Meeting documents

To approve, and sign as a correct record, the Minutes of the meeting of the Committee held on 14 November 2018 (Item 2)

Subject to the following amendment to the Minutes of the meeting held on 14 November 2018:

Councillor Irwin be removed as present.

RESOLVED –

That the Minutes of the meeting of the Overview and Audit Committee held on 14 November 2018, be approved and signed by the Chairman as a correct record.

To note that there has been no covert surveillance conducted by officers since the last meeting of the Committee.

RESOLVED –

To note that there had been no covert surveillance conducted by officers since the last meeting of the Committee.

To consider Item 6a

The Audit Manager advised that the purpose of this paper was to update Members on the findings of the finalised Internal Audit reports issued since the last meeting. There was one report the 2018/19 Information Security Audit that had been finalised. Two recommendations had been agreed with the Information Governance and Compliance Manager, and a suitable deadline date for implementation had been identified. Internal Audit would monitor implementation of the recommendations as they fall due.

RESOLVED –

That the recommendations raised in the finalised Internal Audit Report be noted.

To consider Item 6b

The Audit Manager advised that the purpose of this paper was to update Members on the progress of the implementation of audit recommendations made as at 1 February 2019. There were 21 audit recommendations to report on, 15 had been implemented, three were on track but not yet due, and three were not implemented and the due date revised. There were no outstanding recommendations to be brought to the attention of Members at this time. Internal Audit continued to actively monitor implementation of all outstanding recommendations throughout the year.

RESOLVED –

That the progress on implementation of recommendations be noted.

To consider Item 6c

The Audit Manager advised that the purpose of this paper was to update Members on the progress of the annual Internal Audit Plan since the last meeting. Work was progressing according to the 2018/19 plan and regular discussions had been held with the Director of Finance and Assets to monitor progress. The audit of Information Security had now been completed and issued as a final report. The draft report for the Project Management Audit of the Blue Light Hub had been issued for management comments. The Performance Management Audit had been deferred to 2019/20 to avoid impeding on the HMICFRS inspection, and was replaced with the Stores Audit as agreed with the Director of Finance and Assets. The field work for the Stores audit was in progress and the Core Financial Controls audit fieldwork had been completed with the draft report due for issue before the end of the financial year.

A Member asked if all 100 audit days would be used and was advised that no, included in the 100 audit days, were 10 contingency days, that had not needed to be used.

RESOLVED –

That the progress on the Annual Internal Audit Plan be noted.

To consider Item 6d

The Audit Manager advised Members that this paper set out the Internal Audit Strategy and the proposed Internal Audit Plan for 2019/20. There were no material changes from the strategy of previous years, however, there remained some flexibility through a small provision of contingency days to enable the Director of Finance and Assets to work with Internal Audit to direct work to the most appropriate areas.

The Audit Manager advised Members that the Internal Audit Service was provided as part of a service level agreement with Buckinghamshire County Council. The Council’s Internal Audit Service was delivered in partnership with the London Audit Framework, hosted by the London Borough of Croydon. This partnership arrangement included an element of a ‘call off contract’ should it be necessary to outsource specific technical audits such as ICT or complex contracts.

The Audit Manager advised Members that a risk based methodology would be applied to audit assignments, providing assurance that key controls were well designed and operating effectively to mitigate principal risk exposures. Terms of reference would be prepared for each audit assignment, in consultation with the relevant manager, to ensure that key risks within the audited area were identified.

A Member asked who would be undertaking the Cyber Security audit and was advised that an outside auditor from Mazars IT Auditors would be used.

A Member asked if the Strategy needed to be brought to the Committee annually and was advised that as it was a three year strategy, only updates/amendments needed to be brought to the Committee annually and this was agreed by Members.

RESOLVED –

That the Internal Audit Strategy and Annual Internal Audit Plan be approved.

To consider Item 7

The External Auditor highlighted to Members the dashboard on page 65 which summarised the significant accounting and auditing matters outlined in the report. This provided the Committee with an overview of Ernst & Young’s initial risk identification for the upcoming audit and any changes in risks identified in the current year. The changes were highlighted as follows:

• PPE Additions (change in focus) when an expenditure transaction was carried out, there was a further opportunity for it then to be capitalised. Apart from management review, there were no controls in place to prevent an item being incorrectly capitalised. This emphasised where Ernst & Young would look in the audit.

• IFRS 9 Financial Instructions (increase in focus) the new accounting standard was applicable for the 2018/19 financial year and would change how financial assets were classified and measured; how the impairment of financial assets were calculated; and the disclosure requirements for financial assets.

• IFRS 15 Revenue from contracts with customers (increase in focus) this new accounting standard was applicable for the 2018/19 financial year. The impact was likely to be limited as large revenue streams like council tax, non-domestic rates and government grants would be outside the scope of IFRS 15. However, where that standard was relevant, the recognition of revenue would change and new disclosure requirements introduced.

The External Auditor advised Members that with regard to materiality, Ernst & Young would report all uncorrected misstatements relating to the primary statements (comprehensive income and expenditure statement, balance sheet, movement in reserves statement and cash flow statement) greater than £33k. Other misstatements identified would be communicated to the extent that they merit the attention of the Committee. With regard to materiality of the Firefighter’s Pension Fund this would be anything greater than £8k.

The External Auditor advised Members that the fee had reduced to £24,162k this year.

A Member asked what the rules of capitalisation were and what limits applied and was advised that the Authority would capitalise something if it lasted for more than a year and was worth more than £6k.

A Member asked if the two new IFRS changes were relevant to the Authority and was advised that they were very low risk.

RESOLVED –

That the Audit Plan 2018/19 set out in Annex A be noted.

To consider Item 8

The Director of Finance and Assets advised Members that the purpose of this report was to highlight the performance of the Service relative to other fire services. The key points to note were:

• The Service was one of the most efficient services in England and Wales when measured on net expenditure per 1,000 population.

• Each of our fire stations serves a slightly higher number of the population than average, but covers a slightly smaller land area.  This indicates that the number of stations currently held is within a reasonable range.

• The number of appliances (including specialist appliances and officer cars) was slightly higher than average both in terms of the population and land area covered.

• The number of wholetime operational staff per million population was significantly below the national average.  This was because the bank system allows appliances to be made available with fewer staff.  This was also one of the primary reasons the Authority was one of the most efficient services.

• The number of on-call staff per million population was significantly below the national average, while the number of support staff was almost exactly on the national average.

• The number of incidents and our average response time were all broadly in line with the national averages.

• The amount of home fire risk checks undertaken per 1,000 dwellings was significantly lower than the national average.  Despite this the prevention outcomes for the Service were still positive.

• The number of fire safety audits undertaken was below the national average. However, the effectiveness of the audits undertaken was significantly greater that the national average. The Service was also increasing the establishment of protection officers to further strengthen this area.

Members agreed they would like to see this report annually.

A Member asked if this report had been circulated to operational staff on station and was advised that it had not, but the senior management team would discuss the best way to circulate the information to all staff.

It being proposed and seconded:

RESOLVED –

That the report be noted and that the information contained within the report be taken to the next Fire Authority meeting.

To consider Item 9

The Principal Accountant advised Members that the accrued interest earned for the first nine months of 2018/19 was £158k, which was £46k higher than the budget (£150k) for the period. In the second quarter of 2018/19, the Bank of England base rate increased by 0.25% and currently remained at 0.75%. As a result of this increase, the market was expected to follow suit and on the back of this, the level of returns the Authority received had shown some slight improvement in Q3.

RESOLVED –

That the Treasury Management Performance 2018/19 – Quarter 3 report be noted.

To consider Item 10

The Corporate Planning Manager advised Members that the report provided an update on the current status of identified corporate risks. At the Strategic Management Board (SMB) meeting on 15 January 2019 the following changes to the Risk Register were agreed:

1. Progress in addressing the Pager Service risk, and its continued green RAG status, indicated that it was appropriate to remove it from the Corporate Risk Register.

2. Central Government had instructed public service providers to undertake contingency planning for a scenario in which the UK leaves the EU without a formal withdrawal agreement on 29 March 2019. In light of this, the potential short-term risks had been scoped and evaluated and were shown at page 8 of Annex C. Given the imminence of the potential EU withdrawal date, it was agreed that this risk be added to the Corporate Risk Register. It was also recommended that any longer term financial risks arising from this scenario be addressed in the funding and savings risk when more was known and the exit scenario clarified.

The Corporate Planning Manager advised Members that officers were also currently considering any potential risks to the Authority that may arise from the Court of Appeal’s recent decision regarding the Fire Brigades Union’s 2015 firefighters’ pension scheme age discrimination case against the Government.

The Corporate Planning Manager had reviewed the individual risks as follows:

Staff Availability: Although staff retention remained an issue, good progress was being made with the apprenticeship recruitment programme and another 16 apprentices were due to start this month. The Authority was also attempting to capitalise on the recent national awareness campaign to attract more interest in on call staff and was also working to identify potential existing staff to step into leadership roles and meet the succession and resilience planning requirements via the Development Centre Programme.

Funding & Savings: Although the Authority had agreed a balanced budget for the period 2019/20 – 2021/22 the risk score and RAG status remained unchanged at Red as this had been achieved at the expense of the Authority’s capital reserves which if continued would leave the Authority with no capital reserves by 2024/25. There were also other factors that may come into play, such as from Brexit that were, as yet, unknown.

Information Security: There had been no major intrusions or disruption to information systems from malware since the last report to Members in November. Members would note from the latest entry on the risk register that the National Fire Chiefs Council (NFCC) had been gathering information on behalf of the Home Office regarding cloud hosting of fire and rescue services data outside the UK. The Authority was able to provide a nil return as none of its data was held outside of UK hosted sites.

No Deal Brexit Scenario: The overall assessment of this, drawing on input from the NFCC and the Thames Valley Local Resilience Forum (TVLRF), was that the likely short term physical impacts of a withdrawal from the EU without a comprehensive exit agreement were low/medium  ...  view the full minutes text for item 10.

To consider Item 11

The Business and Systems Integration Project Manager advised Members that since the last Overview and Audit Committee meeting the Premises Risk Management System was moving on well, the trial had been extended to Great Holm and training was now being undertaken with all other stations who do safe and well visits. Safe and Well visits were a new version of the home fire risk checks, but expanded just covering the fire risk to checking the wellness side including falls, social isolation, home warmth etc. The other part of the Premises Risk Management System was Protection which was the audit of commercial properties. This was on track to go live at the beginning of April and streamlined the process that had to be followed.

The Resource Management System was now live across whole-time and day crewed stations. All station watches had received face to face training. This had also recently gone live across on call stations as well. Due to a delay with integrating to Vision our Command Control System, the on call crews had to do part of the process manually to share their status with Vision.

A Member asked if the Safe and Well visit information was shared locally with other relevant agencies and was advised that yes it was, where appropriate.

A Member asked if the Resource Management System was live across all staff and was advised that it was live across all operational staff with support staff to be added over the next couple of months.

RESOLVED –

That the report be noted.

To consider Item 12

The HR Development Manager advised Members that this report presented the updated Equality, Diversity and Inclusion policy, which had been reviewed in line with normal practice. This document had undergone formal consultation and all feedback had been considered and incorporated into the updated document, as detailed in Appendix 1.

The HR Development Manager advised Members that Appendix 2 detailed the feedback received during the formal consultation process and the responses to each, as incorporated into the updated policy. As noted, some changes had been made to the document, such as including reference to the structured groups established throughout the Service who would support and promote inclusion and engagement. The section on monitoring sensitive personal information had been amended to confirm that whilst submitting information was optional, it was encouraged, as this data was an important component to identifying inequality, initiating activity and evaluating progress as required to meet legislation under the Equality Act (2010). The nine protected characteristics had also been added to aid understanding for the reader. In addition, minor amendments had been made to the document to ensure relevance to current working practices and alignment to other procedures.

A Members asked if something had not been declared would the Authority be liable and was advised that it would depend on the individual case.

RESOLVED –

1. That the content of the EDI policy, as detailed in Appendix 1, be approved for presentation to the Executive Committee for adoption ;

2. That the proposed changes to the current EDI policy and consultation feedback as detailed in Appendix 2 be noted.

To consider Item 13

The HR Development Manager advised Members that this report presented the updated Code of Conduct, which had been reviewed in line with normal practice. This document had undergone formal consultation and all feedback had been considered and incorporated into the updated document, as detailed in Appendix 1.

The HR Development Manager advised Members that Appendix 2 detailed feedback received during the formal consultation process and responses to each, as incorporated into the updated Code of Conduct. As noted, some changes had been made to the document, such as making specific reference to the Authority’s values and other sections had been amalgamated to give a more concise document. In addition, minor amendments had been made to the document to ensure relevance to current working practices and alignment to other procedures.

RESOLVED –

1. That the proposed changes to the current Code of Conduct and consultation feedback as detailed in Appendix 2 be noted.

2. That the content of the updated Code of Conduct as detailed in Appendix 1 be approved for presentation to the Executive Committee for adoption.

To consider Item 14

The HR Development Manager advised Members that this report presented the updated Whistleblowing procedure, which had been reviewed in line with normal practice. The proposed amendment to the updated procedure was for clarification purposes around the Whistleblowing hotline service. This change was shown as additional text underlined in Section 11 of Appendix 11.

RESOLVED –

That the updated Whistleblowing procedure as detailed in Appendix 1, noting the proposed additional wording in the updated document, be approved for publication.

To consider Item 15

The Lead Member for Health and Safety and Corporate Risk advised Members that the Authority was making good progress in providing resilience records management processes that were GDPR compliant. However the Authority was not there yet and, as the Information Commissioner had said "The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning" The Authority was also monitoring any information made available regarding the likely impact of Brexit on information privacy. At this time, there didn’t seem to be any risks to the Authority. 

The Information Governance and Compliance Manager advised Members that as they were aware the GDPR came into effect on 25 May 2018 and although the Authority was following the ICO’s twelve step programme that had been released, limited guidance was in place. In terms of GDPR and Brexit the Authority had received good guidance, and as mentioned earlier, all of its cloud hosting was in the UK. The real risk of cloud hosting was not down to GDPR, but bad implementation of the cloud. There had been 70M incidents in the last year of lost or stolen data.

RESOLVED –

1. That the GDPR implementation progress, the impact of Brexit and associated risks be noted.

2. That periodic progress reports on implementation progress be received.

To note Item 16

RESOLVED –

That the Forward Plan be noted.

THE CHAIRMAN CLOSED THE MEETING AT 11.26 AM