An apology was received from Councillor Nigel Lumby.  Councillor Chris Schofield substituted for him.

Members are reminded that they must declare their disclosable pecuniary interests and other registrable or non-registrable interests in any matter being considered at the meeting as set out in Appendix B of the Members’ Code of Conduct and consider if they should leave the room prior to the item being considered. Further advice can be sought from the Monitoring Officer in advance of the meeting.

Members were reminded that they must not participate in the discussion or voting on any matter in which they have a Disclosable Pecuniary Interest and should leave the room prior to the commencement of the debate.

The Minutes of the meeting held on the 20 July 2022 are attached for confirmation.

Contact Michelle Dulson (01743) 257719

Paragraph 5 – Third line assurance: (a) Internal Audit Performance Report and (b) Annual report 2021/22

It was confirmed that the action contained in the second paragraph in relation to receipt of a management report for five audits within IT/ Information Governance and one relating to Dog Wardens that had attracted unsatisfactory and limited assurance opinions had not been actioned for this meeting but first line assurance reports would be presented at the November meeting0

Paragraph 16 – Second line assurance: Approval of the Council’s Statement of Accounts 2021/22

The Chairman commented that it was unacceptable that the Statement of Accounts for 2020/21 had not been signed off 18 months later.  In response, the External Auditor confirmed that work on the 2021/22 accounts had been completed however there had been a delay in relation to receipt of guidance setting out how infrastructure assets should be accounted for.  CIPFA were proposing to change the Code, but this was not expected until November or December and would necessitate some additional audit work being undertaken but it was hoped to finalise this in November or December.

Members expressed concern about the fact that the accounts were not before the Committee at this meeting but accepted the explanation of the External Auditor. 

RESOLVED:

      That the Minutes of the meeting of the Audit Committee held on the 20 July 2022 be approved as a true record and signed by the Chairman, subject to the above.

To receive any questions from the public, notice of which has been given in accordance with Procedure Rule 14.  The deadline for this meeting is 5pm on Friday 9 September 2022.

There were no questions from members of the public.

To receive any questions of which Members of the Council have given notice.  The deadline for this meeting is 5pm on Friday 9 September 2022.

There were no questions from Members.

The report of the Assistant Director Finance and Technology is to follow.

Contact:  Ben Jay 07815 473236

The Committee received the report of the Assistant Director Finance and Technology – copy attached to the signed Minutes – which identified the current use of cloud-based services by the Council and considered its use of these systems (including wider networks and data centres) to house its data and network systems.  It focused on the approach to assurance for internal controls and risk management for these services.  The report also considered the current position in terms of consistency of approach across different types of use of the cloud and the desirability of increased controls and risk management and consistency how these were being applied.

The Assistant Director Finance and Technology introduced his report and drew the Committee’s attention to the key points.  He explained that although there were risks associated with systems hosted within the cloud, the Council and the Council’s IT team did not differentiate in terms of the ways that internal controls and risk management were approached between cloud-based systems and on premises systems.  Overall, there was considerable confidence that there were good internal controls and a good level of engagement risk management around the core network and core systems of the Council to the extent that they were hosted in the cloud or similar arrangements.  There was however an ongoing increase in the level of risk in the external environment, eg cyber-attacks, cyber-resilience and cyber-security so it was important to constantly review the arrangements around internal controls and risk management.  The report sets out where they were and the Committee were invited to comment on whether or not that was felt to be sufficient or whether there were any areas where controls could be included or improved.

The Infrastructure Security and Innovation Manager took members through the report.  He gave the background to the Council’s use of the cloud, which was not new as the Council had been using cloud services for over ten years.  Things had changed slightly recently due to the elevation of cyber risk which had meant putting some additional controls in, including setting up an IT Business Continuity Recovery Group and working with risk, audit and data protection around ensuring that controls were in place.

The Council currently had a ‘cloud where appropriate’ model which aligned to the Government’s approach of how to implement cloud systems.  Cloud services were suitable for some things but not for others and also, the authority had to be conscious of value and often cloud services did not provide best value and so the Council currently had a mix of cloud based and on-premises based approaches.  Some of the smaller system providers for particular service areas had not previously been in a position to provide cloud-based services but as these reached their maturity level, these options were now available to these business areas and would be considered during the procurement process.

The Infrastructure Security and Innovation Manager highlighted some of the controls and compliance areas that were in place.  He explained that ICT had specialist teams and also  ...  view the full minutes text for item 28.

The report of the Risk Manager is to follow.

Contact: Jane Cooper 01743 252851

The Committee received the report of the Risk Management Officer – copy attached to the signed minutes – which provided an overview of the activity of the Risk, Insurance & Resilience Team during 2021/2022 and a synopsis of the current risk exposure of the authority in relation to Strategic, Operational and Project risks.

The Risk Management Officer introduced and amplified her report.  She reported that the Audit review of risk management this year had identified the assurance level as ‘Reasonable’ with actions required of service managers in relation to operational risk management.

The Risk Management Officer drew attention to the June 2022 review when there were 14 strategic risks on the Strategic Risk Register, set out in Appendix B, 10 of which were high, three medium, and one low. 

Turning to operational risks, these were now embedded into a SharePoint site and as such could be updated in real time.  There were currently 126 operational risk registers in place (compared to 128 last year) containing 1,385 risks in total (1299 last year), as set out in Appendix C.  The Risk Management Officer drew attention to the 954 project risks, set out in paragraph 8.3 and Appendix D of the report.

The Risk Management Officer highlighted the work undertaken in relation to Business Continuity Management, set out in Paragraph 9 of the report.  She reported that as part of the Business Continuity arrangements, a cyber incident preparedness business impact analysis was being developed and would result in an Action Plan to address any areas of concern.  It was hoped to hold the postponed inaugural Shropshire Resilience Conference in May 2023 to coincide with the national business continuity awareness week.

In response to a query about the continued high level of risk due to Covid, the Risk Management Officer explained that it was hoped to see this risk reduce by November and the Council have moved to the recovery phase and were getting back to business as usual and work that was delayed.

In response to a query the Risk Management Officer explained that the strategic risks were the high level risk exposure and there would be elements of all those strategic risks within some of the project risks and operational risks and from the November review they would be linking through the operational risks through to the strategic risks so it would be much clearer how those strategic risks were impacting operationally, but also at an operational level, what was being done to mitigate the strategic risk in that area as well.

The Risk Management Officer went on to explain that as part of the operational risk review, which was a month before the strategic risk review, any themes that were linked through to the strategic risks which were of a concern, would feed through to that, along with any emerging theme from the operational risk review that it was felt needed to be considered as a strategic risk in its own right would be raised with the Executive Director team for  ...  view the full minutes text for item 29.

The report of the Executive Director of Resources (Section 151 Officer) is attached.

Contact: James Walton 01743 258915

The Committee received the report of the Executive Director of Resources (Section 151 Officer) – copy attached to the signed Minutes – whichshowed the borrowing and investment strategy for 2021/22, the outturn for the financial year and the investment performance of the Internal Treasury Team, confirming that activities align with the approved Treasury Management Strategy.

The Executive Director of Resources (Section 151 Officer) drew attention to paragraph 4.3 of the report which confirmed compliance with the relevant Codes and Policies to enable the Council to manage the risk associated with Treasury Management activities and the potential for financial loss.

Members’ attention was then drawn to the minimum reporting requirements, set out in paragraph 7.3 of the report, and it was explained that the Executive Directors and Cabinet also received quarterly treasury management update reports.  The reasons for the report coming to Audit Committee were set out in paragraph 7.4 of the report.  The Executive Director of Resources (Section 151 Officer) explained that the detail was contained in the Debt Maturity Profile, Prudential Indicators and the Council’s Borrowing and Investment Strategy and Outturn position for 2021/22, set out in Appendices A, B and C respectively. 

The Executive Director of Resources (Section 151 Officer) reported that the Internal Treasury Team had outperformed their investment benchmark which had been the case for many years.  He confirmed that the Council’s Treasury activities during the year had been within the approved prudential and treasury indicators set and have complied with the Treasury Strategy.

The Chairman congratulated the team for their good work and for never failing to outperform the benchmark.  In response to a query in relation to the Public Works Loan Board rates, the Executive Director of Resources (Section 151 Officer) reported that these were regularly monitored and were expected to increase in the long term.  They were not however at the levels seen in the 1990s when borrowing rates were very high.

RESOLVED:

To accept the position as set out in the report.

The report of the Head of Audit is attached.

Contact:  Ceri Pilawski 01743 257739

The Committee received the report of the Head of Audit – copy attached to the signed Minutes – which summarised Internal Audit’s work to date in 2022/23. The Head of Audit explained that delivery had been impacted due to resourcing challenges which were currently being recruited to and supported by contractors. Lower assurances from reviews were highlighted, providing members with an opportunity to challenge further.

The Head of Audit drew attention to the summary of planned audits, set out at Paragraph 8.2 of the report, along with the planned verses actual Audit days across all Directorates, at paragraph 8.3.  The table set out in paragraph 8.4, set out the assurance ratings of all 12 completed audits, broken down by service area.  The Head of Audit reported that there was one area that had been assessed as unsatisfactory and that was the Payroll 2021/22 audit and Members therefore requested a management report for the November meeting.  The table at 8.5 showed the spread of audit assurances whilst table 8.6 showed the recommendations.

The Head of Audit highlighted the areas where Audit had added value with external clients and unplanned, project or advisory work, set out at paragraph 8.14 of the report.  In conclusion, the Head of Audit reported that it was too early to draw any sound conclusions as to the overall assurance framework.

In relation to the unsatisfactory assurance level for Payroll, the Head of Audit explained that improvements were not just in the power of payroll staff however she had no reason to believe that other stakeholders would not engage.  The Committee expressed their concern if any stakeholders were unable to comply.

In response to a query as to how the unsatisfactory assurance level had come about, the Executive Director of Resources (Section 151 Officer) explained that fundamentally there had been a shift from a dedicated payroll system to a module in the ERP.  When they brought in the new ERP system, it was a case of getting that implemented and in place within the right timescales and ensuring that the fundamental principles of staff were paid and staff were paid the right amount.  So that part was achieved however, as it was not a system dedicated to payroll, whenever there were any changes whatsoever to any terms of conditions, or requirements, or national changes in legislation etc, whereas other dedicated systems the supplier would automatically update them, with the system that we have we have to wait for those to be input by our supplier who are supplying across a wider ERP system. 

He went on to say that there were also specific arrangements within Shropshire that then had to be built into that system so therefore there were processes that enabled those to happen which were not as slick or simple as we would like them to be and require constant testing and updating to make sure they are working.  On top of that, there was a complete change in relation to the way in which the  ...  view the full minutes text for item 31.

The report of the Engagement Lead is to follow.

Contact: Grant Patterson (0121) 232 5296

The Committee received the report of the External Auditor – copy attached to the signed Minutes – which set out the Audit Findings for Shropshire County Pension Fund for the year ending 31 March 2022.

The External Auditor informed the Committee that the Pension Fund Audit was substantially complete and would be presented to Pensions Committee the following day.  The report came to the Audit Committee as those charged with governance in respect of the Council’s Financial Statements within which the Pension Fund accounts sit.

In terms of timelines, the External Auditor explained that delivering audits continued to be a challenge for the sector as a whole but they were aiming to get most audits finished by the end of November.  Work on the Pension Fund had however been prioritised and they were aiming for the end of September to finish their work on the Pension Fund.  He confirmed that the work was substantially complete subject to finalising some work around IT, journal testing and review of final accounts and financial statements.  The External Auditor explained that under the current legislative framework, he could not issue an opinion on the Pension Fund financial statements, nor complete his consistency opinion on the Pension Fund accounts until work had been completed on the Council’s financial statements.  Signing of the accounts would be delayed until hopefully November depending on the infrastructure matter.

The External Auditor drew attention to an unadjusted misstatement of just over £19m which was below the level of materiality (£23m) but above performance materiality of £17m, and as stated in the report, whilst not a material issue, it was close to the materiality level and given the current regulatory environment within which all Auditors were operating, it did kick in additional risk management procedures. Although he was comfortable with how assets had been dealt with and that the asset figure was fairly stated, sample testing was required which could have led to a misstatement that was missed therefore there were certain procedures that he had to go through (as set out in his report) and which would be reported to the Pensions Committee the following day.  The Partner Panel wished him to discuss with management potentially amending the financial statements for that figure as it was so close to materiality.

The Executive Director of Resources (Section 151 Officer) went into more detail around the reason for the misstatement and why it was being proposed by Officers not to adjust it.

RESOLVED: 

That the contents of the report be noted.

The report of the Engagement Lead is to follow.

Contact: Grant Patterson (0121) 232 5296

The Committee received the report of the External Auditor - copy attached to the signed minutes – which provided an overview of the planned scope and timing of the statutory audit of Shropshire Council for those charged with governance.

The External Auditor drew attention to the key points set out in the report.  She explained that External Audit were responsible for expressing an opinion on the Council’s financial statements and as the Audit Plan was a constantly moving document, she confirmed that the risk assessment around payroll would be revisited and would be reported back as it had not been flagged as a risk. 

The External Auditor explained that they had to consider whether the Council had proper arrangements in place to secure economy, efficiency and effectiveness in its use of resources and whether there were any significant weaknesses. Planning in this area was ongoing and further details would be provided to the Committee as part of their progress update.

The External Auditor drew attention to the significant risks identified (as set out on pages 6-8 of the report) for which External Audit would undertake a significant level of work, and which included the risk that revenue and expenditure may be misstated, management over-ride of Controls, valuation of land and buildings and annual Pension Fund valuation.

They also had to build in work around accounting estimates and related disclosures (set out on pages 10 to 11) including how the Council deals with its accounting estimates and identifies its significant accounting estimates in particular.

The External Auditor discussed materiality and logistics (set out on pages 14 and 15 of the report) and she confirmed that any changes would be reported back to the Committee.  She then drew attention to the Audit fees set out on page 16 of the report and highlighted other pieces of work that they complete for the Council eg certification claims in relation to housing capital receipts, teachers pensions and housing benefit claims.

In response to a query, it was confirmed that with the exception of infrastructure, they were not aware at present of any outstanding information.  In response to a query about the number of objections relevant to the Council, it was confirmed that there were two, one in relation to highways and one in relation to planning.  The External Auditor confirmed that these had been progressed and it was hoped to bring them to a conclusion shortly.  It was confirmed that this would cause additional fees.

In response to a query, the Executive Director of Resources (Section 151 Officer) explained that the increase in the number of children in care was a key financial risk and had been reported through the quarterly monitoring reports for last year and this year and was discussed the previous day at Performance Management Scrutiny Committee in relation to the Performance report and the Financial Monitoring Report.  He confirmed that this was an area where they were seeing growth, partly due to lockdown when normal procedures weren’t able to operate  ...  view the full minutes text for item 33.

The report of the Engagement Lead is to follow.

Contact: Grant Patterson (0121) 232 5296

The Committee received the report of the External Auditor - copy attached to the signed minutes - which updated the Committee on some important areas of the auditor risk assessment where External Audit were required to make inquiries of the Audit Committee under auditing standards and which contributed towards the effective two-way communication between Shropshire Council’s external auditors and the Audit Committee, as those charged with governance.

A query was raised in relation to the number of firms of Solicitors utilised by Shropshire Council, as set out on page 7 of the report, and whether this was considered to be cost effective.  In response, the Executive Director of Resources (Section 151 Officer) explained that the Council had a relatively small internal legal team and so to ensure appropriate legal advice was taken for the Council’s ambitious and complex programme of works, different firms were employed for their specialisms in particular areas.  It was felt that this was cost effective and that the structure of the internal legal team was appropriate.

RESOLVED:

That the contents of the report be noted.

The next meeting of the Audit Committee will be held on the 27^th October (provisional date) / 24^th November 2022 at 10:00am.

Members were advised that next meetings of the Audit Committee would be held on the 27 October 2022 (Provisional Date) and 24 November 2022 at 10.00 am.

NB. The provisional meeting scheduled for 27 October 2022 was subsequently cancelled.

      It was with great sadness that the Chairman informed the meeting that the Head of Audit was retiring and that this would be her last Audit Committee meeting. He explained that the Head of Audit had been appointed thirteen years ago and that he had been her Chairman for eight of those years.  He went on to say that it had been a partnership and a relationship which had been very fruitful and he could not speak too highly about how well as chairman during those eight years that he had been supported by her and how easy their working relationship had been.  She had been an absolutely splendid servant of this Council in the thirteen years she had served it and as a Council and in particular an Audit Committee she was owed a considerable debt of thanks for the dedicated way in she has managed the Council’s Audit services over those thirteen years.  The Chairman therefore proposed, and the Committee endorsed, the following resolution:

      RESOLVED: 

      To thank Ceri Pilawski for her services to the Council as Head of Audit over the last thirteen years and to wish her a long and happy retirement. 

To RESOLVE that in accordance with the provision of Schedule 12A of the Local Government Act 1972, Section 5 of the Local Authorities (Executive Arrangements)(Meetings and Access to Information)(England) Regulations and Paragraphs 2, 3 and 7 of the Council’s Access to Information Rules, the public and press be excluded during consideration of the following items.

RESOLVED:

      That in accordance with the provision of Schedule 12A of the Local Government Act 1972, Section 5 of the Local Authorities (Executive Arrangements)(Meetings and Access to Information)(England) Regulations and Paragraphs 2, 3 and 7 of the Council’s Access to Information Rules, the public and press be excluded during consideration of the following items.

The Exempt Minutes of the meeting held on the 20 July 2022 are attached for confirmation. 
Contact: Michelle Dulson 01743 257719

RESOLVED:

      That the Exempt Minutes of the meeting of the Audit Committee held on the 20 July 2022 be approved as a true record and signed by the Chairman.

The report of the Principal Auditor is attached.

Contact:  Katie Williams (01743) 257737

The Committee received the exempt report of the Principal Auditor which provided a brief update on current fraud and special investigations undertaken by Internal Audit and the impact these have on the internal control environment, together with an update on current Regulation of Investigatory Powers Act (RIPA) activity.

RESOLVED:

      That the contents of the report be noted.