Issue - meetings
Internal Audit Progress Report
Meeting: 28/01/2025 - Audit and Governance Committee (Item 319)
319 Internal Audit Progress Report 
PDF 530 KB
Purpose
To present a summary of the audit work concluded since the last meeting of this Committee.
Recommendation
That the Audit and Governance Committee resolves to NOTE the report.
Additional documents:
- ANNEX A CDC Internal Audit Plan Progress Jan 2025, item 319
PDF 1 MB
- ANNEX B Agreed Actions Jan 2025, item 319
PDF 508 KB
- ANNEX C CDC Draft Internal Audit Plan 2025, item 319
PDF 495 KB
- Webcast for Internal Audit Progress Report
Minutes:
The purpose of the report was to present a summary of the audit work concluded since the last meeting of this Committee.
The Assistant Director of SWAP Internal Audit Services presented the report which was an update on the Internal Audit team's work for Cotswold District Council. The report was extensive, covering eight final audit reports—three with substantial assurance, two with reasonable assurance, and one with limited assurance. Additionally, two advisory reports were issued due to service transitions back to the Council from Publica, with no assurance ratings provided.
An update on Open Agreed Actions was included in Annex B, along with a draft plan for 2025-26, which members were invited to review and provide feedback on.
Councillors asked for clarity around the Emergency Planning function. It was confirmed that this service would remain within Publica, and that a Section 113 agreement was in place, allowing statutory officers across Cotswold, Forest of Dean, and West Oxfordshire District Council to provide strategic-level emergency planning support. Tactical-level support was adequately covered by Publica staff within the emergency planning team, with a detailed on-call rota and guidance in place. The Emergency Planning Service, when reviewed by the three partner councils, was considered to be robust under existing arrangements. While the nature of strategic-level support had changed for major incidents, tactical-level coverage remained sufficient.
The Committee raised concerns about the data protection and data breaches section and asked if the suggestions offered in the report were mandatory as the issues reported needed to be addressed. It was noted that the advisory report was conducted during a period of transition within Publica, and the data breach register was initially found to be of poor quality. Since then the data breach register had improved to meet expected standards as per the audit which followed best practices based on guidance from the Information Commissioner's Office.
A broader issue was identified regarding internal controls, particularly as services transferred from Publica to the Council. The Deputy Chief Executive emphasised that these concerns would not be ignored, and assured Members that a review of internal controls would take place.
Specific concerns were raised about human resources, including the lack of corporate monitoring of sickness absence reporting. It was acknowledged that approaches that had worked for Publica might not be suitable for the Council and might require modification. Assurance was given that advisory findings and best practice recommendations would be addressed. The Audit and Governance Committee would receive an update at its next meeting in May, detailing identified issues, actions taken, and further steps required.
The Planning Advisory Service was expected to review the planning service in March, likely recommending improvements related to internal controls and governance.
The Committee raised concerns about potential GDPR breaches in relation to data breaches. It was unclear whether a statutory breach had occurred, the Assistant Director of SWAP committed to reviewing this and updating the Committee. A follow-up audit for both HR and data breaches would be included in the 2025-26 audit plan to ensure ... view the full minutes text for item 319