Audit & Governance Committee - Thursday 26 March 2026, 7:00pm - Epping Forest District Council webcasts

Audit & Governance Committee
Thursday, 26th March 2026 at 7:00pm 

Agenda

Slides

Transcript

Map

Resources

Forums

Speakers

Votes

 
Share this agenda point
  1. Cllr Jon Whitehouse
Share this agenda point
  1. Laura Kirman
  2. Cllr Jon Whitehouse
Share this agenda point
Share this agenda point
Share this agenda point
Share this agenda point
Share this agenda point
  1. Shane McNamara
  2. Cllr Jon Whitehouse
  3. Heather Kneale
  4. Shane McNamara
  5. Cllr Jon Whitehouse
  6. Shane McNamara
  7. Cllr Jon Whitehouse
  8. Shane McNamara
  9. Owen Sparks
  10. Cllr Jon Whitehouse
  11. Shane McNamara
  12. Cllr Jon Whitehouse
  13. Shane McNamara
  14. Cllr Jon Whitehouse
  15. Owen Sparks
  16. Cllr Jon Whitehouse
  17. Shane McNamara
  18. Cllr Jon Whitehouse
  19. Shane McNamara
  20. Cllr Jon Whitehouse
  21. Heather Kneale
  22. Shane McNamara
  23. Cllr Jon Whitehouse
  24. James Warwick
  25. Cllr Jon Whitehouse
Share this agenda point
  1. Sarah Marsh
  2. Cllr Jon Whitehouse
  3. Sissel Heiberg
  4. Martin Crowe
  5. Cllr Jon Whitehouse
  6. Sarah Marsh
  7. Cllr Jon Whitehouse
  8. Martin Crowe
  9. Cllr Jon Whitehouse
  10. Heather Kneale
  11. Martin Crowe
  12. Heather Kneale
  13. Cllr Jon Whitehouse
  14. Owen Sparks
  15. Cllr Jon Whitehouse
Share this agenda point
  1. Sue Linsley
  2. Cllr Jon Whitehouse
  3. Owen Sparks
  4. Cllr Jon Whitehouse
  5. Sue Linsley
  6. Cllr Jon Whitehouse
  7. Owen Sparks
  8. Cllr Jon Whitehouse
Share this agenda point
  1. Martin Crowe
  2. Cllr Jon Whitehouse
  3. Sissel Heiberg
  4. Martin Crowe
  5. Cllr Jon Whitehouse
  6. Sissel Heiberg
  7. Martin Crowe
  8. Cllr Jon Whitehouse
  9. Martin Crowe
  10. Cllr Jon Whitehouse
Share this agenda point
  1. Webcast Finished

Cllr Jon Whitehouse - 0:00:00
Welcome everyone to tonight's meeting of the Audit and Governance Committee.
Thank you for coming along.
The meeting will be webcast, so I just want to remind everyone that the meeting will be
filmed and available for repeated viewing, so by taking part you're consenting to being
filmed and to the use of images and recordings.
And if anyone on Teams doesn't want to have their image captured, you should ensure your

1 Webcasting Introduction

video settings are turned off but it is nice to see your face when you're
speaking. Okay are we got an apologies for absence?
Laura Kirman - 0:00:40
Chairman we have several apologies for absence we've got apologies from
Councillor Hadley, Councillor Sunger, Councillor Owen and Councillor Heather.
Cllr Jon Whitehouse - 0:00:50
Right well I'm very glad we've got our independent members here. The meeting is
That is good to hear, thank you.
And are there any declarations of interest?
Nope.
So we can move on to the minutes.
We've got two sets of minutes,

2 Apologies for Absence

3 Declarations of Interest

the first from the 16th of February.

4 Minutes

And I think we're just gonna clarify
towards the top of page seven, second paragraph,
the word talks about disposals, that refers to the council
and not to the council subsidiary,
So just there's no ambiguity there.
I'm sure that's changed, Chairman.
Thanks.
But people are happy to agree the minutes of the 16th of February with that?
And then we had our second February meeting on the 24th.
Are people happy to agree those accurate?
Thanks very much.

5 Matters Arising

The work programme is on page 11.

6 Audit & Governance Committee - Work Programme

We're at the final meeting of the year and all those items are on the agenda.
So we can just note that and then we'll look at the work programme for the new year
or the new committee will look at the work programme in the new year.

7 Procurement update

And so item 7, I'd like to welcome Shane and James to the meeting.
I think we asked for this partly because now we felt under informed about as a committee
and clearly it's where both governance and finance and audit meet.
So it seemed like an area that we ought to know more about.
And second, various specific issues had come up in internal audits and in the trackers
and so forth.
I think we are looking for assurance on where we were with those items.
So, I will hand over to you if that is all right and then invite the committee to comment.
Thanks very much.
Thank you, Chairman.
Shane McNamara - 0:02:49
If you just bear with me a second, I will bring my slides up on the screen, hopefully.
I've just got a few points I wanted to go through which I think would hopefully answer
some of the questions that were raised.
So, Epping Forest has a set of procurement rules and a procurement strategy that were
recently updated.
That was done in October of last year.
They're available online and on the internet for staff to see.
Those documents set out the responsibilities and the requirements that are placed on offices
when they're purchasing on behalf of the Council.
We're also part of the Essex Procurement Partnership.
That's with a few other Essex authorities, including County, Braintree, Castle Point
and a few others.
What they do is they help us to run procurement processes,
particularly ones that are over $50 ,000 in value,
and they provide us procurement advice and support
across the piece.
The updates that were done to the procurement rules
in October, part of that was a wider piece of work
to align our thresholds and our strategies with the partners
in the Essex Procurement Partnership
so that we're all operating under the same principles.
Another thing that we've done is we've
created a procurement channel on Microsoft Teams
for our staff. That contains things such as the documents I mentioned earlier, the strategy
and the rules, but also a procurement checklist that officers can work through as they're
going through their processes, project initiation documents to sort of get those projects off
the ground, make sure that SLT and people are happy with it. And also there's documents
on there around timelines for procurement and how long things may take.
There's also on the Teams channel some procurement training.
There's a video of a procurement training that I've undertaken in the past, so that's
available to new members of staff if they've joined since.
Another thing that the partnership do with us is they run some training, and I've spoken
to them and some of the training they're doing in 26 -27, which I've mentioned there, is on
fraud in procurement and on contract management.
So we'll certainly be taking them up on that in the next financial year.
So a little bit of a repeat here in terms of I wanted to just cover again some of the support and the resources that we're offering in procurement.
So the partnership is a great support thing there that they help us with our procurement to help us to run the market engagement, evaluate tenders and things like that.
The Microsoft Teams channel, as I've mentioned, has got all those documents for people, the training and development that we're planning for next year.
I think the other point to mention is that the procurement and contracts team manage
the whole of the procurement life cycle.
So as well as running the procurements or supporting the partnership with the procurements,
we also draught the contracts.
And when we do that, we keep a central register of those contracts, which is obviously updated
constantly, but it's also put on the open data section of the website, and that's updated
quarterly.
When we do that, we also share a copy of that with the service managers so that they can
see what contracts they've got when they're running out,
et cetera, so that we can plan and try to prevent any risks
of contracts expiring without renewals.
With regards to local government reorganisation,
we are part of a procurement workstream with all of the
other Essex authorities, and we're focusing collectively
on getting standardised contract data.
So we've agreed a format of a contract register,
and we're all working to fill that up with everything that we know we have.
And obviously in the near future we'll be able to then put that into the groupings that
it needs to be and so that people can work together.
But obviously before we had the magnitude decision we were working on that anyway because
that data was available to us and something we could try to get.
So we're capturing that and working with colleagues across Essex to improve that.
I've got a part there on the slide about governance and reporting.
I've mentioned there that some quarterly reports to SLT in terms of things like exemptions
and waivers, if there's been any, I will report to them, particularly if there's anything
of note that they may want to have been aware of.
Obviously, if there's anything of a higher value, it goes through the monitoring officer
anyway, so they would already have known.
But just in case, that also gets mentioned, as well as obviously that contract data.
So in terms of the audit recommendations which you mentioned, Chairman, there were some audit
recommendations in relation to procurement, some of which were making amendments to the
rules to improve processes.
It took a bit longer than we'd hoped, mainly because of the fact that we were also trying
to align with the partnership at the time, so obviously had to try to align our rules
and strategy with all of those other partners.
We had a few new partners join along the way, so then that process took a bit longer because
Obviously, there was a new voice in the room and so on.
We also had to factor in the new Procurement Act, which came into effect in early 2025,
and there were some legislation changes that needed to be factored in from that as well.
So it took a bit longer than we hoped, but the recommendations have been factored into
the new rules and strategy, and they are available now.
Things like monitoring spend and distributing the contract data were all part of that, so
they've now been done.
As I mentioned earlier, I do attend SLT occasionally to report on these things.
I'm going next on the 15th of April and I will be sharing the latest contract data with
everybody, so something for you to look forward to, Owen, just to update them on the actions
being taken to capture all the information and obviously probably another plea for help
from officers to make sure that that information is up to date and complete.
And again, any exemptions and waivers and other things that may have happened in that
quarter, we'll talk about those, just to really give assurance that those processes
are robust and everything's working as it should.
So to summarise, I think the Council does have a comprehensive framework for procurement.
It's supported by the new updated procurement rules and the strategy which we adopted late
last year.
We set clear responsibilities for officers and we ensure that consistent compliance is set across the Council.
We strengthen that oversight through the quarterly reporting and we ensure that any risks or non -compliance issues are caught at the earliest possible moment so that we can try to fix those if they need to be.
My team working on the full procurement lifecycle, as I've mentioned, to maintain and publish that register.
We work closely with the services to make sure that if they do need renewals, that we capture that at the earliest possible moments,
that we can give them time to run a proper procurement process and get the result that they need.
I've also mentioned there around the procurement teams channel, which I think is a great thing for staff.
Obviously, they do know where I am and they do come and ask me
lots of questions and also that of my team,
but it's a really useful tool to have that there for people
to look at.
So I think between the things I've mentioned, hopefully,
I'll give you some assurance that the processes are robust
and transparent and working as they should be.
Thank you.
That's really helpful.
Thanks very much.
And very relevant to what we were, you know,
Cllr Jon Whitehouse - 0:10:32
asking about and wanting to know about.
Do members have any?
Yeah, Heather.
Heather Kneale - 0:10:40
Just a quick question, because obviously we asked for a bit more insight, which is really helpful, thank you for these slides, it's really useful to have.
We asked for a bit more insight because there was a non -compliance issue that was flagged in one of the earlier committee reports, I think it was a little while ago.
So are we confident that those sorts of things won't happen again and has that been addressed through training or the policy changes or both?
Shane McNamara - 0:11:02
Yes, thank you. I think it is through a combination of all of them, to be honest. Also, the updated
register going out more often means that we are all able to see when contracts are expiring,
for example. I don't know the specific example, but contracts expiring and not being renewed
in time is a common one. So people, obviously, they have their day job, as it were, and contract
management isn't always seen as something that they feel they can keep on top of. So
So that's something we help with by making them aware.
Normally, with around 12 months to go,
we try to tell them that they need to start thinking about
what they would like to do.
Even if they don't start the procurement then,
it just gives them time because equally,
if they decide they want to go down a different route,
or they want to try and extend the current contract,
et cetera, they just need time to factor that in.
So we're quite confident between the measures that we've explained
today that that shouldn't be an issue.
Cllr Jon Whitehouse - 0:11:55
The other thing that sort of came out currently was the
thing that Q &A spend and not identifying and quite sure
whether it's on the lelly with the service or ley with
procurement centrally or how difficult a process it was,
given the systems we've got to work that out.
But hopefully we can expand a bit more on how that's
been addressed.
Yes, of course.
So one of the recommendations was around
Shane McNamara - 0:12:19
monitoring of spend, so I've worked with the finance team
and we've got access to the E -analyzer system where we can
look at spend by suppliers, we can search different,
look at different reports.
So we've always had access to the marketplace system,
but it's only as good as the information that people put into
it in terms of when they raise an order, what they say they're
going to need and how much it's going to be.
Obviously, the money that goes out the door is hopefully not a
different factor, but it can be.
So by looking on the e -financial system, we can
see accurate data in terms of how much we spent with the
supplier in a certain period.
So the fact that we're now able to do that, if we do
notice anything that goes beyond the thresholds in the
procurement rules, we can address that straight away.
Okay.
So every supplier, presumably, we've got some
Cllr Jon Whitehouse - 0:13:06
sort of unique reference, and you can run a report
against that reference to see how much in a period, and
that's just a sort of standard operating procedure
thing now, is it?
So, yeah.
Shane McNamara - 0:13:17
Owen Sparks - 0:13:19
I think that helps us corporate as well, because it can be, for example, there's two different
services using the same contractor but not linked, so again that helps us understand
that corporate position as well, which is another benefit of it.
Okay, that's good to hear.
Cllr Jon Whitehouse - 0:13:36
I was going to pick up, I mean you've said yourself, I mean you've said that for most
people dealing with procurement it's not the only thing they're dealing with, you live
the process, what do you think other members of staff find most challenging about the procurement
rules or the things that trip people up?
Shane McNamara - 0:14:02
Probably their capacity really in terms of doing their day job.
I think the compliance with actually following the rules in terms of getting a contract in
place the first time is usually good.
Sometimes when it needs to be renewed or if it's expiring, et cetera, sometimes that's
not the part that people are quite so good at coming back to say, oh, by the way, we
need to go back out or we need a new contract or, you know, like I've said, we reach out
to them, but we don't always get responses back in a timely fashion.
So I think sometimes once a contract's in place and it's running, remembering to keep
track of it when it runs out, how much, things like that.
That's sometimes the bit that can be weaker.
So that's why some of these actions in terms of sharing that register more regularly, making
sure people know what contracts they've got when they expire, how much they're for, will
hopefully help to prompt those conversations sooner so that we can deal with it.
Okay.
Cllr Jon Whitehouse - 0:15:03
And obviously the Council's got the sort of the mega contracts, things like waste management
and leisure and so forth, which I imagine you and legal and people at all sorts of levels
absolutely go through the fine tooth comb.
There's a lot of more mid -level contracts, I don't know contracts for interim staff or
contracts for, which it must be easy to run on, perhaps less scootiny.
And then I imagine there's a lot of long tail of contracts going out and buying widgets
and things or getting the stuff fixed as a day -to -day, and I wonder how you balance your
team's time across those different areas.
Yes, of course.
Shane McNamara - 0:15:49
I think the lower value ones, so the procurement rules state that for spend that's less than
$25 ,000, it is up to the budget holder to decide what's best value.
In a lot of those cases, that is left to them.
We will obviously advise, happy to advise them if they request it, but a lot of the
lower value stuff they will just get on and do the way that they think is best.
If it goes higher than that, which depends on obviously for a multi -year contract it
may not be too difficult to reach that threshold, that's where we probably spend most of our
time advising people, so from £25 ,000 upwards, but equally we're available to them for any
value.
Sometimes a lower value one can be complex or could be a long -term arrangement we need
to sign, so that's when the contracts team would still want to see that.
And there is a part in the procurement rules that says if an officer is signing anything
on behalf of Epping Forest, regardless of the value, it should come through my team
and be checked.
So sometimes it might not need a procurement process, but equally they might be signing
up to things that we would want to have checked before they do.
Okay.
That's helpful.
Cllr Jon Whitehouse - 0:16:51
Owen Sparks - 0:16:55
Just alongside that, what we're trying to do this year as well is link all the stuff
that Shane's talking about to wider governance.
That's linking the context register to make sure that contracts that come in due are reflecting
and service plans, individual services, and then how that links some of the key decisions
onto the forward plan as well. So I want to give that more wider view of procurement as
well so we can track it and we've got different cheques that support each other as we go through
the process.
Okay, thanks. So that £25 ,000, is that the value of the contract in total or the value
Cllr Jon Whitehouse - 0:17:19
over a year or?
Shane McNamara - 0:17:25
So that's, it would be over the life of the contract if the length of the contract is
known. If it's not, it would be an annual value in the sense that, you know, if they
don't know, they use that to measure. But equally, if someone was spending 20, 24 ,000
pounds a year and it was a repeated thing, then we would be speaking to them about making
that into a, you know, a procurement arrangement and putting the contract in place. But normally
we're talking lower value things that may repeat a few times. But anything that's, to
be honest if it's close to 25 we normally suggest that they go with the
route that above 25 just to be on the safe side but yeah generally if we know
the length we'll use that to calculate but if we can't then we'll use here okay
Cllr Jon Whitehouse - 0:18:10
thanks that and the only other thing I had was a couple of times you talked
about exemptions and waivers what the sort of circumstances where you might
need to extend things or waive the procurement rules there can be there
Shane McNamara - 0:18:23
could be several reasons. I think one of the more common ones, there have been times which
I mentioned earlier that perhaps it's gotten quite close to the expiry of the contract
and the time may not be there to run a formal procurement at that point. So what we would
potentially allow is a short -term extension of that contract to allow a procurement to
be run. That's something that's happened. There can be cases where there is a specific
supplier that we need to use or perhaps we've used before so therefore they have the sort
of specific knowledge or experience we need to go ahead.
But there is a request form for waivers or exemptions that people have to complete.
There's the first section where the officer actually explains what part of the procurement
rules they're asking for an exemption from and why.
And there's a section for myself and my team to approve or not as the case may be and also
the authorising officer.
so the budget holder or the person, because there are thresholds in the procurement rules
that say what level of officer can sign off for each value.
So that level of officer has to sign off the waiver as well.
If it's, I think it's 150 ,000 or higher, then the monitoring officer needs to sign
as well.
So there's some steps in place that they're not done frivolously.
But yes, we do cheque them to see the reasons why.
For example, if it was the short -term extension to allow a procurement, we would be clear
that this will be approved once, so that just enough to give them
time to run a formal process, if they were to come back in six
months and say they still weren't ready, then unless
there's a very good reason, that wouldn't be approved.
Okay. Thank you very much.
Yeah.
Cllr Jon Whitehouse - 0:20:01
Heather Kneale - 0:20:14
Just to pick up on one of the earlier points and that point as
I'm thinking about with the exemptions and reminders going out for people about contracts
12 months before they end.
Do you have a prioritisation or your own risk register really of key contracts that we wouldn't
want to be interrupted and escalating when you're not getting responses from people when
contracts are coming close to an end?
Shane McNamara - 0:20:41
I don't think we've got a risk register in that sense in terms of the priority, but I
I do understand your point.
I think what we find is the higher profile contracts are very well managed.
They are looked after and we haven't had a situation where they've come close to the
sorts of situations that we've described here today.
It's generally the smaller contracts that people have perhaps gotten on with their day
job and not realised that that was still going on in the background and so on.
But no, the contract managers for those particular contracts,
things like the wastes and ledgers that we've talked about
have been managed very, very well.
And we haven't had any issues with those.
Okay, well, we really appreciate your time.
Thanks for coming along.
Cllr Jon Whitehouse - 0:21:24
I've not been looking at the tools.
Is there anything you wanted to say, James, or are you?
No, I was gonna comment when,
on the point you raised around some of the,
James Warwick - 0:21:38
some of the reasons or some of the issues that people face
or should say challenges with procurement.
And I think the most common one is time.
People don't factor in enough time for or appreciate
how long procurement could take.
Obviously, the larger value of the contract,
the likelihood is the more complex
and the more time it would be.
So quite often, Shane and his team will be approached
with very little time to do.
So I think obviously developing the contract register,
and I think it is a really good point
that was just raised around maybe prioritising
some of those contracts on the register.
So we kind of are well aware
and have a bit more prewarning to factor in that time.
But, yeah, that was the only point.
Just reiterating to all members of staff that, yeah,
please factor in enough time so we can run compliant procurement.
Okay, thanks very much.
And there are only two procurement items,
Cllr Jon Whitehouse - 0:22:57
as we've mentioned, on the tracker at the moment.
And by the sounds of things,
they'll disappear for the next audit committee.
So that will be a really positive thing.
If that's everything, well, thanks very much.
You're welcome to stay, you're welcome to go, but thanks very
much for your time.
Okay.

8 Internal Audit Progress Report

So let's move on.
And our next report is, starts on page 19, and that's the
Internal Audit Monitoring Report.
Thanks very much.
Thank you, Chair.
Sarah Marsh - 0:23:37
So this is our usual update report, setting out the work of internal audit and corporate
fraud team since the last meeting.
Appendix 1 sets out the progress against this year's audit plan.
We are seeking approval for deferring two audits at this meeting.
the people strategy and the economic development audit. So both of these
strategies are being revised so we're waiting until they've been in place and
then we can audit them next year. The business continuity final report has
been issued and given reasonable assurance. So there's been a huge improvement in business
continuity arrangements in the Council since the last audit. We've got business continuity
plans in place for all services. Critical services in the Council have been identified.
The corporate business continuity plan has started on revision.
This needs to be completed and expected this will be done by the end of June.
We also need to have some business continuity testing just to make sure the plans are working
as intended and that staff are aware of what they have to do in the event of an incident.
So moving on to the tracker, we've got three high priority recommendations which are not
yet due and these relate to the tree strategy audit.
Work is ongoing with these and we've also got three medium priority which pass the due
date.
I would just like to point out Shane talked about two of the procurement ones and although
they have got a process in place now, we haven't taken them off the tracker until we have seen
the reporting go through to SLTs, but they should come off by next time.
The corporate fraud team updates continuing with their background cheques on All Right
to buy, although I believe this is starting to come to an end.
And we've been working with the corporate fraud team,
investigating some suspicious chargebacks which
have occurred.
The last part of the report gives progress
against the 24 -25 annual governance statement.
An action plan with the target dates
there sets out the work that we've done to date.
I'm happy to take any questions.
Thank you very much.
Cllr Jon Whitehouse - 0:26:40
Any questions from the list?
Thank you.
Sissel Heiberg - 0:26:47
A couple of questions, if you don't mind.
The first one, I was wondering if you could expand a bit on the Companies House fraud
And I note that there's a reference here to follow up on three other organisations, but
could you also expand on how we, do we have any mechanisms for making sure that that doesn't
keep happening?
How do we monitor that going forward?
Yeah.
Martin Crowe - 0:27:17
If I take the last bit of your question first, we didn't have any mechanisms.
This has highlighted the fact that we should have a mechanism and we are going forward putting mechanisms in place.
What happened was that we got notified by a member of the public that there was a company going around in a London borough handing out flyers.
And the address on the flyer was ours.
It was a company that were doing roofing, roofing repairs,
guttering, you know, that kind of thing.
And they were using our address.
Subsequently, we checked the company's house, yes,
they were using our address, which they should have done.
I checked to make sure that they weren't,
we weren't using them, they weren't under contract,
No, Qualys wasn't using them either.
So I got in touch with the company director and asked him outright why are you using our
address.
It was a mistake apparently.
He said he would change it.
Never did.
So I contacted company's house, let them know that we had a company there that wasn't
authorised to use our address.
And they've subsequently now changed it.
They've changed the address of the company back to a company's house address on the basis of that.
During the investigation of that, we looked or looked to see how many companies were registered at the civic office address.
There were nearly 40.
However, I managed to break them down.
The majority of the ones that are registered are registered via Regus on the second floor.
And we contacted Regus, we've done a reconciliation with Regus against their tenants.
So it just leaves us now with another three, no sorry, I beg your pardon, another two that no one knows anything about.
So we're investigating those companies and if so, we will do the same.
So, going forward, we plan to just meet with Regus to instigate sort of an informal approach
for them to ask if anybody's going to register a company using this address, can they make
sure they put in second floor or care of Regus, just to differentiate it between the second
floor and the council per se.
So that will be monitored now going forward.
Thanks for that.
On the topic of fraud and so forth, the chargebacks.
Cllr Jon Whitehouse - 0:30:13
This is people paying for council services via debit card or something
and then seeking to get the money refunded presumably is it?
Is this just an increase in people doing this
or is the suspicion that it's some sort of organised
or systemic issue?
Yes, that's right.
Sarah Marsh - 0:30:39
So it was the payment solutions team that notify corporate fraud
team that there was some suspicious chargebacks.
I mean, we do get them.
It's where a customer can dispute a payment on a debit
or a credit card payment.
But we found that they had a lot of chargebacks from on the same account.
So we looked into that, reviewed their processes and dealt with it that way.
Okay, so did we get our money at the end of the day?
Okay.
Cllr Jon Whitehouse - 0:31:18
Martin Crowe - 0:31:24
In terms of this particular one, the only money we lost per se was I think it was nine
or ten pounds that we have to pay for every charge back.
What happened in this instance is that it was one person who was having payments paid
on to their council tax account.
And then the chargebacks were coming in.
And in total, I think there was about 13 or 14 chargebacks,
which led to us investigating it.
Unfortunately, the person wouldn't
come in to see us talk about it.
But they did provide an explanation
that it was a love affair gone wrong, shall we say, and a bit of revenge going on.
I'm not quite sure how it was revenge, but it was the next partner making these payments
onto her account and then charging them back.
Okay, so it was resolved.
Cllr Jon Whitehouse - 0:32:32
That's the key thing, so thanks for your work on that.
Any other questions?
Yeah, there.
Heather Kneale - 0:32:42
Just on that, on the chargebacks, do we have, is it possible, because I believe it is in
other countries, to put a block on somebody using that card?
If we see anything like that again in the future, can the Council put a block on receiving
payments from that card?
Because we would then not incur, I mean, there are obviously small charges in the grand scheme
but there's still costs to the council that can be avoided.
Martin Crowe - 0:33:09
My honest answer to that is I don't know.
That is something that we can look into,
whether we can block individual cards.
I mean, in this instance, there were four or five different cards being used.
That was suspicious in itself, and we've referred that to CIFAS.
We did look at payment solutions.
This particular one was via the telephone payment system.
We were contemplating, can we do away with these payment solutions?
In the end we said, well no, because what we want to do is we want to make it easier for the public to be able to pay their bills.
If we take away a payment solution, then it's counter -productive.
But going back to your question, the AI staff said, I don't know,
and it's something that I can look into and feed back to you.
Heather Kneale - 0:34:04
Cllr Jon Whitehouse - 0:34:06
I just wanted to ask one more thing about the annual governance summary work.
The artificial intelligence work, which is ongoing,
I just wanted you to say a little bit about the AI policies
that are focused on encouraging people to use AI or warning people about the risks of
using AI and now that we're sort of six months or so into it being there, what are the initial
impressions of take up and feedback from staff?
Owen Sparks - 0:34:42
So we launched the policy, we've done some sessions and briefing sessions with staff.
So it's really around encouraging people, I suppose, not to be scared and to embrace
using AI, but also sets out some of the dangers and some of the rules about making sure data
is preserved and things like making sure you cheque what comes out.
So it's really about, this is some of the AI tools we've got for you to be able to
use as part of your work.
Please do embrace it.
Please do try it.
Please do share good practises for your teams.
But obviously it's set out very clearly the limitations and the cheques, what needs to be in place when staff do use it.
So it's early days and obviously we'll review that as we go forward.
Cllr Jon Whitehouse - 0:35:26
Yeah, no, I feel this is a counter -oriented question but it'll be interesting as it gets more embedded and people get more used to it to sort of see what the outcomes of the Council are.
Okay, if there's nothing else on this we can go to the recommendations.
So, yes, we just note the work.
Are people happy to defer those two audits for the reasons given?
Thank you very much.
And we have noted the progress of the actions in the Annual Government Statement.
So that brings us on from looking back to looking forward.

9 Internal Audit Strategy and Audit Plan 2026/27

and the internal audit strategy and plan for the next two years.
Sue Linsley - 0:36:14
Thank you, Chair. I don't propose to go through Appendix A and B. We had a briefing session
beforehand and I have gone through those, but if you want to ask questions about those,
feel free to do that at the end. So I'm just going to take you through the internal audit
strategy, which has been devised in line with the global internal audit standards as applicable
to the UK public sector. So it's starting in section six then, so a strategy in the
plan is about providing that independent assurance to you as a committee and to the Council.
And I have to give an annual conclusion on internal controls, governance and risk management,
so it's important that I cover those areas. And it's very important that the plan is
risk -based and aligned to the risks of the Council and the assurance might be very much
demonstrates that. It's very important that we add value in all the work we do. We could
do some traditional boring audits but that wouldn't add any value so we're always looking
to give that a little bit of extra, especially benchmarking against the other councils in
the shared service. As I said, making sure that we are compliant with the global standards.
So when you get my annual report in June or July time, I would have done that gap analysis
against the standards that came into effect from 1 April last year.
Moving down to the key deliverables, there is an item 11 about delivery of the audit
plan. We don't just do that, we are also making sure that it is an integrated approach to
assurance. We are looking at the other assurances that are provided through external audit,
or through consultant's report or through officer's report,
and reporting up to committee -wise.
Management commitment is really important.
No point making recommendations.
Nothing's going to change, and that's
why we bring the tracker to you each time.
And we're always continually developing the server.
So we're just on our infancy of using AI,
but we've been doing a lot of work
in the last couple of years around data analytics
and making sure we're making best use of data.
And then lastly, it's that business insight.
So making recommendations that actually help the council and not just doing what
the purest internal audit recommendation should be. Moving further down then
around quality assurance and performance management. So a lot of people ask me
Sarah who audits internal audit. So we do get audited every five years by an
independent person. So we had that last done in 23 it covered the complete
shared service and we were pretty compliant with the standards at that time which was
the public sector internal audit standards. So that does mean that I don't need another
one for five years and that will take me past LGR. So that's good news. But I am doing my
own gap analysis as I said and then if there's anything that I feel that we still need to
do, I don't think there's much left more to do, then there will be a quality improvement
plan and that will come to the Audit Committee. We've got some KPIs to make sure that we're
on track there and the ones we're proposing for next year are the same ones as we've used
this year. So developing the internal audit plan, section
22. So started off with the risk -based assurance map. We do a lot of talking around the Council
to the key movers and shakers to see what their priorities are. Is there somewhere audit
that we can give value? Sometimes it's nice to give them positive assurance that things
are actually working well as well as areas that could be improved.
Also look to see what's happening within the external environment as well as the internal
environment and again always looking to see what's happening in the other councils. It
It was interesting that we did the tree strategy audit this year and because of the findings
there we're now replicating that audit in our other councils.
So the audit plan under section 27 is split into three different layers and that's to
make sure I can give that assurance around internal controls, governance and risk management.
So we have the top layer, corporate framework, then I start splitting it down into strategic
themes and then down to service areas. I could just give you a list of audits that we're
going to give, that we're going to do, but I don't think that adds a lot of value into
your understanding. So thinking about the priority areas for
26, 27 are very similar to last year's, although, so we've got information governance,
risk management, we do a lot of work around risk management, don't own the risk management
process but I help officers to articulate their risks, is around local government reorganisation.
So I don't know at this stage what that's going to mean for the audit plan but if there's
any significant changes to the plan then it will come to you. So it's going to be a mixture
of business as usual, make sure things aren't falling through the gaps, as well as seeing
how the LGR process is going. Work very closely with the corporate fraud group and the joint
investigations there and then the focus on value for money around the 3Es. Can things
be done better, more efficient, more cost effective? We are always here to support you
as an Audit Committee, giving you the briefing and the papers that you need to make sure
that you can fulfil the roles in your terms of reference. If there is anything you need,
just let me know and we will get that for you.
Dropping down again to the operational level, there is a governance review taking place
around Qualis and Terra Verde. I think it is important that we look at that and make
sure it has been set up correctly. Key financial control audits still continue. We do those
on a cyclical basis. Then looking at various governance frameworks, so information management,
health and safety, risk management, business continuity and things like that
and then a nod there to the data analytics that we do. So I put that all
together, shake it all up, see what pops out and then you get your plan as a
appendix A and I work out how many days that I'm going to deliver. So I'm going
deliver you 439 days. That is a slight drop on last year. The reason for that is that
two of my team are hoping to start their internal audit apprenticeships, level 6 in October.
We are just waiting for it to be released by the Institute for Internal Auditors. Happy
to take any questions.
Thanks very much for taking us through that.
Cllr Jon Whitehouse - 0:43:22
Are there any questions from members?
A couple of things I wanted to pick up on.
I mean, you highlighted the work on Qualis and Terra Verde services governance.
That will depend in part presumably, or at least will need to follow on from the work that's going on with members in the Portfolio Hold advisory group.
So is that on schedule and going as planned?
Owen Sparks - 0:43:54
Yeah, that's on schedule. Hope to finish that in the next couple of months.
Obviously those control changes, so we'll pick them up and give her a view on that going forward.
Cllr Jon Whitehouse - 0:44:04
Okay. And the other thing was, you talked about LGR, which is the great unknown, particularly as we move into the period when the shadow authority is going to be there.
I mean, it's actually going to be for you sort of several different work streams in
a sense, isn't it?
Because there's the sort of legal compliance side, which I suppose you won't lead on but
want to be sort of assured about, because all these deadlines that legislation is going
to acquire, you know, the authorities to hit.
Then there's sort of wider risk management stuff around business continuity and so on.
And then there's thirdly, and I'm sure there's a fourth and fifthly, but I can only think of three at the moment.
But only the thirdly, there's all the sort of financial stuff around.
I mean I was at an event the other day when they were giving a reserve, as an example, needing to be really clear about reserves,
and which are, as it were, committed, which are contingencies, which are free reserves.
reserves, I mean that presumably comes as part of the treasury management work that you've got in the schedule.
You know, all the stuff around substitute companies and so forth and, you know, being really clear on what exactly
the predecessor councils are handing over to the new councils and don't necessarily
comment on how you see the sort of relative priorities, what you're going to do and,
you know, what your focus will need to be on.
Yes, there's a lot that we can get involved in.
Sue Linsley - 0:45:41
So it's where can we add the value?
Where can we already get our assurances that things are working well and things are in
hand?
So a lot of this is going to be talking to people.
So we've got a particular lead within the council, have regular catch -ups with that
person to see how that's going.
And then we're going to do business as usual type audits as well.
So I don't know what that looks like at the moment,
and it's a topic of conversation with all my heads of internal audits
that I'm in contact with.
So watch this space, and if you've got any good ideas, do let me know.
Cllr Jon Whitehouse - 0:46:22
Owen Sparks - 0:46:25
I think a lot of some of the foundation work has already started.
So, for example, there is a risk register at the moment
held corporately, as in Essex wide. There's various work teams that have been doing initial
work and they've got risk registers and we've got a risk register for our bit of it as well
that feeds into it and obviously that will develop now we know who we're with and the
monitoring students come out, the structural changes will as well. So over the next couple
of months that will come a lot clearer until then Sarah can plan her resources and see
what she needs to move about to make sure that's covered effectively.
Okay, thanks very much.
Cllr Jon Whitehouse - 0:47:05
So if we're done on that, we've considered the effectiveness and contribution to the
insurance framework.
I think it was helpful to see how that related to the Council's risks and, you know, different
areas of the Council's work.
And so asked to approve the strategy and plan.
The Member's happy to do that?
Thank you very much.

10 Corporate Fraud Team Plan for 2026/27

And then this brings us on to our final item, which is the corporate fraud strategy.
Thank you, Chair.
Martin Crowe - 0:47:36
The corporate fraud working programme is going forward, follows as you can see mainly the
two operational methods used by counter fraud teams, namely reactive work and proactive
work and projects.
Reactive work will continue based on referrals and information coming into the team from
varying sources such as staff members, members of the public, et cetera.
And each referral will be continued to be risk assessed and investigations resources
even assigned to those referrals which are prominently categorised as high risk.
Following the year, which predominantly seen our team dealing with investigations into
the plethora of right -to -buy applications that were received as a result of the discount
change, I'm pleased to say that we're now in a position to undertake more proactive
work, and details of which we've put into the plan.
Whilst I won't go through each one, there are a number that we particularly wish to
focus on during the year.
The first one being that ensuring that our anti -money laundering safeguards are up to
date.
This will include reviewing processes such as income and payments as well as training
and or refreshers for relevant staff involved in any area that deals with money, pretty
much.
Housing fraud forms a very large part of our work year.
So as well as dealing with the reactive side,
we're planning to undertake a number of initiatives
using data matching to highlight any cases of potential fraud,
such as illegal subletting, et cetera.
Unfortunately, for operational reasons,
I can't elaborate too much on that further in a public forum,
but feedback will be given to this committee where possible via our usual
update for each meeting. I think my other word would have been said, we're working with our
colleagues in internal audit on a programme of comprehensive fraud risk
assessments for each service area within the council. So this will
include engaging with staff in each area, working through data collection,
and things like face -to -face meetings with people in those service areas to help us understand
what the fraud risks are in those areas.
Whilst we have a list of what the fraud risks are, one of the ideas is that we talk to staff
to try and work out whether there's any new fraud risks emerging or things that we're
not aware of that maybe we should be going forward.
And also, you know, it's also to make sure that we can strengthen processes and identify
knowledge gaps and training needs, et cetera.
We're also working with our internal audit colleagues on an action plan in respect of
the ECTA legislation, which came in fully in September 2025.
and this will encompass areas such as awareness, training and legal compliance.
And the LGR, in light of yesterday's decision, we now have a clearer picture,
particularly in terms of fraud going forward, who our partners are going to be.
So it's going to allow us to collaborate more successfully and understand the fraud landscape
that we're going to look forward to going into the new unitary setup.
And it's also, it'll create a large number of new opportunities to cover areas of fraud
investigation that previously have not been applicable to us as a district council.
And also one of the aspects of work that we'll continue to do, we're expecting a new batch
of National Ford Initiative data matches sometime this year,
isn't it, I think.
So we'll continue to work closely with our colleagues
across the various service areas, as well as other
local authorities, public sector organisations, to review
the data matches and undertake any resulting
investigations as appropriate.
Happy to take any questions regarding it.
Cllr Jon Whitehouse - 0:52:23
Okay, thanks very much for that and I think it brings out sort of clearly the breadth of the work that you and your team does.
Ekta was a new one on me but it's a lot easier to say the Economic Crime and Transparency Act or whatever the reference is.
Members, any questions?
Sissel Heiberg - 0:52:42
Yeah, as the Chair says, clearly a lot of activity going on and you mentioned that you had more space now for more proactive work which is really positive.
My query was in relation to the reactive side where you mentioned that you're doing risk
assessment of everything that's coming through.
And also in your report you mentioned that the team is smaller than it has been historically.
Do you or have you felt that the risk assessments have perhaps needed to be on a different tier
or a different level of risk where beyond your comfort level
as a result of that?
Martin Crowe - 0:53:21
Yes, because the team is smaller, we've had to refine
our risk assessment process.
Because the team's smaller, resources are fewer
to investigate things.
So we've had to be, for want of a better phrase, a bit more
fussy in terms of the referrals that come in to make sure that
we can allocate those resources and get value from allocating
those resources.
So, yeah, it has had an impact on the way that we do risk
assess.
Yes, previously we were able to perhaps take on matters that didn't quite reach the threshold
to perhaps be looked at, but we could.
We had the resource to do that.
But as I say, now we have to be a bit more, as I say, fussy, if you like, about what we
take on.
Yeah.
Cllr Jon Whitehouse - 0:54:23
Sissel Heiberg - 0:54:27
And could you expand a bit on what the potential implication has been for the organisation
on that?
Where does that work then go?
Do other people pick it up in the organisation?
Have you got other ways of providing input that might not
have been, you know, a full involvement?
Or, you know, what's the risk to the organisation overall as a
result of you not being able to be as involved perhaps as you
might have been?
Martin Crowe - 0:54:52
In terms of the referrals, particularly internal ones,
if you like, they don't go anywhere.
We don't sort of put them on the too hard pile and forget about them.
What we do is we try to, if we can deal with them in different ways, we will do.
If it's just a case of perhaps we need to give somebody some advice
or signpost them somewhere else in terms of where to go, then we will certainly do that.
So, and we will try and come back to the ones that we can't
look at straight away.
We do look at 100 percent of referrals, and as I say,
we can and do return to the ones that perhaps sometimes don't
quite meet the level.
Okay, thanks.
Cllr Jon Whitehouse - 0:55:40
And this is just a thought that was sparked off by your
reference to face -to -face meetings, but are there risks
associated with the fact that so much now is done remotely, you know, remote meetings,
remote interviews, remote working.
I mean, there's the thing that sort of crops up occasionally about people sort of working
more than one job at the same time because of remote working.
But it just struck me that, you know, a face -to -face meeting with both of you there, you know,
has a sort of level of authenticity that speaking to a face on a screen, particularly if it's
not a face you're familiar with doesn't.
Yes.
Martin Crowe - 0:56:20
As most people will tell you, I'm a big fan of face to face.
That's the way I've always worked.
Yes, I mean, the changes in working practises,
not just for Epping, but I think for most councils,
hybrid working, et cetera.
In terms of fraud risk, yes, it does elevate it,
particularly in terms of, we use the example of polygamous working people with two jobs.
I'm not speaking for Epping, but the fraud community have noticed that there is a rise
in that kind of thing, because it is more difficult to monitor staff, if you like, knowing
whether they are working or whether they're sat in an office.
And it gives people the flexibility to kind of go off and do that kind of thing.
So yes, it has raised those risks, but we try to mitigate them as much as we can.
I mean, the principal burden is really on the manager, isn't it, to understand how much
Cllr Jon Whitehouse - 0:57:29
productivity they should be expecting from an employee and if it's not being delivered
to sort of look into that through the performance management framework, I suppose.
But yeah, no, sorry, that's an interesting thought.
It's good to know it's sort of on the radar as an issue.
Okay, so we're asked to approve the Corporate Fraud Team's plan
for the forthcoming year.
Are members happy to do that?
Okay, well, I think this brings us to the end of the meeting.

11 Any Other Business

So I shall close it and thank you all for attending.
Thanks very much, everyone.
Thank you.
Martin Crowe
Corporate Fraud Team Manager
Epping Forest District Council
View profile Martin Crowe
Sissel Heiberg
Co-optee - Audit & Governance Committee
View profile Sissel Heiberg
Laura Kirman
Democratic Services Officer
Epping Forest District Council
View profile Laura Kirman
Heather Kneale
Co-optee - Audit & Governance Committee
View profile Heather Kneale
Sue Linsley
Senior Auditor
Epping Forest District Council
View profile Sue Linsley
Sarah Marsh
Chief Internal Auditor
Epping Forest District Council
View profile Sarah Marsh
Owen Sparks
Interim Strategic Director / S151 Officer
Epping Forest District Council
View profile Owen Sparks
James Warwick
Service Director - Contracts Partnerships and Procurement
Epping Forest District Council
View profile James Warwick
Cllr Jon Whitehouse
District councillor for Epping East ward
Liberal Democrats
View profile Cllr Jon Whitehouse