Agenda and minutes

Audit Committee - Monday 30th January 2023 7.30 pm

Venue: Council Chamber, Council Offices, The Campus, Welwyn Garden City, Herts, AL8 6AE

Contact: Vanisha Mistry 




To confirm as a correct record the Minutes of the meeting held on 21 September 2022 (previously circulated).


The minutes of the meeting held on 21 September 2022 were agreed as a correct record and noted by the chair.



Report of the Executive Director (Finance and Transformation) on the current strategic risks facing the Council as determined by the Corporate Management Team.  These risks have been reviewed in place for the quarter October to December 2022.



Officers shared the risks as determined by the Senior Management Team and reviewed at the Performance Clinic in January 2023. The risk commentaries have been updated to reflect the assessment of risks for the quarter October to December 2022.


Members noted that the previously reported risk scores were now included in the reporting and this assists members in identifying where there has been a change in the assessed level of risk between quarters.


It was noted that the corporate resilience risk has been reduced following a review of the emergency planning function, and additional training which is being planned for the coming quarter. The risk on the Local Plan has been reduced as the council is progressing with the consultation on the main modifications to the plan, as required by the Planning Inspector. The risk on Finance has been reduced on the basis that the draft budget proposals have been put forward for 2023/24, which show a balanced budget.


There are four operational risks with a score over 50 and the details of those are contained within the report. It was noted that the commentary against Strategic IT was incorrect, as it showed the commentary from the homelessness risk; it should read as follows: “we have a large number of robust control systems and processes in place, providing preventative cover and mitigating action in order for us to be as protected as reasonably possible. The risk has been maintained as high due to the ongoing cybersecurity threats on public bodies associated with the war in Ukraine and, as part of our response to the ongoing threat, the council has an exercise planned during the next quarter to raise awareness of phishing attacks”.


The following points were raised and discussed:


·         Members asked when they could expect to see a reduction in the score of the six red risks, as there has been no change from the previous quarter.  Officers stated that the score for the risk is based on the current controls that are in place, so it may be that the council has the risk as controlled as it possibly can.  For example, in IT there are inherent risks from external factors beyond the council's control, such as a cyber attack against the Council. The council cannot control that risk but measures will be put in place to reduce that risk as much as possible.

·         Officers said that the ICT exercise would initially get reported to the management team to come up with an action plan and depending on that, the council would provide an update to this committee against that particular risk.





(1) The committee noted the current Risk Management Update.


(2) The committee noted comments and actions in respect of the strategic and top operational risks.



Report of the Executive Director (Finance and Transformation) on a new Risk Management Policy and Strategy, along with the Risk Management Framework for the Council.





Following the management restructure, the remit for risk management had been moved to the Finance and Transformation Directorate, providing a good opportunity for a fundamental review.


Previously, the strategy and framework were one document, but these have been separated to provide a clearer distinction between the council’s policy and procedures. There is now a more defined policy statement on the Council's approach to risks, what the council’s key commitments are and what the governance arrangements are around risk. There are therefore some key changes worth highlighting to Members between the previous approach and the new approach.


The Council will be moving away from only assessing current risks and will now be measuring both the inherent risk and the residual risk. That will allow Members to understand how the control measures that the council puts in place manage and mitigate the impact on the risk score.


The Council will be moving to a risk scoring system of risk impact multiplied by risk probability, rather than probability multiplied by impact squared.  The previous, more complex score and approach was required because the council did not report on inherent risk; it was a way to try to filter out those risks which had a higher impact.


The Council will be looking to use a new system for recording risk which will, firstly, change the way reports look and improve reporting for both officers and members, and will also allow officers to record project risks. These are not currently managed in a consistent way throughout the organisation; the new approach will allow that. The risks will be reported to management on a more frequent basis, which will allow faster action to be taken on any emerging or increasing risks.


The new strategy and framework was presented to the Committee for consideration in advance of the 2023/24 year to ensure that, following its approval, officer training can be provided and a full and comprehensive review of the risk register undertaken in advance of the start of 2023/24. Member training on the new strategy and framework will be provided at the start of the new municipal year.


The following points were raised and discussed:


·         Members noted that the levels were similar to what was currently being used but the methodology for calculating them will be different.  Members asked if the new methodology was proven from other organisations or was it something that had been developed?  Officers said it was a standard approach; quite often organisations will choose between 1 to 3, 1 to 4 or 1 to 5, so it is a proven standard approach for risk management. Different organisations take different approaches to whether they report on the inherent risks or not, but moving to one with inherent risks means the council can simplify the scoring methodology.

·         Members asked if any of the risks had  ...



Report of the Shared Internal Audit Service (SIAS) which provides details on the progress made by SIAS in delivering the Council’s Annual Audit Plan for 2022/23 as at 13 January 2023.




The following points were raised and discussed:


·         In paragraph 2.2, the table detailed all the finalised reports since the last committee meeting in September 2022. It was noted eight audits had been finalised.

·         Paragraph 2.3 detailed all the reports currently issued in draft.

·         The table at paragraph 2.4 detailed the status of the one remaining outstanding audit from the council’s 2021/22 audit plan.  This audit has now been finalised.

·         In paragraph 2.7, it was noted that no new high priority recommendations have been raised as a result of the work completed.  There are currently no outstanding high priority recommendations from previous reports.

·         Paragraph 2.8 confirmed there were five medium priority recommendations due for follow up by the end of January 2023.  Two have been implemented. An update has been provided regarding the status of each remaining outstanding audit recommendation and is included in Appendix D.

·         In paragraph 2.1.2 an update was provided on performance indicators as at 13 January 2023. Since the submission of the progress report to the committee, SIAS have also issued an additional two draft reports.

·         Paragraph 2.1.5 provided an update on the current plan delivery position for SIAS noting the challenges. However, whilst subject to continuous monitoring, SIAS were able to provide assurance to the committee that the audits for 2022/23 have been allocated for completion before the end of the financial year.

·         Appendix A provided a detailed summary of all audits and their current delivery status. Appendix B detailed all audits, their start dates and status across the year.

·         SIAS noted that the medium recommendations relate to gaps in record keeping identified within compliance workbooks and remedial action trackers for the water hygiene compliance areas.  These relate to the medium recommendation follow ups in the report.  With regard to the partially implemented recommendations, they were rolling out tablets for testing to surveyors.  It was noted that this was around the further improvements and controls that have been put in place.  Controls were put in place to make sure that the compliance was up to standard, and the council will make sure that was on an ongoing basis for further improvements.

·         Members wanted clarification on voids management as the audit was cancelled or did not proceed. SIAS advised the audit was cancelled following an open meeting where it was agreed this was not the right time to do the review.  The remaining budget was put back into the building regulations audit area.  It was noted SIAS has an audit scheduled to be completed very shortly which will look at the process mapping around voids management.

·         The Chair stated that he queried the completion of the SIAS audit, as they were running below budget.  The SIAS officer had explained that they got additional resources and were hoping to catch up by the end of the year.  ...



Report of Ernst & Young LLP providing the Council’s Audit planning report for the year ended 31 March 2022.




The following points were raised and discussed:


·         Pages 63 and 64 of the agenda pack summarise Ernst and Young’s (EY) risk of material statements that they have identified. The Committee will be familiar with most of these risks as most have not changed since the prior period. However, there was a slight change in focus on the risks related to provisions and allowances. These were previously communicated as one risk; however, this year EY disaggregated this so there is a better focus on the different assumptions that are required in making each of those estimates.

·         Page 65 looks at the materiality. The planning materiality for the year was £2.63m and this is the level at which EY will make an overall assessment on the truth and fairness of the financial statements. The performance materiality is £1.97m and this is the level at which EY perform their audit fieldwork. The trivial errors threshold is £0.13m, and EY will communicate the errors corrected above this level to the Committee.

·         On page 93 the Final Reporting Council’s (FRC) ethical standard requires EY to communicate formally that they are independent of the Council throughout the external audit.

·         Members queried page 79 where it refers to EY’s status of 2021/22 value-for-money planning and asked if it is correct as we are now in 2023? EY stated they undertake value for money work alongside the external work of the accounts. That work is on the arrangements in place up until 31 March 2022, so this is correct.





The committee noted the External Audit Planning Report by Ernst and Young LLP.