Agenda and draft minutes

Audit Committee - Monday, 2nd June 2025 6.00 pm

Venue: Committee Room 1, City Hall.

Contact: Catherine Wilman, Democratic Services Officer. Tel: (01522) 873370 or Email: democratic.services@lincoln.gov.uk

Items
No. Item

1.

Confirmation of Minutes - 25 March 2025

Minutes:

RESOLVED that the minutes of the meeting held on 25 March 2025 be confirmed and signed by the Chairman as a correct record.

2.

Matters Arising

Minutes:

Minute 54 from 25 March 2025 – Internal Audit Recommendations Follow-Up - Resolved that an update be provided at this Committee on the overdue internal audit recommendations relating to IT. An update was provided to the Committee as follows:

 

- Regular updates were being made to CMT on the overdue recommendations to keep these on track.

- A disaster recovery exercise was being developed, with opportunities to coordinate with neighbouring authorities and the Lincolnshire Resilience Forum also being considered. Information from the National Cyber Security Centre had been reviewed and external providers were available to assist where needed.

- A major piece of work was underway to reduce the number of documents held in files and on servers. Data retention and disposal policies were being reviewed to ensure that documents no longer needed could be deleted. So far, efforts had reduced the number of obsolete documents stored on Council servers from 10 million to 7.5 million. A small project team had been set up to continue momentum and support services. An internal spring clean campaign would be promoted for managers and teams to get on board.

- The internal Information Governance Group would be updated on the Cyber Risk Register at the next meeting.

- Mobile phone compliance was working through replacing devices which had been identified for upgrade.

- There were no significant issues on the Cyber Incident Log; however, close attention was being paid to the aftermath of the recent Marks and Spencer and Co-operative cyber-attacks.

- Asset management actions were ensuring those staff whose equipment was at end of life would receive replacements.

- Under the Asset Disposal Policy, where devices needed to be disposed of, there were key regulations to follow for the removal or destruction of data and the disposal of electronic equipment. A contractor had been identified for this.

 

Questions from the Committee confirmed the following:

 

- IT assets were used for as long as possible, rather than being replaced on a shorter cycle as in some organisations, and were often at end of life, which made donation for community use to improve digital inclusion challenging. However, once sensitive information was removed, and if there was still use available in the device, this would be actioned where possible.

- IT assets were bought outright and owned by the Council.

- Many of the outstanding recommendations from the internal audit were due to be completed by July 2025 and the Committee would continue to receive updates on progress as necessary.

 

3.

Declarations of Interest

Please note that, in accordance with the Members' Code of Conduct, when declaring interests members must disclose the existence and nature of the interest, and whether it is a disclosable pecuniary interest (DPI) or personal and/or pecuniary.

Minutes:

No declarations of interest were received.

4.

Information Governance Update

Minutes:

The Data Protection Officer presented the Information Governance Update and directed members to the Information Governance Risk Register. All risks required ongoing mitigation, and the four main risks highlighted for comment were:

 

- Training (Risk 1)

- Policies and Procedures (Risk 3)

- Retention and disposal of Personal Data (Risk 5)

- Data Subject’s Rights and Freedom of Information Requests (Risk 8).

 

The report also included monitoring of the Council’s compliance with its legal obligations under the Freedom of Information Act 2000.

 

During discussion and questions arising from the report, the following points were noted:

 

- An Artificial Intelligence (AI) Acceptable Usage Policy was in development, which meant no AI programmes or applications were authorised for use on the Council’s computer network until the policy had been approved and deployed. AI would provide many benefits for staff, but the risks also needed to be considered.

- A retention and disposal policy had been approved for the automated deletion of 1-1 chat messages on Microsoft Teams after six months. The policy would come into effect on 1 July 2025. There had been no guidance from the Information Commissioner’s Office on the length of time such transitional messages should be kept; however, six months was decided upon after discussing the matter with other authorities whose retention policies varied from one week to three years. The length of time could be changed, if necessary.

- Recordings on Microsoft Teams should be managed by the owner of the Channel, who had responsibility for ensuring videos were saved only if required for future reference (such as for training); otherwise, they should have a short retention.

- The number of Data Subject Access Requests received in the quarter October – December 2024 was 41, 88% of which had been completed within the required time. Most requests for personal data had come from third parties such as the Police, NHS or the Home Office. In these cases, the subjects in question were not notified of the request as it was likely to be for the purpose of crime detection or investigation. The number of requests received had been steadily increasing and it was thought this was due to the public being more aware of their rights around data protection.

- Being a public body, the Council was subject to Freedom of Information (FOI) requests and performance statistics were published online. January to March 2025 had seen the largest number of FOI requests to date, and consideration was being given to allowing more accessibility to data via the Council’s website. Data transparency requirements were being met by the Council, but further analysis on the nature of requests was needed.

- It was suggested that proactively publishing more datasets on the website could be used to ensure requests were being made to the correct organisation. Under the Freedom of Information Act, the Council had 20 working days to respond to a request, so each application took officer time to process, even when only signposting.

 

RESOLVED that the report, including the Information Governance Risk Register, be noted.

 

 

 

 

5.

Internal Audit Progress Report

Minutes:

A report on the progress of the internal audit plan was considered. It explained the current position and summarised the outcomes of audits completed since the previous meeting of the Audit Committee.

 

The third quarterly follow-up spot check of implemented actions had been completed. This was done to ensure that actions had been implemented as reported to Internal Audit.

 

Seven reports had been issued during the period. Executive summaries for all of these were provided in the public Committee report with more detailed summaries for the limited reports included in the exempt Appendix A in the private part of the agenda.

 

Other work completed included the administration of the whistleblowing referrals, completion of a grant claim review, completion of the annual fraud report and scheduling for the 2025/26 Internal Audit Plan.

 

RESOLVED that the Internal Audit Progress Report be noted.

 

6.

Risk Management - Annual Update

Minutes:

A report was considered detailing the risk management framework adopted by the Council, and the risk management activity during the last 12 months. The Risk Management Strategy was appended to the report, and the Strategic Risk Register for Quarter 4 of 2024/25 formed Item 15 in the private and confidential part of the agenda.

 

Risk management training was available to the City of Lincoln Council via Lincolnshire County Council with the last round completed in spring/summer 2023. There was also e-learning available for staff and Members.

 

The latest internal audit of the Council’s risk management arrangements had been undertaken in 2024/25, with an overall assurance level opinion of substantial. There had been four recommendations made: two medium (amber), and two low (green) which had all been in relation to completion and review of directorate risk registers. Three of the four recommendations had already been completed, with the fourth (green) not agreed for implementation due to the impact on resources.

 

It was noted that the change of political leadership at Lincolnshire County Council following the local elections in May 2025 was not expected to affect City of Lincoln Council’s strategic risk register.

 

RESOLVED that the Risk Management Framework adopted by the Council and the Risk Management activity undertaken during the year be noted.

 

7.

Internal Audit Annual Audit Report

Minutes:

The Public Sector Internal Audit Standards required that the Internal Audit Manager deliver an annual opinion and report that could be used by the Council to inform its governance statement. The annual internal audit opinion must conclude on the overall adequacy and effectiveness of the organisation’s framework of governance, risk and control.

 

The Committee considered a report which covered the Annual Internal Audit Report for 2024/25 and came under the 2017 Internal Audit Standards. Future reports to the Audit Committee would reflect the requirements of the 2024 Internal Audit Standards which took effect from April 2025 for public sector bodies.

 

Overall, the result was positive, with opinions remaining the same as for the 2023/24 result and three areas (governance, risk and internal financial control) receiving the highest level of assurance.

 

During discussion and questioning, the following was noted:

 

- Progress was being made on obtaining responses from management in a timely manner; however, for the 2024/25 report, only 56% of management responses had been received within the 10-day response period. This resulted in audit reports not being issued when expected and additional resource being taken up in chasing responses. Members offered support from the Committee should officers need to reinforce the deadline.

- It was noted that the Internal Audit team was now back to full capacity following a period of sickness and a vacancy in 2024/25. The Internal Audit Manager assured the Committee that she could not foresee any issues with her team in the coming year.

- An error was noted on page 22 of the Internal Audit Annual Report (page 75 of the agenda pack): action number 4.4, ‘Continue to review the PAQ process and look at ways to improve completion of the questionnaires and linking the comments back to improvements’, should have a completion date of March 2026, not 2024 as printed.

 

RESOLVED that the contents of the report and appendix, and comments made, be noted.

 

8.

Annual Governance Statement 2024/25

Minutes:

A report presenting the Council’s Annual Governance Statement for 2024/25 was considered. The Council was required to publish an Annual Governance Statement that reviewed how it complied with and applied the Code of Corporate Governance. The Code was reviewed annually and, following a recent update in February 2025, the new version was presented with the report.

 

It was noted that Appendix C to the report was removed from the agenda prior to the committee meeting.

 

There had been no significant issues in the Annual Governance Statement for 2023/24 or 2024/25; however, Internal Audit had issued limited assurance reports for two new issues in the 2024/25 Statement relating to the housing fleet and debtors/recovery. Whilst neither met the threshold to be classed as significant, they did warrant monitoring over the coming year to be addressed.

 

It was highlighted that from the RAG rating of the seven Chartered Institute of Public Finance and Accountancy (CIPFA) core principles, none had been given a ‘red’ RAG rating, and the two rated ‘amber’ were directly linked to the two governance issues identified for monitoring. The remaining five principles had been rated ‘green’.

 

Following a question, it was confirmed that the outstanding action featured on the Action Plan for the Annual Governance Statement was 90% complete and would be finalised shortly.

 

RESOLVED that the Annual Governance Statement 2024/25 and the content of the two appendices be noted.

 

9.

Internal Audit Annual Fraud Report

Minutes:

A report was considered which informed the Committee of the performance against the 2024/25 Counter Fraud Work Plan, outcomes of the proactive fraud work, fraud cases and an update of the fraud risk register.

 

A number of actions had been taken by the Council in relation to fraud which were set out in the report. There had not been any significant frauds to report during the 2024/25 year, nor had there been any whistleblowing cases; however, there had been 16 confidential reports, and a large increase in reports related to private landlords. New concerns had been raised during the year around National Non-Domestic Rates (NNDR) in relation to splitting up businesses to claim reduced business rates.

The completion of the annual single persons council tax discount review had resulted in 1,039 discounts being removed from the scheme.

 

During discussion, the following was noted:

 

- A question was asked about how many direct debits the Council had on its bank accounts. The Internal Audit Manager would seek the answer and respond to the members of the Committee.

- Reference was made to tenancy Notices to Quit being issued for non-occupation. A question was raised concerning what was meant by non-occupation, and the Internal Audit Manager would seek the answer and respond to the members of the Committee.

- Issues were raised regarding the removal of 1,039 single person council tax discounts, and whether there had been any follow-up to ensure none of those households had been entitled to the discount and had it removed incorrectly. A question was also asked whether, as part of the review, the households identified were checked against other records that might confirm whether they were single occupant households. The Internal Audit Manager would find out the answer and respond to the Committee.

- Work was currently in progress to undertake a rolling review of single person council tax discounts through an external provider.

 

RESOLVED that the report and appendix, and comments made, be noted.

 

10.

External Audit: Audit Plan and Strategy 2024/25

Minutes:

The Committee considered the External Audit: Audit Plan and Strategy for the year ended 31 March 2025 provided by KPMG, currently appointed as the Council’s external auditor.

 

Rashpal Khangura from KPMG presented the progress report and summarised the planned audit approach, highlighting significant audit risks and setting out the approach to forming the value for money conclusion.

 

There was a discussion about the increase in fees paid to KPMG over recent years, and it was explained that fees had been reduced following the abolition of the Audit Commission in 2015. They had, however, risen to what was now considered to be the correct level, as the amount of work needed to deliver the audit opinion had also increased.

 

A question was asked about the membership of the sector-led Public Service Audit Appointments (PSAA). It was confirmed this was not a membership and not a paid-for service. The Audit Committee was given the opportunity every five years to decide whether to continue to opt into the PSAA for the procurement of external audit services.

 

RESOLVED that the content of the External Audit Plan and Strategy for 2024/25 be noted.

 

11.

Learning and Development Plan for Members of the Audit Committee 2025/26

Minutes:

The Committee considered its Learning and Development Plan for 2025/26 which contained a combination of directly delivered sessions, self-led learning through the Local Government Association website, and reading.

 

In addition to the learning programme, a series of short topic-based videos would be shared with the Committee with one or two being shown before the start of the next few meetings.

 

It was noted that the two new members appointed in May would be required to complete the skills and knowledge self-assessment.

 

As per the agreed action from the review of Audit Committee effectiveness, Appendix A to the report provided details of each committee member’s attendance at the four directly delivered training sessions in 2024/25.

 

RESOLVED that the Learning and Development Plan 2025/26 be noted.

 

12.

Audit Committee Work Programme 2025/26

Minutes:

The Committee considered its work programme for 2025/26 and noted that the training session on Local Government Financial Statements which had originally been scheduled for 2 June 2025 would be moved to 14 July 2025 at 5pm, immediately prior to the Committee meeting.

 

RESOLVED that the Committee note and agree the work programme for 2025/26.

 

13.

Exclusion of Public and Press

You are asked to resolve that the press and public be excluded from the meeting during the consideration of the following item(s) because it is likely that if members of the press or public were present, there would be disclosure of ‘exempt information’.

 

Minutes:

RESOLVED that the press and public be excluded from the meeting during consideration of the following item(s) of business because it was likely that if members of the public were present there would be a disclosure to them of ‘exempt information’ as defined by Section 100I and Schedule 12A to the Local Government Act 1972.

 

14.

Information Governance Update - Appendix A

Minutes:

RESOLVED that the information in Appendix A to Information Governance Update be noted.

15.

Internal Audit Progress Report - Appendix A

Minutes:

RESOLVED that the information in Appendix A to Internal Audit Progress Report be noted.

16.

Risk Management - Annual Update - Appendix B

Minutes:

RESOLVED that the information in Appendix B to Risk Management – Annual Update be noted.