The Audit and Governance Committee of North Northamptonshire Council met to discuss internal audit plans, progress reports, risk management, IT audits, and policies related to fraud, bribery, and whistleblowing. The committee approved the internal audit plan, noted the progress report and risk register, and approved the updated anti-fraud and corruption policy, as well as the existing anti-bribery policy. The committee also requested revisions to the whistleblowing policy before its adoption.

Internal Audit Plan Development 2026/27

The committee discussed the proposed approach for developing the internal audit plan for 2026/27. Rachel Ashley-Corn, Chief Internal Auditor, outlined the process, which includes consulting with the leadership team, reviewing risk registers and corporate plans, and assessing existing assurances. She also invited committee members to suggest areas where they would value potential internal audit coverage. Councillor David Brackenbury suggested growth, regeneration and regulatory services as potential areas of interest. The committee endorsed the proposed approach.

Internal Audit Progress Report

Rachel Ashley-Corn presented the internal audit progress report, which included updates on several completed audits.

• Mandatory Training: The audit revealed that only 60% of officers were compliant with mandatory training requirements. Feedback from managers indicated that they could only see their direct reports rather than their whole service area, limiting their oversight. The audit gave a moderate level of assurance for the control environment and compliance.
• Absence Management: The audit found that the level of absence appeared to be higher than expected, with anxiety, mental health, and depression being the highest reasons for absence. There were also issues with the accuracy and completeness of absence data, as absences were often recorded late. The audit gave a good level of assurance on the controlled environment but only moderate assurance for compliance.
• Customer Services: The audit found that action had been taken on previous audit recommendations, with good records around staff incident reporting and training. However, some areas of non-compliance were identified, including the completion of mandatory training and the recording of security incidents. The audit gave a good level of assurance for the control environment and a moderate level for compliance.
• Development Management: The audit focused on extensions of time and site notices and found that while site notices were being produced, there was a lack of evidence around how they had been recorded. Extensions of time were also not being published online. The audit gave a moderate assurance opinion for compliance. Councillor Mark Pengelly raised concerns about site notices being put in the wrong places and a lack of consultation with statutory bodies.
• Service User Monies - Adults: The audit reviewed two services supporting individuals with their money and found that while checks were in place, some audits were not taking place as regularly as expected, and some agreements had not been signed by the service user or their representative. The audit gave a good level of assurance on the control environment and moderate assurance for compliance.
• Payroll: An audit of the payroll service, which is shared with West Northamptonshire Council and performed by Cambridgeshire County Council, found some areas for improvement related to recommendations from previous audits. The audit gave a moderate assurance opinion for both the control environment and compliance.

The report also included an update on actions arising from audit reports, with 25 actions implemented since the last progress report. However, 13 actions were within three months overdue, and 46 were over three months overdue.

The committee approved a recommendation to amend the internal audit plan, replacing an audit of building control with an audit of housing complaints.

During the discussion, Councillor Trevor Conway raised concerns about the high number of sick days per member of staff and the prevalence of anxiety, mental health, and depression as reasons for absence. Councillor Steve Geary also commented that the number of sick days seemed high and that it would be interesting to find out what was going on. Claire Edwards, Executive Director of Finance and Performance, noted that the council's sickness rate was slightly higher than its nearest neighbours, reflecting the strain that local government is facing.

Councillor Andy Sims expressed concern about the mandatory training response rate of 49%.

Strategic Risk Register Update

Rachel Ashley-Corn presented an update on the Strategic Risk Register, highlighting a new risk entry around the risks associated with the public switched telephone network (PSTN) being decommissioned and its potential impact on services that provide support to vulnerable service users. She also noted that the health and safety risk entry had been reviewed following a change in the lead service area. Councillor Pengelly raised concerns about staff capacity and its impact on the risks listed in the register. The committee noted the outcomes of the risk register update.

External IT Audit 2024/25

Claire Edwards introduced Paul from the council's external auditor, Grant Thornton, to present the external IT general control report. The report reviewed the IT systems that feed into the council's financial statements. Paul noted that there were 19 recommendations from the prior year, 18 of which related to legacy systems that are now not applicable. The report identified two minor recommendations:

• User access was not appropriately revoked for terminated employees within Heycentric.
• Weak password configuration settings for Care First, the adult social care system.

Councillor Conway asked why this was being done as an external audit and not an internal audit, and how much the external audit cost. Paul explained that it was part of the external auditor's requirements and that the cost of doing the work internally would outweigh the cost of doing it externally. Claire Edwards added that the fees are set nationally through the prescribed PSA scale fee. Councillor Pengelly asked about the ICT value report that was set up by Guy Holloway, but that work seems to have stopped. The committee noted the findings of the external IT audit report.

Anti-Fraud and Corruption Policy and Anti-Bribery Policy

Rachel Ashley-Corn presented the anti-fraud and corruption policy and anti-bribery policy for annual review and approval. She noted that the policies had been assessed against the new requirements of the Economic Crime and Corporate Transparency Act, which introduces a new offence for organisations of failure to prevent fraud. She highlighted the addition of an action plan to the anti-fraud and corruption policy. The committee approved both the updated anti-fraud and corruption policy and the existing anti-bribery policy.

Whistleblowing Policy

Kamila Coulson-Patel, Director of Law & Governance and Monitoring Officer, presented the updated whistleblowing policy for review and feedback. She noted that the policy had been reviewed and updated to reflect organisational practices and modernisation. Councillor Brackenbury raised concerns about a paragraph stating that disciplinary action would be considered if an allegation was found to be unfounded, malicious, mischievous, or vexatious, arguing that no disciplinary action should apply if an allegation is made in good faith. Councillor Garner supported this point, noting that the Public Interest Disclosure Act 1998 states that a person is protected if they make a disclosure in good faith. Councillor Pengelly asked how the council benchmarks itself against other councils in terms of whistleblowing requests. Michael Whitworth, Independent Person, suggested having a laminate of who to speak to about whistleblowing and safeguarding concerns next to water coolers. The committee noted the review undertaken and requested revisions to the policy before its adoption.