The Audit and Standards Committee of Staffordshire Council met on Tuesday 21 April 2026 to review the council's information governance, civil contingencies, and internal audit functions. Key decisions included the endorsement of updates to the council's constitution regarding the Staffordshire Health and Wellbeing Board and the approval of the proposed Internal Audit Strategy and Plan for 2026/27.

Annual Report on Information Governance

Tracey Foley, Assistant Director for Corporate Operations, presented the Annual Report on Information Governance for 2025/26. The report highlighted a significant increase in Subject Access Requests (SARs), particularly in children's services, which has impacted response times. While there was a slight decline in reported security incidents, data breaches reported to the Information Commissioner's Office (ICO) increased slightly, though the ICO took no further action on any reported cases. Freedom of Information response rates declined dramatically due to staffing issues, but temporary agency support has been secured to address backlogs. Cyber security measures have been reviewed and strengthened, with the council receiving a £15,000 grant to enhance third-party and supply chain security. Mandatory cyber security training has a 93% completion rate. The council has successfully renewed its Public Sector Network (PSN) connection and achieved Cyber Essential accreditation for the sixth consecutive year. Records management training is being refreshed due to identified poor practices, such as saving data for too long. No surveillance applications were made under the Regulation of Investigatory Powers Act (RIPA) during the reporting period, and no requests were made to the National Anti-Fraud Network. Councillor Colin Greatorex raised concerns about the impact of a single specialist going on long-term sick leave on Freedom of Information (FOI) responses, and the council confirmed that business support staff and external resources are being used to mitigate this. Councillor Alex Farrell questioned the mandatory nature of GDPR training for councillors, which was confirmed as mandatory during induction. Councillor Matthew Wallens inquired about consequences for non-compliance with cyber training, and it was stated that this is monitored monthly and reported to senior leadership. Councillor Francis Chiwariro asked about the causes of security incidents, with human error being the majority cause, often due to rushing or sending to the wrong email address. The committee accepted the report, acknowledging the appropriateness and currency of information governance practices.

Annual Civil Contingencies Report

Adam Cooper, Head of Registration Service and Emergency Planning, and Tracey Foley presented the Annual Civil Contingencies Report for 2025/26. The report detailed the council's emergency planning, response, recovery, and business continuity arrangements, which were deemed fit for purpose and compliant with the Civil Contingencies Act 2004. The Staffordshire Resilience Forum (SRF), supported by the Civil Contingencies Unit (CCU), works in partnership with various agencies to ensure a coordinated multi-agency approach. Key achievements for the year included exercising a COMAH site external emergency plan, maintaining an accredited training and exercise programme, implementing a National Power Outage Plan, and introducing the Staffordshire Multi-Agency Flood Plan. A new Care and Welfare Task and Finish Group was established to enhance humanitarian assistance. The council has an overarching Civil Contingencies Policy and a suite of supporting plans, which are reviewed regularly. The Community Risk Register and the council's own Emergency Planning & Resilience Risk Register have been maintained. Business continuity management has been strengthened with a revised framework rolled out across all directorates. Training and exercising records are now held in an electronic learning hub, providing a clear audit trail. Response arrangements were strengthened with the introduction of a tactical on-call role to support the director on-call, and investment in a radio communication system for use during power outages. Priorities for the year ahead include improving resilient telecommunications, maintaining the accredited training programme, and preparing for the implementation of the Terrorism (Protection of Premises) Act 2025 (Martyn's Law). Councillor James Hodges asked for measurable evidence of improved response times from the new tactical on-call role, with officers noting that it was too early to provide definitive data but that it had assisted in preparedness incidents. Councillor Jon Pendleton inquired about the completion of business continuity plans, with approximately 54% of services having plans on the new system, and a higher percentage having completed business impact assessments. Councillor Colin Greatorex raised concerns about pre-emptive work, particularly in flood management, and the council's involvement with development authorities regarding building on floodplains. The report assured that the SRF model facilitates sharing lessons learned and proactive planning. The committee accepted the report, acknowledging the effectiveness of emergency planning arrangements.

Internal Audit Charter 2026

Lisa Andrews, Assistant Director – Audit, Risk Management and Insurance Services, presented the Internal Audit Charter for 2026. The charter defines the purpose, authority, and responsibilities of the internal audit function in line with the Global Internal Audit Standards in the UK Public Sector. A key change for this year's charter is the requirement for internal and external auditors to meet with the committee privately at least annually, without senior management present. The charter was endorsed by the committee. Councillor Matthew Wallens asked about reducing catastrophic and high-priority risks, and it was explained that the priority ratings matrix is illustrative and used to rank recommendations. Councillor Jon Pendleton questioned safeguards for audit independence given the Chief Audit Executive's operational overlap, and it was stated that colleagues would report directly to the Director of Finance and Resources in such instances. David Webster, an expert witness, commented that the charter was comprehensive and met all standards.

Proposed Internal Audit Strategy & Plan 2026/27

Lisa Andrews presented the proposed Internal Audit Strategy and Plan for 2026/27. The plan is risk-based and developed through consultation with senior management and operational managers. Key areas of focus include financial management and controls, digital innovation projects (such as AI and the Corporate File Plan), ICT audits, cyber assurance, and support for children's services following an Ofsted review. The plan also includes audits related to Local Government Reorganisation (LGR), governance, and partnerships. The top ten risk reviews identified include new system implementations (Finance & HR ERP, Care Case Management), LGR support, Children's Services improvement plans, SEND governance, business planning, digital transformation, HR management, cyber assurance, highways services, and Entrust future contract arrangements. The plan allocates resources to risk-based audits, counter-fraud work, and audit management. The committee reviewed and approved the proposed content and coverage of the Internal Audit Strategy and Plan 2026/27. Councillor Thomas Baker questioned the audit of academies, and it was clarified that the council does not audit academies unless contracted to do so. Councillor Matthew Wallens asked about the inclusion of portfolio holders in consultations, and it was confirmed that consultation is primarily with senior management. David Webster commented on the performance measures, suggesting the inclusion of draft reports issued within deadlines and audits carried out within the resource budget. Lisa Andrews agreed to take this away for consideration.

Proposed Update to the Constitution

Jennifer Norman, Member and Democratic Services Support Officer, presented a proposed update to the council's constitution regarding the Staffordshire Health and Wellbeing Board. The changes reflect a revised meeting structure, board membership, and co-chairing arrangements, aligning with good practice. The committee noted the changes and endorsed them for referral to Full Council for updating the constitution.

Forward Plan for the Audit and Standards Committee

Lisa Andrews presented the refreshed Forward Plan for the Audit and Standards Committee for 2026/27. The plan outlines the topics to be covered in future meetings, highlighting the cyclical nature of the committee's business. The committee noted the plan, with Councillor Paul Jones commenting positively on its clarity.

The meeting concluded with a short comfort break before moving to exempt items.