Agenda and draft minutes

Apologise for absence were received from Councillor Adrian Pascu-Tulbure and Sharon Lea (Chief Executive).

If a Councillor has a disclosable pecuniary interest in a particular item, whether or not it is entered in the Authority’s register of interests, or any other significant interest which they consider should be declared in the public interest, they should declare the existence and, unless it is a sensitive interest as defined in the Member Code of Conduct, the nature of the interest at the commencement of the consideration of that item or as soon as it becomes apparent.

At meetings where members of the public are allowed to be in attendance and speak, any Councillor with a disclosable pecuniary interest or other significant interest may also make representations, give evidence or answer questions about the matter.  The Councillor must then withdraw immediately from the meeting before the matter is discussed and any vote taken.

Where Members of the public are not allowed to be in attendance and speak, then the Councillor with a disclosable pecuniary interest should withdraw from the meeting whilst the matter is under consideration. Councillors who have declared other significant interests should also withdraw from the meeting if they consider their continued participation in the matter would not be reasonable in the circumstances and may give rise to a perception of a conflict of interest.

Councillors are not obliged to withdraw from the meeting where a dispensation to that effect has been obtained from the Standards Committee.

There were no declarations of interest.

To approve the minutes of the meeting held on 9 December 2024 as an accurate record.

The minutes of the meeting held on 9 December 2024 were agreed as an accurate record.

The Institute of Internal Auditors (IIA) published new Global Internal Auditing Standards (GIAS) in January 2024 with the Internal Audit Standards Advisory Board (IASAB) and CIPFA publishing the Global Internal Audit Standards in the UK Public Sector Application Note, in December 2024.  The existing Internal Audit Charter and Audit Strategy have been reviewed and updated to take into account the requirements of the new Standards.

This report seeks the Committee’s feedback on the Strategy and approval of the Charter and Mandate.

Moira Mackie (Head of Internal Audit) briefed the Committee that the new Internal Audit Strategy 2025-2028, Charter and Mandate were reviewed and updated taking into account the requirements of the new Global Internal Audit Standards (GIASs) (please see information paper on page 83). CIPFA had helped adapt the private-sector focused GIASs for the use of the public sector.  For example, the Board was interpreted as equivalent to the Audit Committee in local authorities.  The GIASs also set out the roles and responsibilities of the Internal Auditors who should act in an ethical and transparent manner while maintaining communication to the satisfaction of the Audit Committee. Moira further said that the Strategy was developed to show continuous improvements over time along with progress reports submitted to this Committee.  The Charter and Mandate had been completely refreshed to align with the new GIASs and required the Committee’s approval.  Members noted that while the GIASs were applicable in the UK from January 2025, the public sector were implementing the new Standards from 1^st of April 2025.

Councillor David Morton was concerned about the liabilities of this Committee for the wrong doings such as fraud cases found in the Statement of Accounts it had signed off.  David Hughes (Director of Audit, Fraud, Risk and Insurance) assured that under the Accounts and Audit Regulations 2015 and the Council’s requirements made through the S151 officer, robust arrangements had been in place for risk management and for internal control and protection against frauds.  As regards personal liabilities, David Hughes pointed out that according to the Council’s insurance policies, all officers and members were covered in carrying out their duties as part of the Council.

Councillor Florian Chevoppe-Verdier appreciated the Strategy and quoted some favourite sections on pages 19 and 22. He sought examples on ways to leverage technology for ‘enhanced efficiency’ during service delivery. David Hughes highlighted the benefits of using data analytics in audit works, for example, by looking for areas of anomalies or trends among the whole population of data before deciding to carry out an audit of a particular area. The Internal Audit team was already working closely with the Council’s Business Intelligence team to collect internal data on potential issues around fraud.  The continuous audit approach in the Internal Audit Plan 2025/26 was also using data analytics to track potential concerns and provide assurance in a more efficient and less costly way.

Addressing Councillor Lisa Homan’s questions, David Hughes noted that the new GIASs superseded the previous one promulgated in 2018 and applied similarly globally to all UK companies around the world.  He acknowledged that the Council could under the new Standards look at potential contractors’ internal audit strategies. 

In reply to Councillor Homan’s further concern about contractors’ risk assessment, David Hughes said this fell within the scope of contract management audits which involved risk management.  The audits would look at how departments were managing the risks of major suppliers/contractors and details of their contract management particularly those key ones on the  ...  view the full minutes text for item 4.

The Strategic Audit Plan documents significant, persistent risks that the Council faces and the associated business areas and is used to support the annual planning process to ensure that internal audit continues to provide assurance over the breadth of the Council’s operations.

The ‘3 plus 9-month’ plan approach allows for the first three months to be identified in detail with the remaining nine months being more flexible to reflect the risks and needs of the Council at the time. 

Moira Mackie (Head of Internal Audit) introduced the report and explained that to ensure the Annual Audit Plan (the Plan) was more responsive to changing risks and challenges, it had been developed as a ‘3 plus 9-month’ plan since 2021. Besides, the Internal Audit Service was considering where a programme of continuous auditing could be developed. For example, ‘health and safety’ which used to be audited in isolation might be considered as an area for continuous auditing (pages 42 & 43) where ongoing data would be collected and assessed.  The 2025/2026 Plan had also identified general areas for audit coverage, some of which were confirmed audits with timing while others were evolving audits under discussion. The Committee would be updated about the 2025/2026 Plan during the year.

Councillor Florian Chevoppe-Verdier considered the ‘3 plus 9-month’ approach highly agile allowing priorities to shift in response to local and national events. Separately, he looked forward to hearing more about continuous auditing, how technologies/tools could help achieve better value for money and meeting the increasing demands for auditing from central government.

Noting that ‘Building Control’ was one of the confirmed audits included due to changes in legislation, Councillor Lisa Homan sought more details as it was related to residents’ concerns over planning applications. Moira Mackie said as agreed with the Department of Place, the audit would better be done in Q2 of 2025/26 as there had been a lot of changes in the building regulations. David Hughes (Director of Audit, Fraud, Risk and Insurance) referred to the learnings from the Grenfell Tower tragedy, with the new building safety regulator in place to carry out audits of building control functions. The Internal Audit Service would help the local authority to meet the new regulatory requirements in terms of training, supervision and quality management from planning permission to inspections. 

On Councillor Homan’s concerns about contracting building control functions out from the Council and the resources implications, David Hughes said the Grenfell Tower Inquiry Report had recommended the Government to undertake a review of the provision of building control functions by local authorities as well as approved inspectors in the private sector. The audit would also review the regulatory and enforcement roles when delivering building control services while providing advice to residents.

On the Chair’s question about possible delays in completing the audits due to staff turnover, Moira Mackie said there was usually some other staff who could support the audit work with the scope perhaps changing to be more supportive and advisory than assurance.  Also, it might be worth carrying out the audits with the new people as they might do things differently.  She added that changes might be triggered by changes in people, system or legislation. 

The Chair requested that when assurance could not be provided for any confirmed audits, explicit explanations on the situation like people change should be provided to avoid misunderstanding of the presence of ongoing issues. 

ACTION: Moira Mackie

In this connection, Sukvinder Kalsi (Executive Director of Finance & Corporate Services) remarked  ...  view the full minutes text for item 5.

Local authorities are required to have risk management arrangements in place. The Council’s approach to managing risk is explained in the Risk Management Strategy which is being presented to the Committee for approval.

David Hughes (Director of Audit, Fraud, Risk and Insurance) presented the Risk Management Strategy 2025-2028 which reflected a global evolution of risk management in response to the economic situation resultant from the pandemic and world events.  During the past few years, risk management had changed a lot particularly in the public sector.  This Strategy embedded the risk management culture of the Hammersmith and Fulham (H&F) Council where there was really good engagement/ of the Chief Executive and the Senior Leadership Team (SLT) and good support of the Audit Committee. David then highlighted the organisational benefits of effective risk management, the structure of the Strategy and an Annual Assurance report on risk management.   He said that upon the Committee’s approval of the Strategy, training would be provided to ensure all staff were aware of the Strategy and knew how to use the risk management toolkit to support the senior management and service teams in maintaining their risk registers.

Jules Binney (Risk and Assurance Manager) remarked that the new Risk Management Strategy was developed based on experience and knowledge of the entire industry.  He was confident that the Council could have even more control over the risks going forward with the residents in a better informed position.

Councillor Florian Chevoppe-Verdier appreciated the roles and responsibilities of all staff and all elected members had been set out clearly in the Strategy so that each could play their part.  He sought elaboration on outcomes of engagement with directorates or the internal teams.  David Hughes said he and his team held regular meetings with the SLT and service teams on risk management arrangements regarding some of the key programmes and projects listed on the risk registers. More training would be provided to bring staff at junior managerial ranks to involve themselves in risk management.

On Councillor Chevoppe-Verdier’s question about insight sharing and industry collaboration with the risk management sector, David Hughes referred to expertise and knowledge sharing among heads of internal audit via the London Heads of Audit Network and the UK-wide Local Authority Chief Auditors Network. In addition, the Institute of Internal Auditors (IIA) provided a good summary of emerging risks identified globally each year.  Materials around emerging risks were also produced by the private firms engaged to help some of H&F’s internal audit work.  As such, H&F was well connected to look at risks from a much wider base over a range of avenues.

The Chair was concerned whether the risk management toolkit was robust enough to respond to the different scenarios resulting from unprecedented events.  David Hughes highlighted the importance of training for staff to adopt the risk management practices and think about the kind of risks (which should be differentiated from issues) that the service teams were facing. Jules Binney added that while it was never possible to anticipate the situations fully, more leeway would now be available by implementing the measures in the new Strategy.  He outlined horizon scanning which helped identify emerging and potential risks over  ...  view the full minutes text for item 6.

The purpose of this report is to provide members of the Audit Committee with an update on risk management across the Council.

David Hughes (Director of Audit, Fraud, Risk and Insurance) briefed the Committee on the Risk Management Update and Corporate Risk Register 2024/25. He highlighted the increase or reduction in risk scores and the addition of three new risks (page 75). He further noted that the Risk Register had been reviewed by the SLT Assurance which suggested the narratives for each risk be focused on the current arrangements and mitigation plans. Going forward, lead directors/risk owners might attend committee meetings and report the outcomes of the arrangements and any changes to the planned actions.  Members might deep dive a particular risk to make sure it was maintained or reduced. David added an update on risk management arrangements on cyber security would be presented at the June meeting.

Jules Binney added that the Risk Register was under evolution where the risk narratives were outlined with specific mitigations making them easier to understand. A new Risk Register with defined actions and responsibilities taken by the risk owners would soon be rolled out after testing.  While reducing the number of risks was preferential (like the dropping of the risk relating to the Hammersmith Bridge because it no longer held a systemic risk to the Council), the Council had to live with some risks such as cyber security because cyber-attacks would continue to happen regularly. 

Believing the risk related to cyber security had to remain “Red” in future, Councillor Lisa Homan observed that the risk relating to the management of complaints, requests for information, members enquiries (risk no. 18) should be resolved soon and show progress from “Red”. David Hughes acknowledged her observation as the SLT Assurance was leading actions in that direction.  He undertook to provide more assurance by bringing a more detailed report on this to a future meeting.

ACTION: David Hughes

On Councillor Homan’s concern about the progress of any risk escalating from “Yellow” to “Red”, David Hughes said the financial management and medium-term planning (risk no. 19) had been a key focus for the S151 Officer and the Cabinet Member for Finance and Reform. While a lot of good work had been done to bring a balanced in-year budget, the position of the Medium-term Financial Strategy (MTFS) at H&F, like that of many other authorities, was becoming increasingly challenging.

Councillor Florian Chevoppe-Verdier recalled this Committee had agreed to the recommendations of having more risks while adopting the approach of risk ownership. Referring to the risk of failure to comply with the new Building Safety Act and certification of 49 Higher Risk Buildings (HRBs) (risk no. 10), he asked if this was a one-time thing or an annual exercise and whether the Building Safety Managers recruited for the purpose could meet the workload to certify the remaining 23 HRBs.

David Hughes noted that local authorities were required to register HRBs by September 2024. The Building Safety Regulator (BSR) had invited H&F in January this year to certify 26 of its 49 HRBs. The building safety cases involved very detailed submissions  ...  view the full minutes text for item 7.

New Global Internal Audit Standards were published in January 2024, these will become mandatory for the profession in early 2025. Further guidance on the application of the Standards in UK public sector and local government will be provided by IASAB and CIPFA respectively and comes into force from April 2025.

This report provides the Committee with an overview of the standards and some materials to assist Members in gaining a better understanding of requirements.

David Hughes (Director of Audit, Fraud, Risk and Insurance) introduced the information paper on Global Internal Audit Standards (GIASs) which were covered in earlier discussions. He reiterated going forward, the reporting of audit work would include a full gap analysis to the GIASs to reflect compliant. Moira Mackie added that things done differently shall fall under gap analysis the outcome of which would lead to acceptable practices.

As regards Councillor Florian Chevoppe-Verdier’s question on the industry feedback about the proposals in GIASs, David Hughes said there were a lot of feedback across the globe from different sectors during the lengthy consultation period.  Local authorities in the UK responded quite strongly that the GIASs did not give enough recognition to the public sector, in particular local governments.  Further guidance on the application of the Standards in UK public sector and local government had been published by IASAB and CIPFA respectively.

Moira Mackie said H&F had shown how it would be compliant to the GIASs through the Internal Audit Strategy. In addition to complying the GIASs, the audit work would also be subject to external assessment similar to the last year against a set of slightly different measures.

Councillor Chevoppe-Verdier asked whether this Committee would adopt one or more of the following (page 91) as recommended by the Chartered Institute of Internal Auditors (IIA):

• An agenda item covering the transition at every Audit Committee meeting until the transition was completed.
• Deep Dives commissioned by the Audit Committee on aspects it felt were key to meet the requirements.
• Appointment of an independent third party to provide assurance to the Audit Committee on the transition arrangements. This might be part of an External Quality Assessment.

David Hughes said the Internal Audit Services planned to highlight the key things going on during the transition as part of the audit update. The Committee might raise any particular areas that members would like to dive deeper through briefings or formal reports. Moreover, unlike the previous arrangement whereby internal audit works were subject to reviews by peers at other London local authorities with no conflict of interests, they would now need to be externally assessed by independent third parties once every five years.

On Councillor Chevoppe-Verdier’s further question about the frequency of gap analysis, David Hughes advised it would be an annual exercise with refreshed information being fed into the annual self-assessment and the Head of Internal Audit’s Annual Reports. In addition to these annual engagements, the internal audit works would be subject to external assessments once every five years. During the interim, the Audit Committee would be briefed on a regular basis about the gaps and steps taken to address them. David said the Committee could give some thoughts on the appointment and engagement frequency of the independent external reviewer in order to obtain an assurance sooner when the GIASs were newly implemented.

In response to the Chair’s concern about the acute shortage of auditing professionals in the market and hence possible delays of assurance, David  ...  view the full minutes text for item 8.

To note the dates of future meetings:

·       9 June 2025

·       22 September 2025

·       1 December 2025

·       16 March 2026

·       8 June 2026

The Committee noted the dates of future meetings:

· 9 June 2025

· 22 September 2025

· 1 December 2025

· 16 March 2026

· 8 June 2026