Agenda and draft minutes

The Chair welcomed all present to the meeting and read out the Building Evacuation procedure.

To receive any declarations of interest.

A Member referred to the Chief Officers Appointments Committee.  It was queried whether a declaration of interest was required at this meeting if Members sitting on both the Audit Committee and Chief Officers Appointments Committee had supported the appointment of a Chief Officer, who could be associated with the business of the Audit Committee.  It was confirmed that this was not a requirement.

The minutes of the Audit Committee meeting held on 14 March 2024 were submitted and approved as a correct record, subject to the following amendment:

• Page eight, Minute No. 23/36 – paragraph four, line two: “The Auditor stated…” to be amended to: “The Officer stated…”.

The Chair requested updates in relation to two previously agreed actions; these would be considered under Any Other Urgent Items.

A report of the Director of Legal and Governance Services (Monitoring Officer) was presented to outline the Council’s approach to health and safety management and summarise activity in the past year and planned activity for 2024, in order to provide the Committee with assurance that the Council has robust arrangements in place, as required by the Health and Safety Act 1974.

The Council had a governance framework structure in place to oversee health and safety, ensure compliance with legal requirements and deliver ambitions in relation to Health and Safety.

The digitised health and safety management application (My Compliance) continued to be developed and its processes embedded within day-to-day risk management.  Data built up in the system had been used to improve understanding of the impact of violent incidents, unblock systematic issues to improve compliance and increase Officer and Member visibility and oversight.  Regular reviews of underpinning documentation with the governance framework were undertaken. 

During 2023, the following procedures were implemented and/ or reviewed:

• Legal Register implemented.
• Health and Safety Policy reviewed.
• Three-year Strategic Health and Safety Plan implemented.
• Fire Procedure and Policy Statement implemented.
• Noise Procedure implemented.
• Vibration Procedure implemented.
• Personal Protective Equipment Procedure implemented.
• Respiration Protective Equipment Procedure implemented.
• Abusive, Persistent and Vexatious Policy implemented.

Reporting content for oversight of health and safety had also been refreshed, utilising the new capabilities of My Compliance and Power BI to enable reports to focus on the lessons to be learned, trends and areas of concern, while providing assurance as to the robust datasets in place to track health and safety compliance.

A key focus for the team during 2023 had been the implementation of the health and safety management system, which had ensured that there was a robust system in place to support staff and Members.

The Council continued to deliver training and support to staff to ensure compliance with health and safety obligations and understanding of roles and responsibilities. 

In addition to the suite of eLearning materials that were already available to all staff, during 2023:

• Face-to-face incident investigation awareness, evacuation chair and fire warden courses were delivered to supplement e-learning.
• Face-to-face manual handling and people handling were delivered to support operational areas.
• eLearning resources were refreshed to enhance manual handling training.
• A Personal Safety Train the Trainer course was completed by eight personnel within the Local Authority to deliver a bespoke package in 2024 onwards.

A restructure of the Health and Safety Unit occurred in May 2023, which resulted in the Health and Safety Unit combining with risk management to create the Risk and Health and Safety Team.  Current financial restraints within the Local Authority meant one post within the Risk and Health and Safety Team had not been filled.  This resulted in ownership for delivery of fire risk assessments from January 2024 moving back to Asset Management to manage until the post could be filled.  This had now been achieved.

During 2024, further work would be undertaken to implement the new strategic plan for health and safety.  This  ...  view the full minutes text for item 23/42

A report of the Head of Governance Policy and Information was presented to advise the Audit Committee of arrangements in place to ensure the proper governance of information within the Council, progress made within the 2023 calendar year, risks and issues arising, and priorities for 2024/25.

The Council created, protected, managed, shared and disclosed information in line with a complex legal framework.  The report dealt principally with information governance arrangements relating to the following, and the risks arising from:

• Data Protection Act 2018 (DPA).

·        UK General Data Protection Regulation 2016 (UK GDPR).

·        Privacy and Electronic Communications Regulations 2003 (as amended).

·        Environmental Information Regulations 2004 (EIR).

·        Freedom of Information Act 2000 (FOI).

·        Regulation of Investigatory Powers Act 2000 (RIPA).

·        Protection of Freedoms Act 2012 (PoFA).

The Council’s activity in this area was largely regulated by the Information Commissioner’s Office (ICO), with the Investigatory Powers Commissioner’s Office (IPCO) acting as the regulatory body for RIPA, and compliance with the Surveillance Camera Code of Practice and the relevant provisions of PoFA encouraged by the Biometrics and Surveillance Camera Commissioner.

The Head of Governance Policy and Information acted as the Council’s SIRO/ Senior Responsible Officer (SRO) for Biometrics and Surveillance and RIPA, and was the owner of the Council’s Information Strategy.  The SIRO advised the Chief Executive and the Council’s management team on information risk, reporting quarterly to the internal risk management group and annually to the Leadership Management Team (LMT) and Audit Committee.

The report provided an overview of compliance, issues and risks in 2023 in the following areas:

• Information Governance Framework.
• The Information Strategy.
• Data Protection.
• Information Security.
• Cyber Security.
• Records Management.
• Surveillance Policy.
• Public Information and Information Requests.
• Physical Access and Building Security.

During 2024, a refresh of the Information Strategy would be undertaken to:

• Focus on refreshing the assessment of the health of Council data.
• Identify the improvement transformation required to enable the Council’s delivery of transformation activity.
• Refresh the Information Governance Policy Framework to reflect emerging opportunities and risk, for example, opportunities around use of artificial intelligence and policy safeguards that would need to be put in place.

The Council’s data protection activity over 2023 had continued to focus on incidents and rights requests. Other data protection activity over 2023 had involved cyclical reviews and updates to information sharing agreements and privacy notices. 

Mandatory training compliance had declined to 91% with areas for improvement identified in Children’s Services, partly due to staff turn-over, and Regeneration Services, where plans for alternative training approaches for large groups of casual staff in cultural and creative services were being developed. 

The final two recommendations from the 2020 ICO consensual audit of the Council were implemented.  Analysis of ICO published statistics for receipt of any complaints and concerns, up to June 2023, showed Middlesbrough Council ranked 115^th equal out of 118.  Within 2023, there were no complaints or breaches referred to the Council by the ICO and of the four reports made to the ICO about the Council, all were closed  ...  view the full minutes text for item 23/43

A report of the Director of Legal and Governance Services (Monitoring Officer) was presented which outlined the Council’s approach to risk management, and summarised activity in the past year and planned activity for 2024 to provide the Committee with assurance that the Council had robust risk management arrangements in place.

Risk management was a critical element of corporate governance and was a statutory requirement for public sector organisations.  Risks were to be reduced to an acceptable level, or if possible, eliminated.  Robust risk management enabled the Council to effectively discharge its responsibilities and deliver its various functions. 

Risk management was the collective responsibility of all Elected Members and officers of the Council.  The Council’s approach to risk management was articulated by the Risk Management Framework, which was reviewed by Executive in July 2023. 

The Council used risk registers to manage the various risks it identified.  The overarching risk register was called the Strategic Risk Register, which captured the most significant risks the organisation was exposed to that could impact on its ability to deliver its strategic priorities, which were outlined in the Council Plan.  A summary of the current Strategic Risk Register was shown at Appendix 1.

In addition to annually reporting the Council’s overall approach on risk management to Audit Committee, a summary of the Strategic Risk Register was monitored monthly in performance deck and reviewed every three months by LMT.

Details regarding the Risk Management Framework were provided to the Committee.  It was explained that the Council’s Risk and Opportunity Management Policy set out how risks were captured, scored and managed using a likelihood and impact scale.

A Risk Improvement Plan was developed in March 2023 for the Council to ensure that it was committed to ensuring its risk management practice continued to be effective.  Actions were split into the following areas:

• Risk communication and training - Intranet updates - shared information.

§  Strategic risk identification and monitoring - LMT three-monthly reviews.

§  Risk management processes - DMT monthly reviews.

An internal audit of the Council’s risk management arrangements was programmed to be completed in 2024; resulting recommendations would be highlighted to relevant Members and officers when completed.

In terms of risk management activities for 2024/2025, further work would be undertaken to build on progress made in 2023/2024 as part of the Council’s commitment to continually improve risk management planning.  Planned activity included:

• Review of the Communication and Engagement Plan.
• Review of the Strategic Risk Register.
• Improvements in the build in Ideagen for Directorates.
• Review of Risk Management Group membership.
• Increased risk reporting frequency to Audit Committee on risk governance and the content of the Strategic Risk Register.
• Review of the current risk management software.

A Member commented on the unexpected nature of risk and queried the procedures in place for preparing for all eventualities. In response, the Committee heard that an array of work was being undertaken to assist with this, which included: discussion at LMT and Departmental Management Team (DMT) meetings; identification of formal review points;  ...  view the full minutes text for item 23/44

A report of the Director of Finance (S151 Officer) was submitted, the purpose of which was for Ernst & Young (EY), the Council’s External Auditor, to present their Value for Money interim report for the 2021/22 and 2022/23 financial years.

The report set out EY’s findings and commentary on the Council’s systems and arrangements over this period and highlighted any deficiencies that required improvement for the future.  It also covered other findings that EY wished to raise with the Audit Committee following this work.  These matters related to either governance-related issues or to the accounts for the relevant two-year period, which currently remained open and not yet signed off by EY.

The Interim Report was attached at Appendix 1.

For background context, the Committee heard that the previous Value for Money commentary had been provided for the period up to March 2021.  A governance update was provided in December 2022 which highlighted ongoing risks, and a further update was issued in August 2023.  This Interim Report covered the period four-months prior to the statutory notice being issued.  Guidance was currently awaited from the government in relation to the conclusion of financial statements.  Once received, the report would be finalised.

The External Auditor referred Members to the statutory recommendations and six areas of significant risk that had been identified.  The following points were made:

• Regarding organisational culture, it was indicated that following issues raised in 2021/22, a response plan had commenced in 2022/23.  A report on the Council’s progress was provided in December 2022.  Mention was made of the change to the Council’s administration since that time.  Regarding governance arrangements and the Council’s Constitution, it was noted that the previously constituted Corporate Affairs and Audit Committee had since been separated into two and were now Corporate Affairs Committee and Audit Committee.
• Regarding financial sustainability, Members heard that during 2021/22 initial concerns in terms of the direction of travel were raised, but there was no significant weakness that year.  The Council’s position deteriorated in 2022/23, with significant risk being identified during that time.
• Regarding contracts and procurement, there was no view expressed in the report in terms of specific contract details or contractors appointed.  Reference was made to exemptions and the procedures associated with these.  It was indicated that inappropriate application of these had been a factor during 2021/22 and 2022/23, hence the association of risk during that period.
• Regarding the Middlesbrough Development Corporation, gaps had emerged since the formation of the company and therefore weakness was apparent across the period 2021/22 and 2022/23.  The recommendations in the Interim Report were the same as those in the statutory report.
• Regarding assets, particularly The Crown pub, the Committee heard that in terms of processes/ due diligence, there was evidence of weakness in 2022/23.
• Regarding Children’s Services, it was explained that the outcome of Ofsted inspections and other work carried out had demonstrated progress; the Council had delivered on the Children’s Services Improvement Plan.  The risk identified was based around service delivery.
• In the time  ...  view the full minutes text for item 23/45

A report of the Director of Finance (S151) was presented, the purpose of which was for Mazars, the Council’s External Auditor, to present their Audit Strategy Memorandum for the 2023/24 financial year.  This set out their plans for the audit of the financial statements and Value for Money arrangements for the Council.

This was the first year of the new external audit contract with Mazars, covering the period 2023/24 to 2027/28.  The audit of the two previous years accounts for the Council with Ernst & Young were still open; it was expected that these would be modified and/or disclaimed opinions, depending on government legislation that was still to be confirmed.

Mazars Audit Strategy Memorandum for 2023/24 was attached at Appendix 1 and included the following sections:

·        Engagement and responsibilities summary.

·        The audit engagement team.

·        Audit scope, approach, and timeline.

·        Significant risks and other key judgement areas.

·        Value for Money arrangements.

·        Fee for the audit and other services.

·        Commitment to independence.

·        Materiality and other misstatements.

It was indicated that, as the incoming auditor, work had started and followed up on the outgoing auditor’s work.  The intention was to move to an annual report, as opposed to reports being linked to a specified period. 

In terms of financial recompense for work undertaken, the Council had decided on 23 February 2022 to ‘opt in’ to the national audit appointment scheme undertaken by Public Sector Audit Appointments (PSAA), a government agency for contracting external audit services.  The base audit fee for any Local Authority who opted into the national scheme was set by PSAA, based on size and on previous audit experience and fees paid.  The audit fee for the Council for the 2023/24 audit was outlined in section six of the Audit Strategy Memorandum at £321,074.  It was possible that this fee could increase, based on any additional work required by the auditor as part of their statutory role.

The fee for 2023/24 was a significant increase over the base audit fee for 2022/23 of £111,857, but represented the additional external audit work undertaken in relation to the Council over the last couple of completed audits.  The 2023/24 fee was fully budgeted for within the corporate part of the Council’s accounts.

A Member referred to the backlog of work and two years currently outstanding.  In response, it was explained that information would be updated and presented to Audit Committee, as required.

A Member referred to the concept of value, the subjective nature of this and queried how this could be considered.  In response, the Committee was advised that the remit was to look at the arrangements in place and to raise any issues in this forum for discussion/ consideration.  It was noted that the auditor’s comments concerned the Council’s arrangements that were in place and not on individual contracts. 

NOTED

A report of the Director of Finance (S151) was presented, the purpose of which was for Mazars, the Council’s External Auditor, to present their Audit Strategy Memorandum for the 2023/24 financial year.  This set out their plans for the audit of the financial statements for the Teesside Pension Fund.

This was the first year of the new external audit contract with Mazars, covering the period 2023/24 to 2027/28.  The audit of the two previous years accounts for the Council and Pension Fund with Ernst & Young were still open; it was expected that these would be modified and/or disclaimed opinions, depending on government legislation that was still to be confirmed.

Mazars Audit Strategy Memorandum for 2023/24 was attached at Appendix 1 and included the following sections:

·        Engagement and responsibilities summary.

·        The audit engagement team.

·        Audit scope, approach, and timeline.

·        Significant risks and other key judgement areas.

·        Value for Money arrangements.

·        Fee for the audit and other services.

·        Commitment to independence.

·        Materiality and other misstatements.

The External Auditor presented the report and overall approach to the Committee.  The Teesside Pension Fund was accounted for separately from the Council’s financial statements, albeit both were incorporated in the overall Council’s Statement of Accounts.

NOTED

A joint report of the Chief Executive, Director of Finance (S151 Officer) and Director of Legal and Governance Services (Monitoring Officer) was presented, which set out the key activities and progress since an update was last provided.  The report also provided an update on activity in response to the Section 24 recommendations made by the Council’s External Auditors and the Council’s Corporate Governance Improvement Plan.

For the current reporting period, as at 18 June 2024, 96% of planned activity had either been delivered or was on-track for delivery in relation to the Corporate Governance Improvement Plan, with three planned activities across the 10 workstreams measuring as off-track.  96% of activity in relation to the Section 24 delivery plan was on-track or had been delivered, with one activity showing as off-track.  The report set out the detail of the delivery plan activity, alongside supporting measures of success that were in place to assess the impact of activity.

Since its work was last reported in March 2024, the Independent Improvement Advisory Board had held meetings in April, May and July 2024.  Details regarding the reports, presentations and representatives involved were outlined at paragraphs 7.2 and 7.3 of the report.  Action points arising from formal meetings, together with a summary of information requested by the Board, were set out at Appendix 3.

It was anticipated that in mid-July, the Board would issue its third progress report for the Council’s consideration.  In line with agreed reporting for this, the report would be considered by Executive on 24 July 2024.

An update on the key activities related to delivery of the Section 24 Action Plan since last presented to Council was provided, along with some changes to delivery dates.

Appendices 1 and 2 provided details of measures of success against the Corporate Governance Improvement Plan and Section 24 Report.

AGREED that:

1.      Progress against the Corporate Improvement Plan and Section 24 Action Plan was received and noted.

2.      The proposed changes to milestones and activity in relation to the Section 24 Action Plan, as outlined at paragraphs 6.7 to 6.10, was agreed.

A report of the Head of Internal Audit, Veritau was presented to seek Members’ approval for the 2024/25 planned programme of internal audit, and for Members to note the Counter Fraud Work Programme 2024/25.

Appendix 1 set out the proposed internal audit work for 2024/25, which was based on an initial assessment of risk undertaken.  The identification of risks included in the assessment had been informed in several ways, which included review of the organisational risk management processes; understanding the Council’s strategies and objectives; and the results of recent audit work.

It was explained that to meet professional aims and objectives, a flexible approach was taken towards audit planning.  This allowed for any changing and emerging risks within the Council to be identified and appropriately managed.  The aim was to cover sufficient areas of the Council, with all work matched against an assurance framework.  Consultation work in respect of the proposed areas of coverage had been undertaken with the Audit Committee and senior management teams.

Regular discussions/ meetings regarding the scope and timings of audit work would be carried out with officers and management teams throughout the year; updates on coverage, scope and findings of work would be presented to the Audit Committee.

Regarding the Counter Fraud Work Programme, the proposed areas of counter fraud work in 2024/25 were set out in Appendix 2.  There was no time estimation allocated for each area as this was dependent on the levels of suspected fraud reported to the team.

The priorities for the work programme were set annually in the Council’s Counter Fraud Strategy Action Plan and annual Fraud Risk Assessment, which were presented to the Audit Committee in October 2023.

The total number of days allocated to counter fraud work in 2024/25 was 150.

A Member referred to the recent changes made to the Council’s scrutiny structure and commented upon its robustness.  It was queried whether the audit team could investigate this.  In response, the Auditor indicated that this suggestion would be taken away and reviewed.

AGREED that:

1. The 2024/25 planned programme of internal audit was approved.
2. The Counter Fraud Work Programme 2024/25 was noted.
3. Internal Audit would look into the possibility of reviewing the Council's scrutiny arrangements. 

The Committee was advised that the Forward Work Programme was a working document used to track the business of the Committee.

In terms of planning for November 2024 and the suggestion of an additional meeting to manage the workload of the Committee, Members agreed with this.  Members also agreed that an additional meeting in April 2025 would be beneficial.  The Democratic Services Officer would follow this up.

It was anticipated that a mid-year update in respect of Risk Management would be provided at the 6 February 2025 meeting.

Regarding the 13 March 2025 meeting and the proposed Performance Management and PPMF Assurance report, it was explained that these matters would be reported on separately.

A brief discussion ensued with regards to the scheduling of meetings and the need to hold a meeting in August.  Although acknowledged that this was holiday season, owing to both diary management and the workload of the Committee, unfortunately this could not be avoided.

AGREED that:

1.      Arrangements would be made for two additional Audit Committee meetings to take place: one in November 2024 and one in April 2025.

2. The information, as presented, was noted.

Future Meeting Arrangements - Change to Start Time

The Chair requested that the start time for all future Audit Committee meetings, currently

2.00 p.m., be changed to 1.30 p.m.  Members agreed; Democratic Services Officer to action.

AGREED that future Audit Committee meetings would commence at 1.30 p.m.; Democratic Services Officer to action.

Minutes - Audit Committee - 14 March 2024

The Chair referred to the minutes of the previous Audit Committee meeting and requested updates regarding two agreed actions, as follows:

• Page 2, Minute No. 23/29 - Corporate Governance Improvement Plan and Section 24 Action Plan Progress Report - 3. Copies of minutes of Middlesbrough Development Company Board Meetings would be circulated to Committee Members.

Members were advised that the Chief Executive had written to the Directors to request the release of the minutes; no definitive response had been received as of yet.  Reference was made to company law and the duty of Directors to comply with this.  Directors were responsible for ensuring that the release of any documentation into the public domain was appropriate and in the best interest of all parties.

• Page 6, Minute No. 23/33 - HR Assurance Presentation - 2. Further statistical data in relation to employee sickness absence would be provided to the Committee.

Members were advised that this had been raised with the Head of HR and statistics would be provided as soon as possible.

NOTED

Auditor Attendance – EY

A Member wished to record a note of thanks to the External Auditor from EY for the support provided to the Committee.  The External Auditor thanked the Member for the comments made and advised that attendance at meetings would continue until the EY work had been closed off.

NOTED