Agenda and minutes

The Committee noted the attendance of the following Substitute Members:

Councillor Mrs McKenzie-Boyle was substituting for Councillor Wade.

Councillor Mrs Green was substituting for Councillor for Councillor Mrs Hayes.

Members are asked to declare any disclosable pecuniary or affected interests in respect of any matter to be considered at this meeting.

Any Member with a Disclosable Pecuniary Interest in a matter should withdraw from the meeting when the matter is under consideration and should notify the Democratic Services Officer in attendance that they are withdrawing as they have such an interest. If the Disclosable Pecuniary Interest is not entered on the register of Members interests the Monitoring Officer must be notified of the interest within 28 days.

Any Member with an affected Interest in a matter must disclose the interest to the meeting.  There is no requirement to withdraw from the meeting when the interest is only an affected interest, but the Monitoring Officer should be notified of the interest, if not previously notified of it, within 28 days of the meeting.

There were no declarations of interest.

To approve as a correct record the minutes of the meetings of the Committee held on 24 July 2019.

RESOLVED that, subject to the amendments above, the minutes of the meeting of the committee held on the 24 July 2019 be approved as a correct record and signed by the Chairman.

Justine Thorp from Ernst and Young provided an update on the assurance letter from BerkshirePension Scheme auditors. Deloitte were the overall auditor for the scheme and had communicated that they were unlikely to be able to provide their assurance letter until the end of September, but no specific date had been confirmed. All the other Berkshire Authorities would be in a similar position and the draft accounts had been uploaded to the Bracknell Forest website with an covering note.  

There were no urgent items of business.

To receive an update on both the business continuity and cyber security items included in the Council’s Strategic Risk Register.

The  Governance and Audit Committee had requested at its meeting on the 26 June 2019  that an update be provided on both the business continuity and cyber security items included in the Council’s Strategic Risk Register

Kevin Gibbs, Executive Director: Delivery provided an update on the Cyber Attack risk.

The key points covered included:

• The business continuity risk underpinned the cyber attack risk.
• All public Local Authorities were subject to cyber attack, this had been well publicised with the Lincolnshire attack and the NHS disable a few years ago.
• There was a high likelihood of attack, as the authority relied heavily on IT systems to undertake day to day work.  It was important to do everything possible to keep up to date with system developments.
• Keeping staff up to date an aware of issues was very important. For example fishing emails used to be easy to identify, now they were more crisp and often could fool electronical systems.
• To help combat and lower the likelihood of the risk actions that had been undertaken so far included ensuring that proper security arrangements were in place an ensuring that staff were trained to a high standard.
• All staff had undertaken mandatory GDPR training.
• The Council was a Member of various government early warning groups.
• Microsoft SCP ATP II License had been acquired for advanced security on Office 365- Outlook, Office, SharePoint and Teams as well as security and compliance on all Council data.
• As Microsoft was a global player, it added a level of assurance.
• The move to cloud was expected to happen by the end of 2020. The email system had already moved to Office365.
•   The national infrastructure around cyber security sees the UK as a soft target for attack. The risk appetite didn’t corollate with the national picture but related to the local picture and what was happening around us.
• The risk appetite was what the Council wanted and what could be foreseen. 

There was no benchmarking data available to compare the risk scoring to.

• The appetite score was low as this is where the Council wanted to aim towards.
• It was important steps were taken to make sure that the Council wouldn’t be impacted.
• The unmitigated risk had increased due to the sophisticated environment we were living in.

Kevin Gibbs, Executive Director: Delivery provided an update on the Business Continuity Management risk.

The key points covered included:

• The risk appetite had decreased.  The spike in the graph had been investigated and a review of arrangements was undertaken and as a result work was undertaken to elevate gaps.
• Service Business Continuity Liaison Officers and Emergency Planning Liaison Officers had been identified to work with the Emergency Planning Unit.
• Brexit monitoring arrangements have been put in place and action plans were being developed
• The risk was higher than in 2016/17, it was thought that the organisational restructure had caused this increase. The recent increase was due to the Executive Director instigating a review which highlighted that continuity plans were not robust.  ...  view the full minutes text for item 20.

To consider the following motion:

That pursuant to Regulation 4 of the Local Authorities (Executive Arrangements) (Access to Information) Regulations 2012 and having regard to the public interest, members of the public and press be excluded from the meeting for the consideration of item X which involves the likely disclosure of exempt information under the following category of Schedule 12A of the Local Government Act 1972:

(3)        Information relating to the financial or business affairs of any particular person.

NB:      No representations have been received in response to the notice under regulation 5 of the Local Authorities (Executive Arrangements) (Meetings and Access to Information) (England) Regulations 2012

RESOLVED that pursuant to Regulation 21 of the Local Authorities (Executive Arrangements)(Access to Information) Regulations 2000 and having regard to the public interest,members of the public and press be excluded from the meeting for the considerationof item 6 on the agenda (Item 22 in the minutes) which involves the likely disclosure of exemptinformation under the following category of Schedule 12A of the Local GovernmentAct 1972:

(3) Information relating to the financial or business affairs of any particular

To receive a summary of Internal Audit activity during the period April to August 2019.

Sally Hendrick, Head of Audit & Risk Management provided a summary of Internal Audit activity during the period April to August 2019.

During this period During the period April to August 2019, two grants were certified, one memo without an opinion had been finalised, seven reports were finalised, five reports were

issued in draft awaiting management responses, one draft report was being

discussed and in sixteen cases audit work was in progress.

New definition’s for opinions and priorities were being issued with recommendations to ensure that they were more meaningful and to provide a clearer insight into the degree of severity of opinions and recommendations. These would be included in the Internal Audit Charter which would be brought back to the committee for approval.

Delivery against the planned programme was behind original schedule due to the number of audits which have been requested to be deferred to later in the year. These deferrals would give officers chance to look at areas of weakness and address before audits took place.

The main audit contractors have already raised concern about pressure to deliver the Plan as it is now end-loaded. In some areas there will be pressure on officers with multiple audits ongoing for the same service areas within the same quarter.

Major issues had been identified in the GDPR audit, where ten major recommendations had been found. Lots of work was being undertaken and would be re audited in January 2020.

In the home 2 school transport audit, a major recommendation was raised again due to weaknesses where DBS checks have not yet been received.

In the AGRESSO audit two major recommendations were raised relating to the

absence of a Data Protection Impact Assessment (DPIA) and overdue review of the support agreement. The opinion also reflects ongoing issues around the system that needed to be sorted. A consultant had been appointed to investigate the issues.

One major recommendation was raised in the disabled facilities grant audit due to procurement weaknesses with procuring stairlifts and not testing for best value.

Within a school audit, two major recommendations were raised in relation DBS

checks for governors and frequency of budget monitoring by governors.

As a result of the members questions, the following points were made:

• The Head of Audit & Risk Management was unsure whether the GDPR audit was made against EU or UK derogations, but would check and report back to the Committee.
• The market for procuring stairlifts under disabled facilities grants had not been tested for some time and this was now to be addressed. For other works the required number of quotes was not being sought at the time earlier in the year due to backlog in grant applications.
• The home 2 school transport issues had been a long-standing issue, Members hoped that this would finally be resolved.
• It was thought that the home 2 school transport team didn’t have the control over DBS checks for drivers within their team as this was undertaken by licensing for all taxi drivers.
• Members requested  ...  view the full minutes text for item 22.