Agenda item

Internal Audit Progress Report

• Meeting of Audit and Governance Committee, Tuesday, 30th September, 2025 4.00 pm (Item 36.)

Purpose

To present a summary of the audit work concluded since the last meeting of this Committee.

 

Recommendation

That the Audit and Governance Committee resolves to:

1.    Note the report

 

Minutes:

The purpose of the report was to present the progress of the Internal Audit team.

The Chair explained that this report consisted of four items and requested any comments from members. The Head of Internal Audit noted that of the listed actions on page 12 in Annex B, only one was currently still active in addition to one having been subsumed into another active project (Business World).

• The Committee asked which leisure centres were reviewed to generate this report to which the officer confirmed that this report was only based on Cirencester Leisure Centre and the Corinium Museum, while reviews of other leisure centres were either ongoing or expected to be completed by the end of the year.
• The Committee queried whether, once completed, the reviews of other leisure facilities would be provided as multiple, separate reports or combined into one – the officer advised that both could be provided to members to which the Committee confirmed its preference that points be listed for each report, to allow members to more easily identify the facilities with concerns.
• The Committee queried why the ‘leisure and culture facilities’ section was listed as ‘high’ on the operational risk assessment and what the main concerns were therein. The officer clarified that this was due to noncompliant health and safety risks as identified by the auditor, including safeguarding around CCTV usage, which may constitute an operational risk to the Council – the Committee further asked whether these were being actioned, to which the officer confirmed that the two Priority One agreed actions had already been completed as detailed further in the report.
• The Committee commented that it was promising that these major concerns were being promptly addressed but queried whether there were any KPIs in place for the Council’s ongoing relationship with the relevant management/facilities provider, to ensure compliance, and that the option existed for a ‘commercial impact’ on suppliers for breaching relevant requirements.  The Head of Economic Development and Communities clarified that during the investigation, development, and production of this report since around November 2024, the contract for management of this leisure centre had transferred from Publica into the Council’s direct responsibility, meaning there had recently been a transitional period for who had direct oversight over this issue – there was a work plan from the officer who took the relevant post in July 2025, and of those findings some had been actioned immediately, but the recent focus had been on developing a robust process for identifying and rectifying issues with suppliers. This was previously conducted on an ad-hoc basis but was now a regular agenda item to improve oversight going forward.
• The Committee further questioned the Council’s contractual status with the company delivering these services, and whether the Council could ensure compliance through commercial consequences for them. The officer clarified that while there were KPIs in place with the contractor to monitor standards, there was limited ability to enforce fiscal consequences due to the profit-sharing nature of the contract– something like withholding payment would not be an option due to this arrangement. The Committee requested a confirmation that this would imply a ‘shared interest in ensuring compliance’, to which the officer confirmed that on many issues listed in the report the direct legal obligation was on the supplier rather than the Council as owners and as such the relevant legal consequences would be applied to them if it were necessary.
• The S151 Officer added that in his view there was no specific range of KPIs to monitor as such; the officer considered a supplier to be either compliant or not, and if not, they should be providing clear and actionable steps to the Council to explain how they intend to remedy such a position. He explained that other local authorities or other types of contracts may have considerations for lower-priority health and safety risks wherein a point system for severity was implemented, but that this contract did not have this as it was a partnership arrangement with the supplier and as such compliance was in both parties’ interests.
• The Committee queried whether there was a protocol in place for continued testing and auditing in future for things like fire alarm and water pH testing, to which the officer confirmed that there were regularly external contractors who attended to test pool water and fire alarms among other facilities already agreed but that this would be a concern for the management onsite to monitor.
• The Committee noted the second sentence of page 91, reporting that officers were unable to confirm how CCTV was managed in facilities owned by local schools and commented that previously there had been some confusion regarding responsibility for compliance on this matter. The officer advised that they could provide a more detailed written response to members on this issue outside of the meeting, but that the concern regarding dual-use facilities lay in whether the relevant facilities were under local authority or local education control, particularly regarding CCTV use as there were strict safeguarding guidelines to be aware of in any school usage scenario.
• The Committee observed that previous reports noted a requirement for replacement security cameras at the Corinium Museum and this report included a similar comment on page 93. The Committee was concerned that these essential security measures may leave the collection of artifacts stored in the museum potentially at risk. The Deputy Chief Executive Officer suggested that this query would also be suited by a more detailed written response and that there were GDPR concerns with the installation of surveillance onsite, although there was already a CCTV policy in place for the Council.

The Chair introduced the final item in this report, the audit of the Counter Fraud and Enforcement Unit. The officer noted that this was directly requested by the manager of the counter-fraud team and that the result has been a ‘glowing review’. The officer explained that this was requested due to the team’s access to confidential information from multiple local authorities and the increasing importance of data security, and that it was decided that an objective review of the team’s existing procedures would be appropriate to ensure a high level of compliance. The Chair noted that he considered this a responsible action and encouraged other managers who may be unsure to request similar audits.

RESOLVED: The Committee noted the report.

 

Supporting documents:

• Agenda XX IA Progress Report Sept 2025, item 36. PDF 546 KB
• ANN A CDC Internal Audit Plan Progress Sept 2025, item 36. PDF 1 MB
• ANN B CDC Agreed Actions Sept 25, item 36. PDF 503 KB

 

Related Pages

• Browse agenda/minutes
• Constitution
• View meetings calendar
• Search all documents
• View new publications