Report of the Director – Finance and Corporate Services
Minutes:
Mr Armstrong from BDO, the Council’s Internal Auditors, presented the Internal Audit Progress Report Quarter 2.
Mr Armstrong referred to page 17 of the report which showed the table detailing progress of work completed so far and work due. He confirmed that five of the nine reports had been fully completed, that one was in draft and one was ongoing, with two outstanding, with the final reports due in February and June 2026. He confirmed that all were in line with and on time with the Audit Plan.
Mr Armstrong said that the two audit reports completed within this quarter related to Main Financial Systems and Business Continuity and Emergency Planning.
In relation to Main Financial Systems, Mr Armstrong explained that it was an annual review as part of the core assurance auditing and that different areas of the financial systems were reviewed each year. He said that for this year, accounts payable and procurement cards had been reviewed and that a moderate rating for Design and substantial rating for Effectiveness had been given, with one medium and one low level finding.
Mr Armstrong advised that the medium rating related to the procurement card log, but not the use of the cards, as there were some late submissions of logs and receipts to the Finance Team. He noted that procurement cards could be an area of risk, which was why it had been raised even though no misuse had been found. He referred the Group to part B of the response which listed actions taken to log and chase up card holders. He referred to the low finding regarding the absence of a written audit trail for a card limit increase.
In relation to the review of Business Continuity and Emergency Planning, Mr Armstrong said that a substantial rating for both design and effectiveness had been given with two low level findings. He said that one low level rating related to a structured multi-year programme for scenario testing of business continuity risks not being in place, although there were ad hoc testing sessions on a range of different vulnerabilities. The other related to reporting to the Executive Management Team not being supported by documentation summarising risks and action implementation and also that Resilience Review meetings were not documented.
Mr Armstrong noted that the budget had been released since the audit had been published, with key announcements around council tax changes and business rates revaluation which would have administration and cost impacts for local authorities, and whilst the Government had said that local authorities would be fully compensated for administration costs, this would need to be monitored. He also noted announcements regarding additional investment in planning and licensing.
Councillor G Wheeler asked about future impacts from the budget and Mr Armstrong said that BDO had put out an announcement about potential impacts and that as part of the audit reviews the broader landscape of risk was considered with possible impact from the budget.
Councillor G Wheeler asked how the Council’s business continuity planning compared to other local authorities and whether a full business continuity exercise was expected to take place each year. In relation to benchmarking with other local authorities, Mr Armstrong said that substantial assurance was not often provided. He said that it was hard to define what risks needed to be covered for future years and resource implications in trying to provide scenario training for all, but it would be prudent to develop a multi-year plan to provide broader coverage of potential threats that the Council may face.
Councillor Om asked about scenario planning in relation to physical and financial testing and regarding IT services. Mr Armstrong said that testing could take place in many different ways and that it was designed to ensure that Officers were prepared when facing an incident. The Assistant Director of Finance said that Officers from the various service areas were involved in exercises so that the wider impacts from an incident were considered and prepared for. She confirmed that the Council had held a cyber security scenario session and that regular disaster testing was carried out within the IT Team.
Members of the Group asked about procurement cards, how many had been issued, at what level of seniority and what credit limits were given. The Assistant Director of Finance didn’t know how many had been issued (subsequently confirmed at approximately thirty cards) and said that issuance was an operational decision based on the needs of a specific role. She said that credit limits varied, dependent on the card holder’s role, and that they were kept as low as possible, with the ability to do temporary limit increases if the need arose.
The Chair asked about documentation and governance and the process of authorisation for procurement cards. Mr Armstrong referred to the Council’s financial regulations and also specific procurement card holder regulation documents which set out the permissible usage of the cards and said that the card logs assessed whether expenditure was aligned with policy and was reasonable, with a process for escalation if not. He confirmed that the audit had not identified any instances of misuse.
The Chair asked about potential misuse of procurement cards and whether there were proactive measures of control in place and the process for determining credit limits. The Assistant Director of Finance explained that every card holder went through training on how to use and treat their card and had to sign confirming their responsibility for its use before they were allowed to make any expenditure. She said that card holders were expected to seek approval from their line manager before making a purchase and that after purchase they would submit receipts to them. She added that the Finance Team received an itemisation of all purchases from the bank which was checked by the Team for any untoward or unexpected transactions which would be raised with the bank and the card holder’s line manager. She confirmed that card limits were set on an individual basis with a documented agreement with the card holder’s line manager.
Councillor Regan asked whether the Council had been impacted by the recent Cloudflare outage. The Assistant Director of Finance was not aware of any impact but thought that a third party provider may have been.
The Chair asked about the relationship between the risk register, risk profiling and the Business Continuity Plan. Mr Armstrong said that a risk register came before the Group every six months and that Internal Audit considered the Council’s Business Continuity Plan to be sufficiently robust and in line with expectations for a local authority. The Assistant Director of Finance said that risks were identified by Officers and this Group and that when new risks were identified as requiring a continuity plan the Business Continuity Plan was updated, with plans in place for critical risks so that Officers knew what to do in the event of that risk materialising, with them all being linked.
It was RESOLVED that the Governance Scrutiny Group considered the quarter 2 progress report for 2025/26 (Appendix A) prepared by the Council’s Internal Auditor.