, when we're carrying out audits and you've seen the volume of them that are in the plan, we're cognising of people that say I'm quite busy, I'm doing this, do we have to have an audit now? And if we accede it to all of those requests, there wouldn't be any audit work carried out. So we've got to be very careful in terms of working with officers, making sure that where they are busy, where they are occupied with other things, we don't unnecessarily intrude through the audit process. But we provide them with the assurance they want it when they want it. So for colleagues in finance, if we're doing an audit of the general ledger, if we want to do it in May and June when they're closing, it's going to be a non-starter, for example. So we've got to coordinate resources and timing with them in terms of when we carry out any work on finance systems and so on and so forth. And I attend the biweekly finance meetings to make sure we're properly coordinated in terms of arranging audit work but also outstanding findings and anything else that is coming out of the audit. So there's a close coordination there. Similarly, with the other areas of the council where there may be pressures or where we may be getting pushback, we report to the directorate leadership team. So we say to them, well, we're not progressing this audit, this one's gone well, this one's going not so well. And that's just a way of understanding the pressure points and actually looking to senior managers to possibly and where necessary apply the pressure to say we want to get this audit done and dusted, we want to get this completed. Can you please respond to whatever queries or whatever is outstanding? And it all goes to what Julie said, which is in relation to if you get that engagement, if we're getting those responses, you get the timely assurance. If there is a big lag or there's a big lag because somebody moves off onto another project for two months and that delays the audit, you're not getting the timely assurance. And it doesn't benefit anybody essentially. So there is that process where we've got to fine-tune the resourcing when we carry the work out and that relates not just to finance but to all the other areas in the council as well. If we were doing it in children's services and suddenly Ofsted descend, then that would cause a problem obviously. But we do need to be mindful sometimes these pieces of audit work can be quite valuable in, for example, informing inspections, in, for example, informing the work of external audits and so on and so forth. So it's a process that needs a lot of fine-tuning. Okay, thank you for that. Before I come to you, can I pass it to Julie? Julie, can I have your contribution, please? Yeah, so just quickly, I just wanted to respond to the councillors to two questions and one that was asked earlier. So first of all, in relation to DBS checks, committee will recall that at the last meeting we were able to demonstrate movement in the right direction on the corporate strategic risk register of DBS checks. That was as a result of the work that HR have done. We brought in a specific resource to do that. It was CMT that received the alert and immediately put DBS checks onto the strategic risk register. And I can recall coming to this meeting and talking to you around that. We've then seen the risk register reviewed, that risk going in the right direction. The key for me in that is for us to use the latest technology. And one of the big issues for us was the council's systems they had in place for verifying identity, which is the key bit of a DBS check. Forget the queues, the DBS system, that's our job. How quick can we verify that identity? And we did not have the up-to-date technology in place to do that. Even today, as Abdul Razak will confirm, my DLT considered the right technology that will go in place and agreed a fast track route to CMT for a decision to implement that. The second thing I want to say is in DBS, where we identified risks, I just want to be very clear. The risks were in relation to the agency that we use and the agency had failed to pick up DBS checks. That has been corrected. We immediately, and it was over a weekend when this came to our attention, contacted the relevant directors and we took action to ensure that staff were doubled up over that weekend. So that there was no individual person working across that weekend that could have been not in receipt of an up-to-date DBS check. So it's not just about audit, it's about swift, agile operational responses. And that decision was taken by the chief executive over a weekend. So I hope that gives you some assurance. The other thing is in terms of the audit team, I just want to ask you, David, it's not just about finance team resourcing. The committee have asked Abdul that, is he well resourced? From your perspective, can you just brief the committee on the resourcing position of your own team, please? OK, this question is to David Dobbs. Yeah, so I mean, you've heard me report this committee before, we've had ongoing resourcing issues in the team in terms of filling vacancies and that's not uncommon across London. I think there are a number of other boroughs in London that are wanting to migrate to a delivery model which sees them move in-house in terms of using less contract support and less partners. So at the moment we have an in-house team which excluding myself is seven auditors supplemented by a partnering contract with a firm called BDO who operates under my direct supervision. So there is a quantum of resources there. So in terms of quantity, there is a reasonable amount of resources. We're not up to full strength and hence the problems I mentioned earlier in terms of delivering the plan. I think just additional to that, there are what I would describe as other issues as well. So you can have as many auditors as you want but we've got to have people and we've got to have a team that's got the correct mindset, that understand the council, that understand some of the pressures we face, that are able to be flexible and agile and that are able to accommodate officers properly when they're undertaking their work. And again that's a little bit of a shift in working practices that we are trying to bring about but we're not there at the moment. So there does need to be a shift to what I would call more of a consultative mindset and less what I would call internal audit dogma. Thank you Chairman. Thank you. We have a Councillor Coburn, your comments or question please. Thank you Chair. Just if I could pick up on the DBS issue. I think last year or the year before, there's an update service online. It costs £13 a year, I've brought it up before. If we're operating with agencies, an easy win as part of the criteria system for qualification. I wanted to pick up on the notion of internal audits. So I think David, you're the first sort of senior level internal audit individual we've had for a while. And I think it's really important to have that robust approach. So for me the way I see it is it's market testing for the real audits that come and if we don't identify the gaps internally we'll never improve our services. So it plays a pivotal role and I think Julia's Deputy Chief Executive, the other hat on, possibly needs to be even more robust in departments complying and not pushing back on it. And sanctions being put on departments and directors and corporate directors in relation to conforming to internal audits. So I kind of break it down in multiple ways in my conception of what an internal audit is there in terms of the function, in terms of waking departments up to practices that might accumulate to failures. The risks that they take in their everyday practice without knowledge of what's out there or regulation changes. And I think it's of the utmost importance to have that robustness and honesty and transparency and I think it's very important to be in because ultimately every Councillor here is part of the board that runs the Council. Also I think it's important to acknowledge that as a Council we've had huge investment in technology from Power BI to other tools which will assess departments in making one more accurate forecast and operating more transparently. And just want to ask Julie more so than anything else, in terms of the target operating model, how will that impact on sort of the function of auditing and assessment processes? Okay, thank you for that, Corey. So you want Julie to respond? Yes, I did hear Councillor and I'm happy to respond. So the target operating model strengthens our audit function significantly. What it does is it leaves David as Chief Internal Auditor with a direct report to me and he then takes control of all audit activity across the Council because David and BDO are not the only audit activity that takes place. Operationally a number of audits happen for different reasons in accordance with requirements from Children's Services to Revs and Bens. In the new model all of that coordinates under David and I believe that will strengthen the resource available to David and put it in a single point so we get a single picture of audit and assurance activity. And it's not the audit activity I'm interested in, it's the output, it's the assurance that we can all take that we feel. We as an organisation take assurance seriously and I know that each and every one of you on this committee does. So hopefully that answers your question, Kabir, it will be stronger as a result and not diluted in anyway. Thank you. Mark Francis your comment or question please. I'm sure you want to move us on but I just wanted to come back a little bit in relation to these and what was said about these. So I guess inevitably this is going to be a backward looking operation, the point that I think as I understand the corporate directors making is that how far back in time that is looking. And so I looked just now while we were talking about other things just about the last year's report and I can see that there were maybe about half a dozen that were not carried out last year. And there were some that were on the programme for last year that weren't carried out and that have been carried forward either formally or informally, they're kind of moving across. And that's fine and there's some of those obviously which are of interest to us like members inquiries and things like that which I'm interested the field work is going on on that. But the one that is here, that is the final report that's been completed, this does seem to look back for most over a period of 12 months. Like it talks about looking at things that were reported in January 2024 in relation to overtime. It talks about the budget that was noted in March 2024 and there was something else that was said that relates to May. So I do recognise that there's going to be looking back. But I don't know how often passenger transport has been looked at but that seems to me to be a fairly current position or at least an assessment of the current risks rather than anything that's part of the dim and distant history of the organisation. So I think, I mean I'm not personally keen to see draft reports or all of the rest of it, I think that those need to be discussed amongst the team. But I think that once they are final I would be keen at least to see or maybe to be notified that a summary can be made available to members. So I think that would be my request. Thank you Jack. I think your request is fully noted. Okay, thank you. And just a passing comment. Councillor Mark Francis has the highest members inquiry in this council. Thank you. Okay, moving on. The audit committee is recommended to consider and note the following documents. The internal audit progress report including details of the assurance opinions for audits carried out as part of the 2024 and 2025 audit plan. Number two, a report by consultancy Valadira detailing the results of the recent external quality assessment of internal audit. This is appendix B. And finally, results of the recent council-wide fraud awareness survey, appendix C. Thank you. Moving on, item 4.2, risk management. Corporate and directorate risk registers, these can be found on pages 151 to 200. So can I now ask, invite David Dobbs to present this report on the risk management. You have 10 minutes. Thank you, Chairman. Once again, this report comes with three components. Committee members will be accustomed to seeing the corporate risk register. And you have the current corporate risk register at appendix A. This is a key document and I think this is starting to look a lot more dynamic. And it is something which is now moving week on week, month on month because of the updates and the shift in tectonics of the council itself. Now, in my mind, that's a positive development from where we were when I joined the council. So you've got the updated corporate risk register right at the back of the risk register. You will see a couple of risks that are in draft form. Those have been included but still need to be populated and we're working with officers to ensure that they are properly articulated and the control measures are included. So you will see a gap at the back of the risk register which we're aware of and we're addressing. Again, in the interest of transparency, we've included that in the report. In appendix B, you will see the communities director at risk register which has been the subject of a, we call it, spotlight or deep dive. And that's been the subject of considerable updating and shaping simply because of some of the reorganisation work that's been happening in the council recently. So this has been a significant amount of work that my colleague Victoria sat on my right has been undertaking with their directorate leadership team to get this into a semblance of order. And I think it's in reasonable shape now. Now, in relation to this risk register, we normally have a representative from the communities directorate to answer questions. We don't have that this evening. So if there are any questions, myself and Victoria will do our best to answer them but they may have to go back for response outside of the meeting. The third and perhaps most key element of this is appendix C which is a report from Zurich Municipal, the council's liability insurer, which details the summary results of a health check they undertook on the risk management process. And again, much in the same way we went external with the EQA, we've done a risk management audit before but it's a little bit like marking your own homework. So in relation to this, we asked Jesper who's online and I'll invite to speak shortly if you allow it, Chair. We asked him to perform the review externally and you will see a summary report and also an action plan in relation to the work that was undertaken. And the final thing to note is paragraph 3.8. The council's risk management team, which is myself and Victoria, has been shortlisted in the public sector category for an award. So we're pleased about that as well. Chairman, Jesper is online and by your leave, he would like to explain a little bit more and just bring the risk health check report to life. That's fine with us. Okay. Jesper, can we have your comments and contribution, please? Thank you very much. Hi, everyone. My name is Jesper Klesius and I'm a risk consultant with Zurich Insurance. As part of the insurance arrangements between the council and ourselves, there is a risk support fund annually that can be used for external support and external assistance in terms of risk management. Along with David and Victoria, we agreed that we would undertake this risk management health check or maturity assessment. So it's a little bit different from an audit in terms that this is all voluntary and there's no force, nothing to provide assurance per se, but it's more like a snapshot in time to assess the maturity of various aspects of the organisation's risk management approach. What I found from a desktop review of frameworks and through interviews with key stakeholders, especially amongst senior leadership, was that at this moment in time, there is a fairly low level of maturity around risk management, but that is mostly due to the high amount of turnover at both leadership positions and in the risk function. I found that the frameworks and strategies are out of date, but they contain the right elements and it's still a very functional framework. And as I said, it contains all of the right elements to have an effective risk management process in place. The strategy is articulated by leaders that are no longer with the council and that could be an area to look at for the newly formed leadership team once they have had a time to really form and get together. The risk appetite that's mentioned is also out of date and it was created at a time before COVID and have had significant changes in the landscape that local government functions in since then. And that is also an area to look at once the leadership team have gelled and have formed the new corporate identity that should be going forward. What we did find was there's a good level of awareness and knowledge and an emphasis on improvement on risk management from the leadership. Interviewees showed both skills, experience and interest in risk management, but mostly felt that with other pressing issues, it has not been addressed corporately yet how that should look going forward. It hasn't been thoroughly discussed yet. The view from the top down is there's a need for a culture shift towards a more comfort with risk from officers. And this starts with a concerted communication around what is expected from officers and also the behaviors and reactions from leadership when confronted with risks. There's generally an acknowledgement that improvement in this area and to get it to where everyone would like it to be is a journey. It's mentioned that it would take time. Two years is a good marker for how long it will take to get to the point of comfort. But the first steps are well taken with the risk team in place. There's confidence in the actions that are being taken and the plans that are going ahead. And some of the recommendations that we found and that are here now has already been adopted in a roadmap is a key element that will be to prioritize risk management discussions and leadership and committee agendas so that it doesn't get put at the end of the agendas. But it becomes more of an active discussion at committees, at board meeting boards, at management boards and at leadership meetings. There needs to be an agreement about how risk information is used in decision making and reports and make sure that this information is thorough and not as a side note because it's required in the forms to submit reports. There was also confidence that the target operating model would help in emphasizing how risk management would be done in the council and with a strong control from the centre in that area, it will also enable directorates to make better decisions or make appropriate risk-based decisions going forward. One of the recommendations as well was to create a more dynamic risk reporting and focus on showing that direction of travel that Julie also mentioned before. And so that you as an audit committee can see how risks are managed and have the appropriate tools and information to challenge and scrutinize if risks are managed appropriately. It's also recommended that the current risks have a review of detailed review of the controls in place and ensuring that there is a clear understanding of what controls mean so they can show how they influence each risk. So that's a bit of a whistle-stop tour of what the findings were. I think overall, while there is a low level of maturity that's evidenced at this moment, it is on an upward trajectory and it is going to take a bit of time to really improve in these areas. Okay. Thank you, Jesper, for your report. Can I ask the committee members, do you have any questions or comments? Okay. Right. I can see COVID way. Please, your question or comments, please. Thank you. Just wanted to pick up on CSD 0016 and also ASD 0015. Can you explain why the scores are different for adults and children? So the children's risk factor in there, we've measured the sort of getting on to 12 and with the adults, it's 15 and then getting on to six. Sorry, going to 10. Just page references are 15 children's and 162 for the adults. Okay, David, do you want to clarify these? Yeah, please. Yeah, I mean, so just to be clear, these assessments and scores would have been done by the directorates in question, so I don't have line of sight of directly their thinking as far as this is concerned. Now, we can get that clarification, but that will be outside of the meeting. I don't want to speculate now because these are obviously senior people. They have moved slightly, so there has been a change in some of these assessments, so the risk scores differing will be a reflection of different levels of control and different levels of confidence that the officers have. I probably couldn't really speculate beyond that without speaking to the officers directly themselves. Okay, so you will obviously come back with the information. I'd be happy to do so, absolutely. Okay, thank you. We have, I can see Councillor Mark Francis. Thank you, Chair. Thank you for this report as well. So we've had, when I was serving on audit committee previously, a version which was more of a summary than this, and so it is helpful to see it. Those which have a lot of writing are a little bit difficult for me to follow entirely because it's quite small, but I can clearly see the explanation of existing control measures is more detailed, and so I really appreciate that. I wanted also to ask about things or to say something about something that's been added, which is community cohesion, and I should say just for the minutes, I think there's a logical explanation for those that have been removed from this register. But on community cohesion, I really agree with the addition of that one to this register, so I'm going to be looking at that. I mean, that's something I'm certainly feeling as a ward Councillor that there are issues around that. I have somebody in Roman Road going around putting spot stickers on businesses, so there's clearly a kind of, you know, this is something that's developed over the course of the last 12 months or so and does need to be addressed, and so it's good to see there. So will we get an update on the control measures on that one for the next report in January, or will we wait until we get the departmental one on that? So that's my first question. Okay, thank you. One other. No, no, I'll wait. Okay, that's fine. Okay, David. Yes, thank you, Jim. So we will bring the corporate risk register back to the meeting that's arranged for December, I think, yeah. We can't do anything for January. The January one, because it's an extraordinary meeting, can only consider the item that that meeting is arranged for. So we will bring back the corporate risk register for the December meeting. Between now and then, I am optimistic that this risk would be populated and we'll have control measures in place and we will be able to show you what they are to demonstrate that. So we will work with officers to do that, and we have been working with officers to put those things in place. We're not yet out on this and the people transformation risk, but we will certainly do our best efforts to ensure that it's complete prior to the next meeting so we can report it. I recognise the comments you make about there being a lot of words in these reports. At the next meeting we also hope to trial a new style of reporting and then the audit committee can choose whether or not you wish to see all the detail or whether or not a more summary form of reporting is more appropriate in terms of usefulness and analysis of the risks. So we'll also do that. I think part and parcel of some of the information being a little bit unwieldy in the way it's presented is some of the reports we produce. We can amend those. As I said, we'll trial and bring back a new form of reporting for the next meeting. However, as you see in the action plan, we are also looking at whether or not the system we've got is fit for purpose and whether or not J-CAD, the software we use, is something we wish to continue going forward. Whether or not there's a better system out there that is value for money that does a better job for us and provides better quality management information. Thank you, Chairman. Thank you. I think you have a follow-up question. Thank you very much. Thanks for the answer. So, yeah, it wasn't a criticism of the amount of words at all. It's a criticism of my own eyesight, really. I wanted to say something else. So there was civil contingencies has been added to this. COM0002, a failure to meet the council's legal duties under the Civil Contingencies Act, which sounds sensible. And then there's a bit of explanation about controls that are being brought in there. I mean, this seems like a fairly theoretical, hypothetical risk, but one that, you know, perhaps should be reflected. What isn't in here, though, that doesn't appear to have been added so far is around a risk from the best value inspection that's due to report in, presumably, in the next few weeks. So I wondered if you could say a little bit about that. OK, David Dobbs. Well, we have a process of risk identification. So when we're identifying risks, I think the one around community cohesion, the one around people first transformation, we identified or myself and Victoria thought those were possible risks. We take them to the CMT and CMT agree that they can be included. The other risks are, when they appear on the corporate risk register, are promoted, if you like, from the directorate level. So the civil contingencies risk, for example, was one of the ones that was held at the directorate level. They asked that it be promoted and we agreed to propose that and that was agreed with CMT. So there's a system of including new risks, promotions and relegations. In relation to that specific risk, I'm quite content to take that discussion forward and see where that takes us and whether or not that warrants inclusion on the risk register on the basis of those discussions. So that hasn't been put forward so far over the course of the last eight months or so or discussed for inclusion on this register? Yep. When I had the last discussion with corporate management team, there was some discussion about having a generic risk around possible regulatory failings or the results of inspections being adverse. That would relate to the best value inspection, it could relate to housing inspections, it could relate to Ofsted and so on and so forth. And we had a good discussion around that and the decision that was taken was that we wouldn't have that generic risk included. And I think at that point we probably hadn't had the start of the best value inspection either. So I mean it's something I'm prepared to take forward and I think it's worthwhile also reigniting the discussion we had about whether or not there's a generic risk we need to have on there in terms of possible failings being highlighted from inspections and so forth. So I'm quite happy to take that forward. Thank you. I mean it may be that the committee wants to do that, I don't know, but just in terms of like where we are at, where things are at right now, so just so as I understand. So there isn't an analysis within Tower Hamlets Council about whether that poses any risks to kind of business continuity as far as you're aware. Okay, David. Yeah, I mean, I'm not the best place to answer that question, Chair, because I wouldn't know if that exists. I'm not aware it exists, but it may well be well above my pay grade. Okay, thank you. Okay, Councillor Amin, do you wish to ask a question or comment, please? Yeah, question and a comment. Thank you, Chair. Just picking up on Councillor Ahmed's point, can I say that we should aspire to keep our children safer and test the department? And also, what are we doing regarding the risk of cyber attacks? What additional resource might be needed to mitigate the risk? Thank you. Thank you for the question. David Dobbs. So I can only really speak generically about cyber attacks. So a number of councils have fallen victim to cyber attacks. It's been quite debilitating for them. So those are coming to the news almost weekly in terms of their occurrence. So the first thing I would say is, to a certain extent, members should be assured that we haven't fallen victim to a significant cyber attack. And that will be because, in a number of cases, our defences are robust, and it will be because people are attempting to hack our systems, but they can't get through them. So there is an element of assurance there in terms of what you see in front of you. Now, in terms of the detail, it would need somebody with a bit more technical knowledge than I have. But we do have ongoing arrangements in terms of mitigating that evolving threat of a cyber attack. And that would include things like penetration testing, regular patching, and so on and so forth, to make sure all of our software, hardware, et cetera, is up to date. And I think the key thing we do also is, we don't kind of do that as a snapshot. We recognise that it is an evolving threat. So if I reported to you three months ago, in terms of an audit opinion on our cyber defences, it would probably be modified, it would probably change. The arrangements would change probably on a weekly or a monthly basis. So we recognise that, and we recognise it as an evolving threat, and we recognise that in a lot of cases, actually, the people that are bad actors in this situation are often one step ahead of organisations like ourselves. But, I mean, I don't have the technical details. I think Julie may wish to comment further on that. Okay. Julie, would you like to respond, please, about the question from Councillor Armin? Yeah, good question, and one we've visited before. And you will recall that, not so long ago, feels like a lifetime, but not so long ago, we had on our risk register the fact that the Council, had not accommodated all of the recommendations from its pen testing. You've overseen that risk move from red to green. All of the recommendations in relation to the pen test have now been accommodated. I have to say that cyber criminals are one step ahead of where everybody is. We respond to the latest threats. We have seen, in the past few months, some of our third party suppliers fall victim to those attacks. We saw that just a few weeks ago, the Council was safe, but it's not just our direct issues. We need to look at our supply chain and our new contractual amendments will require the ongoing highest standards of latest compliance for cyber protection from all suppliers. And I think that's really critical. So I'm really pleased with the progress ICT have made in relation to this, but we shouldn't sit back because the cyber attack that will get us is the one that nobody knows about yet. So there is no protection. The protections always come after the event, unfortunately. Julia, is that it? Oh, OK. You're offline? OK, we may come back if. OK. Yeah, moving on here. Are there any more comments? Yeah, Councillor Murphy, your comments or question, please. Thank you, Chair. So thank you for the report and congratulations on being shortlisted. And thank you for the health check. I think you said it wasn't an audit, but it looked and sounded like an audit. So let's call it an audit, I think. But yeah, there's some really good recommendations in there and look forward to hearing how those are implemented. I wanted to pick up on something, I suppose, that Councillor Francis alluded to and what we were talking about earlier in terms of the external auditors and their risk assessment of the council and how that aligns with your risk assessment of the council as well. Because obviously there's, you know, an external observer which has taken into account other factors than perhaps the corporate risk register really includes as well. And I know when we look at audit opinion and risk opinion, you take some of those factors into account as well. And just sort of trying to tie all of the different reports together. The fact that the corporate director for communities isn't here today or hasn't sent a deputy in place as well. I think there's, I don't really know how to phrase this, but there's different aspects of risk and assessment that have been made tonight. Some of those are conflicting. Some of those allude to an improvement and an improvement that needs to be made in terms of culture and in terms of accountability as well for risk as well. So where we've got individual risks, where do you as an independent team, when you're looking at risk, where do you bring about your overall conclusions about the risk management within the council? Thank you. David Dobbs, would you like to respond please? Yeah, thank you. So I think you're right. There are, you know, different aspects of risk and we've had a good discussion tonight and different kind of perspectives, you know, between ourselves and the external auditor of course. I mean, just to give you a bit of additional information on that, we talked to the external auditor, we discussed things with them. As part of their planning processes, they ask for our views as they do with other senior officers in terms of things like risk of fraud and misstatement. Similar as you've also alluded to when we do our annual opinion and in the annual governance statement we refer to the work of external auditor and other inspections as well. In terms of kind of assessing that overall risk management framework, I suppose that's when I sort of turn from my risk hat and put my audit hat on and actually that's where it kind of sits in terms of the annual opinion and we kind of think to ourselves how does that tie up with the results of the audits. And the audits are designed to be risk-based insofar as they are addressing a lot of those risks or those controls, testing those controls that you will see in that corporate risk register. So that's really how we would do it. We would sort of take that risk register and think well what are those specific controls, what are those key controls, the audit process then tests those and that then feeds into our overall opinion as part of that we provide that commentary on the risk management process. Now it's sort of a little bit difficult for me because I'm sort of part of engineering that process as well so it's not always an easy assessment to make but in doing so we're not necessarily looking at the infrastructure we're putting in place. We're looking at how offices have managed those risks so it's not necessarily what we're doing in terms of risk registers, it's what the outcomes of those processes are, has the risk management process been effective in actually mitigating some of those risks, what's happened, have we got other things where the risk management process has been effective or ineffective and so on and so forth. So it comes through the internal audit side by and large in terms of our overall assessment but it is because I've got the two hats, do risk and audit, is useful and of course that's why we've had an external party looking at the risk management process whereas previously I've sort of done an annual audit of risk management which is a bit like marking your own homework. So we do put a lot of faith in the external report we've received and obviously you can see there's a large number of recommendations there which will help providers with a roadmap to kind of drive forward those improvements. I'm sorry that's a little bit long winded. No, it was a broad question. I suppose my question is with those recommendations is there corporate, you know, is there a senior buy-in to implementing those recommendations? Yeah, I'm confident about that. I mean we discuss these things at CMT. I think they recognise this is a situation that's been improving and evolving over time. I think Jesper's assessment situation is correct and I think by and large that's possibly due to some of the changes and people need to reacquaint themselves with the risk management processes we have in place. But I think like a lot of councils we had a very specific process in place in terms of risk. If we're dealing with the COVID pandemic what happened during that period of about two years was everything else fell off and when we come out of the pandemic you can try and resurrect that corporate memory has gone. People haven't remembered what they should be doing so we're having to reinvigorate the process from quite a low level of understanding. Thank you. Just going back, Council Armin did ask a question about how do we make our children safe? Safer? Yeah, yeah. I think, did you manage to look into that? So again I think that would be something we'd have to take and speak to the director. I mean what, just to give you a bit of assurance on that, we can provide a response to that outside of the meeting but of course that specific director will have its turn in terms of the deep dive. So they will come back to this committee with their register and you'll be able to interrogate a senior officer regarding that specific risk. If you want something in the meantime I'm happy to have that discussion with them and come back to you. Okay, thank you. Yeah. I think what myself and Council Armin are saying is for it to go back to that director and look at the risk elements. Thank you, Covid Wave for the recommendation and finally on this point, Councillor Murphy, your last comment please. Yeah, thank you, Chair. So just going back to your comment, David, about senior directors being here to interrogate. You know, what was the explanation for the corporate director of communities not being here today? I think that's my fault. I don't think we've properly communicated the requirement to attend this meeting. Some directors are familiar. So that would be my fault, Councillor Buston. Thank you. So moving on. The audit committee is recommended to consider and note the following. The corporate risks and where it's applicable request risk owners with risks requiring further scrutiny to provide a detailed update on the treatment and mitigation of those risks, including impact on the corporate objectives. Number two, the communities drive the risks and why applicable request risk owners with risk requiring further scrutiny to provide a detailed update on the treatment and mitigation of the risks, including impact on the directors objectives. Number three, the summary health check report from Zurich municipal and corresponding action plan. Now that concludes item 4.2. Moving on to item 4.3. Just for your information, I think we are approaching the end of the meeting. We have a few more items left. 4.3, territory management out-turn report. Can I now at this stage invite Paul Odu to present this report? You have 10 minutes. Thank you. Thank you, Chair. In the interest of time, I'm happy for the report to be taken as read. And suffice to say that this is one of the main reports that this committee is required during the year. And I'm pleased to say that in terms of the economic outlook, which is laid out between 3.6 and 3.11, markets were characterized by volatility and inflation and interest rates, you know, began to show a downward trend towards the end of the period. And with regards to credit, the UK sovereign debt was reiterated from negative to stable. And with respect to the treasury management strategy for the year, Chair, the strategy was essentially built around internal borrowing. And that was to control risk and also in terms of investment benchmarking, both the investment profile and performance show that both were in line with the broad local authority average. And finally, the tables in paragraphs 3.35 and 3.36 demonstrate full compliance across investment and debt areas. Thank you, Chair. I'm happy to take any questions. Okay. Thank you for that brief report. Can I ask committee members to make -- do you have any comments or questions on the report of treasury management? Okay, Councillor Amin, your question or comment, please. Yes, thank you. Just a quick one. What is the expected impact of -- Mr. Paul, your answer, please. Thank you, Chair. Yeah, the -- I'll include the authority's treasury adviser continue to maintain that central view of perhaps another rate cut before the end of the municipal year. And essentially that would create opportunities for the council where the council decided to perhaps take loans to fund capital borrowing. Councillor Collebay, your question or comment, please. Thank you. I just want to find out if there are any planned changes to the council's strategy. Thank you, Chair. As yet, there is no agreed strategy to deviate from the strategy. Okay. Are you happy with the response? Yeah. Thank you. Let's conclude this item. The audit committee is recommended to note the contents of the treasury management activities and performance against targets for the year ending 31st March, 2024. Note the council investment as set out in Appendix 1. The balance as at 31st March, 2020, was $219.7 million. Thank you. Moving on. Item 5. That's the audit committee work plan. These are on pages 201 to 206. Can I ask members to note the audit committee work plan? Yeah. Thank you. That's good. Item 6. Any other business the Chair consider urgent? So there's no other business to discuss. Sure. Just before we go on to the restricted item, the discussion around the restricted item, I just wanted to ask two things. First of them is following the point that I made at the start of the meeting. So I appreciate obviously it's a restrict we're moving into a restricted part of the meeting. But as requested a couple of meetings ago, I think I would like to request tonight that the recording of this meeting is kept as a record of the conversations that we will have. So for the restricted part. So that's my request. I don't know if that's technically possible, but I'm asking. I think it was done previously. And then the other thing I wanted to ask is just about a separate investigation that I think has been undertaken into housing options. And it's like I haven't seen something in on these papers in relation to that. It's been talked about an overview and scrutiny committee that I was on several months ago. I think it's also been raised in a full council meeting as well. So I just wondered if it's possible for you to ask that committee members are given a written update on that issue. So that we can know exactly where things stand at the moment, please. Let me get some advice from legal. So, yeah, I can confirm that we can keep a couple. We will also get a backup recording on teams just in case of any webcasting issues. And in this case, we can continue recording. And then with discussion with the chair and other people, we can decide if that could be shared. I don't know if I can do that, but we can keep the recording and that can be discussed later. So, the unrestricted, you know, are we allowed to keep as suggested by Councilman McMahon, can we do a recording? It's not for the public, but for ourselves. I can't see any reason why not. Why not? Okay. Okay, so your wishes are granted. Thank you. Okay. Item 7, exclusion of press and public. In view of the context of the remaining items on the agenda, the committee is recommended to add up the following motion. That under the provisions of section 100A of the Local Government Act 1972, as amended by the Local Government Access to Information Act 1985, the press and the public be excluded from the remainder of the meeting for the consideration of the section 2, business on the grounds that it contain information defined and exempt in part 1 of schedule 12A to Local Government Act 1972. So, item 7.1. Yes. Can we have the press and, yeah. So, we just give a few seconds to turn it off.