Agenda and minutes

To receive any apologies for absence.

All Members were present and no apologies were noted.

To enable Members to disclose to the meeting any disclosable pecuniary interest they may have in any matter on the agenda for the meeting, where that interest is not already entered in the Authority’s register of interests, and any other pecuniary or non-pecuniary interests in any such matter that Members may wish to disclose.

Members were mindful of their duty to disclose at the meeting any disclosable pecuniary interest they had in any matter on the agenda for the meeting, where that interest was not already entered in the Authority's register of interests, and their ability to disclose any other personal interests in any such matter that they might have wished to disclose.

To confirm the minutes of the previous meeting.

The minutes of the last meeting were reviewed and agreed, and signed by the Chairman.

Pursuant to Standing Order 19, to receive any deputations to this meeting.

There were no deputations for this meeting.

To receive any announcements the Chairman may wish to make.

There were no Chairman’s announcements.

To consider the External Audit Planning report for the year ended 31 March 2019 and the Annual Audit Letter, which provides the Committee with a summary of the Audit findings for the year 2017/18.

The Committee received the External Audit Planning Report and Annual Audit Letter (Item 6 in the Minute Book), presented by Ernst and Young.  The representative from Ernst and Young, Martin Young was welcomed to the meeting.

Key issues in relation to the External Audit Planning report were drawn to the Committee’s attention.  The identified audit risks as detailed in section one of the audit planning report (page 17 of the agenda pack) were highlighted to Members and it was explained that there was no change in risk or focus for pension liability valuation or valuation of land and buildings, and these were both consistent with the previous year.  Members heard that a new inherent risk had been identified which related to two new accounting standards that would apply from 1 April 2018.  This would determine whether standards had been appropriately implemented by the Authority.

Members noted the typing error on page 5 of the Audit Planning report (page 17 of the agenda pack).  It was noted that the ‘Change from PY’ column should read ‘No change in risk or focus’ in relation to the risk/area of focus -  ‘Misstatements due to fraud or error’ and ‘Pension Liability Valuation’.

It was highlighted that although the planned external audit fee for 2018/19 had reduced by 23% from the previous year as set out at page 28 of the Audit Planning Report (page 40 of the agenda pack), Members were reassured that this would not result in a change to the scope of the audit, and external audit would continue to seek required assurances before presenting their opinions.

Members of the Committee thanked Ernst and Young for their thorough work.

RESOLVED:

The Standards and Governance Committee:

a)    Received and considered the External Audit Plan for 2018/19

b)    Noted the Annual Audit Letter for 2017/18

To receive a report of the Chief Internal Auditor updating the Committee on the progress of internal audit work for the period ending January 2019.

The Committee received a report of the Chief Internal Auditor updating the Committee on the progress of internal audit work for the period ending January 2019 (Item 7 in the Minute Book).

The Committee welcomed Beverley Davies to the meeting who worked with Karen Shaw as the Audit Manager, and would be attending some future Committee meetings.  The report was introduced and it was heard that this report kept the Committee up to date on the delivery and progress of the internal audit plan, which would then be picked up in the annual opinion report to be brought to Committee in July.  Members heard that there was one report on Contract Management for the period which had a limited opinion, and this had been brought before senior managers to agree actions, and these would be tracked until completion.

A query was raised about the training for Contract Management as detailed at the bottom of Section 5 (page 78 of the agenda pack), and it was explained that there had been an element of training support for procurement, and further training needs would be examined.  Officers highlighted that management actions for these were signed off internally so detail around training wouldn’t necessarily be included in the report, but assured Members that these were on track.

It was noted that there were agreed actions for each risk, and assessments would measure whether the actions were effective in mitigating each risk.  The ongoing tracking of these could be viewed in Section 4 (page 76 of the agenda pack) of the report which detailed the status of “Live” reports and reports closed.  It was highlighted that Officers would examine some of the overdue actions listed from 2015/16, but it was noted that the high risk items shown in brackets had been addressed. 

RESOLVED:

That the progress in delivering the internal audit plan for 2018/19 and the outcomes to date is noted by the Standards and Governance Committee.

To receive a report of the Chief Fire Officer providing an overview of the work to oversee the implementation of internal audit recommendations.

The Committee received a report of the Chief Fire Officer which provided an overview of the work to oversee the implementation of internal audit recommendations (Item 8 in the Minute Book). 

It was explained that this recorded medium and high priority recommendations and actions relating to safeguarding and information governance were highlighted as detailed on page 87 of the agenda pack.  Members noted that in relation to safeguarding as a high priority, a wider piece of analysis work had been undertaken since September 2018 to determine which roles within HFRS required Disclosure and Barring Service (DBS) checks, and at what level.  Members also noted that an Information Governance policy had been written and would be published in line with a new process being implemented across the Service.

It was queried as to whether there would be any slippage on achieving safeguarding actions by the revised date of March 2019, and Officers were confident that this deadline would be achieved, but were by no means complacent about ensuring the timely completion and recording of outstanding checks.  It was also noted that a further piece of work to compile a compliance report on DBS was currently being worked on with partners.

Officers confirmed that an update on the completion of these actions would be brought to a future meeting of the Committee.

RESOLVED:

That the progress made towards the implementation of the internal audit management actions is noted by Standards and Governance Committee.

To receive a report of the Chief Fire Officer regarding the inspection of HFRS by Her Majesty’s Inspectorate of Constabulary, Fire and Rescue Service.

The Committee received a report of the Chief Fire Officer regarding the inspection of Hampshire Fire and Rescue Service by her Majesty’s Inspectorate (HMI) of Constabulary, Fire and Rescue Service (Item 9 in the Minute Book). 

Officers set out the background to the report from HMI which was published on the 14 December 2018, and Members heard that the next step was to formulate a required action plan in response to the recommendations identified in the HMI report within 56 working days.  It was noted that every Fire and Rescue organisation would be inspected by HMI and Hampshire performed well as one of the first inspected organisations.

Some Members were concerned with some points raised in the report by HMI, and wanted reassurance that these issues would be addressed in the action plan.  Officers explained that since receipt of the report, analysis has been undertaken and a detailed action plan would be completed in response to this.

After discussions on the formulation of the action plan, Members wanted to ensure that all Fire Authority Members would have the opportunity to be briefed by Officers and analyse the plan before this was sent to HMI.  It was noted that Officers would take this forward and schedule a further meeting.

RESOLVED:

That the HMI report is noted by the Standards and Governance, and it is noted that the Fire Authority will be briefed on the associated action plan to ensure that measurable steps are taken to address any issues raised by HMI.

To receive a report of the Chief Fire Officer providing an update on information security.

The Committee received a report of the Chief Fire Officer providing an update on information security and the cyber-attack on Hampshire Fire and Rescue Service (HFRS) in August 2018 (item 10 in the Minute Book).

Members were taken through the report and it was heard because of the new requirement by organisations under General Data Protection Regulations (GDPR), HFRS was now required to report such data breaches within 72 hours of the organisation becoming aware of the incident.

It was confirmed that as a result of the data breach, action was taken to shut down access to HFRS systems, reinforce cyber security and force password changes on all accounts.  The root cause of the breach has since been identified, and infrastructure to ensure higher security standards going forward was being reviewed.  It was noted that the Information Commissioner’s Office (ICO) would investigate these actions to ensure they were sufficient, and the possibility that HFRS could be fined by the ICO as a result of this incident was highlighted.

Members queried the effectiveness of security, and it was heard that firewalls were monitored daily, and there had not been another successful breach of the system.

RESOLVED:

That the report is noted by the Standards and Governance Committee.

To receive a report of the Chief Fire Officer regarding a physical data breach.

The Committee received a report of the Chief Fire Officer notifying Members of a physical data breach (Item 11 in the Minute Book).

It was heard that the data breach was an isolated incident that occurred the week commencing 22 October 2018, and a bag containing a number of sensitive documents had been reported missing.  It was explained that following guidelines, the incident was reported to the ICO. 

Members heard that actions had been implemented as a result of the data breach to ensure that protocols for dealing with sensitive data within that specific team would be followed.  Members heard that only a small proportion of the overall HFRS workforce dealt with sensitive information as part of their role, but across the organisation the importance of complying with GDPR was regularly enforced.

It was noted that since the report was written, the ICO had confirmed that it would be taking no further action on this specific case.

RESOLVED:

That the report is noted by the Standards and Governance Committee.