The Audit Committee of Mid Devon District Council were scheduled to meet on Tuesday, 30 September 2025 to discuss the corporate risk register, cyber security, and internal audit progress. The meeting was scheduled to be held in a hybrid format, allowing both in-person and virtual attendance. An audio recording of the meeting was scheduled to be made and published on the council website.

Corporate Risk Report

The committee were scheduled to receive a quarterly update on the Corporate Risk Register (CRR) from Steve Carr, Corporate Performance and Improvement Manager, and Matthew Page, Head of People, Performance & Waste.

The CRR contains strategic risks that could impact the council's corporate priorities. The report pack included a risk matrix and a template providing information on each risk.

Since the last report, significant changes to the CRR included:

• An increase in the risk rating for financial sustainability due to local government funding announcements.
• An increase in the risk rating for the quality of planning decisions, reflecting the fact that the Local Plan is out of date.
• A redraft and widening of the severe weather emergency recovery risk, now called Emergency Recovery, with a reduced risk rating.
• The addition of Emergency Planning Response to the CRR.

The CRR contained seventeen risks, including:

• Culm Garden Village – Loss of capacity funding
• Culm Garden Village – Delay/ impact to project arising from infrastructure delays
• Cyber Security
• Failure to meet Climate Change Commitments by 2030
• Homes for Ukraine Scheme
• Information Security
• Financial Sustainability
• Quality of Planning Committee Decisions
• Cullompton Town Centre Relief Road
• Cost of Living Crisis
• Housing Crisis
• Corporate Property Fire Safety
• Building Control Service viability
• Emergency Recovery
• Housing Rent Error Correction
• Devolution and Local Government Reorganisation
• Emergency Planning Response

Devon Assurance Partnership (DAP) Internal Audit Progress Report

The committee were scheduled to receive a progress report from the Devon Assurance Partnership (DAP) on the Internal Audits completed to date. The report included a summary of work against the Internal Audit plan for the 2025/26 financial year, highlighting key areas of work and summarising findings and recommendations.

The report noted that the Head of Internal Audit was unable to provide an opinion on the adequacy and effectiveness of the authority's internal control framework at this stage of the year.

The report also included:

• An assurance map to reflect audit work and input from management, including the council's risk register.
• A summary of assurance opinions.
• Information on value added.
• Details of annual follow up activity.
• A summary of audit recommendations.
• Information on audit performance.
• An update on irregularities prevention and detection.

Appendix 1 of the report contained a summary of audit reports and findings for 2025/26, including information on procurement, housing rents, legal services, staff performance and appraisals, the corporate plan, and repairs and maintenance.

Appendix 2 provided information on the clearance of audit recommendations. Appendix 3 detailed professional standards and customer service. Appendix 5 described the audit authority. Appendix 6 concerned the annual governance framework assurance, and Appendix 7 set out the basis for opinion.

Cyber and Information Security Update

The committee were scheduled to receive a report from Lisa Lewis, Head of Digital Transformation & Customer Engagement, providing an update on cyber and information security activities over the last 12 months.

The report stated that the council's ICT and Information Management teams are responsible for ensuring that cyber and information security risks are appropriately mitigated, and that these activities are overseen by the IT and Information Governance (ITIG) board.

In 2024, Mid Devon District Council participated in a 'Get CAF Ready' project and an external audit with Bridewell, resulting in a Cyber Assessment Framework (CAF) improvement plan. Devon Audit Partnership (DAP) provided project assurance on these activities.

Other recent activities included:

• The purchase and implementation of a 24/7 managed extended detection and response service for threat detection, monitoring, and incident response services.
• Full roll-out of Multi Factor Authentication (MFA) on end-point devices.
• The recent procurement and current implementation of a system for managing risks around supply chains for cyber and data.
• Market research on improved cyber and data protection awareness training and phishing simulations.

Other items

The agenda also included:

• Apologies for absence.
• Public question time.
• Declaration of interests under the code of conduct.
• Minutes of the previous meeting.
• Chairman's announcements.
• An interim update from Bishop Fleming, the external auditors.
• Identification of items for the next meeting.