This meeting will cover a wide range of issues relating to the Council's financial management and governance. The most significant discussions will focus on the Council's Corporate Risk Register, its Annual Governance Statement for 2023/24, and the performance of the Counter Fraud and Enforcement Unit. The Committee will also discuss the Council’s data protection arrangements and receive updates on the work of Internal Audit. The final item on the agenda is the approval of the Council's Statement of Accounts for 2023/24.

Financial management and the Corporate Risk Register

The Council's Corporate Risk Register is a useful tool that is commonly used by local authorities to demonstrate that risks are formally considered and managed. It captures the key risks facing the Council, assesses their likelihood and impact, and identifies the controls in place to mitigate these risks.

The Council has identified fourteen corporate risks, and these can be found within the report pack ¹. Significant updates to the register, include a new risk associated with the proposed change of the Council’s name ². The Register now identifies “Ineffective rollout/non-rollout of council name change” as a risk with a score of 20, meaning that the Council must take action to reduce the risks associated with this project. If not properly managed the project could result in “adverse reputational impact”, “additional financial cost”, and “additional officer time”.

Since the last update to the Register, there have also been increases in the risk scores associated with both Cyber Security and Business Continuity Planning ³. In both cases the risk scores have been increased as a result of a recent cyber attack experienced by the Council.

See: Appendix 1 - Corporate Risk Register- Dec 2024 Committee The Council experienced a cyber attack on 4 September 2024, which resulted in a temporary shutdown of its IT systems.

Governance and the Annual Governance Statement

The Annual Governance Statement (AGS) is a key document that provides an independent assessment of the Council's governance arrangements. The Council’s 2023/24 AGS can be found within the report pack ⁴. The AGS concludes that, overall, the Council’s governance arrangements are “sound and fit for purpose”. However, the AGS identifies a number of significant governance issues, which will be monitored and reported on by the Council during the coming year. These issues include:

• Development of a local code of corporate governance: The Council intends to develop a local code of corporate governance that will align with the principles of “Delivering Good Governance in Local Government: Framework 2016”.
• Equality, Diversity and Inclusion: The Council intends to develop a new Equality, Diversity and Inclusion (EDI) policy, supported with an associated action plan, to “make equality, diversity and inclusion a part of our core business”.
• Fraud risk registers: The Council intends to develop fraud risk registers for higher risk service areas. The development of fraud risk registers is intended to help the Council to promote high ethical standards and encourage the prevention and detection of fraudulent activities, thus supporting corporate and community plans.
• S106 process improvements: The Council intends to implement the recommendations of a recent internal audit report, which identified the need for significant process improvements in relation to the management of funds received through Section 106 agreements ⁵.
• Building control governance: The Council intends to review the governance arrangements for the delivery of its building control function and implement the recommendations of a recent internal audit report, which concluded that, as a result of failings in the service’s governance arrangements, it had “been unable to gain assurance that the fees and charges had been considered by the Joint Monitoring Liaison Group” ⁶.
• Complaints framework: The Council intends to complete the implementation of a new system for handling formal complaints and train staff on how to use the new system.
• Member development: The Council intends to implement a member development plan that will provide Members with more opportunities to develop their skills and knowledge.
• Place programme: The Council intends to develop an effective governance framework for the “place programme”, a key workstream within the Council’s recently adopted Council Plan. The programme aims to support communities to understand their issues and develop local solutions.
• Data strategy: The Council intends to develop and approve a new Data Strategy.
• Flood resilience and preparedness: The Council intends to report on an improved approach to “response and recovery in relation to flooding incidents”. This will be informed by a “lessons learnt” exercise conducted by the council’s internal Flood Risk Management Group.
• Cyber security: Following a recent cyber attack, the Council intends to develop a “lessons learnt” action plan to improve its response to, and recovery from, future cyber attacks.

Counter Fraud and Enforcement

The Council’s Counter Fraud and Enforcement Unit (CFEU) is responsible for investigating allegations of fraud against the Council. The CFEU's work is governed by a number of policies and procedures, including the Regulation of Investigatory Powers Act 2000 (RIPA) and the Investigatory Powers Act 2016 (IPA). These Acts provide the legal framework for the use of surveillance and the acquisition of communications data during investigations.

A report on the work of the CFEU has been provided to attendees of the meeting ⁷. The report highlights a number of key activities undertaken by the Unit since the last meeting, including:

• Multi-Agency Approach to Fraud (MAAF): The CFEU has been working with a number of other agencies, including Gloucestershire Constabulary, Gloucestershire Trading Standards and the NHS, to establish a multi-agency approach to fraud in Gloucestershire. The MAAF will have a dedicated webpage, which is currently being developed by Tewkesbury Borough Council.
• Business Grant Schemes: The CFEU is continuing to work on the recovery of overpayments made under the government’s Business Grant Schemes, which were introduced during the COVID-19 pandemic. The deadline for this work has recently been extended to 30 June 2025.
• Flood Recovery Grants: The CFEU worked to verify claims made under the Community and Business Recovery Grant Schemes, which were introduced following severe flooding events between 2 and 8 January 2024. The CFEU verified 190 Community Recovery Grants and 61 Business Recovery Grants, and identified no instances of fraud.
• National Fraud Initiative: The CFEU has been using data matching techniques to identify potential cases of fraud. The National Fraud Initiative (NFI) is a data matching exercise, conducted by the Cabinet Office, which is used by local authorities to identify potential cases of fraud and error. The CFEU has identified a number of potential cases of fraud, relating to council tax single person discounts and the Housing Waiting List, which are being investigated.
• Housing Waiting List: The CFEU has been working to verify applications on the Housing Waiting List. This work has resulted in the removal of 97 applications and a loss avoidance figure of £415,451.
• Council Tax Reduction Scheme: The CFEU has been investigating allegations of fraud relating to the Council Tax Reduction Scheme. 4 cases were opened in 2023/24 and 2 cases have been opened since 1 April 2024. This work has resulted in an increase in council tax revenue of £21,465 and the acceptance of 3 criminal penalties and 3 civil penalties. In addition an individual received a suspended custodial sentence for failing to declare income.
• Wider enforcement activity: The CFEU has also been involved in a number of other enforcement activities, including the prosecution of individuals for taxi licensing offences and heritage offences.

Data protection

The Council, as a data controller, is required to process personal data in accordance with the UK General Data Protection Regulation (GDPR). A report on the Council’s data protection arrangements has been provided to attendees of the meeting ⁸. The report outlines the roles and responsibilities for data protection within the Council, highlights the key work that has been undertaken during the year, and sets out the Council’s future action plan ⁹.

The report identifies the following key activities, which have been undertaken during the year:

• Data protection training: Training on data protection and information security has been provided to staff and Members.
• Data retention project: A data audit across all service areas has been completed, the findings of which will inform future work, including the development of an Information Governance Framework and the revision of the Council’s Data Retention Schedule.
• Information Governance Framework: Work has commenced on the development of an Information Governance Framework.
• Subject Access Requests: The Council has successfully processed 77 Subject Access Requests during 2023/24.

The report notes that there have been a low number of data breaches recorded during the year and highlights that the only breach, which met the threshold for reporting to the ICO, has now been concluded without further action being taken.

Internal audit

Internal Audit is an independent function that provides assurance to the Council on the effectiveness of its risk management, control, and governance processes.

A report on the work of Internal Audit has been provided to attendees of the meeting ¹⁰. The report provides an update on the audit work completed since the last Audit and Governance Committee meeting, including:

• Licensing: This audit reviewed the systems, processes and procedures that support the issuing of 18 different types of licences by the Council, including street trading licences, private hire driver licences and road closure licences. The audit found that “policies are in place for all licences”, and that for the majority, procedure notes are also in place, with the exception of licences for “Tattoo, Piercing and Electrolysis”, the Gambling Act 2005 and “Scrap Metal Sites”. The audit recommends that procedure notes should be developed for these areas.
• Housing Benefit Debtors: This audit reviewed the systems, processes and procedures that support the recovery of overpayments made by the Council under the Housing Benefit scheme. The audit confirmed that “appropriate controls are in place for council staff accessing DWP data”, but identified a number of areas for improvement, including: the development of a report, which will capture information about the recovery of overpayments; and the introduction of weekly checks on suspense accounts.

In addition to these two audits, the Internal Audit team is currently working on audits in relation to the Council’s Leisure Centre contracts, the UK Shared Prosperity Fund, and the Transparency Code.

A further report ¹¹ provides information on the new Global Internal Audit Standards (GIAS) ¹². The new standards will come into effect in the UK public sector on 1 April 2025, and include a number of changes that will impact the way Internal Audit operates, including:

• Internal audit strategy: A new requirement for the CAE to develop and implement a strategy for the internal audit function.
• Co-ordination with other assurance providers: A new requirement for the CAE to co-ordinate with other assurance providers, such as external audit and regulators, and consider relying upon their work.
• Disagreement with management: A new requirement for internal auditors to follow an established methodology to resolve disagreements with management about engagement recommendations and/or action plans.

See: Internal Audit Monitoring Report - Covering report.

Statement of accounts

The Council’s Statement of Accounts for 2023/24 can be found within the report pack ¹³.

The report pack includes a report on the audit of the Council’s Statement of Accounts ¹⁴, which has been undertaken by Bishop Fleming LLP. The report confirms that an unqualified audit opinion is expected to be issued.