Agenda and minutes

There were no declarations of interest.

The minutes of the meeting held on 8 February 2018 were accepted as a true record.

The report of the Executive Manager – Finance and Corporate Services

Mr Andrew Bush, a Director at KPMG, the Councils external auditors, provided a report that summarised their plan for external audit activity with regard to the final accounts process and their approach to value for money work in relation to the financial year 2017/18.

Mr Bush highlighted a number of risks concerning the audit, focusing on both financial statements and value for money. Mr Bush provided examples in respect of pension liability, financial resilience and ensuring that our accounts are closed down in a timely manner given the tighter constraints in the new legislation commencing this year.

The Executive Manager – Finance and Corporate Services provided supporting information and noted that due to new legislation the audit cycle had now changed which meant that Statement of Accounts was now required to be approved by Council by the end of July, rather than by the end of September, as in previous years. It was noted the conclusion of the work undertaken by KPMG, the final Statement of Accounts, and the auditors Annual Governance Report, are to be considered by Corporate Governance Group on the 17 July 2018 and by Council on 26 July 2018. Members of the Group asked several specific details about the plan.

The Chairman and members of the Group thanked Mr Bush for attending and answering their questions.

It was RESOLVED that the External Audit Plan 2017/18 be supported.  

The report of the Executive Manager – Finance and Corporate Services

Mr Chris Williams, Head of Internal Audit at RSM, the Council’s internal auditors presented the Council’s Internal Audit Progress Report 2017/18. It was noted that the progress report was the third report for the financial year 2017/18 and that it provided the current position on the audit programme, along with details of any significant recommendations concerning the audits completed during this period.

Mr Williams advised the Group that the Internal audit Plan 2017/18 had included 14 planned reviews, all of which had been completed. The report highlighted the completion and issuing of 8 reports:

·       Corporate Governance

·       Main Accounting

·       Data Protection

·       Contract Management

·       Creditors and e-procurement

·       Follow up

·       Allowances

·       Cyber Security an ISO27001

Mr Williams noted that all assignments had received a positive assurance. In terms of findings there were four medium priority recommendations:

·       Corporate Governance – Transparency Code information needed to be kept up to date on the Council’s website.

·       Contract Management – The Council’s Contract Register needed to be reviewed and updated

·       Contract Management – to ensure that formal agreements were in place with all contractors

·       Follow up – one medium priority relating to Land charges reconciliation which remained outstanding

Members of the group considered the report and questioned the risk in respect of cyber security and ISO27001 and whether RSM had the expertise in house to conduct audits in these areas. The Executive Manager – Finance and Corporate Governance assured the group that RSM had the required expertise to manage this type of audit. Mr Williams advised that because of the testing undertaken by RSM, the six low priority findings that had been identified had had management actions agreed in respect of the findings.

Members of the Group expressed concerns on the findings and implications in respect of Contract Management, where out of the 20 samples that had been tested three were found to not have a formal signed contract or could not be located. The Executive Manager – Finance and Corporate Services provided assurance that an additional step would be added to the procurement process to ensure that the contract could not be marked at complete until a formal contract had been entered into with the Contractor, adding that the target date  that all contracts would be up to date and completed is by 31 July 2018.

It was RESOLVED that the report be noted.

The report of the Executive Manager – Finance and Corporate Services

Mr Chris Williams, Head of Internal Audit at RSM, the Council’s internal auditors, presented the Council’s Internal Audit Annual Report 2017/18. It was noted that the report was the last report for the financial year and showed that all audits had been completed for the year, along with recommendations made.

The report highlighted the completion of the Internal Audit Plan for 2017/18 in accordance with the Public Sector Internal Audit Standards. Mr Williams advised that the overall opinion was positive and that the Council response to previous audits and recommendations was good. Mr Williams advised that RSM had concluded that the Council had an adequate and effective framework for risk management, governance and internal control.

The group considered the report and questioned on what basis were areas considered for audit sampling. Mr Williams advised that the plan was flexible and provided a broad spectrum for internal audit and felt that a 3-year plan was sufficient.

It was RESOLVED that the report be noted.

The Report of the Executive Manager – Finance and Corporate Services

Mr Chris Williams, Head of Internal Audit at RSM, the Council’s internal auditors presented a report and on the Internal Audit Strategy 2018/19 – 2020/21. Mr Williams advised that the approach that RSM had developed the audit plan with regard to the Council’s corporate objectives, risk profile and assurances framework, as well as other factors affecting the Council in the year ahead, including changes within the public sector.

Mr Williams concurred with the Council’s view that it was best practice to produce an annual fraud report and that this was not currently included within the Council’s plan for 2018/19. Mr Williams proposed, with the support of the Executive Manager – Finance and Corporate Services that, 2-3 days should be allocated from the 10 days contingency included in the plan for a fraud report to be produced, with a view to it being considered by Corporate Governance Group at its meeting in July 2018.

Members of the Group considered the report and raised their concerns regarding business continuity and the Council’s ability to respond as a result of a ‘disaster’, for example; cyber-attack, fire or flu pandemic. The Executive Manager – Finance and Corporate Services informed members that business continuity did not currently form part of the strategy and suggested that he met with Mr Williams at a later date with a view to adding it into the Strategy (possibly taking some of the days from the Health and Safety Audit). The Interim Chief Communication Officer added that IT had recently completed a disaster recovery exercise successfully.

It was RESOLVED that:

a)    the Internal Audit Strategy and Audit Plan 2018/19 to 2020/21 be approved.

b)    an annual fraud report be included in the Audit Strategy and Audit Plan 2018/19 to 2020/21, with the intention that the report be brought to the July 2018 meeting of the Corporate Governance Group for approval.

The Report of the Chief Information Officer

The Interim Chief Information Officer provided a report and presentation to to provide an update on the implementation the General Data Protection Regulation (GDPR) and the progress being made towards ISO27001.

It was noted that with regard to the implementation of actions and changes in readiness for the General Data Protection Regulation (GDPR) on the 25 May 2018, the Council had made good progress in identifying, assessing and implementing the changes required to meet its obligations associated with the new data protection legislation.

The Interim Chief Information Officer noted that November 2017 a formal GDPR Project Board had been established and that an action plan had been implemented based on the twelve work streams recommended by the Information Commissioners Office regarding the implementation of GDPR. The Interim Chief Information Officer advised that the Project Board had met regularly to assess progress and to review and update the GDPR action plan. To date it was reported that significant progress had been achieved and the action plan was providing an effective framework for delivering and embedding further improvements relating to information management and data protection.

The Interim Chief Information Officer advised that the Council has been tracking its Information management arrangements and compliance against the Information Security Management Standard ISO27001:2013 (Standard). The ISO27001:2013  standard was a more comprehensive set of controls covering not just technical controls but addressing areas related to GDPR such as physical security, human resources, training, information classification, supplier management and compliance with legal and contractual requirements. The Interim Chief Information Officer advised that the progress the Council had made in relation to management and due diligence around its IT systems and supplier contracts had had a positive impact on some control areas within the standard.

The Interim Chief Information Officer noted that consideration was being given in regard to applying for external assessment against the ISO27001 standard and added that achieving certification would demonstrate the Council’s professional approach to ICT management which would be a positive achievement as the Council sought further commercialisation opportunities in the future.

Members of the Group supported the ambition of the Council for applying for the ISO27001 accreditation and the Chairman noted that this was an internationally recognised assessment and suggested that the Council should consider applying for a UKAS accreditation.

It was RESOLVED that the report be noted.

The Report of the Executive Manager – Transformation and Operations

The Service Manager – Transformation presented a report on the progress made since the meeting on 8 December 2017 and to provide a summary of the activities associated with updating the Council’s risk register and the work relating to the Council’s emergency planning and business continuity functions.

The Service Manager – Transformation advised that there were currently 34 corporate risks and that this number was unchanged since the last report. The number of operational risks had remained at 29, with one risk deleted and a new one added bringing the total number of risks to 63. Members of the Group were assured that the risk register was a live document which was reviewed regularly by risk holders and the Executive Management Team. Members of the Group requested that for the next Corporate Risk Update that a matrix be added to the table, so that comparisons could be made with the figures previously reported.

The Service Manager – Transformation updated the Group on Emergency Planning and provided an overview of the work carried out by the Emergency Planning Officer.  Members were assured that training had been delivered to three staff on the Resilience Direct mapping software, providing support to the Executive Management Team and multi-agency coordinating groups. Training on water awareness had also been delivered to three new depot officers who would be responsible for responding to flooding incidents. It was noted that work was being conducted around counter terrorism and hostile vehicle mitigation measures and that this work was being led by the Nottinghamshire County Council Emergency Planning Team. Members of the Group were advised that the main focus of this work was the replacement of the temporary barriers around the Forest Ground and Trent Bridge cricket ground. The Service Manager – Transformation advised the group that multi-agency emergency planning exercises had been implemented and that members of the Executive Management Team and the Emergency Planning Officer had attended these events.

Members of the Group expressed concerns over Councillors expectations and involvement in the emergency planning processes, and proposed that Councillors  be provided with information on their role regarding emergency planning. Members of the Group noted that in the event of an emergency that it was not for the ward Councillor to be contacted by residents in the first instance. The Executive Manager – Finance and Corporate Services proposed that that he would come back with a response for the next meeting..

It was RESOLVED that:

a)    the report be noted.

b)    That the Executive Manager – Finance and Corporate Services provide further information on Members’ role with regards to Emergency Planning by the next meeting..

c)     the actions taken to review the risk management arrangements and implement internal audit recommendations be supported.

d)    the work of the Emergency Planning Officer  be supported and that the work of the Local Resilience Forum be endorsed.

The report of the Executive Manager – Finance and Corporate Services

The Service Manager – Finance and Corporate Services presented the Annual Governance Statement 2017/18 in accordance with the Accounts and Audit Regulations 2015.

The Service Manager – Finance and Corporate Services highlighted the significant governance issues covered in the statement as well as what remedial action would be taken in order to address the risks identified. Members of the Group were satisfied that an action plan addressing issues and risks would be incorporated into the final version of the Annual Governance Statement which would be considered by the Corporate Governance Group, alongside the Statement of Accounts 2017/18 at its meeting on 17 July 2018.

It was RESOLVED that Annual Governance Statement 2017/18 be approved.

The report of the Executive Manager – Finance and Corporate Services

The Executive Manager – Finance and Corporate Services provided a report that set out the Work Programme for Corporate Governance Group for the next year, adding that the Group’s Annual Fraud Report would be considered at the meeting on 18 July 2018.

It was RESOLVED that the Work Programme as set out below, be approved.

Work Programme

17 July 2018

·       Statement of Accounts 2017/18

·       External Auditors Annual Governance Report 2017/18

·       Health and Safety Annual Report

·       Corporate Governance Group Annual Report 2017/18

·       Fraud Annual Report 2017/18

·       Work Programme

20 September 2018

·       Internal Audit Progress Report Quarter 1 2018/19

·       Treasury Management Outturn 2017/18

·       Revenue and Capital Budget Monitoring – Quarter 1 2018/19

·       Annual Audit Letter

·       Work Programme

4 December 2018

·       Internal Audit Progress Report – Quarter 2 2018/19

·       Health and Safety Interim Report

·       Treasury Management 2018/19 – Six Monthly Update

·       Risk Management Progress Report 

·       Revenue and Capital Budget Monitoring - Quarter 2 2018/19

·       Work Programme

7 February 2019

·       Internal Audit Progress Report – Quarter 3 2018/19

·       Treasury Management Strategy 2019/20

·       Revenue and Capital Budget Monitoring – Quarter 3 2018/19

·       Certification of Grants and Return Annual Report 2017/18

·       Work Programme

9 May 2019

·       External Audit Plan 2019/20

·       Internal Audit Progress Report 2018/19

·       Internal Audit Annual Report 2018/19

·       Internal Audit Strategy 2018 – 2021

·       IT Progress Report

·       Risk Management Progress Report 

·       Annual Governance Statement

·       Work Programme

Action and Sheet

CORPORATE GOVERNANCE GROUP – THURSDAY 10 MAY 2018