Agenda and draft minutes

It was moved by Councillor Nicholls and seconded by Councillor Williamson, that Councillor Woollcombe be appointed Vice-Chair of the Audit and Governance Committee for the civic year 2024/25. After being put to the meeting and a vote taken, the motion was declared CARRIED.

RESOLVED – that Councillor Woollcombe be appointed as Vice-Chair of the Audit and Governance Committee for the civic year 2024/25.

To receive any apologies for absence

There were no apologies for absence.

To approve as a correct record the minutes of the meeting held on 30 January 2024.

It was moved by Councillor Nicholls and seconded by Councillor Woollcombe, that the Minutes of the meeting of the Committee held on 30 January 2024 be confirmed as a correct record and signed by the Chairman. After being put to the meeting and a vote taken, this motion was declared CARRIED. Councillor Willcocks abstained from the vote.

RESOLVED – that the Minutes of the Committee meeting held on 30 January 2024 be confirmed as a correct record and signed by the Chairman.

The Chairman welcomed all to the meeting, and this welcome was also extended to Councillor Willcocks as a new Member of the Committee.

To receive any declarations of interest.

There were no declarations of interest.

The Shared Anti-Fraud Service (SAFS) Manager gave a training presentation to the Committee, this focused on a recent SAFS investigation which concluded at the end of the last financial year.

The SAFS Manager said that the case related to two planning applications for a property development in an exceptionally rural local area. He said that the first planning application established a development of six mixed use units – to be utilised by each unit occupant for seventy percent residential and thirty percent business use.  

The SAFS Manager said that the second planning application was for a change of use for the units - from business to solely residential. This resulted in an East Herts Planning Officer visiting the site for inspection and finding that all of the units were already being used solely for residential purposes, although each were registered for business rates with the Council Tax Department.

The SAFS Manager said that the case was referred to them for further investigation on this basis, and it was found that the property developer had provided false documents in respect of tenancy agreements and business rates forms.

The SAFS Manager said that the case was sent to St Albans Crown Court where £44,000 was recovered. He said that the case had identified areas which could be exploited, and that subsequent mechanisms were in place to stop such reoccurrences. He said that SAFS was now receiving referrals from Planning Teams, and that the successful prosecution sent a direct deterrent message.

The SAFS Senior Investigator continued the training presentation, focusing on the emerging risks and threats from Artificial Intelligence (AI). He said that it was imperative that SAFS got ahead of the curve using local and national intelligence to protect partners.

The SAFS Senior Investigator said that AI was growing rapidly and was here to stay. He said that the emergence of ‘deep fake’ technology meant that fraudsters only need capture three to five seconds of a person’s voice to create a false identity.

The SAFS Senior Investigator said that historically deceptive emails and letters which were sent by fraudsters where easily identifiable with poor English and grammar. He said that AI however allowed for more professional formatting, meaning that red flags were not so visible, and therefore staff diligence imperative.

The SAFS Senior Investigator said that email compromises which encouraged users to use false links had been seen in schools and at one local authority. He said that such compromises allow the fraudster to read and divert a victim’s emails without them knowing, also copying their tone and style.  

The SAFS Senior Investigator said that these risks were real, and that increasing awareness of these methods raised the human firewall, ensuring policies and procedures were followed. 

The Chair thanked the SAFS officers for their presentation.

Councillor Hart asked how the first defence of the human firewall would work if such fraudulent emails were so realistic.

The SAFS Senior Investigator said that in the first instance staff needed to be thoroughly trained and  ...  view the full minutes text for item 25.

The SAFS Manager introduced the report which provided details of the work undertaken by SAFS to protect the Council against the threat of fraud and deliver the Anti-Fraud Action Plan for 2023/24.

The SAFS Manager said the objective was set for SAFS to deliver two hundred and eight five days of work for the Council, and that two hundred and eleven days (which was seventy four percent of this number) had been recorded against this. He said that this target had not been met due to a new case management system being unable to correctly record time during the first half of the year. He said that this functionality had since been corrected and the recording of time in the second half of the year was at the expected level. 

The SAFS Manager said that SAFS were unable to report on Key Performance Indicator (KPI) three as the new case management system could not be configured as hoped. He reiterated that again this was not to say that the response was not being met, just that a complete data set could not be provided.

The SAFS Manager said that the number of cases being referred to SAFS had increased slightly over the last year, which followed a consistent increasing trend. He said that an explanation of ‘failed referrals’ was provided within the report, with it important to understand the reasons as to why these cases were not pursued further.  

The SAFS Manager said that forty-eight low risk cases were identified last year, which had been dealt with by way of a compliance approach. This approach resulted in the identification of forty-two thousand pounds of Council Tax and Housing Benefit fraud.  He said that were it not appropriate to bring a criminal prosecution, fifteen financial sanctions were issued, totalling one thousand and fifty pounds.

The SAFS Manager said that of the cases closed in the past financial year, sixty-one thousand pounds of recoverable loses and savings were identified. He said that closures in the year had reduced, which was in part due to the move to a compliance. 

The SAFS Manager said that the National Fraud Initiative (NFI) and the Fraud Hub were both fraud and error detection opportunities as well as an opportunity to reduce ongoing losses. He said that the NFI was a biannual process, due to commence again in the Autumn and that the Fraud Hub was a rolling three-month programme managed by SAFS to capture fraud earlier. 

The SAFS Manager said that data matching was also used to analyse National Non-Domestic Rates (NNDR), which had seen additional and new revenue of sixty-three thousand pounds for East Herts Council in this area.

The Senior Fraud Investigator drew Members attention to page 26 of the report, which detailed fraud awareness and prevention. This detailed culture, controls and mitigations and fraud reporting methods. He confirmed that the Council’s website had links for the public to report by email, telephone and by using the SAFS online reporting tool.

The Senior Fraud  ...  view the full minutes text for item 26.

The Shared Internal Audit Service (SIAS) Manager introduced the report, which was the annual report for 2023/24. He drew Members attention to page 51 which gave assurances for the year.

The SIAS Manager said that details of the audit outcomes could be seen on pages 52 and 56 of the report and noted the   narrative throughout. He said that SIAS performance was tabled from page 53 of the report and that the Audit Charter for 2024/25 (which was approved each year by the Committee) remained vastly unchanged at page 62.   

Councillor Deering asked if the current position with external audit compromised the work of SIAS.

The SIAS Manager said that SIAS work was internal focused and was nor duplicated by work carried out by the external auditor.

The Chair sought assurance from the Head of Strategic Finance and Property that the scope and resources for internal audit were not subject to inappropriate limitations in 2023/24.

The Head of Strategic Finance and Property gave this assurance to the Chair and the Committee. 

It was moved by Councillor Nicholls and seconded by Councillor Williamson, that the recommendations, as detailed, be approved. After being put to the meeting and a vote taken, this motion was declared CARRIED.

RESOLVED – that (A) the Annual Assurance Statement and Internal Audit Annual Report be noted; and

(B)   that the results of the self-assessment required by the Public Sector Internal Audit Standards (PSIAS) and the Quality Assurance and Improvement Programme (QAIP) be noted; and

(C)   that the SIAS Audit Charter for 2024/25 be accepted; and

(D)   that management assurance that the scope and resources for internal audit were not subject to inappropriate limitations in 2023/24 be sought.

The Executive Member for Wellbeing introduced the report, which gave an annual review of East Herts Council’s fifteen-year leisure contract with Everyone Active (EA). She drew Members attention to the recently opened soft paly facility at Hartham Leisure Centre, which was attracting on average two thousand, five hundred visits per month and the weekly regular club and group bookings which were bring made in first full operational year of the 3G pitch at Grange Paddocks Leisure Centre.

The Executive Member for Wellbeing said that work to attempt to reinstate the closed Ward Freeman swimming pool continued. She introduced the EA Contracts Manager who then delivered a slide presentation to the Committee, which gave a twelve-month review of the East Herts Leisure Contract.

The Chair thanked the Executive Member and the EA Contracts Manager for the report and presentation.

Councillor Williamson asked for clarity as to what the extra funding of seventeen thousand pounds (which was mentioned in the slide presentation) represented.  

The EA Contracts Manager said that external funding was received from the Herts Sports Partnership which enabled the Grange Paddocks Leisure Centre to run Health Activity and Food Programmes – which were traditional school holiday camps for children from disadvantaged households.

Councillor Nicholls said that the loss of the Ward Freeman pool was a massive loss to the community, and she extended her thanks to those who had given help to the Pool Group. She asked if there were any penalties incurred for the early closure of the pool.

The EA Contracts Manager said that the Ward Freeman swimming pool closure was very sad, and a step which nobody wanted to take. He said that no penalties had been issued, as this did not benefit the community. He said that the closure of the pool had resulted in small redundancies and that there were minimal site costs for the closed building.

Councillor Nicholls asked if there was any data to show if those who were using the Ward Freeman swimming pool were now using the pool facilities in Ware and Hertford, and if the centres offered concessions.

The EA Contracts Manager said that this information could be obtained by proxy by looking at the Ware and Hertford pool data. He said that leisure centre users could choose to ‘pay as you go’ and that concessions were available.

Councillor Deering thanked the EA Contracts Manager for his excellent presentation and extended his appreciation to staff for the success of the facilities. He said that the investment driven success of the facilities could be attributed to the previous administration.

Councillor Hart said that health and safety was paramount, and asked why there were significantly more reported accidents at Grange Paddocks Leisure Centre.  

The EA Contracts Manager said that there was a higher foot fall at Grange Paddocks Leisure Centre, and that the facilities available, such as the 3G pitch, gave an increase in the number of potential incidents from tackles and head clashes.

Mr Sharman asked if a significant increase  ...  view the full minutes text for item 28.

The Information Governance and Data Protection Manager introduced the report, which detailed fourteen reported breaches from September 2023 to April 2024.

The Information Governance and Data Protection Manager said that one of these breaches was reported to the Information Commissioner’s Office (ICO). This was due to a cyber-attack on a sub-processor used by Gatherwell, who provide community lottery services. He said that given the actions taken by the supplier and the council’s assurance of security arrangements, the ICO took no further action and were satisfied with the council’s response.

The Information Governance and Data Protection Manager said that of the thirteen other reported breaches:

·               Nine were due to correspondence being shared with an incorrect recipient.

·               One was due to not correctly using the BCC function when sending an email.

·               Two were due to a calendar invite being sent to multiple attendees, revealing their email addresses.

·               One was due to data not being fully redacted before publication on the council’s website.

The Information Governance and Data Protection Manager said that the following actions were taken in response to the above breaches:

·               Where possible, email recalls were issued.

·               The incorrect recipient was asked to destroy personal data and confirm this by email once completed.

·               Where errors were due to software issues these were immediately rectified with the relevant supplier.

·               Data published in error was immediately corrected or removed.

The Information Governance and Data Protection Manager said that the following actions were taken to prevent similar breaches from occurring in the future:

·               Officers were advised to regularly clear their auto-complete cache to reduce the possibility of sending emails in error.

·               Officers were reminded of the serious implications of a data breach and, where relevant, were advised of further actions or given training to reduce the likelihood of future breaches.

·               A MailTip feature has been activated on outlook which will notify officers when they enter an external email address.

·               Officers were reminded of the importance of liaising with the Information Governance and Data Protection Manager prior to engaging new suppliers, that will process council controlled personal data so that a supplier assurance assessment can be carried out.

The Information Governance and Data Protection Manager said that there had been no increase in the number of reported breaches. He said that had been five subject access requests from September 2023 to April 2024, with all requests processed and responded to within the statutory time limit.

The Chairman thanked the Information Governance and Data Protection Manager for his report.

Councillor Nicholls asked if any of the reported breaches were made by Members, or if they were all caused by officers. 

Information Governance and Data Protection Manager said that all of the reported breaches in the report were attributed to officers.

Councillor Willcocks sought the definition of a subject access request.

The Information Governance and Data Protection Manager said that a subject access request was the right for an individual to access their own personal data, held by an organisation. He said that this type of  ...  view the full minutes text for item 29.

The Head of Strategic Finance and Property introduced the report, which was in a new succinct format, with work underway to replace Pentana software with Microsoft Viva Goals.

The Head of Strategic Finance and Property said that the waste contractor’s vehicle maintenance supplier recently went into administration, but due to the mitigations in place another supplier was quickly found, and that there was no impact upon the Council’s services.

The Head of Strategic Finance and Property said that the Council was awaiting the Local Government Association report following a DMA review, and that this would be used to deal with staffing risks.

Councillor Williamson said that the report was now the best it had been, with the table and scores clear. He extended his compliments to officers regarding this.

Mr Sharman agreed with Councillor Williamson’s positive comments regarding the format of the Risk Register, he noted however that the likelihood and impact number formatting appeared to be the wrong way around.    

The Chair said that the register highlighted the high residual risks regarding technology and finances, and asked if the Council’s IT Department could provide more information in relation to cyber security.   

The Head of Strategic Finance and Property said that the Council’s IT Service was outsourced from Stevenage Council, and that a presentation on cyber security could be arranged for the Committee.   

It was moved by Councillor Nicholls and seconded by Councillor Williamson, that the recommendations, as detailed, be approved. After being put to the meeting and a vote taken, this motion was declared CARRIED.

RESOLVED – that (A) The 2023/24 quarter four corporate risk register be reviewed, and officers advised of any suggested improvements to the format of the risk register; and

(B)   the 2023/24 quarter four corporate risk register be reviewed, and officers advised of any suggested improvements to the format of the risk register.

The Head of Strategic Finance and Property introduced the report. He drew Members attention to the vacant training slots for the September 2024 and May 2025 meetings of the Committee and welcomed Members suggestions for topics for these slots.

Councillor Williamson observed that the Committee had four meetings scheduled for the 2024/25 civic year, which was a decrease from the six meetings held each year until 2022. He asked for clarification if this reduction was due to when the reports could be delivered, or if there was an opportunity to return to more meetings each year, to make each agenda more manageable. He said that the proposed agenda for the January 2025 meeting looked heavy and included budget scrutiny. 

The Head of Strategic Finance and Property said that the meetings were programmed to fit with the accounts and audit regulations, and when the expected outcomes would be. He reminded Members that draft accounts were expected at the end of May, with audited accounts at the end of July, and that meetings had been timetabled around these dates.

The Head of Strategic Finance and Property said that the external audit market had since experienced well know national issues with significant delays to audits. He said that the Council was now in a position where they were expecting to receive a disclaimer from their previous external auditor for 2022/23, and that their newly appointed auditors were attempting to get back to the audit timetable. He said that this is why the agenda for January 2025 meeting of the Committee looked heavy, but that the circumstances were beyond his control.  

The Head of Strategic Finance and Property said that the option of convening a Sub-Committee had been removed as the Committee had previously decided that the accounts should be approved at a full meeting of the Committee.   

Councillor Williamson said that he understood the problems which surrounded external audit and that officers would need to look at the programming of meetings. He said that he also understood that adding in an extra meeting may not work for the reasons explained by the Head of Strategic Finance and Property.

Councillor Deering endorsed the points raised by Councillor Williamson.

Councillor Woollcombe asked if BEAM (formally Hertford Theatre) would feature in the Committee Work Programme.

The Head of Strategic Finance and Property said that that Leadership Team were currently working with BEAM management, and that the intention was to bring a BEAM annual report to the Committee, which would be in the same format as the report heard tonight from EA. He said that this would be added to the May 2025 meeting agenda, but that as the venue was due to open in August 2024 the report would not cover a full year of operation.

Mr Sharman asked if a Data Protection Update was required for the September 2024 meeting.

Members debated this issue and agreed that the Data Protection Update should be received by the Committee twice per year.

Members debated and agreed that  ...  view the full minutes text for item 31.

To consider such other business as, in the opinion of the Chairman of the meeting, is of sufficient urgency to warrant consideration and is not likely to involve the disclosure of exempt information.

There were no urgent items.