Joint Audit Committee - Thursday 12 May 2022
Joint Audit Committee Meeting Minutes
Date: Thursday 12 May 2022
Time: 1300hrs Location: Microsoft Teams
Melvyn Neate (MN) Chair
Liz Mackenzie (LM) Vice-chair (Apologies received)
Peter Lloyd (PL)
Katherine Pears (KP)
Gordon Manickam (GM)
Richard Croucher (RC) Chief Finance Officer, HC
Andrew Lowe (AL) Chief Finance Officer, OPCC
Jason Kenny (JK) Chief Executive, OPCC
Lucy Hutson (LH) ACC Corporate Services, HC
Catherine Akehurst (CA) ACC Joint Operations, HC
Mike Lattanzio (ML) Chief Information Officer, HC
Ace Dann (AD) Strategic Risk Manager, HC
Kevin Suter (KSu) Ernst & Young
Karen Shaw (KSh) Chief Internal Auditor, OPCC & HC
Jane Goddard (JG) PA to Richard Croucher, HC (minutes)
Declaration of Interests (Item 1)
There were no declarations of interest.
Apologies (Item 2)
551. Chair’s Report (Item 3)
The Chair updated that the morning training session covered the topics of the OPCC reorganisation and the relocation of the office.
552. Minutes, Matters Arising and Action Log (Item 4)
PL raised that an extra word was included in section 543, line 8. It was agreed the additional ‘by’ would be removed.
PL highlighted an inaccuracy in section 540, regarding the discussion around increases in interest rates, rather than inflation rates. Replacement wording suggested: “In the context of 6% inflation and the likelihoods of interest rates increasing, this would to some extent benefit the OPCC because it is a net investor.” All happy with this change.
Action 99 – Future training session to be arranged on the Professional Standards Department (PSD). It was confirmed this topic has been added to the training list and will be the subject of a future training session.
PL raised item 543 from the previous minutes, which suggested there may be pressure to increase external audit fees for 2021, and was interested to know the outcome. KSu advised this has been raised with RC and AL, who have provided their comments to the PSAA, and we are now awaiting their decision. Further details are included within the Audit Plan and would see a proposed increase in fees from £46k to £85k.
553. SIRO Annual Report (Item 5)
Report presented by ML and verbal summary provided, noting this is a joint report for HC and TVP.
The key themes were discussed, noting this has been a busy year, with a focus on cyber threats, linked to the conflict between Russia and Ukraine. Demand for subject access requests and Freedom of Information (FOI) requests has also increased, however there has been strong performance throughout the year.
ML updated on the key delivery areas for 2021/22 and discussed the use of penetration tests. These are carried out by external third parties and are a precursor to signing off any new technology. ML also advised that departments are predominantly using Windows 10, which offers better security protection.
The National Management Centre (NMC) was discussed, which is a service providing a capability in terms of threat detection and monitoring. This provision would have been difficult for forces to implement individually and we have already benefitted following a recent vulnerability. Zscaler software has also had a positive effect on remote working, offering high-level protection and a better user experience.
ML updated that, as SIRO, he has set up and now chairs a new joint Cyber Threat & Management Board, focusing on risk. There are two elements to cyber security – the technology itself and the users. The users are deemed to be the biggest threat, so keeping the workforce aware of the risk of malicious activity is a priority.
Mandatory training is in place, and efforts continue to communicate that it is everyone’s responsibility.
KP asked for further details of the Op Doctor exercise run in force, which focused on phishing emails and physical security. Results were tracked to show how many people looked at the emails, how many clicked on the link and then the number of those who followed it through and divulged personal information. These results have been shared and a plan has been put in place.
Question from PL regarding the references made to the legacy infrastructures we are looking to remove. ML assured there is nothing fundamental that needs changing, or an overarching system to replace, and confirmed this will all be achieved in due course.
ML mentioned internal audits and the work generated from the ICO audit, advising we are in a good position around this. The only outstanding item related to the Retention Policy, to ensure data is not over-retained. A proposal on this area is due out in June and work with the ICO has now finished.
Due to the additional demand and increased volume of FOI and subject access requests, there has been recent agreement to increase staff numbers. GM asked whether processes have been reviewed to determine how much of this information can be made available on the website, to allow individuals to obtain it themselves. ML advised we do publicise FOI requests where we have data and that work on automation is being considered. Regarding the workload, it was confirmed that subject access requests are always prioritised over FOIs, due to the personal impact on individuals.
Discussion around the different types of security breaches. It is noted that the number of reports of smart phone losses is fairly high, however figures are not increasing from previous years. As with the loss of security cards, timely reporting is key to ensure these items are deactivated and unable to be used. In the case of smartphones, these are also already encrypted, which reduces this risk.
There have also been reports of breaches linked to casefile submissions and sharing superfluous data with the Crown Prosecution Service (CPS). ML advised that this predominantly relates to content not being redacted, however some of the decisions could be considered questionable. MN asked about the differences between the rates in HC and TVP, as the position in HC is shown to be more favourable. ML explained this could be due to the differences in the CPS teams working with the two forces but work is ongoing to try to fully understand.
KP asked about the threat from ‘Auditing Britain’ group. ML stated this is more about a risk from physical security, e.g. drones and disruption activity.
Question from KP regarding access to banned websites, such as pornography, on work devices. ML confirmed this is completely blocked, in the same way as gambling websites, and individuals are physically unable to access them from a force device.
554. External Audit Plan (Item 6)
Slides shared by KSu and update given on the audit plan for the period 2021-2022, which has just ended. KSu noted there are very limited changes compared to plans for the previous year. There are no risks identified in S3, value for money responsibilities.
KSu provided a further update on the proposed increase in fee, linked to PL’s question earlier in the meeting. It was explained that this has been recalculated due to the additional work required every year. AL and RC provided comment on their positions and their support for the PSAA to make the overall decision.
Update from KSu on the new PSAA contract process, as the contract for post 2023 is now out. This is similar to the previous tender process and involves splitting the country into geographical areas. When the contracts are awarded, the PSAA will start discussions on which bodies fall into which contract. The timescale to have those awards made is December 2022.
Question from PL regarding the tender process and how new, or smaller, companies have a chance to become involved in the audit process. KSu advised there are two small lots of approximately 2%, reserved for challenger firms, which may offer an opportunity for new companies to become engaged in the first instance.
555. Internal Audit Progress Report (Item 7)
Update from KSh regarding the internal audit progress report, closing off the 2021/2022 year.
It was confirmed this work is still being finalised for the annual report, with apologies given that the data is not available for this meeting. Papers will be circulated in advance of the next JAC meeting in September.
Overall there are very few outstanding actions. Of note, for the 2022-23 plan, the shared services plan has been included, showing the scope of the work and giving an overview of progress so far.
556. OPCC Annual Governance Statement (Item 8)
Overview provided by AL and JK, noting there are few changes in the statement compared to last year. Comments made by exception regarding the following sections:
· 1.3 – Slight amendment around Covid and the size of the statement has been reduced, noting there are no major issues on a continuing basis.
· 3.1.4 – Noted new Chief Exec appointment.
· 3.2.1 – Noted new Police & Crime Plan published in November 2021.
Reviewing the actions from the previous year, it is noted there are more recommendations than would usually be expected. JK explained these almost exclusively relate to the restructure and the new governance as a result.
Question from PL regarding which documents are suitable to be published on the PCC’s website. It was confirmed that the agenda and minutes for the open session are to be published, however the confidential minutes are not.
ACTION 100: Clarify whether the agenda for the confidential JAC meeting can be published on the PCC’s website (AL)
PL sought clarity on the wording of section 3.3.1, specifically the strategic aim to deliver “positive, economic, social and environmental outcomes for Hampshire and the Isle of Wight.” It was asked whether this is part of the PCC’s remit. AL advised this is one of the headings from the Government’s statement that needs to be commented on, however noted there is a difference between defining the vision and being required to deliver on it.
ACTION 101: Make further enquiries regarding the wording of section 3.3.1 (AL)
557. Constabulary Annual Governance Statement (Item 9)
Presented by RC.
There are few changes to the body of the text. Similarly to the PCC’s statement, the Covid assessment has been reduced and is now a monitoring position. The following was noted by exception:
· 3.3 – Reference to Op Olympus. This is new work to improve performance, particularly in the Investigation area, being introduced through Op Falcon and the processing of detainees in custody.
· 3.4 – Contact management platform and continuing to stabilise CMP function. One of the new changes is the introduction of a digital team, who will look after major systems, including CMP, RMS and Pronto.
· 3.5 – Reference to acting up allowance. This is an ongoing piece of work, discussed elsewhere on the agenda.
Section 4 of the report provides an update on what we have achieved in the last year, including Uplift (4.3) and future demand mapping work (4.4). Future Estates work on Southampton Central and Vickery will also mean teams will need to be temporarily moved out of these sites, and this continues to be monitored.
The public session closed at 1420hrs.