Moved from 18/4/24, Audit Committee - Tuesday, 23rd April, 2024 6.30 p.m.
April 23, 2024 View on council website Watch video of meetingTranscript
My name is Councillor Haran Meer and I am the Chair of the Committee. Thank you all for coming. This meeting is being webcast live on the Council website. I will now ask from my right-hand side the Committee members present to introduce themselves. Can you please state any declaration of interest that you may have in the agenda? Thank you. I am Jill Bailey. I am from legal. Hi, my name is Amajukhar and I am a Councillor for Blakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilaking. Good evening everyone, Councillor Saeed Ahmed. Asang Khan, head of strategic finance and chief accountant. Paul, I will do interim head of pension and treasury. Angus Fish, manager from Deloitte, the external auditor. Jonathan Gooding, the external auditor part of Deloitte. [ Inaudible ] [ Inaudible ] David Dobbs, head of internal auditor, anti-frauding risk. Councillor Rachel Blake. [ Inaudible ] [ Inaudible ] [ Inaudible ] [ Inaudible ] Now to the items of the agenda. Item two unrestricted minutes of the previous meeting. Can I please invite members to approve the unrestricted minutes of the meeting held on this 22nd of January as an accurate record of the proceedings. Is that okay? Yeah. Thank you, members. Item number three. Deloitte items for consideration. Okay, officers from Deloitte, can I ask? They are here. So they will be contributing to the next item. The report is on 4.1. Now agenda four, terms items for consideration, 4.1, addressing the local audit backlog and update on the outstanding audit accounts, supplementary agenda. This will take 20 minutes. Now can I invite Julia Lorin or Abhirajak Kashim? [ Inaudible ] Yes, sir. Okay. Can I invite us sometime to proceed with the present this report? [ Inaudible ] Okay. Yes. So come in. We started with this. Yeah, of course. Of course. The gentleman there. Would you mind turning off the -- [ Inaudible ] Yeah. Good job. Yeah. Thank you. Okay. All right. We have two members. Can I just take their introduction just for a minute before you proceed. Okay. Can we wait? Can you introduce yourself? I apologize for the delay. There's also the appointments panel which is -- did an appointment. Okay. Anything? No. Okay. Thank you. Okay. Asan Khan. Thank you, Chair. Yeah. So the paper really discusses two key areas. Proposals for addressing the local audit backlog nationally. As well as tower hamlets council external audit position in the context of these proposals. There's also a briefing paper included from our external auditors who are here to with us tonight. And they can take you through the position in regards to the external audit point of view as well. So from an officer point of view. Since July 23 organizations involved in the regulation and oversight of local authority financial reporting and audit. This includes DLAC, National Audit Office, SIPFAR, external auditors have been working collectively to agree a proposed solution to clear the outstanding historic audits across the country. Proposals were drawn up and published earlier in the year in February with consultation on these proposals ending in 7th of March 2024. The consultation included three key parts, DLAC's intentions for amending the accounts and audit regulations. Which I can broadly summarize as largely putting a series of dates in law. Which are now commonly being referred to as black stop dates. These are dates by which local authorities will need to have published audit accounts for all outstanding years. The second key part of the consultation was the National Audit Office intentions for amending the code of audit practice. Largely affecting the external auditors in their processes and their practices. And also SIPFAR proposals for temporary changes to the accounting code of practice to reduce burdens on those who prepare an audit local authority account. So both practitioners and auditors. So those were the three key parts. Most importantly I think for the council part one, DLAC's intentions around the backstop dates. And the SIPFAR proposals for temporary changes to the accounting code of practice. The proposed measures consists of three phases. So phase one reset. This is legislating for a statutory backstop date for the publication of all financial statements or all outstanding financial statements by 30th of September 2024. It's quite a key date for members to note. So any accounts that the council has outstanding under current proposals in line with the consultation will need to be completed by 30th of September 2024. Phase two is about recovery. So it's about next financial years. So it's composed of a series of statutory backstop dates covering the financial years 23, 24 through to 27, 28 to allow auditors to rebuild assurance over a five year period. And most notably the time allowed to complete the audits gets shorter and shorter across those five years. I think that's a general acknowledgement that in the earlier years because of the backstop dates in regards to the financial years up to and including 22, 23 and some of the qualification or modified opinions that might be issued. And the work will need to be done earlier in those five years to gain those assurances around those opening balances from 23, 24 onwards. So that's face to recovery. Most of that work will take place with EY, new auditors, I should add. Phase one obviously will be with our current auditors, the lights. Phase three is more around reform. So they are far see alongside D. Luck and other system partners that will continue to work and address system systematic challenges and embed timely financial reporting and audit. There's no firm proposals around this as commitments, including setting up specific bodies, streamlining, processing and accounting procedures. That no firm proposals. So I'm sure we'll hear more of that in the coming time. The council responded to the consultation supportive or very supportive in regards to the proposals. So we did respond to the consultation. So that's the summary of the proposals that were issued consultation has ended on that and the council has been supportive of that. Now, to provide some general context in regards to how Hamlet's council external audit position in the context of these proposals. So, as per reported to the committee in November last year, we set out plans, timeframes, work plans in regards to accelerating the production of accounts. Back then, 2122 draft accounts as well as 2223 draft accounts had not been published and focus and key resources were channeled to ensure that 2122 and 2223 draft accounts were published as soon as practically possible, which was early February this year. That was with the view of these backstate backstop dates coming into effect, as well as at the time of reporting to ensure that the council was acting in the public interest and balances needed to be confirmed in regards to the council's available resources for future financial decision-making and MTFS planning. So, 2 key components, which will report at the time until you're in terms of accelerating the production of accounts. So, the council officers will largely broadly met these timeframes. So, since we reported on the time on the plans in November last year, council officers published will redraft the 2020 or 2021 accounts in December. As well as publishing draft accounts for 2122 in December, 2223 draft accounts were published in early February, and public inspection period for 2122 as well as 2223 have been fully observed and ended in March 2024. In regards to achieving these timeframes and the time constraints available to us, I think it's worthwhile noting to the committee, some compromises were made in regards to the accounts. So, some, a handful of disclosure notes were compromised, these are detailed in the report in regards to remuneration information related party transaction and revenue from contracts with customers. Full comprehensive collation, all required data was not met. Due to kind constraints, group accounts were not prepared, but officers deemed that financial management and decision-making would not be affected as a consequence. Perhaps more substantially, we need to corroborate our member data, our scheme member data, regards to the pension valuation, the actual valuation and work on that continues. So, I think it's worthwhile highlighting these risks that were accepted at the time to ensure that we met publishing the draft accounts for 2122, 2223. Subsequently, with 2324 financial year ending, council office of time is very much focused on closing down the 2324 financial year. We have been in discussions with EY to ensure they are onboarded so they can scope out the audit for 2324 and to ensure that we have the necessary information over to them as soon as possible, so they can commence their audit in a timely basis. The additional work that we will also need to do in the coming months with our current auditors Deloitte will be focusing on completing the required work for 2021, 21, 22 and 22, 23, and which largely is currently deemed to be a lot of the work around the value for money. So, our expectation is we will get to the 30th of September with opinions issued. We expect that to be some form of a modified opinion, which may be disclaimers. This will not be a tower hamlets only issue and not peculiar to tower hamlets. Moreover, we suspect it will be a national trend. It will help tower hamlets catch up when a true up will be required with our new auditors EY from 2324 onwards. So that's an update on tower hamlets' next steps and offices plans to address outstanding accounts for 2021, 21, 22 and 22, 23. And those accounts or the latest draft version of those accounts have also been included as part of this report with the appendices. So I'll hand over to Jonathan in regards to those key issues from an external audit point of view, so we can update the committee tonight. Okay, thank you. Okay, well what have we got to it? Thank you very much. So I don't have a lot to add, as I think our sound covered most of the material. So our responsibility is with respect to your order up to the 31st of March, 2023 accounts. As has been said, we signed the 1819 and 1920 accounts back in November. Since then the authority, as I said, has published your remaining three years that are relevant to us. And they've gone through the appropriate inspection period. There are a number of things, so the number of consultations happening, as our sound has said, and the key point is this backstop date at the end of September. And there are a number of things that we need to do between now and then to meet that backstop date. We have a plan in place, we have the published accounts, and we are making progress against that. As our sound mentioned, the first priority is to complete the value for money work in respect to those three years as that's a requirement. And we will report that work to you as part of our annual auditors report. We are also required to issue audit planning information in respect to those three years. We are performing procedures to look through what has been done. Some work has been done on the 2021 audit and we're going through that. But as our sound mentioned, the expectation would be that at the end of September, we would issue likely disclaimer opinions on those three years of accounts once we've completed all of the necessary procedures. Part of those procedures includes reading the accounts that have been prepared and where there are known errors or issues in them that we would capture those and report those as well. And so those may form part of an opinion or part of our reporting to you as part of our committee paper. So we have the resources in place and plan in place to deliver that. And alongside that, as our sound has said, you are beginning your work with your new audits in respect to the 2024 audit to get back on track and to recover that position. I have to take any questions. Thank you for that report. And I'll ask committee members, do they have any questions? I can see. Yeah. I have two questions. First, to Deloitte, that's an extraordinarily tight timetable that I see you have no option but to go for it. What's the implications if it isn't met and sort of connected to that is being mindful of the situation that Deloitte inherited from the previous auditors KPMG and the additional work required to get to an agreed state. Is this something that's been incorporated in or will be incorporated to the handover to EY or are they just going to be left holding a bag of eels? That was it. Yeah. What if we don't make it? What's the impact? And also, can we sort of. Okay, so some of the guidance and consideration around all of this is evolving because the consultation happened proposals have been made that some of this hasn't been written into statute and some of the additional guidance hasn't come out yet. There is a suggestion that authorities that do not meet the bank stop would be in some way reported. It would be publicly available information that you've not met bank stop. And there may be some reporting as to why that was. I think very much. I mean, clearly there are risks to any time table and there are risks to this timetable. It certainly feels as though the authority is prioritizing this and prioritizing the value for money work at this stage, which we need to complete in the next few months. The other procedures, there are a number of procedures that we need to perform, but we do have reviewed our resourcing and prioritise what we're looking at. So the tasks that we have identified are, we consider to be absolutely necessary to meet the deadline. And we have prioritised those matters rather than trying to do additional pieces of work that may or may not complete before the deadline. And in that way, we're trying to mitigate that risk. We have already met with the new auditor and had a discussion and we will have further discussions with them and they will have access to our files at an appropriate point. As I said, the council is in a very similar position to many, many other authorities and many authorities will be in a similar position with regards to not being able to rely on opening balances. And that will have an impact on future years' opinions, more sector-wide guidance coming out in regards to wording of some of those things and the process for recovery. And I think that's part of the Stage 3 and Stage 4 of the sector leaders' plans. So just to add to Jonathan's response, a lot of this will be the work that EY will need to do, so we are engaged with them, so we started some initial workings. We have not been fully able to engage with them as yet as they clear the internal processes, but what we'd like to do is have that engagement to EY to understand exactly what they need in terms of when they get those and work on those opening balances for 23-24. So we're fully committed to engage with EY as soon as possible to understand what additional work will be required. So I think as soon as we understand the quantum of additional work required and what that will look like, that's the kind of thing we can report back to the committee in due course. Thank you for the answer. A second question from COVID-19. Thank you. So the first thing I wanted to pick up on, and I know you alluded to it slightly just now, is the program timetable in order to get this signed off. Our officers had sight of it. Are you confident that this can meet the target? That's the first thing, because we've got three years of accounts and we've literally got like five months ahead of us. And if there are any questions or queries that come back, are we reinforced enough in terms of capacity to respond to that in time and vice versa on the other side as well? So how resources are we on both sides? You've said you've got enough capacity in there. I'm wanting to find out from the finance team. Also, in terms of costs, is there further additional costs for that additional resourcing? And do we need additional resourcing in order to meet that tight timeline? And lastly, if, for whatever happens, these certificates are not issued, are we still liable to pay money for services rendered? What are the risks associated with that? So just one needed explanations of that, or how is that calculated? Thank you for the wait. Yeah, okay. Hi, Councillor Kabir. Yeah, so the resourcing side of it, we've been meeting with Angus who spoke about, you know, what is required by them. So we have from an office's point of view, we've got that timetable. So as soon as we finish our closing of 23-24, which is the end of May, the value for money work is a priority for us. So we are ready for that. In terms of the reconciliations and other items required, Angus made clear what he wants us to submit, and that is ready to be submitted as soon as possible. Can I just pick up on the cross question? I love that, to be still paid if we don't get numbers, outcome-based orders. I think I need to try and be measured, because you can oversimplify this, but you can overcomplicate it as well. So I'm just going to go for it. The whole point of the consultation from the government and all of the bodies involved is a recognition that actually something has not gone quite right. It's not gone quite right in the system, and if we don't take quite radical steps, then we'll end up in this backlog forever. So largely when auditors provided they do focus on value for money and areas like that, when they issue an opinion that in order to meet the backstop date has an element of restricted assurance, shall we say in it? That allows the new auditors EY to avoid those costly going backwards to revisit issues, and that's why the backstop processes across so many years, because it takes that many years to work through your accounts from an opinion that was limited or came under different governance arrangements. For me, the opinion that will be issued in order to meet the backstop date, I will relentlessly pursue colleagues in order to get that. That doesn't mean to say at any cost, so the thing that will make authorities difficult and run high costs up is if a reason for a limited assurance goes outside of just being able to meet those backstop dates. In my view, the work the team has done and the big issue for us as Abdul Razak has alluded to, directly stated, is pensions, and it would be good for the audit committee to get an update on that, and the position of where we are and the action of taking and confident that we will overcome that. So from my perspective, the obligation to meet backstop dates set in statute is just as much an obligation for the auditors as it is for us as being audited. So we share a mutual statutory requirement to do so, and I can see no reason at all why that won't happen for tower helmets, and I think that the whole backstop issue and the whole issue of restricted opinions mean that we can reset as a nation. Public sector accountants, so we end up getting back to your point, what you pay for an audit gives you sound levels of assurance, it isn't light touch, it isn't governed by backstop dates, but that will take years to work through. A lot of the heavy lifting of additional cost, rightly additional cost because there was a lot of additional work has already been done by the team, and actually by Deloitte. So I can't see that we would, if for us not to meet that backstop date to a large degree, we both have to fail, really, Deloitte's and timelots, and I don't think either of us will put any intentions to do, and so that's my view. Okay, thank you for that answer. Okay, are there any more questions? Okay, can I kindly ask that the comments of the committee are noted, the audit committee is recommended to. Okay, is there anything you wish to add from Deloitte or Assam? No, no. Okay. Thank you. Okay. The audit committee is recommended to note the summary proposals for addressing the local audit backlog in England. To note Deloitte's briefing paper to the Council on plans for addressing the backlog in local audits. To note the position on the outstanding external audits of the council statements of account for 2020, 2021, 21, 22 and 22, 23. And finally, to note the council's latest draft accounts for 2021. So item now, we're moving on to item 4.2, internal audit plan and charter for 2024, 2025. These are on pages 17 to 34. Can I kindly ask David Dobbs to present this report? You have 10 minutes. Thank you, Mr. Chairman. I'll take this paper largely as red and just draw your attention to one, two key features, please. The plan, as you would expect, sets out our internal audit work that we've got programmed for 24, 25. And it recognizes that our audit approach needs to develop and evolve to maintain its relevance and its value to the organization. And therefore, while what you see in the plan includes that traditional list of programmed risk-based audit assignments in appendices A and B, it also includes an allowance for work that will be undertaken collectively by the team to develop, enhance and embed good corporate governance across the council. This will include, for example, assurance over the council's various and many grants programs, supporting corporate priorities such as transformation. As you know, we lead on the compilation of the annual governance statement and we intend to bring the 23, 24 AGS to the next meeting of this committee. It's assisting in the development of the council's incipient control framework. And also, it acknowledges that we've included a contingency provision within the plan that would enable us to absorb any unplanned or responsive work that we need to undertake at the request of management. Now, within the plan itself, you will see in Appendix A, we've included a column there, which is our fairly fundamental rudimentary risk map in there, which shows where the genesis of some of these audits have come from. I think quite rightly, when we looked at last year's plan, which I inherited, there was some comment around perhaps a bias towards undertaking audits that have been requested by management. And we've obviously recognized that in compiling the plan for 24, 25, and you'll see that in Appendix A. Appendix B is the list of schools audits, which is cyclical, and we intend to audit all the schools over a five year period. Additionally, in the plan, you'll see there's an acknowledgement that the plan is not set in stone. And as described in paragraph 2.5, it can be flexed to allow for the refocus on the changing needs of the council. So as part of this approach, we will fully review the plan at a six month point, probably in September. We'll go back to corporate management team, and we'll come back to this committee with any changes and seek a mandate for that going forward. This is quite important because it recognizes what might be a risk now, and is included in the plan for quarters three and four, might not be a risk then, might be dealt with, or the risk may have evolved in some way. So the plan needs to change, too. In relation to the updated audit charter, which is appended to the plan, there's a lot of narrative here, but in essence, it's sent out into an audit's terms of reference and related considerations, including the service mandates. It's positioning with the organisation, how we report and independence and objectivity. It recognizes that internal audit is governed primarily by adherence to the public sector internal audit standards. And therefore, the way we operate and how we undertake audits, how we report is designed to sit within the parameters of those standards, so we comply with a set of professional standards. It therefore also recognizes the duality of internal audit in so far as we report administratively to the senior management of the council, essentially corporate management team, and functionally to this committee. I'll pause there, Joan, of course, happy to take any questions. Thank you for that. Are there any questions? Do you wish to ask? Oh, okay. Charlotte. Yeah, it was just really to say thank you. I think the point you raised earlier is the point that I've been banging on for a while about taking control of your own destiny. And yes, it was good to see that reflected. And I just wondered, this isn't really a question or an observation that the key drivers that you've recognised in the current audit plan, it would be quite interesting to see if there's any correlation between the origin of their inclusion and the outcome of the reviews themselves, because it might be that management are to a gold mine and it would be good to understand the quality of your own measures. Yes. Yeah. Thank you for the comment. I guess we'll see during the year, essentially. I mean, we've drawn the audit plan from a number of sources and includes, of course, those really important discussions with with stakeholders, which we still have an extensive extensive. But those this time around have really been in order to validate our audit intel, but we've drawn other audits from a number of areas, including some of the thought leadership coming after the institute internal orders. So that was quite important to incorporate as well. Thank you for that. Can I try to relate to your question, please? Thanks. The minutes of the meeting in January say that I requested for internal audit to consider the management of letings and also the management of markets. I can see that there's the kind of linked to that. These are some really big topics here, and my experience on the committee over the years suggests that you you set out these topics and then you come back with a brief, there's a degree of negotiation within the with the director about what will be within scope and beyond that. And so I just wanted to understand, appreciate your, the, the ones about letings. So there is bidding process, but that is different to letings. And also, I can't see markets in here at all. So that's kind of one, one question, but then the other bit, the other question would be with the quarter one and two audits. Will you bring back those briefs or will there be a kind of request basis for, for the briefs within the, within the audits? Thank you for the question, David. Thank you, Chairman. Yeah. So in relation to management of markets and the management of letings, those are audits that have been undertaken now. I think the request was to bring those reports back into course. And, and, and depending on the outcomes of those, we bring back or summarize ones that limited assurance, but, but my commitment to this committee is we're completely transparent. I'm happy to make full reports available to committee should they wish to digest them in full. That's absolutely fine. In relation to Q1 and Q2 work again, what we would do is those are scoped out with management in terms of the reference and how those audits will look and how they'll be carried out and what the brief looks like. We will bring them back to this committee in summary form were there to be an adverse findings were the audits to resulting limited or no assurance audit, audit opinions. But once again, there's a number of audits here on the plan, Mr Chairman, I'm quite happy for members to see any of the reports in full. Should they wish to do so in summarizing them, what we are trying to do is direct committee members to those areas of risk rather than give them everything in totality, which would have resulted. Obviously a very, very lengthy agenda pack. So quite happy to make the reports available outside of the meeting. They'll come back if they're limited or no assurance reports in due course. Thank you for that. Are there any more questions for members? Okay. I can see no more questions. Can I ask that the comments of the committee and noted the audit committee is recommended to one agree the internal audit plan and charter for 2024 2025 item agenda item 4.3 internal audit and anti fraud progress report. These are pages 35 to 62. We have 10 minutes for the report. Can I once again ask David jobs to present this report, please. Thank you, Mr Chairman. This augments and the report that you would have seen that January's committee in terms of progress. So it's an incremental update. So there's a lot of detail in here and it updates that report and provides the latest snapshot of this. I would draw your attention to on page 40, the graph there, which states on the year to date. Audits resulting in reasonable or substantial assurance is currently 47%. That's climbed, I think, from 43% when we last reported. Again, I would stress this is an interim figure. Whilst we complete the work that was contained within 2324 audit plan, this figure will be subject to change. We will bring back the final figure and our annual report to the July meeting of this committee. So you will see what the outcome will be there. And we'll of course bring back a much more comprehensive audit report then, which will show you our full out turn for 2324. In relation to specific audit outcomes during this period, the appendix reports summarises limited assurance audit reports at which there were three and some of the consultancy work, which we've undertaken. In terms of those limited assurance audit reports, there were three. One was the scheme of publication. The second one was in relation to attendance management and the third was in relation to the requisition or RFQ system. And an office this evening are available to answer some of your questions on those limited assurance reports, Chair. One point I would make particularly in relation to the audit report on RFQ is you will see here there are a number of compliance issues. I think it's quite right to say that this has led to a wider debates with the organisation around our procurement procedures and whether or not they are fit for purpose and appropriate and proportional. And that's not to suggest that in any way we would weaken compliance. It's simply to say that we need to drive compliance and have a system that walks for everybody and allows us to move quickly, particularly in relation to procurement of low value items where I'm talking about items under 100,000 pounds in value which are covered by this system. I'm happy to pause there for questions, Chairman. We'll see the question. We have a guest here too. We have a, yeah, can you kindly welcome to the audit committee. Would you like to just take a minute to introduce yourself, please? Good evening. So I'm Pat Chen, the Acting Director of Workforce, OD and Business Support. Do you want to come in now? Yes, Chair, if you don't mind. Yes, Chair, if you don't mind. Just to comment, following up from David's correct observations that we are looking wider at some of those procurement thresholds. I just want to stress A, these are internal thresholds. These are not in relation to our statutory obligations. They are the organization's internal limits that are somewhat outdated. And we have commissioned support from SIFA through their fully owned subsidiary called SIKA. And they will be undertaking a dependent review for us of the proposed changes to our current thresholds. And that will achieve several things. One, we give everybody in the council assurance that we're not changing the rules within any that we are in line with best contemporary practice and other organizations. But two, it will remove an awful lot of the burden from managers where it has become almost impossible to continue to comply with our own internal regulations because they haven't been updated. For some years. So I just wanted to give you all some assurance that in hand, it is SIPA we're working with. I'm happy to make sure you will see their independent assurance. And of course, you'll see any recommendations we make to change those thresholds. Thank you, Julie, for that. We have a question from Councillor Rachel Blake. Your question, please. In the report on the RFQs and the procurement system, I noticed that in terms of your recommendations, I didn't see many recommendations on staff training because I think the findings are quite significant in terms of the scale of people not complying. And I didn't see any reference to how this could be changed in terms of staff awareness. I would like to answer that, please. Yeah, I think the big picture is this is something that is being addressed by the work that Director of Corporate Director of Resources just alluded to. So we're looking at the system in its entirety. This includes the requirements and the burdens on officers when they engage with the procurement system, including training and so on and so forth. At the moment, officers do need to undertake various items of training before they engage in the procurement system. And clearly, that's something we're mindful of looking forward into a new system to ensure that that is properly addressed. But clearly, we need people and individuals are engaging with the system who understand it and have been appropriately trained. Whether or not that means a reversion to procurement departments or to actually individual procurers has yet undecided, but it is certainly something that is going to be looked at in some detail. I don't think we've got a firm direction to travel on that particular issue yet, Chairman. Thank you. We have one more question. Oh, sorry, do you have another question? Can you just go through the process of what's going to happen next to it? Because obviously there's quite a large amount of expenditure is exposed to it. And my experiences, officers will, these schemes can be pretty burdensome and the databases are often quite unfriendly. People are keen to get their work done and there are often some quite practical reasons for why there is non-compliance. Is there an action plan that goes further than this so that we can understand where there are genuine errors that could be the people could overcome through training? And that would also help us to understand when there is more deliberate breaching of the rules because I'm not seeing that in these summary of recommendations. So if you could help me on the process of what's going to happen next to it. So the first thing to say is I think what officers may wish to comment on this further is that the system as it stands, the RFQ system is something you need to engage with for any procurements, over a thousand pounds and under a hundred thousand pounds. As a copy of the retro resources alluded to, these thresholds are set by us internally. So if I'm spending £1,500 on stationary, I would need to engage with a formal IT system. I would need to undergo various items of training. I would need to go through a fairly robust set of parameters in order to undertake that procurement for what is a very low level value contract or requisition. And having looked at the data, one of the things we've come to understand is a lot of those activities where people have to, or a forced or shoehorned into that type of procurement are for items that are still probably low £50,000 in value. So one of the things you can consider is actually, we can still have a RFQ system, but it would tend to be for higher value items. We need to move to, and I think there's a recognition that we need to move to a system that is less burdensome for smaller or lower value items. So far I'm buying £1,500 with a stationary. I don't need to undergo training. I don't need to go through a formal procurement system. I don't need to necessarily check the insurance and the disaster recovery plan of a supplier we've already engaged. So there'll be another route to market that's much more efficient where we're using established supplier, for example. So I think that's one thing. I think on the second point about the broader set of actions again. Other colleagues may wish to comment, but that's in training. Myself, Director of Finance, a part of the project group that met this week to look at how we can address some of these systems, issues and blockages. So it is in train, but we haven't got that action plan yet. Okay, we have another question from COVID-19. The action plan on this audit report should come to this committee. I take the point, these are above £100,000 and then the huge contracts, that is a completely different process, but you could spend quite a lot of money without going through the proper process under £100,000. Do you want to further clarify? Yeah, I apologize. Yeah, so I should explain a little bit better. So there's the order report, which has generated this action plan. There's this wider piece of work looking at the process, trying to re-engineer those. My role in that is to advise on the process to advise on the controls, but primarily, once we've got a result, revise system in place, once things have been decided, you know, I will test the controls. There will be an audit and then we will come back to this committee with the results of that work. Absolutely. Let's understand. Is that the action plan? That's what I don't understand. I don't understand whether what's in that report is the action plan. I don't think it is, but I'm confused by what's. Okay, so when you make do you want to make it slightly differently? Sorry. So that's not the action plan. It's an entirety from the audit report. I'm quite happy to circulate that. There's no issues with that. There is an additional piece of work where we're re-engineing the system, and there'll be an audit after that, just to check that we are comfortable with those revised controls. And again, I'm happy to bring that back to this committee. Oh, that's good. Okay, then. Councillor Colbally, your question, please. Very brief. Page 45, the school's audit results. There's three schools with substantial and their final status is final as well. What was the reason behind that? And also going forward, how robust are we in tackling those challenges because of schools? Although their local authority schools, they have processes internally within schools, and how do we monitor those? Question? So just to be clear, where they've got a substantial rating, that's the highest rating we would issue as auditors. So there would be almost no issues on those schools. So perhaps re-engineing your question was possible, how do we spread good practice? And I think there is a way of doing that. We would talk to our colleagues in finance who are interested in the financial governance of schools, and I think they would help disseminate any good practice from those schools which are at that exemplar level. Sorry, the limited one is still in proper form, how confident are we that it will get to reasonable or substantial? Well, in terms of this cycle, it's likely that it will stay limited. So that's an outline at the moment. Now it's still in draft, so it's possible the school might produce a raft of evidence which induces us to upgrade our audit opinion. By some eyes, is that unlikely? So clearly that's an outline, there needs to be a bit of work there. And as I said, in terms of driving improvements, we would engage with the school, but also with colleagues in schools finance to help drive those changes. Okay, thank you for the question and the answer. Okay, shall I turn to your question please? I've got two questions. Firstly, I noticed that a bunch of reviews are advisory. Could you just confirm what makes a review advisory as opposed from an actual full audit? For example, the HMO results read as though it's an audit, and I was just wondering why it's not rated. And then secondly, specifically looking at the attendance management review in the context of what you've just been saying about procurement, that I get with procurement that you need to revise the whole approach to make sure it's fit for purpose and not sort of hobbling people and trying to get them with business. From the attendance management, it seems that the policies and procedures are in place as good practice, but they're just not followed. It's at the same thing that they're not followed because they're too arduous, or was there an element of root cause analysis behind these reviews that informed the actions? Okay, thank you for the question David. Thanks, Joan. Yeah, in relation to the reviews being advised, it's often the case that these are ones that are things that are requested by management on very narrow or specific. Through the nature of the work, don't lend themselves to as issuing an audit's opinion. So they're often very narrow and very specific in their focus. So we would label those advisory. I, of course, recognize the need to balance undertaking those advisory reports with the wishes and needs of this committee, which like to see audit's opinions. Similarly, that needs to be weighed against the organization's desire often to see those risk assurance pieces of work undertaken very quickly without us getting into audit's insurance opinions. So it's where we would flex our approach to a piece of work quite narrowly focused quite quickly. Absolutely, yes. In relation to the second issue, I mean, in terms of root causes, I think there's possibly a number of issues here. I mean, I think you're right in saying we've got a policy, we've got procedures in place. It's simply the fact that we're, in many cases, not hearing to them. Now, the wise and wear force behind that, I could only really speculate, and I know the direct interim director of HR may wish to comment further, but clearly in undertaking these. And it's very similar to procurement one. It's not simply a case of saying there's lack of compliance, people must comply. We need to think about the processes in terms of how we would drive these improved behaviors and how we can drive compliance and how we can improve that. So one of the issues we might have at the moment, for example, is that managers now are responsible for recording sickness of their staff. Now, to do that, you've got to remember, you've got to remember somebody who's off sick, you've got to remember when they were off sick and so on and so forth. And at the moment, we largely are compliant with that, but we don't know the extent to which there may be underreporting of that because people, for whatever reason, forget. We don't believe that's deliberate, but there's possible underreporting there. So we need to provide a mechanism or prompt so that managers are looking at those sickness levels and are properly reporting them, for example. And I think that goes with the other parts of the process too. There needs to be proper prompts and inducements so people actually undertake the correct behaviors. So the policy in itself is fine, but we probably need to think about reengineering that so that managers are prompted. They understand their responsibilities and they are correctly reminded either through automated or all the means to make sickness reports and to comply with the other parts of the policy. Was that part of the remediation plan for this review? So I don't think it was specifically covered in the plan, but I think it's something that's being looked at in terms of processes very similar to the procurement one. I think it's a wider piece we're looking at within the organisation as to how we can better utilise some of our embryonic IT capacity and things like AI to make sure that some of these systems work better for us and better for managers. Thank you for the answer. I think Julie Lauren, you want to contribute? Yes, I do, just to provide some context. David Drake, when he says it's part of a bigger issue. For me, this is a fundamental issue to the council's operating model. So we are looking to become much more service-focused. Actually, attendance management is a key responsibility of any manager in the business. The minute you centralise that, it's almost like it's not the business's responsibility at HR's responsibility. So what we will be bringing to the HR committee in May is a proposal that actually doesn't just look at re-engineering the processes. It looks at putting accountability and responsibility back into those operational areas. So the responsibility systems and processes for managing absence will return to the services rather than sit at the centre. And I passionately believe that that will make a significant difference. The other thing I think to bear in mind why we need to do this, it's become not just for the council, but for everybody since COVID, when patterns of work and we're different, those become an entrenched set of behaviours in the organisation that's quite difficult to turn around at a corporate level. So at a corporate level, CMTR looking at different models of work and patterns, whether that be agile, whether that be hybrid, whether it's all office-based, lend itself to different services, and the custodians of ensuring attendance to meet those respective work and patterns that fit those areas will absolutely become embedded in those service areas themselves. And that's the biggest change of technology that David's talking about. Technology, traditionally an organisation, sits in the middle. We either HR have got the system. Actually the best technology today is the point at which it is closest to the end user. So the technology we use will also be service-based. We'll be able to import data from the service system to the centre. Our job will be to report on attendance management. It will be to support managers, identify trends where there's peaks or troughs and support them in reaching agreement for different work and patterns that lend themselves. But the job of the centre won't be at the moment. It seemed to be HR's job for attendance management. Actually, it's a managers job for attendance management. Yeah, okay. Thank you. That's how I was assuming the intention was with us. Interesting. Thanks. Do you have any supplementary question? Okay. Thank you. I think we have a further question from Council side here. Your question, please. Thank you, Chair. Just to understand a little bit about the internal audit. Do we have guidelines from SIPF to understand what good looks like? So understand we are auditing different areas. The offices are undertaking internal audits and bringing about what good practices we have and also areas where we could have improvement. But what are the benchmarking that we're doing and who are the best in class that we can sort of compete with? Okay. Thank you for the question. David. Yeah. Thank you, Chairman. There is an early direct benchmarking in terms of those sort of operational areas from SIPF. But just give you a bit of assurance around that we talk to colleagues across the London audit group into and understand what they're doing and to share best practice in audit methodologies, but also operational areas. Now, what you would find sometimes is it's quite a disparity there in terms of practice and capability in various service areas. So some councils might be a little bit more advanced with the noise in their use of AI and somewhere a long way behind. And sometimes that's to do with the size, the scalability of the council and the resources of their disposal. But there is that kind of informal benchmarking. SIPF for itself isn't particularly helpful in this regard though. We can benchmark using SIPF, but that's more to do with benchmarking your actual internal audit service in terms of the number of days and resources it looks like with with a comparable peer group. So that understanding that best practices is a challenge certainly. Thank you for that answer. Okay. Moving on. I can ask that the comments of the committee are noted. The audit committee is recommended to one. Note the concept of the attached report and the overall progress and assurance opinions for audits carried out as part of 2023 2024 audit plan. Next we have item 4.4 risk management, corporate and direct risk registers. These are on page 63 and one or two. Okay. Sorry. Did make it make it more lively. Would you like to join us here? Okay. Thank you. Yeah. Thank you. Yeah, that's. Okay. Just give a minute for them to set it down. Thank you. Yeah. Okay. Pat, are you leaving or do you want to contribute? Do you want to say a few words about your role in this attendance management? That's been done. No. Oh, I know, but she's leaving. That's why she came prepared to say a few words. Okay. Take two minutes and just. Okay. So I attended today to talk about the limited assurance audit report on attendance management. And Julia is very kindly fielding lots of gaps for me. What I would say is that we have action the recommendations around strengthening policy. We've done manager briefing notes. We've updated staff in TH now, so many of the recommendations have already been actioned. I would just echo what Julia Rang said in that this is a manager's responsibility. But it's often seen as an HR responsibility in the centre. So it's right that we should put that back in the service area. I do think there are some systems that changes that might help us to flag to managers. We've already introduced an application that's available to managers on their phone. So they don't have to log on to a laptop now. They can access their HR self service on a phone app. So it's much more accessible for them. Then hopefully that will improve compliance. So I think most of the actions now have actually been the recommendations have been actions. So really I was just coming to give you some assurance that we have carried out many of the actions. Many of the compliance will improve, I think, with the changes in the organisational structure and getting the service back nearer to service managers. I think I will improve compliance, as Julie said. Thank you for coming. We'll see you in the next meeting. Thank you. Okay. Moving on to item 4.4, that's your risk management. So can I kindly ask once again David Dobbs to present your report, please? You have 10 minutes. Thank you, Chairman. Again, just to draw attention to the salient features of this report. In the area of risk management, there's been a raft of ongoing activity undertaken by the risk management team. This has included attendance at all of the Council's Directorate Leadership Team meetings to facilitate discussion and provide challenge around key risk areas, and to ensure that any outstanding activities have been highlighted and addressed by the risk owners and the control owners, and those are the senior officers in the service departments. Additionally, you'll see in the covenant report, we've made reference to some of the risks being re-articulated to help create and improve the more complete description of a particular risk in its consequences. And we've given an example there in the covenant report around the risk of a cyber attack. Nevertheless, as noted in the report, there is an inconsistency. Some business areas have yet to undertake a risk identification exercise, i.e., some business areas haven't yet been through and populated our risk management software with the key risks that are in their service areas. And therefore, while it's known in some areas that risks exist and are known and acknowledged, they've not yet been formally captured on the JKAD risk register. So there are some gaps. Additionally, organisational change has had an impact. For example, work is on going to assimilate the risks that were previously held and recorded separately by Tower Hamlet's homes, the ALMA, which has now been absorbed by the council. So they had a separate risk register. That now needs to be looked at, assessed by the Director of Housing and Region, assimilated and absorbed into their risk register. Work is also underway to incorporate the pensions risk register into JKAD. And again, this was another risk register, although in place was held separately. So we are trying to draw the risks into one place using the council's corporate software JKAD. So there are some gaps there, which we know about, which the risk team is addressing on an ongoing basis. Specifically in relation to the corporate risk register, the report highlights three new risks that will be added to the corporate risk register. These are an emerging risk in relation to rent collection and related arrears. Secondly, a risk in relation to community cohesion. And thirdly, a risk in relation to the people first, council transformation programme. These risks, it's been agreed, will be added to the risk register due to the next cycle. They will have owners assigned and controls will be populated. Similarly, it's also been agreed, a long-standing risk in relation to compliance with the Protection of Freedom Act 2012 can be relegated from the corporate risk register. So that can be de-escalated. We're in a position on that one where we regard the mitigations now sufficient to allow for this risk to be downgraded. The specifics of that in relation to the act are that we had some years ago an adverse inspection report in relation to how we collected CCTV surveillance data. We had to put a number of mitigations and actions in place. Those are largely complete now. That risk can be de-escalated. Finally, alongside the corporate risk register, you've also got the health and social care director at risk register. And colleagues are here from that directorate. So Mr. Banerjee, the interim director for that area, and is present to answer any questions. My assessment of that particular risk register is it's in pretty good shape. It's one of the more mature ones we've got across the council. So the recently departed deputy chief executive was very diligent in ensuring those risks were looked at, questioned and challenged in some detail at least on a quarterly basis. So colleagues in that directorate have inherited a fairly solid risk register. That would be my assessment. I'm happy to take any questions, Jim. Thank you for that report. Do they wish to contribute now after the questioning session? I think it's if there's any questions. Okay. First of all, take the questions. Yeah. Members wish to ask any questions. Okay. We can see you, COVID-19. Your question first, please. Not a question. Just an update on the risk register. I think Sherman's is already a director, but he's acting corporate director. So Denise's name is still on the register. It's maybe because of publication dates, but if we, as a risk register, we can update for the time period. Sherman's name on it. That's all. Just an observation. Yeah. It is entirely to do with publication dates and Denise Ravi did email me on our last evening telling me to change it. And I did it immediately. Let's thank a wrap, Jim. Okay. Thank you. Are there any more? I'll question. Okay. We have a question. Just for clarification for my understanding. I think you said earlier that there's, there are certain areas that they haven't got around to putting their risks on. Is this people who are porting into the system or, I mean, what, what, or are they just a bit surprised to hear that there's people who haven't bothered populating the risk register. Because it's, it's not new. Or is this people who have been sort of brought in? They've, they've just, yeah, it's a little bit of everything to be honest with you. So there are some people that are porting in and we've talked about how much home's porting in and they've had their own risk register and that now leads to be looked at. There are other areas where there have been staff changes. So ahead of service may have left and that may have created a gap. And hitherto they hadn't considered risks in that particular area and we ask that people down to their service do just that. So, so previously there's been some gaps. We've been working to address those gaps. We've been facilitating risk identification sessions in one or two areas. Obviously that hasn't yet come to fruition in terms of those individuals undertaking the J-CAD training and populating the risk registers. So I think we've got a good idea of where they are. But it does need the individuals to take action to do that. Now we are happy to facilitate that. We're not going to be dogmatic and say it's your risks you must do it. If somebody's struggling with workload, if somebody's struggling in some other area, if they can't engage with the software, we will help them do that. And we will certainly populate the risk register to the best of our knowledge and leave them to pick up some of bits and pieces in terms of control owners and so forth. So there's a process in there where we identify the gaps. We work with those particular managers to do the remediation work. But it hasn't borne fruition and borne action in all areas. So does that mean that they are managing risks but just on the side and you don't have visibility to the system? Or does it mean that they're not consciously identifying and managing and controlling the risks in their area? It's a little bit difficult to speak in terms of generalities. But my assessment breeds the former rather than the latter in most cases. OK. Thank you. Do you have any more? Sorry, a quick one. You mentioned that somebody had got a risk register that was in good shape that had been ported in. Was that one of you guys? Yeah. I was just wondering if you could share what, if you have an opinion on what makes your risk register have worked well previously. I'm interested to know whether it's system, structure, operating, rhythm, culture. I need to go on about it all night. Well, I could. But just briefly, it would be good to get your insights as to what works. Yeah, why not? So just to come in briefly, there's been a long-standing, obviously a long-standing corporate director in that particular area. She was well-versed in using JKAD and she would do many of the entries herself. And became almost an expert user. So that continuity and use, repetitive use of the system enabled her to have the knowledge and to manage those risks. Now, if you have changes, of course, people need to be retrained into how to use the system and that can be a burden. So you would have those gaps or those interregnum where things don't happen. That would be my assessment. I'm a colleague of my wish to call in. Yeah, thanks very much. I think the reason why this is in reasonable shape is simply because we follow the process. We, you know, the previous corporate director would continually update the risks. Our direct leadership team, we would go through these risks one by one. At the last meeting, we just went through these risks and assured ourselves that our mitigations were robust. And I don't think it's rocket science, really. It's just kind of repetition and routine. And did that help you focus on, focus your discussions? Do you sort of feel that it was helpful? Yeah, I think the sort of ongoing challenge from the corporate director and the review, taking risks out, making that decision with David and having David come on a regular basis, is really, you know, that's the process. Okay, yeah. You wish to contribute? Yeah. Okay. Yeah, thank you. Just to add to that, I think because we were in a cycle of regularly reviewing the risk register and discussing the risks that were on there, it also means that in other discussions, when we're not particularly looking at the risk register, we would also consider whether there was anything emerging that should be on it. So it wasn't just confined to actually looking at the risk register. Yeah, that's really good to hear. Thank you. Thank you for that. Okay, we can now move on. Oh, so go away. Do you find it? Okay. And I know the observation, but just wanted to find out a bit of just want to find out most of the names allocated are either chief executive corporate directors and directors, but there's a few names who were not directors or corporate directors or chief executives. Is there a standard we need to meet or is anybody who does the relevant training in managing the risk and is this a a corporate need for the council, or should we have an approach where we have the corporate directors or directors who oversee that level of risk. So there isn't a hard and fast set of rules at the moment. Our advice is always that the risk should be owned by a corporate director or a director. That would be our advice. Now, there is an opportunity to lay down a bit more of a mark and be a bit more dogmatic in this insofar as we will be updating the risk management strategy during this year and at that point in time. We could potentially look at introducing such a requirement. Now, the moment we've resisted from doing so. But where risks are not owned by director or corporate director we've had discussions with the corporate director or the direct responsible saying, wouldn't that sit better with you owning that particular risk. So there is a debate in the discussion it has been challenged, I can assure the council about that. I think, yeah. One last one from me I guess. What we have risk, current risk and target risks, would it be possible and I think for presentation purposes to have a chart to see what the trend is of what in year today of what increases. Yes, please. David. Yeah, we upgraded the software recently we've got this capability now so we can certainly do that now because, you know, and I've mentioned this previously because some of the risks have previously been static. I can't pretend that's going to be particularly exciting diagram, but we will certainly bring that back to this committee for the purpose of transparency. Absolutely. Thank you. Just a comment from my side, you did mention about cyber attack. Are you saying we are, we are under attack? Oh, we have potentially, you said, by race and it's so why are people interested in cyber attacking us. Well, Chairman, it's a risk on the corporate register because we could fall to a cyber attack and a number of councils have fallen victim to cyber attacks rendering their almost their entire IT operations redundant for a number of days, weeks and months. So it's a possibility. I think Hackney was one that was hacked not so long ago, Chairman, there have been others that wanted Lester was hacked recently. So it's a big pardon. Oh, yeah. Did all the source of the cyber attack? Is it from China? No, no, I'm not aware of where it was from. I mean, I know it's an amusement and so I worked at ACCA before they suffered a lot of cyber attacks, particularly from China, so it's possible. Sorry, Council just to let you know that the NHS, there was various different cyber attacks ransomware on NHS, and in terms of housing associations, most recent one that I'm aware of, Clarion, and that affected a lot of our residents. Yeah, thank you for that. You kindly come in. I can, I can, and it's just to say, as organizations increasingly become more dependent on technology and systems for storing data, those become gold mines targets for potential cyber attackers, either because they threaten to shut down your systems and hold you to ransom and a number of organizations that happen to, or because they mine your data system and use the information it contains for bad purposes. So, for example, in children's services, you have a list of vulnerable children in adult social care, they have a list of vulnerable adults with names and addresses. The last thing you would ever want is that information to give them to the wrong hands. And so, being data secure and cyber aware is critical for organizations like this. Thank you for that. Yes, it's so clear. We have one more question from COVID-19. Look, is it common? Just information sharing, as this is the audit committee, apologies, Councillor. Right, so there are malicious emails that go around in the name of Councillors and the mayor, so we've had a number of those going... So, these are personal, isn't it? No, it's not. It's come to email addresses, so it might be worthwhile to have a corporate message sent out regarding phishing and stuff like that, and how you quarantine all of that. So, I've got it on an individual level, but maybe corporate-wise, we look at sending out to staff or renewing training for staff, so they're aware of it, so they don't accidentally press respond or go onto any of those links. Just... The very good suggestion, we should vote. Okay, I think that completes that agenda. Okay, thank you. Thank you for coming. Yeah, Councillor, he did send... Okay, next one, thank you. Okay. No, we have four now, yes, but we are the final stages. No, we can't, we aren't allowing anybody else to go until the meeting is complete. Okay. Yeah, let's give it a minute until the day. Thank you. Okay. Can I now ask that the comments of the committee are noted? The audit committee is a commented one. Note the updated corporate risk register and why applicable request risk owners with risks requiring further scrutiny to provide a detailed update on the treatment and mitigation of those risks, including impact on the corporate objectives at the next audit committee meeting. Note the proposed changes to the council risk register as set out in paragraph 3.4 and 3.5. Note the updated health and social care director risk register and why applicable request risk owners with risk requiring further scrutiny to provide a detailed update on the treatment and mitigation of the risk, including impact on the director's objective at the next audit committee meeting. Now, we have come to the one of the last item. We have two left, 4.5 annual review of the anti-bribery policy. This should take 10 minutes. Can I again ask invite David Dobbs to present this report on annual review, please. Thank you, Chairman. Very straightforward. This is simply a cosmetic policy update in relation to the Bribery Act 2010 and the council's policy. We needed to update some of the officer contact details to make sure that we could republish the policy and so that it's appropriate for circulation amongst council officers. This, I would suggest, isn't a huge risk area for the council and I think since the act was brought in in 2010, we've only examined two offenses in relation to the Bribery Act and looked at whether or not they met the criminal threshold and neither of them did. There's perhaps not such a huge issue for councils, probably more for organisations in the commercial sector. Nevertheless, it is a strict liability offence, so it's not good enough just to say we didn't know about Bribery. We need to maintain what's known as adequate procedures. Parts of those procedures include a policy of which this is one, Chairman, so it's submitted here for all the data and ratification by the committee. Thank you. Thank you for that. Does member wish to ask any question on this? Okay, we have council member. Please. Thank you, Chair. Do we send out, I know this is on a paper format, do we send out training to our staff as well? So everyone to sort of the online training so they are aware of different scenarios rather than just reading an essay? Yeah, David Dobbs. Yeah, this forms part of the mandated corporate induction which all officers undertake when they join the council. I think it could possibly be augmented by the training being updated and refreshed periodically, so we would update the training, provide some new scenarios as you've described and then it'll be rolled out again to officers. But I think that induction package and all the e-learn that goes with it again is part of what colleagues in human resources are looking at at the moment in terms of how they can provide a better experience for new joiners. But also make sure we are meeting our responsibilities because that trainee element is key part of it. Thank you, David. Are there any more questions? Say, let's go away. Okay. Can I now ask the comments of the committee and note it and the recommendations are approved. The audit committee is recommended to one note and approve the council updated anti-bribery policy. Moving on to item five, audit committee work plan. These are on pages 117 to 118. Can I ask members to note the audit committee work plan? Yeah, it's okay. Yeah. Yes, we'll have a new one at the next, yeah, immediately, yeah. Thank you for everybody for coming and taking part and contributing, especially the guest from the best value. Thank you for coming. Next time when we will prepare, okay, that's it. What is the next meeting? May. Okay. Yeah, you'll get part of it. That's the next meeting. So thank you and we'll see you on the next meeting. So, so. Thank you. Thank you.
Transcript
My name is Councillor Haran Meer and I am the Chair of the Committee.
Thank you all for coming.
This meeting is being webcast live on the Council website.
I will now ask from my right-hand side the Committee members present to introduce themselves.
Can you please state any declaration of interest that you may have in the agenda?
Thank you.
I am Jill Bailey.
I am from legal.
Hi, my name is Amajukhar and I am a Councillor for Blakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilakwilaking.
Good evening everyone, Councillor Saeed Ahmed.
Asang Khan, head of strategic finance and chief accountant.
Paul, I will do interim head of pension and treasury.
Angus Fish, manager from Deloitte, the external auditor.
Jonathan Gooding, the external auditor part of Deloitte.
[ Inaudible ]
[ Inaudible ]
David Dobbs, head of internal auditor, anti-frauding risk.
Councillor Rachel Blake.
[ Inaudible ]
[ Inaudible ]
[ Inaudible ]
[ Inaudible ]
Now to the items of the agenda.
Item two unrestricted minutes of the previous meeting.
Can I please invite members to approve the unrestricted minutes
of the meeting held on this 22nd of January as an accurate record of the proceedings.
Is that okay?
Yeah.
Thank you, members.
Item number three.
Deloitte items for consideration.
Okay, officers from Deloitte, can I ask?
They are here.
So they will be contributing to the next item.
The report is on 4.1.
Now agenda four, terms items for consideration, 4.1, addressing the local audit backlog and update
on the outstanding audit accounts, supplementary agenda.
This will take 20 minutes.
Now can I invite Julia Lorin or Abhirajak Kashim?
[ Inaudible ]
Yes, sir.
Okay.
Can I invite us sometime to proceed with the present this report?
[ Inaudible ]
Okay.
Yes.
So come in.
We started with this.
Yeah, of course.
Of course.
The gentleman there.
Would you mind turning off the --
[ Inaudible ]
Yeah.
Good job.
Yeah.
Thank you.
Okay.
All right.
We have two members.
Can I just take their introduction just for a minute before you proceed.
Okay.
Can we wait?
Can you introduce yourself?
I apologize for the delay.
There's also the appointments panel which is -- did an appointment.
Okay.
Anything?
No.
Okay.
Thank you.
Okay.
Asan Khan.
Thank you, Chair.
Yeah.
So the paper really discusses two key areas.
Proposals for addressing the local audit backlog nationally.
As well as tower hamlets council external audit position in the context of these proposals.
There's also a briefing paper included from our external auditors who are here to with us tonight.
And they can take you through the position in regards to the external audit point of view as well.
So from an officer point of view.
Since July 23 organizations involved in the regulation and oversight of local authority financial reporting and audit.
This includes DLAC, National Audit Office, SIPFAR, external auditors have been working collectively to agree a proposed solution to clear the outstanding historic audits across the country.
Proposals were drawn up and published earlier in the year in February with consultation on these proposals ending in 7th of March 2024.
The consultation included three key parts, DLAC's intentions for amending the accounts and audit regulations.
Which I can broadly summarize as largely putting a series of dates in law.
Which are now commonly being referred to as black stop dates.
These are dates by which local authorities will need to have published audit accounts for all outstanding years.
The second key part of the consultation was the National Audit Office intentions for amending the code of audit practice.
Largely affecting the external auditors in their processes and their practices.
And also SIPFAR proposals for temporary changes to the accounting code of practice to reduce burdens on those who prepare an audit local authority account.
So both practitioners and auditors.
So those were the three key parts. Most importantly I think for the council part one, DLAC's intentions around the backstop dates.
And the SIPFAR proposals for temporary changes to the accounting code of practice.
The proposed measures consists of three phases. So phase one reset.
This is legislating for a statutory backstop date for the publication of all financial statements or all outstanding financial statements by 30th of September 2024.
It's quite a key date for members to note.
So any accounts that the council has outstanding under current proposals in line with the consultation will need to be completed by 30th of September 2024.
Phase two is about recovery. So it's about next financial years.
So it's composed of a series of statutory backstop dates covering the financial years 23, 24 through to 27, 28 to allow auditors to rebuild assurance over a five year period.
And most notably the time allowed to complete the audits gets shorter and shorter across those five years.
I think that's a general acknowledgement that in the earlier years because of the backstop dates in regards to the financial years up to and including 22, 23 and some of the qualification or modified opinions that might be issued.
And the work will need to be done earlier in those five years to gain those assurances around those opening balances from 23, 24 onwards.
So that's face to recovery. Most of that work will take place with EY, new auditors, I should add.
Phase one obviously will be with our current auditors, the lights.
Phase three is more around reform. So they are far see alongside D. Luck and other system partners that will continue to work and address system systematic challenges and embed timely financial reporting and audit.
There's no firm proposals around this as commitments, including setting up specific bodies, streamlining, processing and accounting procedures.
That no firm proposals. So I'm sure we'll hear more of that in the coming time.
The council responded to the consultation supportive or very supportive in regards to the proposals. So we did respond to the consultation.
So that's the summary of the proposals that were issued consultation has ended on that and the council has been supportive of that.
Now, to provide some general context in regards to how Hamlet's council external audit position in the context of these proposals. So, as per reported to the committee in November last year, we set out plans, timeframes, work plans in regards to accelerating the production of accounts.
Back then, 2122 draft accounts as well as 2223 draft accounts had not been published and focus and key resources were channeled to ensure that 2122 and 2223 draft accounts were published as soon as practically possible, which was early February this year.
That was with the view of these backstate backstop dates coming into effect, as well as at the time of reporting to ensure that the council was acting in the public interest and balances needed to be confirmed in regards to the council's available resources
for future financial decision-making and MTFS planning. So, 2 key components, which will report at the time until you're in terms of accelerating the production of accounts.
So, the council officers will largely broadly met these timeframes. So, since we reported on the time on the plans in November last year, council officers published will redraft the 2020 or 2021 accounts in December.
As well as publishing draft accounts for 2122 in December, 2223 draft accounts were published in early February, and public inspection period for 2122 as well as 2223 have been fully observed and ended in March 2024.
In regards to achieving these timeframes and the time constraints available to us, I think it's worthwhile noting to the committee, some compromises were made in regards to the accounts.
So, some, a handful of disclosure notes were compromised, these are detailed in the report in regards to remuneration information related party transaction and revenue from contracts with customers.
Full comprehensive collation, all required data was not met. Due to kind constraints, group accounts were not prepared, but officers deemed that financial management and decision-making would not be affected as a consequence.
Perhaps more substantially, we need to corroborate our member data, our scheme member data, regards to the pension valuation, the actual valuation and work on that continues.
So, I think it's worthwhile highlighting these risks that were accepted at the time to ensure that we met publishing the draft accounts for 2122, 2223.
Subsequently, with 2324 financial year ending, council office of time is very much focused on closing down the 2324 financial year.
We have been in discussions with EY to ensure they are onboarded so they can scope out the audit for 2324 and to ensure that we have the necessary information over to them as soon as possible, so they can commence their audit in a timely basis.
The additional work that we will also need to do in the coming months with our current auditors Deloitte will be focusing on completing the required work for 2021, 21, 22 and 22, 23, and which largely is currently deemed to be a lot of the work around the value for money.
So, our expectation is we will get to the 30th of September with opinions issued.
We expect that to be some form of a modified opinion, which may be disclaimers.
This will not be a tower hamlets only issue and not peculiar to tower hamlets.
Moreover, we suspect it will be a national trend.
It will help tower hamlets catch up when a true up will be required with our new auditors EY from 2324 onwards.
So that's an update on tower hamlets' next steps and offices plans to address outstanding accounts for 2021, 21, 22 and 22, 23.
And those accounts or the latest draft version of those accounts have also been included as part of this report with the appendices.
So I'll hand over to Jonathan in regards to those key issues from an external audit point of view, so we can update the committee tonight.
Okay, thank you.
Okay, well what have we got to it?
Thank you very much.
So I don't have a lot to add, as I think our sound covered most of the material.
So our responsibility is with respect to your order up to the 31st of March, 2023 accounts.
As has been said, we signed the 1819 and 1920 accounts back in November.
Since then the authority, as I said, has published your remaining three years that are relevant to us.
And they've gone through the appropriate inspection period.
There are a number of things, so the number of consultations happening, as our sound has said, and the key point is this backstop date at the end of September.
And there are a number of things that we need to do between now and then to meet that backstop date.
We have a plan in place, we have the published accounts, and we are making progress against that.
As our sound mentioned, the first priority is to complete the value for money work in respect to those three years as that's a requirement.
And we will report that work to you as part of our annual auditors report.
We are also required to issue audit planning information in respect to those three years.
We are performing procedures to look through what has been done.
Some work has been done on the 2021 audit and we're going through that.
But as our sound mentioned, the expectation would be that at the end of September, we would issue likely disclaimer opinions on those three years of accounts once we've completed all of the necessary procedures.
Part of those procedures includes reading the accounts that have been prepared and where there are known errors or issues in them that we would capture those and report those as well.
And so those may form part of an opinion or part of our reporting to you as part of our committee paper.
So we have the resources in place and plan in place to deliver that.
And alongside that, as our sound has said, you are beginning your work with your new audits in respect to the 2024 audit to get back on track and to recover that position.
I have to take any questions.
Thank you for that report.
And I'll ask committee members, do they have any questions?
I can see.
Yeah.
I have two questions. First, to Deloitte, that's an extraordinarily tight timetable that I see you have no option but to go for it.
What's the implications if it isn't met and sort of connected to that is being mindful of the situation that Deloitte inherited from the previous auditors KPMG and the additional work required to get to an agreed state.
Is this something that's been incorporated in or will be incorporated to the handover to EY or are they just going to be left holding a bag of eels?
That was it.
Yeah.
What if we don't make it?
What's the impact?
And also, can we sort of.
Okay, so some of the guidance and consideration around all of this is evolving because the consultation happened proposals have been made that some of this hasn't been written into statute and some of the additional guidance hasn't come out yet.
There is a suggestion that authorities that do not meet the bank stop would be in some way reported. It would be publicly available information that you've not met bank stop.
And there may be some reporting as to why that was.
I think very much. I mean, clearly there are risks to any time table and there are risks to this timetable.
It certainly feels as though the authority is prioritizing this and prioritizing the value for money work at this stage, which we need to complete in the next few months.
The other procedures, there are a number of procedures that we need to perform, but we do have reviewed our resourcing and prioritise what we're looking at.
So the tasks that we have identified are, we consider to be absolutely necessary to meet the deadline.
And we have prioritised those matters rather than trying to do additional pieces of work that may or may not complete before the deadline.
And in that way, we're trying to mitigate that risk.
We have already met with the new auditor and had a discussion and we will have further discussions with them and they will have access to our files at an appropriate point.
As I said, the council is in a very similar position to many, many other authorities and many authorities will be in a similar position with regards to not being able to rely on opening balances.
And that will have an impact on future years' opinions, more sector-wide guidance coming out in regards to wording of some of those things and the process for recovery.
And I think that's part of the Stage 3 and Stage 4 of the sector leaders' plans.
So just to add to Jonathan's response, a lot of this will be the work that EY will need to do, so we are engaged with them, so we started some initial workings.
We have not been fully able to engage with them as yet as they clear the internal processes, but what we'd like to do is have that engagement to EY to understand exactly what they need in terms of when they get those and work on those opening balances for 23-24.
So we're fully committed to engage with EY as soon as possible to understand what additional work will be required.
So I think as soon as we understand the quantum of additional work required and what that will look like, that's the kind of thing we can report back to the committee in due course.
Thank you for the answer. A second question from COVID-19.
Thank you. So the first thing I wanted to pick up on, and I know you alluded to it slightly just now, is the program timetable in order to get this signed off.
Our officers had sight of it. Are you confident that this can meet the target?
That's the first thing, because we've got three years of accounts and we've literally got like five months ahead of us.
And if there are any questions or queries that come back, are we reinforced enough in terms of capacity to respond to that in time and vice versa on the other side as well?
So how resources are we on both sides? You've said you've got enough capacity in there. I'm wanting to find out from the finance team.
Also, in terms of costs, is there further additional costs for that additional resourcing?
And do we need additional resourcing in order to meet that tight timeline?
And lastly, if, for whatever happens, these certificates are not issued, are we still liable to pay money for services rendered?
What are the risks associated with that?
So just one needed explanations of that, or how is that calculated?
Thank you for the wait.
Yeah, okay.
Hi, Councillor Kabir. Yeah, so the resourcing side of it, we've been meeting with Angus who spoke about, you know, what is required by them.
So we have from an office's point of view, we've got that timetable.
So as soon as we finish our closing of 23-24, which is the end of May, the value for money work is a priority for us.
So we are ready for that.
In terms of the reconciliations and other items required, Angus made clear what he wants us to submit, and that is ready to be submitted as soon as possible.
Can I just pick up on the cross question?
I love that, to be still paid if we don't get numbers, outcome-based orders.
I think I need to try and be measured, because you can oversimplify this, but you can overcomplicate it as well.
So I'm just going to go for it.
The whole point of the consultation from the government and all of the bodies involved is a recognition that actually something has not gone quite right.
It's not gone quite right in the system, and if we don't take quite radical steps, then we'll end up in this backlog forever.
So largely when auditors provided they do focus on value for money and areas like that, when they issue an opinion that in order to meet the backstop date has an element of restricted assurance, shall we say in it?
That allows the new auditors EY to avoid those costly going backwards to revisit issues, and that's why the backstop processes across so many years, because it takes that many years to work through your accounts from an opinion that was limited or came under different governance arrangements.
For me, the opinion that will be issued in order to meet the backstop date, I will relentlessly pursue colleagues in order to get that.
That doesn't mean to say at any cost, so the thing that will make authorities difficult and run high costs up is if a reason for a limited assurance goes outside of just being able to meet those backstop dates.
In my view, the work the team has done and the big issue for us as Abdul Razak has alluded to, directly stated, is pensions, and it would be good for the audit committee to get an update on that, and the position of where we are and the action of taking
and confident that we will overcome that. So from my perspective, the obligation to meet backstop dates set in statute is just as much an obligation for the auditors as it is for us as being audited.
So we share a mutual statutory requirement to do so, and I can see no reason at all why that won't happen for tower helmets, and I think that the whole backstop issue and the whole issue of restricted opinions mean that we can reset as a nation.
Public sector accountants, so we end up getting back to your point, what you pay for an audit gives you sound levels of assurance, it isn't light touch, it isn't governed by backstop dates, but that will take years to work through.
A lot of the heavy lifting of additional cost, rightly additional cost because there was a lot of additional work has already been done by the team, and actually by Deloitte.
So I can't see that we would, if for us not to meet that backstop date to a large degree, we both have to fail, really, Deloitte's and timelots, and I don't think either of us will put any intentions to do, and so that's my view.
Okay, thank you for that answer. Okay, are there any more questions?
Okay, can I kindly ask that the comments of the committee are noted, the audit committee is recommended to.
Okay, is there anything you wish to add from Deloitte or Assam?
No, no. Okay. Thank you. Okay.
The audit committee is recommended to note the summary proposals for addressing the local audit backlog in England.
To note Deloitte's briefing paper to the Council on plans for addressing the backlog in local audits.
To note the position on the outstanding external audits of the council statements of account for 2020, 2021, 21, 22 and 22, 23.
And finally, to note the council's latest draft accounts for 2021.
So item now, we're moving on to item 4.2, internal audit plan and charter for 2024, 2025.
These are on pages 17 to 34.
Can I kindly ask David Dobbs to present this report? You have 10 minutes.
Thank you, Mr. Chairman. I'll take this paper largely as red and just draw your attention to one, two key features, please.
The plan, as you would expect, sets out our internal audit work that we've got programmed for 24, 25.
And it recognizes that our audit approach needs to develop and evolve to maintain its relevance and its value to the organization.
And therefore, while what you see in the plan includes that traditional list of programmed risk-based audit assignments in appendices A and B,
it also includes an allowance for work that will be undertaken collectively by the team to develop, enhance and embed good corporate governance across the council.
This will include, for example, assurance over the council's various and many grants programs, supporting corporate priorities such as transformation.
As you know, we lead on the compilation of the annual governance statement and we intend to bring the 23, 24 AGS to the next meeting of this committee.
It's assisting in the development of the council's incipient control framework.
And also, it acknowledges that we've included a contingency provision within the plan that would enable us to absorb any unplanned or responsive work that we need to undertake at the request of management.
Now, within the plan itself, you will see in Appendix A, we've included a column there, which is our fairly fundamental rudimentary risk map in there, which shows where the genesis of some of these audits have come from.
I think quite rightly, when we looked at last year's plan, which I inherited, there was some comment around perhaps a bias towards undertaking audits that have been requested by management.
And we've obviously recognized that in compiling the plan for 24, 25, and you'll see that in Appendix A.
Appendix B is the list of schools audits, which is cyclical, and we intend to audit all the schools over a five year period.
Additionally, in the plan, you'll see there's an acknowledgement that the plan is not set in stone.
And as described in paragraph 2.5, it can be flexed to allow for the refocus on the changing needs of the council.
So as part of this approach, we will fully review the plan at a six month point, probably in September.
We'll go back to corporate management team, and we'll come back to this committee with any changes and seek a mandate for that going forward.
This is quite important because it recognizes what might be a risk now, and is included in the plan for quarters three and four, might not be a risk then, might be dealt with, or the risk may have evolved in some way.
So the plan needs to change, too.
In relation to the updated audit charter, which is appended to the plan, there's a lot of narrative here, but in essence, it's sent out into an audit's terms of reference and related considerations, including the service mandates.
It's positioning with the organisation, how we report and independence and objectivity.
It recognizes that internal audit is governed primarily by adherence to the public sector internal audit standards.
And therefore, the way we operate and how we undertake audits, how we report is designed to sit within the parameters of those standards, so we comply with a set of professional standards.
It therefore also recognizes the duality of internal audit in so far as we report administratively to the senior management of the council, essentially corporate management team, and functionally to this committee.
I'll pause there, Joan, of course, happy to take any questions.
Thank you for that. Are there any questions?
Do you wish to ask? Oh, okay, Charlotte.
It was just really to say thank you.
I think the point you raised earlier is the point that I've been banging on for a while about taking control of your own destiny.
And yes, it was good to see that reflected. And I just wondered, this isn't really a question or an observation that the key drivers that you've recognised in the current audit plan, it would be quite interesting to see if there's any correlation between the origin of their inclusion
and the outcome of the reviews themselves, because it might be that management are to a gold mine and it would be good to understand the quality of your own measures.
Thank you for the comment. I guess we'll see during the year, essentially. We've drawn the audit plan from a number of sources and includes, of course, those really important discussions with stakeholders, which we still have on that are extensive.
But those this time around have really been in order to validate our audit intel, but we've drawn other audits from a number of areas, including some of the thought leadership coming after the institute internal audits.
So we thought that was quite important to incorporate as well.
Thank you for that. Can I ask you a question, please?
Thanks. The minutes of the meeting in January say that I requested for internal audit to consider the management of lettings and also the management of markets.
I can see that there's the kind of linked to that. These are some really big topics here, and my experience on the committee over the years suggests that you set out these topics and then you come back with a brief, there's a degree of negotiation within the with the director about what will be within scope and beyond that.
And so I just wanted to understand, appreciate your the the ones about lettings. So there is bidding process, but that is different to lettings. And also I can't see markets in here at all.
So that's kind of one one question, but then the other bit. The other question would be with the quarter one and two audits.
Will you bring back those briefs or will there be a request basis for the briefs within the in the audits?
Thank you for the question David.
Thank you, Jim. Yeah. So in relation to management of markets and the management of lettings, those are audits that have been undertaken now.
I think the request was to bring those reports back into course and and and depending on the outcomes of those, we bring back or summarize ones that limited assurance but but my commitment to this committee is we're completely transparent.
I'm happy to make full reports available to committee should they wish to digest them in full. That's absolutely fine.
In relation to Q1 and Q2 work again, what we would do is those are scoped out with management in terms of the reference and how those audits will look and how they'll be carried out and what the brief looks like.
We will bring them back to this committee in summary form were there to be an adverse findings and were the audits to resulting limited or no assurance or all its opinions.
But once again, there's a number of audits here on the plan. Mr Chairman, I'm quite happy for members to see any of the reports and full should they wish to do so in summarizing them, what we are trying to do is direct committee members to those areas of risk rather than give them everything in totality,
which would have resulted in obviously a very, very lengthy agenda pack. So quite happy to make the reports available outside of the meeting. They'll come back if they're limited or no assurance reports in due course.
Thank you. Are there any more questions for members? Okay. I can see no more questions.
Can I ask that the comments of the committee and noted the audit committee is recommended to one agree the internal audit plan and charter for 2024 2025 item agenda item 4.3 internal audit and anti fraud progress report.
These are pages 35 to 62. We have 10 minutes for the report. Can I once again ask David Dobbs to present this report, please.
Thank you, Mr Chairman. This augments the report that you would have seen that January's committee in terms of progress.
So it's an incremental update. So there's a lot of detail in here and it updates that report and provides the latest snapshot of this.
I'll draw your attention to on page 40, the graph there, which states on the year to date.
Audits resulting in reasonable or substantial assurance is currently 47%. That's climbed, I think, from 43% when we last reported.
Again, I would stress this is an interim figure. Whilst we complete the work that was contained within 2324 audit plan, this figure will be subject to change.
We will bring back the final figure and our annual report to the July meeting of this committee.
So you will see what the outcome will be there. And we'll of course bring back a much more comprehensive audit report then, which will show you our full out turn for 2324.
In relation to specific audit outcomes during this period, the appendix report summarises limited assurance audit reports at which there were three and some of the consultancy work, which we've undertaken.
In terms of those limited assurance order reports, there were three. One was the scheme of publication.
The second one was in relation to attendance management, and the third was in relation to the requisition or RFQ system.
And an office this evening are available to answer some of your questions on those limited assurance reports, Chair.
One point I would make particularly in relation to the order report on RFQ is you will see here there are a number of compliance issues.
I think it's quite right to say that this has led to a wider debates with the organisation around our procurement procedures and whether or not they are fit for purpose and appropriate and proportional.
And that's not to suggest that in any way we would weaken compliance. It's simply to say that we need to drive compliance and have a system that walks for everybody and allows us to move quickly, particularly in relation to procurement of low value items where I'm talking about items under 100,000 pounds in value which are covered by this system.
I'm happy to pause there for questions, Chairman.
We have, can you kindly welcome to the old committee, would you like to just take a minute to introduce yourself please.
Good evening, so I'm Pat Chen, the Acting Director of Workforce ODM Business Support.
Do you want to come in now?
Yes, Chair, if you don't mind.
Just to comment following up from David's correct observations that we are looking wider at some of those procurement thresholds, I just want to stress a, these are internal thresholds, these are not in relation to our statutory obligations, they are the organisations,
internal limits that are somewhat outdated.
And we have commissioned support from SIPF through their fully owned subsidiary called SICO, and they will be undertaking a independent review for us of the proposed changes to our current thresholds, and that will achieve several things.
One, we give everybody and the Council assurance that we're not changing the rules really nearly that we are in line with best contemporary practice and other organisations, but two, it will remove an awful lot of the burden from managers where it has become almost impossible to continue to comply with our own internal regulations because they haven't been updated for some years.
So I just wanted to give you all some assurance that in hand, it is SIPF we're working with, I'm happy to make sure you will see their independent assurance, and of course you'll see any recommendations we make to change those thresholds.
Thank you, Julie, for that.
We have a question from Councillor Rachael Blake.
Your question, please.
In the report on the RFQs and the procurement system, I noticed that in terms of your recommendations, I didn't see many recommendations on staff training because I think the findings are quite significant in terms of the scale of people not complying and that I didn't see any reference to how this could be changed in terms of staff awareness.
David also would like to answer that, please.
Yeah, I mean, I think the big picture is this is something that is being addressed by the work that Director of Corporate Director of Resources just alluded to, so we're looking at the system in its entirety.
This includes the requirements and the burdens on officers when they engage with the procurement system, including training and so on and so forth.
At the moment, officers do need to undertake various items of training before they engage in the procurement system and clearly that's something we're mindful of looking forward into a new system to ensure that that is properly addressed.
But clearly, we need people and individuals are engaging with the system who understand it and have been appropriately trained.
Whether or not that means a reversion to procurement partners in departments or to actually individual procurers has yet undecided, but it is certainly something that is going to be looked at in some detail.
I don't think we've got a firm direction of travel on that particular issue yet, Chairman.
Thank you.
We have one more question.
Oh, sorry. Do you have another question? Yeah, can you just go through the process of what's going to happen next to it? Because obviously there's quite a large amount of expenditure is exposed to it.
My experiences, officers will, these schemes can be pretty burdensome and the databases are often quite unfriendly. People are keen to get their work done and there are often some quite practical reasons for why there is non-compliance.
I don't, is there an action plan that goes further than this so that we can understand where there are genuine errors that could be that people could overcome through training or, and that would also help us to understand when there is more deliberate breaching of the rules because I'm not seeing that in these summary of recommendations.
So if you could help me on the process of what's going to happen next to it.
So the first thing to say is nothing, I think, you know, officers may wish to comment on this.
This further is, is that the system as it stands, the RFQ system is something you need to engage with for any procurements over a thousand pounds and under a hundred thousand pounds.
There's a couple of directional resources alluded to, these thresholds are set by us internally. So if I'm spending £1,500 on stationary, I would need to engage with a formal IT system.
I would need to undergo various items of training. I would need to go through a fairly robust set of parameters in order to undertake that procurement for what is a very low level value contract or requisition.
And having looked at the data, one of the things we've come to understand is a lot of those activities where people have to, or a forced or shoehorned into that type of procurement are for items that are still probably low £50,000 in value.
So one of the things you can consider is actually we can still have a RFQ system, but it would be for, it would tend to be for higher value items.
We need to move to, and I think there's a recognition that we need to move to a system that is less burdensome for smaller or lower value items.
So far I'm buying £1,500 with a stationary. I don't need to undergo training. I don't need to go through a formal procurement system.
I don't need to necessarily check the insurance and the disaster recovery plan of a supplier we've already engaged.
So there'll be another route to market that's much more efficient where we're using established supplier, for example.
So I think that's one thing. I think on the second point about the broader set of actions, again, other colleagues may wish to comment, but that's in training.
Myself, Director of Finance, a part of the project group that met this week to look at how we can address some of these systems, issues and blockages.
So it is in train, but we haven't got that action plan yet, Jan. Thank you for that.
Okay. We have another question from COVID-19.
The action plan on this audit report should come to this committee.
I take the point, these are above £100,000 and then the huge contracts, that is a completely different process, but you could spend quite a lot of money without going through the proper process under £100,000.
Do you want to further clarify? Yeah. Yeah. Apologies. Yeah. So I should explain a little bit better. So there's the audit report, which has generated this action plan.
There's this wider piece of work looking at the process, trying to re-engineer those. My role in that is to advise on the process, to advise on the controls, but primarily, once we've got a result, revise system in place, once things have been decided, you know, I will test the controls.
There will be an audit and then we will come back to this committee with the results of that work. Absolutely.
That's understood.
Is that the action plan? That's what I don't understand.
I don't understand whether what's in that report is the action plan. I don't think it is, but I'm confused by what's.
Okay. So, do you want to make it slightly differently?
Sorry.
So, that's not the action plan. It's an entirety from the audit report.
I'm quite happy to circulate that. There's no issues with that. There is an additional piece of work where we're re-engineing the system, and there'll be an audit after that, just to check that we are comfortable with those revised controls, Chairman.
And again, I'm happy to bring that back to this committee.
Oh, that's good.
Okay.
Councilor Colburn, your question, please.
Very brief.
Page 45, the school's audit results.
There's three schools with substantial and their final status is final as well.
What was the reason behind that?
And also, going forward, how robust are we in tackling those challenges, because the schools, although their local authority schools, they have processes internally within schools, and how do we monitor those?
So, just to be clear, where they've got a substantial rating, that's the highest rating we would issue as auditors.
So, there would be almost no issues on those schools.
So, perhaps re-engineing your question was possible, how do we spread good practice?
And I think there is a way of doing that.
I mean, we would talk to our colleagues in finance, who are interested in the financial governance of schools, and I think they would help disseminate any good practice from those schools, which are, that's exemplar level.
Sorry, is the limited one is still in proper form?
How confident are we that it will get to reasonable or substantial?
Well, in terms of this cycle, it's likely that it will stay limited.
So, that's an outline at the moment.
Now, it's still in draft, so it's possible the school might produce a raft of evidence, which induces us to upgrade our audit opinion.
So, I think it's a very good question, but by some means, that's unlikely.
So, clearly, that's now an outline that needs to be a bit of work there.
And, as I said, in terms of driving improvements, we would engage with the school, but also with colleagues in schools finance to help drive those changes.
Okay, thank you for the question and the answer.
Okay, shall I turn to your question, please?
I noticed that a bunch of reviews are advisory.
Could you just confirm what makes a review advisory as opposed from an actual full audit?
For example, the HMO results read as though it's an audit.
I was just wondering why it's not rated.
And then, secondly, specifically looking at the attendance management review in the context of what you've just been saying about procurement,
that I get with procurement that you need to revise the whole approach to make sure it's fit for purpose and not sort of hobbling people and trying to get them with business.
From the attendance management, it seems that the policies and procedures are in place as good practice, but they're just not followed.
Is that the same thing that they're not followed because they're too arduous, or was there an element of sort of root cause analysis behind these reviews that informed the actions?
Okay, thank you for the question David.
Yeah, in relation to the reviews being advisory, it's often the case that these are ones that are things that are requested by management on very narrow or specific topics which through the nature of the work don't lend themselves to as issuing an audit's opinion.
So they're often very narrow and very specific in their focus, so we would label those advisory. I, of course, recognize the need to balance undertaking those advisory reports with the wishes and needs of this committee which like to see audit's opinions.
Similarly, it needs to be weighed against the organization's desire often to see those risk assurance pieces of work undertaken very quickly without us getting into audit assurance opinions.
So it's where we would flex our approach to a piece of work quite narrowly focused quite quickly.
Absolutely, yes, yeah. In relation to the second issue, I mean, in terms of root causes, I think there's possibly a number of issues here.
I mean, I think you're right in saying we've got a policy, we've got procedures in place, it's simply the fact that we're in many cases not hearing to them.
Now, the wise and we're force behind that, I could only really speculate and I know the direct interim director of HR may wish to comment further, but clearly in undertaking these and it's very similar to procurement one.
It's not simply a case of saying there's a lack of compliance, people must comply.
We need to think about the processes in terms of how we would drive these improved behaviors and how we can drive compliance and how we can improve that.
So one of the issues we might have at the moment, for example, is that managers now are responsible for recording sickness of their staff.
Now, to do that, you've got to remember, you've got to remember somebody who's off sick, you've got to remember when they were off sick and so on and so forth.
And at the moment, we largely are compliant with that, but we don't know the extent to which there may be underreporting of that because people for whatever reason forget, we don't believe that's deliberate, but it's possible underreporting there.
So we need to provide a mechanism or prompt so that managers are looking at those sickness levels and are properly reporting them, for example, and I think that goes with the other parts of the process too.
There needs to be proper prompts and inducements so people actually undertake the correct behaviors.
So the policy in itself is fine, but we probably need to think about re-engineering that so that managers are prompted and they understand their responsibilities and they are correctly reminded either through automated or all the means to make sickness reports and to comply with the other parts of the policy.
Was that part of the remediation plan for this review?
So I don't think it was specifically covered in the plan, but I think it's something that's been looked at in terms of processes very similar to the procurement one.
I think it's a wider piece we're looking at within the organisation as to how we can better utilise some of our embryonic IT capacity and things like AI to make sure that some of these systems work better for us and better for managers.
Thank you for the answer. I think Julie Lauren, you want to contribute? Yes, I do, just to provide some context. David Drake, when he says it's part of a bigger issue.
For me, this is a fundamental issue to the Council's operating model, so we are looking to become much more service-focused.
Actually, attendance management is a key responsibility of any manager in the business.
The minute you centralise that, it's almost like it's not the business's responsibility at HR's responsibility, so what we will be bringing to the HR committee in May is a proposal that actually doesn't just look at re-engineering the processes.
It looks at putting accountability and responsibility back into those operational areas, so the responsibility systems and processes for managing absence will return to the services rather than sit at the centre, and I passionately believe that that will make a significant difference.
The other thing I think to bear in mind why we need to do this, it's become not just for the Council, but for everybody since COVID, when patterns of work were different, those become an entrenched set of behaviours in the organisation that's quite difficult to turn around at a corporate level.
Corporate levels, CMT are looking at different models of work and patterns, whether that be agile, whether that be hybrid, whether it's all office-based, lend itself to different services, and the custodians of ensuring attendance to meet those respective work and patterns that fit those areas will absolutely become embedded in those service areas themselves.
And that's the biggest change of technology that David's talking about. Technology traditionally in organisations sit in the middle, we either HR have got the system, actually the best technology today is the point at which it is closest to the end user.
So the technology we use will also be service-based, we'll be able to import data from the service system to the centre. Our job will be to report on attendance management, it will be to support managers, identify trends where there's peaks or troughs and support them in reaching agreement for different working patterns that lend themselves.
But the job of the centre won't be at the moment, it seemed to be HR's job for attendance management. Actually, it's a managers job for attendance management.
Yeah, okay, thank you. That's how I was assuming the intention was with us. Interesting, thanks.
Do you have any supplementary question? Okay, thank you. I think we have a further question from Council said. Your question, please.
Thank you, Chair. Just to just to understand a little bit about the internal audit, do we have guidelines from sit for to understand what good looks like?
So, understand we are auditing different areas, the offices are undertaking internal audits and bringing about what good practices we have and also areas where we could have improvement, but what are the benchmarking that we're doing and who are the best in class that we can sort of compete with?
Okay, thank you for the question. David does.
Yeah, thank you, Chairman. There is an early direct benchmarking in terms of those sort of operational areas from sit for, but just give you a bit of assurance around that.
We talk to colleagues across the London audit group into and understand what they're doing and to share best practice in audit methodologies, but also operational areas.
Now, what you would find sometimes is there's quite a disparity there in terms of practice and capability in various service areas, so some councils might be a little bit more advanced with the numbers in their use of AI and somewhere along way behind.
And sometimes that's to do with the size, the scalability of the council and the resources of their disposal.
But there is that kind of informal benchmarking, sit for itself isn't particularly helpful in this regard though.
We can benchmark using sit for, but that's more to do with benchmarking your actual internal audit service in terms of the number of days and resources it looks like with a comparable peer group.
So that understanding that best practice is a challenge certainly.
Thank you for that answer. Okay. Moving on.
I can ask that the comments of the committee are noted.
The audit committee is recommended to one.
Note the concept of the attached report and the overall progress and assurance opinions for this carried out as part of 2023, 2024 audit plan.
Next, we have item 4.4 risk management, corporate and direct risk registers. These are on page 63 and one or two.
Okay. Sorry. Did make it make it more lively. Would you like to join us here? Okay. Thank you.
Yeah. Thank you. Yeah.
Okay. Just give a minute for them to set it down. Thank you.
Yeah. Okay. Pat, are you leaving or?
Do you want to contribute? Do you want to say a few words about your role in this attendance management?
No. Oh, I know, but she's leaving. That's why.
She came prepared to say a few words.
Okay. Go on. Take two minutes and just. Okay. So I attended today to talk about the limited assurance audit report on attendance management.
And Julia is very kindly filtering lots of gaps for me.
What I would say is that we have action the recommendations around strengthening policy.
We've done manager briefing notes. We've updated staff in TH now.
So many of the recommendations have already been actioned.
I would just echo what Julia Rang said in that this is a manager's responsibility.
But it's often seen as an HR responsibility in the centre.
So it's right that we should put that back in the service area.
I do think there are some systems that changes that might help us to flag to managers.
We've already introduced an application that's available to managers on their phone.
So they don't have to log on to a laptop now. They can access their HR self service on a phone app.
So it's much more accessible for them than hopefully that will improve compliance.
So I think most of the actions now have actually been the recommendations have been actions.
So really I was just coming to give you some assurance that we have carried out many of the actions.
Many of the compliance will improve, I think, with the changes in the organisational structure
and getting the service back nearer to service managers.
I think I will improve compliance, as Julia said.
Thank you for coming. We'll see you in the next meeting.
Thank you.
Okay, I'm moving on item 4.4. That's a risk measurement.
So can I kindly ask, once again, David wants to present your report, please.
Thank you, Chairman.
Again, just to draw attention to the salient features of this report.
In the area of risk management, there's been a raft of ongoing activity undertaken by the risk management team.
This has included attendance at all of the Council's directorate leadership team meetings to facilitate discussion
and provide challenge around key risk areas, and to ensure that any outstanding activities have been highlighted
and addressed by the risk owners and the control owners, and those are the senior officers in the service departments.
Additionally, you'll see in the covering report, we've made reference to some of the risks being re-articulated
to help create and improve the more complete description of a particular risk and its consequences.
And we've given an example there in the covering report around the risk of a cyber attack.
Nevertheless, as noted in the report, there is an inconsistency.
Some business areas have yet to undertake a risk identification exercise, i.e., some business areas haven't yet been through
and populated risk management software with the key risks that are in their service areas.
And therefore, while it's known in some areas that risks exist and are known and acknowledged,
they've not yet been formally captured on the J-CAD risk register.
So there are some gaps.
Additionally, organisational change has had an impact.
For example, work is on going to assimilate the risks that were previously held and recorded separately
by Tower Hamlet's Homes, the ALMA, which has now been absorbed by the Council.
So they had a separate risk register.
That now needs to be looked at, assessed by the Director of Housing and Region,
assimilated and absorbed into their risk register.
Work is also underway to incorporate the pensions risk register into J-CAD.
And again, this was another risk register, although in place was held separately.
So we are trying to draw the risks into one place using the Council's corporate software J-CAD.
So there are some gaps there, which we know about, which the risk team is addressing on an ongoing basis.
Specifically in relation to the corporate risk register, the report highlights three new risks
that will be added to the corporate risk register.
These are an emerging risk in relation to rent collection and related arrears.
Secondly, a risk in relation to community cohesion.
And thirdly, a risk in relation to the People First Council Transformation Program.
These risks, it's been agreed, will be added to the risk register due to the next cycle.
They will have owners assigned and the controls will be populated.
Similarly, it's also been agreed that longstanding risk in relation to compliance with the Protection of Freedom Act 2012
can be relegated from the corporate risk register, so that can be de-escalated.
We're in a position on that one where we regard the mitigations now sufficient
to allow for this risk to be downgraded.
The specifics of that in relation to the Act are that we had some years ago an adverse inspection report
in relation to how we collected CCTV surveillance data.
We had to put a number of mitigations and actions in place.
Those are largely complete now ago.
That risk can be de-escalated.
Finally, alongside the corporate risk register, you've also got the Health and Social Care Director at Risk Register
and colleagues here from that directorate.
So Mr Banerjee, the interim director for that area, and is present to answer any questions.
My assessment of that particular risk register is in pretty good shape.
It's one of the more mature ones we've got across the council.
So the recently departed deputy chief executive was very diligent in ensuring those risks were looked at,
questioned and challenged in some detail, at least on a quarterly basis.
So colleagues in that directorate have inherited a fairly solid risk register.
That will be my assessment. I'm happy to take any questions, Jim.
Thank you for that report.
Do they wish to contribute now after the question?
I think it's if there's any questions.
First of all, we'll take the questions.
Members wish to ask any questions.
Okay, we can see it.
COVID-19, your question first, please.
Not a question, just an update on the research.
I think Sherman's is already a director, but he's acting corporate director.
So Denise, his name is still on the register.
It's maybe because of publication dates.
But if we, as a risk register, we can update for the time period.
Sherman's name on it, that's all, just an observation.
Yeah, it is entirely to do with publication dates.
And Denise, did he email me on the last evening telling me to change it, and I did it immediately.
Less like a rough journey.
Okay, thank you. Are there any more? Okay, we have a question.
Just for clarification for my understanding.
I think you said earlier that there are certain areas that they haven't got around to putting their risks on.
People who are porting into the system, or are they just a bit surprised to hear that there's people who haven't bothered populating the risk register, because it's not new.
Or is this people who have been brought in?
Yeah, it's a little bit of everything, to be honest with you.
There were other areas where there have been staff changes, so ahead of service may have left, and that may have created a gap.
And hitherto, they hadn't considered risks in that particular area, and we ask that people down to the end of service do just that.
So previously, there's been some gaps. We've been working to address those gaps.
We've been facilitating risk identification sessions in one or two areas.
Obviously, that hasn't yet come to fruition in terms of those individuals undertaking the JCAD training and populating the risk registers.
So I think we've got a good idea of where they are, but it does need the individuals to take action to do that.
We are happy to facilitate that. We're not going to be dogmatic and say, It's your risks you must do it.
If somebody's struggling with workload, if somebody's struggling in some other area, if they can't engage with the software, we will help them do that.
And we will certainly populate the risk register to the best of our knowledge and leave them to pick up some of bits and pieces in terms of control owners and so forth.
So there's a process in there where we identify the gaps. We work with those particular managers to do the remediation work, but it hasn't borne fruition and borne action in all areas.
So does that mean that they are managing risks, but just on the side, and you don't have visibility to the system, or does it mean that they're not consciously identifying and managing and controlling the risks in their area?
It's a little bit difficult to speak in terms of generalities, but my assessment reads the former, rather than the latter, in most cases.
Okay, thank you. Do you have any more?
Sorry, a quick one.
You mentioned that somebody got a risk register that was in good shape that had been ported in.
Was that one of you guys?
I was just wondering if you could share what, if you have an opinion, on what makes your risk register have worked well previously.
I'm interested to know whether it's system structure, operating rhythm, culture.
I know you could go on about it all night.
Well, I could.
But just briefly, it would be good to get your insights as to what works.
Yeah, why not?
So just to go in briefly, there's been a long-standing, obviously a long-standing corporate director in that particular area.
She was well-versed in using J-CAD, and she would do many of the entries herself, and became almost an expert user.
That continuity and use, repetitive use of the system enabled her to have the knowledge and to manage those risks.
If you have changes, of course, people need to be retrained into how to use the system, and that can be a burden.
So you would have those gaps or those interregions where things don't happen.
That would be my assessment.
Colleagues, may wish to call it.
Yeah, thanks very much.
I think the reason why this is in reasonable shape is simply because we follow the process.
The previous corporate director would continually update the risks.
Our directorate leadership team, we would go through these risks one by one.
At the last meeting, we just went through these risks and assured ourselves that our mitigations were robust.
I don't think it's rocket science, really. It's just kind of repetition and routine.
And did that help you focus on your discussions?
Do you sort of feel that it was helpful?
Yeah, I think the ongoing challenge from the corporate director and the review, taking risks out, making that decision with David and having David come on a regular basis is really, you know, that's the process.
You wish to contribute?
Yeah, thank you. Just to add to that, I think because we were in a cycle of regularly reviewing the risk register and discussing the risks that were on there, it also means that in other discussions, when we're not particularly looking at the risk register,
we would also consider whether there was anything emerging that should be on it.
So it wasn't just confined to actually looking at the risk register.
Yeah, that's really good to hear. Thank you.
Thank you for that. Okay, we can now move on.
Oh, so go away. Do you find it? Okay.
Just another observation, but just wanted to find out a bit of, just wanted to find out most of the names allocated are either chief executive corporate directors and directors, but there's a few names who were not directors or corporate directors or chief executives.
Is there a standard we need to meet or is anybody who does the relevant training in managing the risk and is this a a corporate need for the council, or should we have an approach where we have the corporate directors or directors who oversee that level of risk.
So there isn't a hard and fast set of rules at the moment. Our advice is always that the risk should be owned by a corporate director or a director. That would be our advice.
Now, there is an opportunity to lay down a bit more of a mark and be a bit more dogmatic in this insofar as we will be updating the risk management strategy during this year and at that point in time, we could potentially look at introducing such a requirement.
Now, at the moment, we've resisted from doing so.
But where risks are not owned by director or corporate director, we've had discussions with the corporate director or the director responsible saying, wouldn't that sit better with you owning that particular risk.
So there is a debate in the discussion. It has been challenged. I can assure the council about that.
I think, yeah.
Sorry, last one from me, I guess. What we have risk, current risk and target risks, would it be possible and I think for presentation purposes to have a chart to see what the trend is in your today of what increases.
Yeah, the movement, yes, please.
David, we upgraded the software recently. We've got this capability now, so we can certainly do that.
Now, because, you know, and I've mentioned this previously, because some of the risks has previously been static, I can't pretend that's going to be particularly exciting diagram, but we will certainly bring that back to this committee for the purpose of transparency.
Absolutely.
Thank you.
Just to comment from my side, you did mention about cyber attack.
We're saying we are, we are under attack, or we have potentially, it's in my eyes and it's so why are people interested in cyber attacking us.
I mean, it's a risk on the corporate register because we could fall to cyber attack and number of councils have fallen victim to cyber attacks rendering their almost their entire IT operations redundant for a number of days, weeks and months.
It's a possibility. I think Hackney was one that was hacked not so long ago, Chairman, there have been others that wanted Lester was hacked recently.
So it's a big pardon.
Oh, yeah.
Did all the source of the cyber attack?
Is it from China?
No, no, I'm not aware where it was from. I mean, I know it's an amusement and so I did work at, I worked at ACCA before they suffered a lot of cyber attacks, particularly from China.
So it's possible.
Sorry, Councillor, just to let you know that the NHS, there was various different cyber attacks ransomware in NHS and in terms of housing associations, most recent one that I'm aware of, Clarion, and that affected a lot of our residents.
Yeah, thank you for that.
You kindly come in.
I can, I can, and it's just to say, as organizations increasingly become more dependent on technology and systems for storing data, those become gold mines targets for potential cyber attackers, either because they threaten to shut down your systems and hold you to ransom
and a number of organizations that happen to, or because they mine your data system and use the information it contains for bad purposes.
So, for example, in children's services, you have a list of vulnerable children in adult social care, they have a list of vulnerable adults with names and addresses. The last thing you would ever want is that information to give them to the wrong hands.
And so being data secure and cyber aware is critical for organizations like this.
Thank you for that. Yes, it's so clear. We have one more question from COVID-19.
Just the information sharing as this is the audit committee, apologies, Councillor.
Right, so there are malicious emails that go around in the name of Councillors and the mayor, so we've had a number of those going.
So, these are personal, isn't it?
No, it's not.
It's come to email addresses, so it might be worthwhile to have a corporate message sent out regarding phishing and stuff like that and how you quarantine all of that.
So, I've got it on an individual level, but maybe corporate wise, we look at sending out to staff or renewing training for staff so they're aware of it so they don't accidentally press respond or go onto any of those links.
Just the very good suggestion, we should vote.
Okay, I think that completes that agenda.
Okay, thank you.
Thank you for coming.
Yeah.
Councillor, he did send, okay, next one, thank you.
Okay.
No, we have four now, yes, but we are the final stages.
No, we can't, we can't, we aren't allowing anybody else to go until the meeting is complete.
Okay.
Yeah, let's give them a damn tip. Thank you.
Okay.
Can I now ask that the comments of the committee are noted?
The audit committee is a committed one.
Note the updated corporate risk register and why applicable request risk owners with risk requiring further scrutiny to provide a detailed update on the treatment and mitigation of those risks, including impact on the corporate objectives.
And the next audit committee meeting.
Note the proposed changes to the council risk register as set out in paragraph 3.4 and 3.5.
Note the updated health and social care director risk register and why applicable request risk owners with risk requiring further scrutiny to provide a detailed update on the treatment and mitigation of the risk,
including impact on the director's objective at the next audit committee meeting.
Now, we have come to the one of the last item, we have two left, 4.5 annual review of the anti-bravery policy.
This should take 10 minutes.
Can I again ask, invite David Dobbs to present this report on annual review, please.
Thank you, Chairman. Very straightforward. This is simply a cosmetic policy update in relation to the Bribery Act 2010 and the council's policy.
We needed to update some of the officer contact details to make sure that we could republish the policy and so that it's appropriate for circulation amongst council officers.
This, I would suggest, isn't a huge risk area for the council and I think since the act was brought in in 2010, we've only examined two offenses in relation to the Bribery Act and looked at whether or not they met the criminal threshold and neither of them did.
That's perhaps not such a huge issue for councils, probably more for organisations in the commercial sector. Nevertheless, it is a strict liability offence, so it's not good enough just to say we didn't know about Bribery.
We need to maintain what's known as adequate procedures. Parts of those procedures include a policy of which this is one chairman, so it's submitted here for updates and ratification by the committee. Thank you.
Thank you for that. Does member wish to ask any question on this? Okay, we have Councillor.
Thank you, Chair. Do we send out, I know this is on a paper format, do we send out training to our staff as well, so everyone to sort of online training, so they are aware of different scenarios, rather than just reading an essay?
Yeah, very good. Yeah, this forms part of the mandated corporate induction which all officers undertake when they join the council.
I think it could possibly be augmented by the training being updated and refreshed periodically, so we would update the training, provide some new scenarios as you've described and then it'll be rolled out again to officers.
But I think that induction package and all the e-learn that goes with it again is part of what colleagues in human resources are looking at at the moment in terms of how they can provide a better experience for new joiners, but also make sure we are meeting our responsibilities because that training element is key part of it.
Thank you, David. Are there any more questions? Sorry, let's go away. Okay.
Can I now ask the comments of the committee and note it and the recommendations are approved.
The audit committee is recommended to one note and approve the council updated anti-bribery policy.
Moving on to item five, audit committee work plan. These are on pages 117 to 118.
Can I ask members to note the audit committee work plan? Yeah, it's okay. Yeah.
Yes, we'll have a new one at the next year, immediately.
Now on the any other business, I don't think we have any others.
So, thank you for everybody for coming and taking part and contributing, especially the guest from the best value.
Thank you for coming. Next time when we will prepare, okay.
That's it. What is the next meeting?
Okay. Okay. Yeah, you'll get part of it. That's the next meeting. So, thank you and we'll see you on the next meeting.
So, so.
Thank you.
Thank you.
Summary
The council meeting focused on addressing the backlog of local audits, reviewing internal audit plans and progress, updating risk management strategies, and reviewing the anti-bribery policy. The committee discussed various reports and recommendations, leading to several decisions aimed at improving council operations and compliance.
Addressing Local Audit Backlog: The committee discussed proposals to address the backlog of audits from 2020-2023. The decision was to adopt a phased approach to clear outstanding audits and implement new statutory backstop dates. Arguments centered on the need for timely financial reporting versus the practical challenges of meeting proposed deadlines. The decision aims to restore timely financial accountability and avoid potential statutory penalties.
Internal Audit Plan and Charter for 2024/2025: The committee approved the internal audit plan and charter, emphasizing the need for audits to be more reflective of inherent risks rather than just managerial requests. The decision was to ensure audits are aligned with strategic risks and provide value. This change is expected to enhance the council's risk management and governance processes.
Risk Management Updates: Updates to the corporate and directorate risk registers were noted, including the addition of new risks related to rent collection, community cohesion, and the People First transformation program. The decision to update the risk registers aims to keep the council's risk management strategies aligned with current challenges and operational changes.
Review of Anti-Bribery Policy: The committee approved an updated anti-bribery policy, which was mainly a routine update to ensure compliance with current laws and regulations. The decision underscores the council's commitment to maintaining high ethical standards and legal compliance.
An interesting point in the meeting was the discussion on the practical challenges and implications of the local audit backlog, highlighting the national trend of delayed audits and the significant efforts required to address this issue. The meeting primarily focused on addressing the local audit backlog, updating the internal audit plan, reviewing risk management, and updating the anti-bribery policy. Key discussions included the audit backlog, internal audit findings, risk management updates, and the anti-bribery policy.
Local Audit Backlog: Asan Khan, head of strategic finance, discussed proposals to address the national local audit backlog and Tower Hamlets Council's external audit position. The proposals include statutory backstop dates for publishing financial statements by 30th September 2024 and subsequent years. The council has been supportive of these measures and has published draft accounts for 2021-2023. The focus is now on completing value for money work and preparing for the new auditors, EY, to take over from Deloitte.
Internal Audit Plan and Charter: David Dobbs, head of internal audit, presented the internal audit plan for 2024-2025. The plan includes traditional risk-based audits and allowances for work on corporate governance. The audit charter outlines internal audit's terms of reference and adherence to public sector internal audit standards. The committee agreed to the plan and charter.
Internal Audit and Anti-Fraud Progress Report: David Dobbs reported on the progress of the 2023-2024 audit plan, noting that 47% of audits resulted in reasonable or substantial assurance. Three audits received limited assurance: scheme of publication, attendance management, and the requisition system. The committee discussed the need for training and system improvements to address non-compliance issues.
Risk Management: The committee reviewed the corporate and health and social care directorate risk registers. David Dobbs highlighted ongoing efforts to update risk registers and assimilate risks from Tower Hamlets Homes and the pensions risk register. Three new risks will be added to the corporate risk register: rent collection and arrears, community cohesion, and the People First Council Transformation Program. The risk of non-compliance with the Protection of Freedom Act 2012 will be de-escalated.
Anti-Bribery Policy: The committee approved updates to the council's anti-bribery policy, which included updating officer contact details. The policy forms part of the mandated corporate induction for all council officers.
Audit Committee Work Plan: The committee noted the audit committee work plan for the upcoming year.
The meeting concluded with no additional business.
Attendees
- Abdul Wahid
- Ahmodur Khan
- Asma Islam
- Charlotte Webster
- Harun Miah
- Kabir Ahmed
- Maisha Begum
- Mufeedah Bustin
- Rachel Blake
- Saied Ahmed
- Abdulrazak Kassim
- Ahsan Khan
- Angus Fish
- David Dobbs
- Dr Somen Banerjee
- Farhana Zia
- Jonathan Gooding
- Julie Lorraine
- Leah Sykes
- Pat Chen
- Paul Audu
- Sarah Murphy
- Usman Zia
- Warwick Tomsett
Documents
- Agenda frontsheet 23rd-Apr-2024 18.30 Audit Committee agenda
- SUPPLMENTARY AGENDA 23rd-Apr-2024 18.30 Audit Committee agenda
- Declarations of Interest Note
- FINAL MINUTES 220124
- Addressing the Local Audit Backlog and Update on Outstanding Audit of Accounts 202021 202122 and
- Appendix. A - Deloittes Briefing Note on Plans for Addressing the Backlog in Local Audits
- Appendix. B 2020-21 Draft Statement of Accounts
- Appendix. C 2021-22 Draft Statement of Accounts
- Appendix. D 2022-23 Draft Statement of Accounts
- Internal Audit Plan and Charter 2024-25
- Appendix. 1 for Internal Audit Plan and Charter 2024-25
- Internal Audit and Anti-Fraud - Progress Report
- Appendix. 1 for Internal Audit and Anti-Fraud - Progress Report
- Risk Management Corporate and Directorate Risk Registers
- Appendix. 2 for Risk Management Corporate and Directorate Risk Registers
- Appendix. 3 for Risk Management Corporate and Directorate Risk Registers
- Annual Review of the Anti-Bribery Policy
- Appendix. 1 for Annual Review of the Anti-Bribery Policy
- Printed minutes 23rd-Apr-2024 18.30 Audit Committee
- Audit Cttee work plan draft 2023-24v10 - Apr mtg