Agenda and minutes

Audit Committee - Tuesday, 24th September, 2019 7.00 pm

Venue: Meeting Room 1 (2nd Floor) - 3 Shortlands, Hammersmith, W6 8DA. View directions

Contact: David Abbott 

No. Item


Minutes of the Previous Meeting pdf icon PDF 271 KB

To approve the minutes of the previous meeting and note any outstanding actions.



The minutes of the meeting held on 23 July 2019 were agreed as a correct record.


Apologies for Absence


Apologies were received from Councillor Jonathan Caleb-Landy and Kim Smith (Chief Executive).


Declarations of Interest

If a Councillor has a disclosable pecuniary interest in a particular item, whether or not it is entered in the Authority’s register of interests, or any other significant interest which they consider should be declared in the public interest, they should declare the existence and, unless it is a sensitive interest as defined in the Member Code of Conduct, the nature of the interest at the commencement of the consideration of that item or as soon as it becomes apparent.


At meetings where members of the public are allowed to be in attendance and speak, any Councillor with a disclosable pecuniary interest or other significant interest may also make representations, give evidence or answer questions about the matter.  The Councillor must then withdraw immediately from the meeting before the matter is discussed and any vote taken.


Where Members of the public are not allowed to be in attendance and speak, then the Councillor with a disclosable pecuniary interest should withdraw from the meeting whilst the matter is under consideration. Councillors who have declared other significant interests should also withdraw from the meeting if they consider their continued participation in the matter would not be reasonable in the circumstances and may give rise to a perception of a conflict of interest.


Councillors are not obliged to withdraw from the meeting where a dispensation to that effect has been obtained from the Audit, Pensions and Standards Committee.


There were no declarations of interest.


Annual Audit Letter 2018/19 pdf icon PDF 111 KB

This item presents the annual audit letter and audit fee variation letter from Grant Thornton, the Council’s external auditors.

Additional documents:


Andrew Smith and Keyasha Pillay from Grant Thornton presented the Annual Audit Letter. The letter was a public document that provided a summary of the results of the auditor’s work that was presented to the Committee at its previous meeting. Andrew Smith noted that the papers also included a letter on fee variations for additional audit work carried out. The areas of additional work were:

·         Implementation of the new ledger system (SAP)

·         Assessing the impact of the McCloud ruling

·         Pensions (IAS 19)

·         PPE valuation


Andrew Smith commented that, even with these additional fees the Council, the total cost was still 15 percent below what the previous auditor was charging.


Councillor PJ Murphy asked how the fees were calculated. Andrew Smith said they were based on time sheets and the hours were multiplied by the company’s standard rates for audit work. He added that there were different rates that related to the staff grades but estimated the blended rate at around £500 to £600 per day.


Councillor Murphy noted that he felt the additional fees for Pensions (IAS 19) and the PPE Valuation were questionable. He said it seemed as though Grant Thornton were charging again for work that should have been done better the first time around. Andrew Smith clarified that the Financial Reporting Council had requested auditors carried out further steps and it wasn’t a comment on the quality of the work they had done.


Councillor Murphy said he didn’t think the Council should pay the third and fourth fees. He added that the fee for additional work in light of the McCloud ruling was troubling because it suggested the Council could be charged for any external changes. Andrew Smith said auditors were empowered to charge additional fees for any additional work carried out – whether due to internal or external circumstances.


Councillor Alex Karmel said surely Grant Thornton tendered for a full audit to the satisfaction of the Financial Reporting Council. Assumptions around additional work should have been built into the tender. Andrew Smith said the framework allowed the auditor to come back to the Council for additional fees where necessary.


Councillor Karmel said it was not the fault of the client and in his own business experience the original tender should be honoured. Andrew Smith agreed that it was not the authority’s fault - but said the tender was not fixed fee and the framework allowed additional fees.


Councillor PJ Murphy asked Grant Thornton to reconsider the additional fees. Andrew Smith said they had agreed a standardised approach and would be submitting the additional fee request to Public Sector Audit Appointments Ltd.


Councillor Matt Thorley suggested the auditor could provide discounted fees next year.


Councillor Rebecca Harvey asked for clarification that the auditor was not seeking approval for these fees but was telling the Committee that is what the Council would be charged. Andrew Smith agreed.


The Chair asked if the auditor was aware of these changes ahead of the audit. Andrew Smith said they were only  ...  view the full minutes text for item 4.


Cyber Security Update pdf icon PDF 267 KB

This report gives an overview of the actions undertaken by the Council’s IT team and its suppliers to protect its network and communication channels.


Veronica Barella (Chief Information Officer) presented the report that gave an overview of actions the Council had taken to reduce its exposure to cyber-security risks. A report went to Cabinet on 9 October 2017 entitled ‘Cyber Threat Remediation’ recommending the following key actions that had since been implemented:

·         The introduction of multi-factor authentication

·         An enhanced level of Microsoft licensing

·         Better monitoring of suspicious login attempts

·         A review of file types used to block malicious files


Multi-factor authentication, the use of an associated device or authenticator app to verify identity, had been well received.


The licensing upgrade involved trusted machines and trusted networks which meant the IT department could remove onerous authentication steps for users but keep the same high level of security.


The IT service desk (delivered by Agilisys) monitored suspicious login attempts (e.g. from an unexpected country) and would lock account then contact the user directly to recommend they changed their passwords.


Councillor Rebecca Harvey asked if the system linked accounts to IP addresses. Adrian Dewey (IT Security Manager) said it did – the network addresses for all devices were logged and marked as ‘trusted’.


Veronica Barella noted that one of the key risks was Office 365 because it was cloud-based. Cloud based applications gave greater flexibility (they can be used from most internet connected devices) but presented some additional risks as data was stored outside of the Council.


The Council was also in the process of moving all file-shares to the cloud-based SharePoint Online. IT carried out a risk analysis and identified an issue with users sending sharing links with sensitive data which made it difficult to manage. In response to this, additional controls were put in place for Children’s Services and Adult Social Care – users in those departments can’t send links to anyone outside of their department. This meant they still got many of the benefits of collaboration but couldn’t expose sensitive data to anyone without permission to see it.


Veronica Barella reported that new laptops with Windows 10 and mobile phones had been successfully rolled out to all officers. The previous version of Windows, Windows 7, would no longer being supported by Microsoft from January 2020. Before carrying out the Windows 10 roll-out, IT had their prototype Windows 10 device independently assessed by security experts. They found no critical vulnerabilities and some minor issues which were fixed before the roll-out to staff.


Veronica Barella noted that the Council was due for an updated Public Service Network Certificate in September. The certificate was granted by the Government to enable access to Department for Work and Pensions data. The Council had asked for a six-month extension to the September deadline because of imminent changes to the security patching process. This had been agreed with the Department for Work and Pensions and was considered low risk.


Veronica touched on the Council’s social media accounts and the security around them to prevent unauthorised access that could cause reputational damage. Veronica said she had confirmed with the Communications department that  ...  view the full minutes text for item 5.


Risk Management Update pdf icon PDF 353 KB

This report provides an update on risk management within the Council and presents a revised sovereign strategy and corporate risk register for consideration.


David Hughes (Director of Audit, Fraud, Risk and Insurance) and Mike Sloniowski (Risk Manager) presented the report that gave an update on risk management within the Council. David Hughes noted that the risk register presented as part of the report received regular review by the Council’s Strategic Leadership Team.


Mike Sloniowski highlighted the following key risks:

·         Risk 26, No-deal Brexit – The Council’s preparations for Brexit (continuity planning etc.) were ongoing and there had been a lot of activity in the last quarter.

·         Risk 3, Commercial & Procurement – There had been positive movement on commercial and procurement with a refresh of the Council’s approach to social value and more robust monitoring of contracts and spend.

·         Risk 5, Business Resilience - H&F was a leading authority on business resilience with its community emergency response website.

·         Risk 6, Information management – In addition to the work the Council had been doing to improve general data management and cyber-security there had been a number of recommendations made to reduce the number of data breaches in Children’s Services. Training had been provided to staff and technical controls had been put in place.

·         Risk 33, Hammersmith Bridge – The Council was exploring installing a bailey bridge for pedestrians and cyclists to remove them from Hammersmith Bridge and speed up construction.


The Chair noted there was a new risk around preparedness for a snap general election and asked if the Council was looking at the level of voter registration in the borough. Mike Sloniowski said the Council had a very well administered elections team and voter registration was a high priority for them.


Councillor Alex Karmel, in reference to Risk 32, asked where the property with the notice of deficiency was located. Mike Sloniowski said he would check with colleagues and update members by email.

ACTION: Mike Sloniowski


Councillor Alex Karmel, in reference to Risk 33, asked how advanced plans were for the proposed bailey bridge and whether the cost of that was included in the £25m budget or whether it would be a further draw on the Council’s resources. Hitesh Jolapara (Strategic Director of Finance and Governance) said he would discuss with Sharon Lea (Strategic Director for Environment) and provide a response.

ACTION: Hitesh Jolapara / Sharon Lea


Councillor PJ Murphy, in reference to Risk 21, noted that King Street Civic Campus was one of the Council’s biggest projects and asked if the team responsible was getting all of the help and support they required to make a success of it. Mike Sloniowski reported that he and David Hughes were attending the programme management team meetings to provide support where necessary.


The Chair, in reference to Risk 19, asked if officers were confident that the coroner’s office was now operating correctly. Mike Sloniowski reported that the responsible Assistant Director, Rhian Davies was confident it was well managed from the Council’s perspective. A lot effort had been put in to support the service.


Councillor PJ Murphy noted that a recent report to the Finance, Commercial  ...  view the full minutes text for item 6.


Internal Audit Quarterly Update pdf icon PDF 191 KB

This report summarises internal audit activity up to 13 August 2019.


David Hughes (Director of Audit, Fraud, Risk and Insurance) presented the report that summarised internal audit activity up to 13 August 2019.


He reported that a total of five audit reports had been finalised since the last report to the Committee in July. All five reports in the areas of Gas Safety, BT and Agilisys Contract Monitoring, Housing Rents, Coroners, and Cemeteries and Bereavement Service achieved satisfactory assurance. There were no issues of significance or concern to report to the Committee.


The Chair asked officers to provide more information on the gas safety audit given the issues with the service in the past. Councillor Alex Karmel asked officers to check how many, if any, warrants were needed to carry out the gas safety checks.

ACTION: David Hughes


That the Committee noted the contents of the report.


Internal Audit Charter 2019 pdf icon PDF 230 KB

In accordance with the requirements of the Public Sector Internal Audit Standards, the Council has an Internal Audit Charter. The Charter is reviewed annually. The Committee is asked to consider the Council’s compliance with its own and other published standards and controls.

Additional documents:


David Hughes (Director of Audit, Fraud, Risk and Insurance) presented the annual update to the Council’s Internal Audit Charter – changed included reference to the

CIPFA Statement on the Role of the Head of Internal Audit in Public Sector

Organisations and organisational changes during 2019.


David Hughes highlighted section 9.2 of the charter that gave assurances over the independence of the Director of Audit, Fraud, Risk and Insurance and ensured that internal audit reviews of the functions he was responsible for would be carried out and supervised independently of the Director.


Councillor PJ Murphy said it would be helpful for the Committee to have the changes from the previous year highlighted. David Hughes said section 9.2 was the key difference and he would be happy to do that next time.


ACTION: David Hughes


Councillor Alex Karmel asked if the register of potential conflicts of interest for staff in the internal audit and anti-fraud services (9.3 of the charter) was available for public inspection. David Hughes said it was held internally in the department. As with other declarations of interest by officers that information was not typically made public.


Councillor Karmel asked that the Council considered making the register public in the spirit of being open and transparent. David Hughes said he would discuss it with the Monitoring Officer.

ACTION: David Hughes


That the Committee noted the contents of the report.


Dates of future meetings

Dates of future scheduled meetings:

·         9 Dec 2019

·         11 Mar 2020


The following dates of future meetings were noted:

·         16 December 2019

·         11 March 2020