The Governance & Assurance Committee of Redbridge Council met on Tuesday 30 January 2024 to discuss a range of important governance and financial matters. Key topics included the planning for the external audit of the Pension Fund, the Treasury Management Strategy for the upcoming financial year, and an update on the Council's Strategic Risk Register. The committee also reviewed the progress of Internal Audit and Counter Fraud activities, along with the Risk Management Strategy and Policy for 2024/25.

External Pension Fund Audit Planning Report for the year ended 31 March 2023

The committee was scheduled to consider the External Pension Fund Audit Planning Report for the year ended 31 March 2023¹. This report, provided by the Council's external auditors Ernst & Young (EY), was intended to summarise EY's initial assessment of key risks relevant to an effective audit of the Pension Fund. It was also expected to outline EY's planned audit strategy in response to these identified risks. The report indicated that any changes to this plan would be communicated to the committee at a future meeting. The auditors were required to satisfy themselves that the Pension Fund accounts complied with the 2022/23 Account Code of Practice and latest statutory requirements, and that proper accounting practices had been observed. EY had set initial materiality thresholds for planning and performance purposes for the Pension Fund, based on 1% of the net assets of the Fund as at 31 March 2023. The report also detailed the EY audit team and the use of third-party specialists, along with the scale fee for the 2022/23 audit.

Treasury Management Strategy 2024/25

A significant portion of the meeting was dedicated to the Treasury Management Strategy for 2024/25². This strategy is crucial for the Council's financial operations, encompassing borrowing and debt repayment requirements, an annual investment strategy, and prudential indicators for capital and treasury management. The Council is required by statutory regulations and the Chartered Institute of Public Finance & Accountancy (CIPFA) Code of Practice in Treasury Management to prepare this strategy annually, which is then approved by the Council as part of the budget-setting process. The Governance and Assurance Committee was nominated to scrutinise this proposed strategy. The strategy itself comprised proposed capital expenditure forecasts, a Treasury Management Policy Statement, a Minimum Revenue Provision Policy Statement, prudential indicators, and the Annual Treasury Investment Strategy. A key consideration within the strategy was the impact of the accounting standard IFRS 16, which requires the Council to account for certain leased assets as right of use assets from April 2024. The committee was recommended to support the proposed strategy, with a note that prudential indicators were subject to potential change before final approval by the Council.

2023/24 Strategic Risk Register Quarter 3

The committee was scheduled to review the 2023/24 Strategic Risk Register for the third quarter³. This report detailed the risks presented within the register, including changes in controls and their associated scoring. The register monitors risks using a Red, Amber, Green (RAG) status. The report highlighted that several strategic risks remained at a high residual score after the application of mitigating controls. Notably, the risk concerning the Failure to maintain a sustainable Medium Term Financial Strategy (MTFS) in an increasingly uncertain economic outlook (CORP0022) remained at 'Red' due to the ongoing impact of high inflation and interest rates on budget planning. Similarly, risks related to safeguarding vulnerable children (CORP0004) and vulnerable adults (CORP0013) remained 'Red'. The risk of Lack of availability of suitable standard affordable housing provision for temporary and permanent housing (CORP0014) had seen an increase in its likelihood score, moving it to a 'Red' status. The report also detailed updates on other risks, including those related to emergency planning, staff sickness, health and safety legislation, extremism prevention, alternative delivery models, and cyber security.

Internal Audit and Counter Fraud 2023/24 Quarter 3 Update

An update on Internal Audit and Counter Fraud activities since the previous meeting was presented⁴. This report included the outcomes of completed Internal Audit work, with a particular focus on areas where limited or no assurance was provided regarding governance, risk management, or control arrangements. It also outlined the progress made by management in implementing 'Red' and 'Critical' risk recommendations. Since the last meeting, no Internal Audit reports with limited or no assurance opinions had been finalised, although four were in draft reporting stage. The report detailed the progress on implementing 'Red' risk actions, noting that as of 15 December 2023, 20 out of 21 'Red' risk actions were not yet implemented. An aged analysis of these outstanding actions was provided, showing that 26% were over 12 months past their original target date. A summary dashboard of counter fraud activity and outcomes for the period January 2023 to December 2023 was also presented, detailing notional and cashable savings achieved through various investigations, including tenancy fraud, Blue Badge misuse, and data matching exercises.

Risk Management Strategy and Policy 2024/25

The committee was asked to review and consider the revised Risk Management Strategy and Policy for 2024/25⁵. This strategy, which integrates the Risk Management Policy Statement, Strategy, and Methodology, is reviewed annually and aligns with the International Standard in Risk Management, ISO 31000. Notable changes in the revised strategy included enhanced guidance on the risk management process, more detailed impact measures, a clearer explanation of the escalation process, a description of the Council's risk appetite, and updated Terms of Reference for the Corporate Risk Champions Group. The strategy aimed to embed risk management throughout the Council and its operations, supported by training and guidance available on the intranet. The Assurance Board had previously considered and endorsed this revised strategy.

Anti-Fraud and Corruption Strategy and Supporting Policies 2024/25

The committee was informed that the existing Anti-Fraud and Corruption Strategy (AF&CS) 2023-2025 and its supporting policies remained relevant and had been reviewed. No changes were deemed necessary before their planned end date in 2025. The key messages of the strategy, including zero tolerance for fraud and corruption and the pursuit of strong redress actions, were reiterated. An updated Annual Counter Fraud Strategic Action Plan for 2024/25, outlining corporate arrangements and actions to deliver the AF&CS, was presented for noting. The committee was recommended to note the updated action plan and to recommend to Cabinet the continued endorsement of the AF&CS and supporting policies.

Cyber Security Strategy 2024/25

The committee was presented with the Cyber Security Strategy for 2024/25⁶. This strategy outlines the Council's approach to managing cyber security risks, encompassing people, processes, and technology to protect digital services and information. It is informed by legislative, regulatory, and statutory requirements, aiming to provide proportionate controls to manage information risk. The strategy detailed the Council's established Information Governance framework, including the roles of the Senior Information Risk Owner (SIRO) and the Information Governance Board. The report highlighted the continuing hostile cyber threat landscape, with primary threats including phishing, supply chain compromise, and digital service/asset compromise. The strategy aimed to minimise the risk of data breaches and associated financial penalties.

Information Governance Strategy 2024/25

The Information Governance (IG) Strategy for 2024/25⁷ was presented, aligning IG activity with the Council's overall strategy. IG was described as a framework that brings together requirements, standards, and best practices for handling records and information, risk management, and compliance, particularly in relation to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The strategy's vision was to create an environment where individual privacy is respected and personal information is processed lawfully, fairly, and transparently. It outlined how the Council would meet its information management and security responsibilities, aiming to build confidence among residents, customers, partners, and suppliers. The strategy detailed links to the Corporate Strategy's priority themes and outlined objectives and deliverables related to legal compliance, privacy, service delivery, and information security.

Regulation of Investigatory Powers Act 2000 Policy

The committee was asked to consider the Council's Policy and Procedures on the use of powers available under the Regulation of Investigatory Powers Act 2000 (RIPA)⁸. This policy details the Council's use of covert surveillance techniques when investigating serious criminal offences. It explained the different types of covert surveillance, including directed surveillance and the use of Covert Human Intelligence Sources (CHIS), and the legal basis for their lawful use under the Human Rights Act 1998 and RIPA. The report noted that there had been no authorisations for RIPA powers in the past financial year, reflecting a general reduction in their use by local authorities. The policy and procedures were overseen internally by the Operational Director of Assurance and externally by the Investigatory Powers Commissioner's Office (IPCO). The committee was recommended to endorse the policy and delegate authority to the Chief Executive to amend the list of Authorised Officers as necessary.

Work Programme

Finally, the committee was presented with its work programme for the remainder of the 2023/24 municipal year⁹. This outlined the reports scheduled to be presented at future meetings, including the Annual Internal Audit Report, the Annual Report of the Monitoring Officer, an External Auditor Update Report, and the Information Governance Annual Report.