Audit Committee - Wednesday 11 March 2026, 7:30pm - Wandsworth Council Webcasting

Audit Committee
Wednesday, 11th March 2026 at 7:30pm 

Agenda

Slides

Transcript

Map

Resources

Forums

Speakers

Votes

 
Share this agenda point
Share this agenda point
Share this agenda point
Share this agenda point
Share this agenda point
Share this agenda point
Share this agenda point
  1. Webcast Finished

Okay, welcome, everybody, to this meeting.
My name is Councillor Worrall, and I'll be chairing this evening's meeting.
What I'd like to start off with first is for the members of the committee, if you go around
the table, to please introduce themselves.
So switch on your microphones and then indicate who you are.
and also to welcome the two independent members to the panel, one of whom, Alexander Priest,
is new today, so a big welcome to you as well. So if we could start with you, Councillor Rigby.
Hi, Councillor Rigby.
Hello, Councillor Anna -Marie Critchard from Tooting Beck Ward.
Alexander Priest, you independent member of the Order Committee.
over for the Nick Harlow independent committee member
Councillor Lindsay hedges Ballen Ward
Councillor Kim Kelly Southfield's water
Great. Thank you everyone. We also have a number of officers present with us tonight
I will ask them to introduce themselves when they speak to the different papers
So start off with are there any declarations of either pecuniary not other vegetable or non -registable interests?
I always fall over that one.

1 Declarations of Interests

But anything to declare, as I say?
No? Great.
Thank you very much.

2 Minutes - 12 November 2025

So moving on, Agenda Item Number 2.
You've been given the minutes of the minutes meeting of the...
Sorry, let me start again.
Are the minutes of the meeting held on the 12th of November
agreed as a correct record?
Great. Thank you, everyone.

3 The Council's use of its Statutory Surveillance Powers under the Regulation of Investigatory Powers Act 2000 (Paper No. 26-102)

Great, thank you.
Before we proceed with the rest of the meeting, could I ask that in order to make this meeting
more accessible to the general public and better to understand, that we keep away from
jargon.
If jargon is used, please be prepared to be challenged to explain what you mean by that
jargon.
And that applies to counsellors and officers as well.
I think one of the concerns about meetings like this, that they can be impenetrable to
general public, so just as a general reminder in relation to that, so thank you.
So I'd like to move to the next agenda item, which is paper 26 -102, and who's starting
this up?
Paul?
Thanks, Chair.
So just noting your comments just now, I won't call this paper R .I .P .A.
I'll use its full acronym.
So this paper gives an update on our use of the surveillance powers under the Regulation of Investigatory Powers Act, otherwise known as RIPA.
For those new to the committee, what this is, is this is an enabling power that allows us to go out and do directed surveillance under certain circumstances which are outlined in the paper.
However, we also still will carry out surveillance where we're not able to use that shield, where
we think it's in the public interest to do so, and in accordance with the majority of
the rules that would protect us under that shield.
Notably, the only difference is that if you're using the power, that needs to be the option
of a sanction of having a six -month custodial sentence.
and you'll note when you look at the appendix we really only do have been
utilising these for abuse of blue badge frauds. The difference is why some are
under the shield and some aren't is it all depends upon what powers we're
looking to do it at. So normally if it is a if it's a we can evidence it's going
to be a fraudulent act ie that that badge was lost and reported lost or was
stolen then we knowing that it's been being used under that element and if
it's just being misused, we would normally do it under the other regime.
So paragraph eight outlines the outcome of the two cases where we did use the shield.
One of those is ongoing and the other one was found to be approved and therefore the
vehicle was impounded and the blue badges had been seized.
And then there were seven times where we still carried out
that surveillance without the formal shield.
And the details of the outcomes of that
are in paragraph 13.
So I don't propose to say anymore,
but if there are any questions, I'll either answer them
or I'll pass you over to Kevin.
Great, before we start, Paul, if I could just ask you
to introduce yourself.
Sorry, I'm Paul Gigliotti, Director of Financial Services.
Great, thanks very much.
Any questions from the committee members?
Okay, so I've got Councillor Rigby first and then Councillor Caddy.
Thank you. So I was just interested to know, are we using facial recognition at this stage with the technology here?
No. When we're doing our surveillance, it's officers going out in general.
They may use handheld equipment.
They may use cameras.
They may use CCTV.
Anything that we do and operate and how we,
types of things we would intend to use
would be documented in the application form
that's being used.
Jerry, any follow up?
No, because I was just quite interested,
because I know the police have been using it
down at Tooting Broadway and it's been really successful. I'm wondering if it was, if there
was any way of using it to sort of cut down on, you know, also increase the number of
investigations where we can't always have an officer.
The remit for where we were able to utilise the directed surveillance is prescribed under
this legislation. So it's only under a unique scenario and that is, if you indeed had in
report as to where we would go to do it. We use it sparingly, but we will use it
where appropriate. And clearly, you know, part of the reason why this got brought
in was the threat of authorities abusing their usage of, so it is there
to make sure we only use it as appropriate. Certain things that we would
be looking to do in accordance with the police, they have different powers and
are able to conduct surveillance under different setups to watch what we can as a
authority so it is quite prescribed in order to do so. If clearly legislation
changes and enables us to use other technology and I'm sure Kevin and his
team will no doubt be coming to me and asking us to do it more widely.
Thank you. Councillor Kelly. I just wondered why the the numbers seem to be
reducing and whether that's because we're sort of taking less action or
whether it's there's less activity less fortunate. I'll pass over to Kevin who can
probably talk to you about where his timelines
and workloads are.
Sorry, so Kevin Holland, Assistant Director
for Fraud, Risk, and Insurance.
So the numbers have reduced because,
but the cases haven't.
What we've had is we've,
we've had referrals of misuse, say, in Area A.
We set up the Ripper application,
either obtaining the full shield
or under the non -REPA who think it's a misuse of a friend or a relativity badge.
When the officer is out there doing the surveillance, obviously they're watching one vehicle but
they see several others.
So we are picking up sometimes the one application, we can pick up three or four other occurrences.
So the overall number has not diminished at all.
Thank you.
Councillor Crichard.
Thank you.
I've got two questions.
The first one is on paragraph 10, talks about the remote review of the Ripper, excuse me,
our use of Ripper.
I just wondered is this sort of like something that happens every four years, we get an independent
cheque that we are not abusing the powers that we have.
And then the second one was actually in the public, the general public tend to be very
interested in the misuse of blue badges.
And that's something that people do complain about because they think it's going on a lot.
What I'm quite interested in is, have you got any stats on the percentage of misused blue badges?
So you've obviously had seven cases here plus another two, so that's nine cases of misuse.
I just wondered how frequent they are as well.
and if that's something that you need to come back to us, but
It'd be great to have it. I can try to tackle both of the first one really there's nothing
Prescribed as to how frequent meetings will be they're ad hoc remember that we also work under a five borough partnership
So there are opportunities for other inspections to be able to be utilised in relation to what Kevin's team does
percentage wise
Some of the badges remember the abuse that we doing may not necessarily be a Wandsworth badge
It could be being misused of everything else.
So we're not going to be able to get those type of statistics because it's going to be
operational in our borough, but the badge itself may not be a Wandsworth's badge.
I don't know whether you wanted to add anything to that, Kevin.
I will, Paul, sorry.
So the inspection by the commissioner's office, the usual cycle is once in every five years.
Because we operate across five boroughs, I'm having annual inspections.
The processes we use are the same across all five.
So the process itself is tested and checked each time.
So that's why they moved and the Commission were happy to do that lighter touch because
they, our process has been fairly stable over a number of years.
It's evolved a lot with their help in the beginning, but they've been fairly stable
since and therefore they're satisfied with that process.
And then secondly, as Paul's one on the numbers, so the badges, it's – there are
further details of what's come through in the fraud update report, which bring on – where
I said there will be more prosecutions, you'll see, over and above the use of surveillance
because of that reason where we've done it in an area and picked up additional vehicles.
But quite often the misuse we're picking is not a Wandsworth issued badge, it would be
another authorities issued badge in sometimes even in another part of the country, because
that's where we get the higher bits of misuse.
Thank you.
I mean, does any – presumably somebody could get us the number of Wandsworth issued badges
just to get an idea as well from that at some point, yes?
Okay.
And yes, so thank you and what you're saying about the review is then for anybody who's interested in whether or not we are
Overstepping the mark. We're actually fairly pretty closely controlled on what we do with our special powers
Cancer hedges
Thank you chair and mine just relates to paragraph 9. I just wondered if there was a bit more information about
where it states my inspector is satisfied that the council's policy underpinning the use of the the Ripper is suitably comprehensive and
Also the order the auditable process in place just wondered if you had a bit more information
Just so that we can confirm that this was necessary and proportionate
Thank you. Well, I will not will answer that one
So I think when the inspection was done in the year it was done to this committee
we brought the whole report.
So since we haven't had an inspection in the past year,
it's just those comments are left in there.
But every time there's a new inspection done,
we will bring the full comments to this.
So it's, yeah.
Thank you.
Any further questions?
Nope, okay.
If there are no further questions,
we've been asked to approve paragraph four,
which is a specific purpose
of how the searcher used.
Are we in agreement?
Great.
Thank you very much.

4 Internal Audit Service's Charter, Strategy and Plan for 2026/27 and Strategic Plan (Paper No. 26-103)

Right.
Moving on to paper 26 -103, which is the Internal Service Charger Strategy and Plan.
If I could ask Paul once again.
Thank you, Chair.
So again, I'll just give a very brief overview.
This is an annual paper that comes to you which sets out our charter, the
strategy, the plan for the for the year ahead and also the rolling broader
strategic plan that's over five years shows you the two years previous and the
two years that as an indicative plan going forward. The key sort of change
really this time around is that there's been some changes to the way that we
to present the charter and some of the strategy elements
to it because of the new global internal audit standards.
So you won't see any real track changes in the document,
but there have been some wholesale areas
which have been altered.
Three sort of main clear elements of that is
that there is now an explicit identification
of the structural independence,
where there's some challenges.
doesn't really apply to the Wandsworth element.
But obviously, you met Andrew,
and you know the way that we operate
within the shared service arrangement
or the better service partnership.
Andrew reports through to me.
So technically, if I wasn't statuary head of audit here
and you had that same sort of principle,
the fact is is that we would now have to have to
to state that.
The fact that you both come,
both of us come to both committees,
you've got that unfettered access.
it's there and it stipulates how we report straight to the chair rather than
it through part of the executive or and then we've actually got real
independence from the cabinet and for other things because the nature and the
way they operates within the you know the audit committee structure and the
way that that sort of dealt with so there's no real key element but we now
have to articulate exactly how that works it also formalises the way that
what happens when there is perceived potential conflicts due to operational responsibilities.
Again, nothing really new here because we've been reporting for numerous years. You all
know I cover pensions, procurement, health and safety, there are audits in those areas
so it shows you how we would then address those sort of issues. So I'm just treated
as a standard auditee when it comes to that aspect. As the Executive Director, she then
steps up and arrangements would be done between Andrew and her as to how the audits would
be covered.
And then there is also more details around the stronger right of access and escalation
protocols.
So they're really some of the key sort of changes within the charter.
There's an introduction of multi -year internal audit strategies, but we've been doing that
as well for numerous years.
So it just sets out the three -year vision.
within the strategy though, without defining our strategic objectives and we
now have to ensure that we are aligned with those global internal audit
standards. But I'm sure you've got probably quite a few more detailed
questions and I will try and answer them otherwise no doubt I'll be asking Andrew
to give some more information. Okay any questions? I've got Councillor Critchard,
Councillor Rigby, Councillor Hitches.
So let me just write this down.
I've got then Ilver coming in after that,
and then Councillor Caddy, and then Alexander after that.
So, great.
When you ask your questions, if it's in relation to something that's in the paper,
please can you state the page and the paragraph,
just to help us keep a focus of what the reference is.
So starting off with Councillor Gritchard.
Thank you, Chair.
I'm looking at page 13, paragraphs 5 and 6,
well, 5 particularly, the audit charter.
Mr. Giuliani, you've given us some indication of how this has changed.
I would say I do find it quite difficult if I don't have those changes detailed in front of me.
Could you just highlight for us which paragraphs are the ones that we should look at?
So you've talked about specific changes, but if you could highlight the paragraphs in the Charter, that would be a good start.
And that's probably, that's my first question.
I guess there might be others about the Charter.
I'll defer to Andrew, but I think he'll say that there are wholesale changes, so it's
not going to be singular.
Thanks, Paul.
I'm Andrew Hamilton.
I'm the assistant director for the Shared Audit Service.
Paul's right.
So what's happened is we've moved from public sector internal standards to global internal
standards.
So there was a complete overhaul of the standards that we worked to.
And so this wasn't the case of updating a previous document.
this was rewritten, particularly to make sure that it's compliant with the standards.
So one of the things that we have to have as an internal audit section is an external
quality assessment every five years.
We had one a couple of years ago, so we'll be due for one in a couple of years' time.
One of the ways of demonstrating compliance with the standards is by making sure that
our charter is compliant.
So there's specific wording that's been changed.
There's a fair amount of repetition, so the charter refers to compliance with the
global internal audit standards and UK public sector throughout the document.
And that's referring to the fact that global internal audit standards are written by the
Institute of Internal Auditors, SITFA then assess those standards and they give further
guidance to make it relevant to public sector.
So there are certain challenges within in, not challenges, sorry, differences within
public sector.
So in a private company, for instance, the Audit Committee would set the budget for audit,
but in a public sector organisation, you know, this committee doesn't have control over budgets
and so deals with those sorts of things.
But we are required to say that we comply with the global internal audit standards in
the UK public sector each time we refer to it, and that's a requirement of both the global
internal audit standards and the SITFAR application note.
It strengthens the governance arrangements, it makes things more explicit, so there's
much more detail about the role and the responsibilities of the audit committee.
So there's a section in there for the role of the committee and there's a section there
for the role of senior management.
So this has been to the Director's Board, I took it there and spoke, I've had a conversation
with them.
Oh gosh, I knew you were going to ask that.
Yeah, hang on, I'll go through.
I'm just finding the paragraphs.
Bear with me a second.
So, for example, senior management responsibilities starting at paragraph 47 specifically sets
out what the senior management team is now responsible for.
That wasn't something we had in detail in the previous situation of the charter.
It also sets out Paul's role specifically at paragraph 48, so that details what Paul
is responsible for.
And then, sorry, that continues at paragraph 55 as well, so you'll see quite a lot of,
Paul's responsible for a lot of stuff.
I can't find the audit committee one at the moment.
Can I, I'll tell you what I can do is I can take the document, I can highlight the specific
sections and then I can distribute that to the committee.
I think that would probably be, is that okay if I do that?
Yeah, so I'll send you a covering email saying
that these are the specific paragraphs that you need
to be aware of and to note.
Okay, thanks.
Thank you.
Councillor Rigby.
Yeah, so page 14, paragraph 10, the risk management framework.
Could we have a timeline on this, please?
Okay, so there is, I think there is a paper later on on the risk management update and
everything else.
So this is work in progress.
There is already work that's been carried out with directors board on the identifying
and addressing the new, what will be the new corporate risks. There is going to be another
meeting with them in the next few weeks. So it is now, this isn't something that's gone
away, this is iterative and it's ongoing and it can't, and it's shown, and we now are now
already in that quarterly cycle. So that's there now. What we can't give guaranteed assurance
on is when we're going to get that digital platform in how to do it that will fully embed
it through those three -stage processes.
But the directors board element of it is in place now.
I wonder if the officers have anything else to comment on.
Kevin or Andrew, do you want to highlight anything else?
Okay, great.
Thank you.
Councillor Hedges.
Thank you, Chair.
Two questions.
One relates to the operational audit plan on page 47.
That's Appendix 6.
Really pleased to see the transformation programme on here.
I know we've mentioned it before.
Keen to just understand a little bit more information there
about what you're going to do.
And then the second question relates
to Appendix D around cyber security.
It looks like we're planning on doing audits every other year.
My question around that is, given the heightened sensitivity around the cyber attack that happened
in the Royal Borough of Kensington, Chelsea, also Hammersmith and Fulham, and then there
was a ransomware one in Hackney about five or six years ago, given this is high risk,
would we not want to do that every year?
Thank you.
So I'll take the first one.
I'll half tackle the second one and probably refer to Andrew for the other half of the second bit.
Again, transformation programme is something that is iterative and both Andrew and myself will be working with Anna Popovici and the team
in order to try to work out how is it best place to utilise our time and affecting it.
So we don't want it to be overly prescribed. This is one where quite often when we're doing audits it's a post -element review.
We think this is quite challenging and it's important that we don't want to do a post review.
We want to be involved during the process.
So that is what we're doing and that's what the planned timing is.
There might be a piece of work that we do post and on that Andrew comment,
he goes over to him if he wants anything else to add to it.
But that's where a lot of the time is going to be placed.
On cyber security, work that all it does and everything isn't just looking at reviews,
it's looking at what other elements and assurances can we have.
There has been training and basically some workshops that's carried out that can give
us that type of assurance, which is probably more important than us trying to do an audit
on angles.
The executive directors board have had case study which they worked through, as has the
finance department, which I got involved with with the team.
Both Andrew and Kevin were in attendance where we actually tried to work through what would
happen if certain events took place. Just to try to highlight are your business
continuity plans in force. What we can't really do no matter how many audits you
do is prevent something. So I'm loathe to spend loads of audit time on something
that's not really going to achieve much if I'm honest with you. It's more about
resilience planning, looking at have you got effective business continuity plans
in place when it happens. And as you know every time you ask me the question I
I always say when, not if.
So I don't know whether Andrew, you wanted to add to that.
Thanks, Paul.
In terms of the transformation programme,
yes, so it's gonna evolve as that programme gets underway
and it's in its early stages.
We'll certainly be covering off the risks
that were identified in the change programme audit.
There was a limited assurance opinion.
The controls were, have been carried forwards
into the transformation programme
and there's an undertaking to comply with those.
so we will be following those up.
But we'll look at each of the,
well, we'll look at some of the programmes
or each of them depending on risk.
But we'll come back with updates
as once we've got a better understanding
of what that looks like,
it may well be that one audit turns into three or four,
but we'll provide updates as we go along.
And cybersecurity, yes, it's in there biannually.
I guess first thing to say is
there's a cybersecurity audit going on at the moment.
Depending on what the outcome of that is, we may well do another one next year.
We might not cover everything.
We might have a follow -up. If there are significant recommendations, we'll follow those up and do those in more detail.
And then, I might pass this over to Kevin, actually.
So, Kevin sits on the Information Security Governance Board.
And the IT section do contract out some of the specialist cybersecurity protections.
Kevin, would you like to come in?
I think that's why I'm saying in terms of protecting the council's network, the council
we have specialists in the industry who oversee our network.
So we have a company who will monitor our network and our traffic 24 -7, something that
council can't do.
So in terms of the auditing to be able to identify something if something's gone wrong
or an attack has occurred, that's where we have the external company in to do.
They do that, but they also provide assistance where we, or as Paul says, when we're hit
with an attack, they will then provide us with that frontline support of how to address
and how to respond.
So the auditing on the network is something that's externally done continuously.
The audit of that process is what Andrew and his team will do on an annual or biannual
basis.
And I'm just coming with one more point, sorry.
There's also an audit in the plan called information security.
So that's kind of a catchall audit.
So the council has the ISO 27001 accreditation and the requirement for internal audit is
to audit against a whole series of controls and that includes network security and cyber
security.
So whilst it's not badged as specifically cyber security, we do pick up issues on an
annual basis as well. So there is probably more coverage than it suggests in the plan.
Thank you for that and thank you for the comprehensive response.
Ille, can I come across, do you mind me using your first name?
Yeah, that's fine. I have a similar question on housing management.
Given the C3 rating that we have received, sorry, can you hear me?
page 60, page 65 of the report.
So housing management, I can see that we are planning
to do an audit every other year.
And for housing compliance, we did one in 2024, 25
and the next one is planned for 27, 28.
So I was thinking, do we need to increase the controls in the area so that we identify
something before the regulator of social housing comes back again?
So the high risk audit areas are in the plan on a one to two year cycle, but then obviously
other things come into play as well.
Also some of that depends on what the output of the audit was.
So if we do an audit and it's a full assurance
or a positive opinion, we wouldn't feel as inclined
to do something the next year.
So I get what you're saying in terms of the housing
regulator particularly because there was a review
that wasn't favourable.
We do pick up some of those things in other audits.
So we'll do specific audits on fire risk assessments
for instance, we might do some specific audits
on gas safety or something like that.
So again that's kind of a bit of a catch -all title,
but within there we do cover other areas.
So we do cover stuff more than,
probably at least annually.
And even if we don't, on the year when we're not
doing an audit, we're still doing follow -up work
from previous work.
So we're kind of there, I suppose,
and we're working with the department
on a fairly regular basis.
Certainly for the last three or four years,
we've been doing regular follow -ups on fire risk assessments
where they haven't been at the point
where they needed to be.
So we've had quite a lot of coverage.
And I guess the other thing to say,
this is an aspirational,
and it's a flexible five -year plan
as opposed to a definite.
So each year we reassess whether we're gonna do an audit
in the plan or not.
So it may well be that,
it might say we're not gonna do something
in next year's plan,
but actually when we reassess it,
we might do it.
We also attend the department team management meetings
quarterly, have conversations with the executive directors
and directors and assistant directors at that point to reassess their risk profile and understand
whether they've got any specific challenges and then we'll flex the plan if we need to.
Councillor Curdie.
Quite a few audits where they're quite low risk and they seem to be audited every year
and I just wondered what was driving that so I'm just looking at things like the procurement
card continuous audit which is on page 60, Richmond Voluntary Fund charity account.
There's quite a few that look like they're audits of third party or other organisations
and it seems like they're low risk but they happen every year and then obviously sort
of setting that against some of the high risk areas that only ever happen every couple of
years. I wondered what was the sort of reasoning behind that.
So things like the procurement one, it's in here for time, it's not technically necessarily
an audit.
It's one of those ones where we've got continuous oversight on to make sure that things don't
creep into being a problem.
So that's why it's relatively low, part of the reason why it is low risk is that you
actually have that process in place to balance it off.
So there is who's got access to a card, what thresholds those cards are, where the, and
and then there's some sampling on where the spend is as well.
So that's why you've got that sort of
what seems to be a mismatch.
Thanks, Sander.
Cool, thank you.
I think on paragraph 26, we talk about bringing in
kind of extra skills when needed.
You've already referenced that you do this maybe in cyber,
but where else would you maybe bring in extra skill sets,
and do you have the required kind of knowledge
within your internal audit team
around various different sessions here?
Because I guess some of the rules and regulations
are maybe quite complex in some of these areas,
so do they hold the relevant kind of training for that?
So we have access, within our procurement,
we've got access to abilities to utilise
organisations like MSARS and PWC.
So if there is going to be a specialist for,
it may be a high profile type contract based audit,
an IT based audit for where we're not necessarily
skilled up to do, we'll draw down on those.
We obviously like to use them sparingly
because the cost associated with it will mean
that rather than being one audit day,
we might be paying two audit days for that one audit day.
So as and where appropriate, we will use those.
Sure.
Then the next question would be on Appendix B
when you start talking about KPIs.
So you've said that by 2027 you'll be having 50 % of your audits kind of covering data testing.
What is data testing exactly?
And should that be brought forward sooner maybe?
Because I guess in my role I'm an external auditor and the issues that we find tend to
be in underlying data.
So knowing that only 50 % of the audits, well internal audits right now only cover data,
Well, that's your target, so I was going to say, is that good enough, really?
Just before Paul answers, Alexander, can you give us the reference page?
Page 43, yeah.
I was going to pass you over to Andrew, so hopefully page 43 is easy for him to find
now.
Yeah, good question.
So the KPIs is something new that we haven't reported to Committee before.
I guess we're starting from an unknown position.
and we have a, and I guess it's also worth bearing in mind
that this is a partnership as opposed to this,
this isn't just looking at one's worth.
We have different people in the team
at very different levels of understanding
how to use data analytic techniques.
So at the moment, for example, at the moment,
we're going through a programme of making sure
that all auditors have a good level of use of Excel,
and you know, formulas in Excel that you might,
you know, you might understand perfectly well,
some of our auditors do, some don't.
So we're trying to get a benchmark.
And once we've got the benchmark of everyone can do the things
we would expect them to be able to do in Excel,
then we'll move on to things like Power BI
and more complicated data analytics techniques.
In terms of whether we should do it quicker,
well, yes, in an ideal world we would do.
We do have budget constraints in terms of the amount of training
that we can do.
And we have a mixed ability team.
People at different points in their careers,
some that are young and very keen to learn.
And for them, this sort of thing is, they'll pick it up easy.
And then we have other people that
are sort of towards the end of their career
that struggle a bit more with this sort of stuff.
And what we mean by data and using data in audience
is wherever there is a system that holds data,
and we can do transactional testing,
we hope to get to the point where
we can do a full population test rather than doing
the old -fashioned sample of 10 or 20.
So that's where we want to get to.
Cool.
Thank you on that.
Sorry, do you have a follow -up?
Could I just ask one?
It's on that one.
On the KPIs, it also says it's reported quarterly to each board.
What's each board in this?
That's you.
So under the new standards, the audit committee is the board.
Do you have another question, Alexander?
Yeah, yeah.
Sorry, I've got a few more.
So then I just...
amongst the risk.
Two more questions, thank you.
I guess on the actual strategic audit plans,
Appendix D, sorry I don't have the page reference number,
but emergency planning.
One thing that I've been thinking more recently
as a resident is kind of Thames Water
and reliance on other external kind of providers.
Now we saw Southwest Water or whatever have outages
and therefore an emergency plan
and kind of like the Army having to be brought in
to actually deliver water.
Now there's a lot of focus in this strategic plan
around that, but kind of where are our dependencies
of our key utilities and audits around that?
Because I know that Thames Water have issues
with their pumping station in North London,
and it is a serious concern for me,
because if a baby is without water,
okay, you need to provide it,
so there are serious health concerns.
So it kind of goes beyond that,
and maybe it's to take offline for another time, but yeah.
Okay, well, I can probably address that point.
I mean obviously Pan London has its own gold operation where you would trigger those sort
of messages.
We had it to, well what London saw in the not too distant past where you had a massive
set up where you had everyone from London having to pull together to help was in Grenfell.
We had it at a very smaller level with no casualties or injuries here at Fox House where
where people come together,
the planning operation is tested.
Barry Quirk did an independent review
and that's been reported through to council how it operates.
We're not in a position as internal audit
to look at how Thames Water operates
and any fallibilities that they have,
but we are able to look about when challenges happen,
how our emergency planning team deliver and operate.
That has been tested very recently in a real life case
in what happened in Fox House and the reports and lessons learnt from there.
Obviously there was real positive stuff going in there, but there were some challenges and
said it highlighted where we could have done better.
Action plan has been agreed and they will be implemented.
And that's really how we operate in that.
And the review on emergency planning will be looking at those types of plans rather
than things beyond our control.
Cool, thank you.
And then just this isn't a question but one point to note.
But for the kind of cyber part, I hope we're looking at third party service providers related to their cyber,
because looking at kind of many external organisations, that's where they typically find quite a few issues as well.
But yeah.
Thank you for that comprehensive range of questions.
Councillor Crichard, it's back to you.
You were first and then...
OK. Right.
Back to the early part of the paper.
Just a simple question. Paragraph 23 says expecting an Ofsted in 2026 and that has influenced
what's in the audit plan. I think that the Ofsted has actually happened, so I just wondered
if there were going to be any changes to the audit following that. And if you don't know,
So we can pick that up later.
That could be a question for the next audit thing.
So it's a conversation that we will have at the next DMT,
Departmental Management Team meeting that we attend with children's services.
Brilliant.
And then, starting with the operational audit plan on page 47.
One of the things I would like you to explain is how you determined between high, medium, and low.
So we've gone into discussing how, you know, different audits.
So if you could explain that.
And then I've got some questions about specific audits that are in this plan, if that's okay.
That's fine, Councillor Kirchner.
We need to also recognise that some of the questions might not be able to be answered
and information might need to be passed back to us at a later stage.
So in terms of the methodology for scoring the audit areas, so we risk assess all of
the areas in the audit universe.
We use the criteria of financial cost, changes in systems or personnel, so that would be
sort of, you know, significant people within the team at a senior level.
Reputation, sensitivity, political reputation, stature in legal, health and safety, safeguarding,
potential for fraud, links to strategic objectives
and corporate priorities, and we refer back
to the risk register itself, and we give a weighting
for each of those and we produce a score,
and that essentially translates into high, medium, and low.
And then what follows on from that is high risk is audited.
We aim toward every one or two years.
Medium is around three years, and low is five years or more,
unless it's something that Paul discussed earlier,
or it's something that we are paid to do.
So the CRM board audits, for instance,
that doesn't come out of Wandsworth's money,
that's paid for separately,
which is why it's completed every year.
And the other thing that's worth me noting is that
that risk assessment process hasn't been reviewed
for three years, so that it is due for a review.
You know, on the back of updating our charter
and our strategy, the next thing that we need to do
is look at our, is to reassess what the audit world is
for us in terms of the council because it's evolving.
Not only have we had changes in departments
with housing and environment merging,
within departments there's been changes as well
to teams and what they're delivering.
So we need to almost do a written branch review
in terms of identifying all of the functions
within the council and then reassessing
what those risks are.
So when we come next year, you might see some differences
in terms of how we've assessed risk,
but for this year, we're continuing to use something
that we've been using for the last several years.
I was just going to say, thank you, that what you said about what you use to assess risk was really interesting.
So perhaps maybe, Chair, that's something that the committee could look at at its next meeting, if any of us are here.
But, I've got some more, can I go?
Just checking on the transformation programme, I was quite interested to see we're looking at that as well.
Where are the risks for the transformation programme going to be reported?
I mean that would be a transformation board, that's you know who's in charge with operating
that process.
It's the same with anything really comes to that.
We're not charged.
So that okay it's reported the transformation board okay brilliant.
Then still on page 47 I was interested in the contract management particularly, don't
Because I think that we're due for a new contract management system, weren't we?
We have had one which has been, I think has been being implemented, but I can't remember when we last had the update on that.
And the other one on that page was around the customer service resident journey.
And that's a best services partnership audit.
but it strikes me that actually we are still functioning as two different councils.
So how do we manage to make sure, because we're interested in Wandsworth,
that Wandsworth is working the way it should be working,
rather than what happens across the best services partnership.
That I appreciate might be a question you need to come back to me, to us with.
Obviously I can't comment on the second one. I'll let Andrew try to address that.
But with contract management we don't have a singular contract management system.
What I think we were referring to is ATAMIS, which is a procurement system,
which talks about how they go out and how they seek to procure.
What we did do, we enhanced the framework and the guidance to support people in delivering their contract management.
So that in the past there wasn't a general oversight and some proper approaches to how and what they would do.
Clearly when Andrew and the team go out and audit, they will be audited ensuring that whether or not they are using that right,
that revised guidance that they've been supported to see whether that's helped to deliver improved approaches to contract management.
I don't know whether you wanted to add to that, Andrew, and all the second question.
I'll give a bit more detail on the second question.
Just for the, I guess, the audience, if there is any outside the room, BSP is Better Service
Partnership.
So we label audits as either Wandsworth, Richmond, or BSP.
The majority of our audits are BSP.
What that really means is we aren't just doing one audit for the two partners.
We're essentially doing two audits.
So we are specifically looking at Wandsworth arrangements
and we are looking at Richmond's arrangements,
but there will be crossovers,
so there will be similar people involved.
And so from our point of view,
we plan to audit as one thing,
but yes, we will report specifically for Wandsworth
and we will look to understand.
So we are actually undertaking the review
of the call centre at the moment,
but the reality is that's not the only place
that members of the public interact with the council.
There's all kinds of pathways,
which is the right word, isn't it, to get into the council.
And this review was actually requested
by the Executive Director for Change and Innovation,
Sam Olsen, because she wanted more assurance that actually,
okay, great, people can call the call centre,
they track that, they can, all kinds of KPIs
in terms of how quickly they answer the call,
how many rings it is, whether they get the answer right
first time, but they also understand
whether people can access websites easily,
That the pages have the right information in it
They're directed to where they need to be directed or if they ring something other than the call centres
They might ring a reception or they might ring a number that's on the website and they want to make sure that again
Members of the public can get through to where they need to get to or sign posted to the right place
So it's a bit more of a broad review, but it will specifically look at one's worth
As well as Richmond great. Thanks entry
Next up is council Academy and then councillor Rigby
It's really a question that was triggered by something
that Alexander said on the data testing.
I just wondered if the internal audit function
sits within the transformation planning at all,
because obviously that's an area where some investment
in data analytics and data management could potentially
have a really positive outcome,
and as I referred to earlier, perhaps lead to more
challenging targets than some of the ones that we see here
in terms of transforming the way that we do the audits?
So corporate services in general is one of the programme lines
where internal audit potentially will be covered.
It's slightly nuanced because we work as a shared partnership.
So some of the challenges and some of the reviews
and the ability to make some broader changes is,
you could say there's positive angles
and there's negative angles with working in that sort of partnership.
So there is that additional challenge that goes beyond it.
I don't know whether that fully answers your sort of query in a way.
But yes, no doubt we will be looked at, it will be going on, Roretti are clearly coming in to oversee how and where it operates.
Because clearly in order for other services to function, they rely upon key individuals,
whether that's HR, whether that's procurement, whether that's IT, and also internal audit.
So there will be some oversight how much time is spent on it can't say
But clearly it should form part of the pathway in that corporate services review. I
Have cancer would be up as the last question unless anybody else has any other pressing questions
I've got two questions on page 51. So the first is on the digital literacy review
I'm wondering if any of the sort of knowledge acquired from this review, if it's taken place
or not, will be transferred to resident comms.
And the second question is the on the table, in the table just below it.
It says resident services but it says commercial waste.
So I'm just really interested what that refers to.
Because if it's things like First Mile, I'm just a bit confused about why it's under resident
services.
Thanks.
So the digital, yeah, so digital literacy.
So this is acknowledging that the council is using technology in a way that it never
has done before.
And the pace at which that happening is almost snowballing.
So there's a lot of talk of fail fast, try something new,
get on, move on to the next thing.
What that results in is actually that officers have access
to a huge number of applications.
And the important bit to understand
is whether officers know how to use them,
and how to use them effectively and properly.
Now even down to something as simple as,
well, how am I going to communicate something?
Because you might use email, you might use Teams,
you might use a chat function, you might use,
There's all kinds of ways of doing things,
and there's a risk that you get a bit muddled
in terms of how you're using stuff,
and things aren't being used effectively.
Or you end up with one person in the team
that understands how to use something well,
and then you have a single point of failure risk
where the one person that knows how to use
a particular application leaves,
no one else knows how to use it.
So it's making sure that we have maybe taken a step back
to understand whether people do understand
how to use technology and how to use it effectively.
In terms of how we communicate the results of the audit, we wouldn't do a common space.
We will communicate issues that we find back to this committee if they're significant.
I'll just clarify the question.
First of all, on the fail fast, that was very trendy when Facebook was starting off and
it was Zuckerberg.
And I think we can see exactly where failing fast has taken us with matter. So
Really discourage us from using any of the lessons from matter
So what I'm meaning is any
learnings for how we
Were communicating within
Internally that we can apply to how we as a council
communicate with our residents
Yeah, you know what, I don't know the answer to that at the moment.
I think that will be drawn out when we actually do the work itself, quite possibly.
So there will be lessons, yes, so there will be lessons around communication and how we
do that.
And then that may be something that the department then takes externally as well.
And then the commercial waste?
So the commercial waste is essentially a contract management audit.
So it will be a review of the contract itself. It was due to be completed in this year's audit plan
There's been a change to the into the computer system, which has been delayed
And so it was pushed back. Yes, so again, sorry you've misunderstood the question
Like I'm just interested in why commercial waste is sitting under
resident services
Okay, because that's because that's where it sits structurally so what is it services was housing and environmental services combined?
So there's just been a change in department
No, what what commercial waste are we auditing?
Because we've got
Household waste and recycling so I'm just not getting it what what commercial waste
Yeah, sorry so this is about the collection of waste from business premises as opposed to members of the public's household waste
Okay so why is that sitting in resident services if it's commercial?
Because the name of the department that looks after is resident services.
The resident services department and under there sits dozens of teams including the service
that looks after commercial waste.
So ECS and housing have merged.
ECS were responsible for commercial waste.
That now sits in residential services.
So Paul Chadwick's team covers this area.
I just want to bring your attention to page 48, bottom of page 47 and page 48.
You have referenced the GDPR and Data Protection Act of 2018 as a specific piece of legislation.
Should you not also then be referencing the Data Use and Access Act of 2025 within this
as well?
and if so could that actually just be updated?
Yeah, good point, thank you, we will update that.
Councillor Critchard, you've got one last go.
I won't mention how awful First Mile are,
but commercial waste.
Last one was around adults.
And I just wondered, obviously, since the paper was published,
we've had initial comments on how we should be looking
at adult social care from Baroness Casey.
Have we got any idea about how this might affect the audits?
Will we have to be using her thoughts at this stage
or going ahead as we were and see what happens?
That's certainly not something we've worked through.
I mean, essentially, we are working on the basis
of what the most significant risk is for the service
and what they're delivering.
we will assess it and we'll have conversations with the Departmental Management Team and
Jeremy D 'Souza, who's the Executive Director.
And if there's a change to the plan, we will report that back to committee.
Great, thank you.
We have a series of recommendations and noting to be made.
If it's okay with you, Councillor Caddy, if we do A, B and C together as one agreement
and then D as a separate one.
So, are we all in agreement to approve A, B and C?
Agree?
Great, thank you.
And do we note D?
Great, thank you very much.
Okay, moving on to the next.
Is this the paper that we think we should refer up to Cabinet to note because it's got
the audits?
Sorry, I'm maybe jumping.
That's fine.

5 Fraud Update for 2025/26 and Indicative Fraud Plan for 2026/27 (Paper No. 26-104)

Would you like to make that suggestion?
I think I'm always keen that the Cabinet should see what we're planning to audit for this year.
So my recommendation would be that this is passed to Cabinet to note and make sure, yeah.
Great, thank you very much.
Just for the clarity in the minutes that we pass things on to note,
we recognise the Cabinet has no decision -making process in relation to this, but it's just for notification.
Right moving on to the next one 26 104 fraud
I'll be very brief because I'll pass you over to Kevin because this is this is his team
So this is basically annual report that outlines all of the work that he's done again
I will remind everybody that and for those that are new
That Kevin's team works with him. We've got the Southwest London audit for partnership, and we've also got the Southwest

6 Update Report on Review of Risk Management (Paper No. 26-105)

London fraud partnership. So the work that he does in the team is across the

5 Fraud Update for 2025/26 and Indicative Fraud Plan for 2026/27 (Paper No. 26-104)

five boroughs which is Richmond, Wandsworth, Sutton, Kingston and Merton.
But I'll let Kevin talk about you know the you know the key issues and the work
that they've done in this team.
Right, so thank you. I think this report is two parts.
So it is the indicative fraud plan.
It is very brief because fraud, well, it has its own timeline.
So it's not something that we can control.
It's something that the plan is set based on,
resources are allocated based on historical knowledge of cases
and referrals that we have and that we're
able to make good progress on.
So table one is that very brief indicative plan of how we look to utilise resource.
Always trying to squeeze as much as I can towards the four prevention elements because
whilst we have our triage system so we can't take on every single referral that we have,
We fully recognise that you can't investigate yourself out of fraud.
So we use the cases that we do to learn from, to help support some of the fraud prevention
messages and the message we feed back to the different services.
So that's an area we want to expand from because we think we'll get better fraud resilience
in that area.
And then the second table is just the KPIs that are reported to this Committee and to
the Chief Officers and the Shared Services Board.
The second part of the report is just reporting on the outcomes of activities undertaken this
year.
I did mention at the beginning of the report there has been the first local government
fraud survey since 2018 -19 that was undertaken by an organisation called the National Anti -Fraud
That's a network that all local authorities use.
They're a single point of contact that provides us information access gateways into gaining
information from other parties, so they're well placed because they deal with all the
local authorities, but they're also commissioned or we – I think authorities commission them
to do the survey. So at the beginning of the report there are just a few outcomes on that
survey where I've looked at, I've got the whole report, but I do think that the work
we do compares favourably with what they provide. And then as for the outcomes, there will be
more work being done this year where we are again looking at the savings and notional
savings figures that are used against the different fraud types. They constantly evolve
and some of the benefits, that's why they do need a constant review.
But I think across London with colleagues, we're going to take on a bit more of those.
Yeah, happy to take questions.
Before I take questions, if you're asking a question and referring to a table,
please be clear which table you're referring to and which column that you're referring to as well.
There's quite a few in here and it can be quite confusing, so just for clarity.
So, Councillor Rigby.
First of all, I wanted to commend the team for all the work they do here.
We often talk in the Council about money that needs spending, but this is about protecting
money, and I'm really interested in the work that's done here.
So I've got two points on this.
The first one is page 74, table 4.
Can we ask in future that instead of the total referrals being wrapped up in one box, that
we actually see the outcome of each of the investigation types, not by investigation,
but for example, tendency fraud abuse, we can see that it's, you know, over the years
it's been 266, 303, 222 year to date.
But we can't see as a committee and the public can't see how many of those were closed with
no fraud and how many were closed with sanction because they've been wrapped up.
So I think there's really good sort of information here about how we have a zero tolerance to
fraud and I think it would be great to see it in more detail.
My second point is about AI.
We all know that within AI lies a lot of
opportunity to speed up what we do and save money.
But we also know that at the other end of it,
there's a whole counterculture of people
using AI to try and defraud us as a council.
I'd really like to hear about the team that you've
got set up to deal with this because I think it's
kind of lost in some sort of vague words about this membership of the government counter
fraud and I think there's a lot more going on that we could hear about.
Thank you. So the first one, yes, I can look and see I can break down that table four and
provide some more details of cases that are closed where we can't take any further action,
the sanctions achieved and cases that are working, there will always be a working programme
that will roll forward to me each year.
I do have those stats so I can produce that.
The second part about the artificial intelligence AI in the fraud arena, from my perspective
the first thing I'm looking at is unfortunately is that the frauds are probably quicker to
adapt to take up the use of it.
There were probably even just two years ago,
some of the fraud activities and
frauds that we have to undertake,
they had to have a degree of technical knowledge.
The level of technical knowledge and
expertise that they now need is greatly reduced.
AI is one of those,
but it is a lead one where they no longer have to have
that specialist ability, they can easily buy or download.
So that increases the risk threat to us.
In terms of the team, so over recent years,
I've talked about how, as an authority,
we actually sought membership of the government counter -fraud
profession.
The benefit of that is that we're
part of a wide scale and well -supported organisation.
It's a profession, and therefore,
there are professional updates and
bulletins that are issued to us all the time.
In the arena of AI use both as a fraud benefit tool,
but also awareness of what the frauds are using,
that's very helpful to us.
In terms of the team's dynamics,
I think Andrew mentioned earlier, all teams, we've got a mixture of abilities.
We recognised a few years ago that we were, without being ageist, top -heavy in the experience,
shall we say, investigators, and we didn't want to lose their knowledge and expertise
just to see that drift away.
So in recent years, I have taken on, and I currently have five apprentices.
They are going through a two year counter fraud apprenticeship that has, I think it
is a public fraud apprenticeship, it is one where some within the team will take on the
new digital skills, digital knowledge, digital awareness. But this new guard of people we
are coming through, we're hoping that they're the ones who will, say, take on and lead that
for us.
That they are, we think, more, I think, a better place, but they're able to pick those
things up because they're picking up at the start of their profession.
It's also, it's slightly unusual in that most people and most in the team, the senior
investigators, they didn't start off in fraud.
They started off in some other disciplines and found their way into the fraud team.
But now that there is this public sector fraud profession, we have people starting a career
down that fraud profession route and seeing areas of growth where they can be in this
local authority or be across the public sector or even the private sector.
There is now a sort of growing career path for them.
So that's where we're seeing the development in them.
And that's a way of hoping to grow that expertise within the team.
So we are always best placed to try and combat what the fraudster might be up to.
And thank you, Andrew, for that.
I think that demonstrates in papers like this that richness of detail can sometimes help
us understand what's happening in that.
And congratulations on the apprenticeship work that's actually being done.
and look forward to, if I'm around and after the elections,
hearing more about that as well.
So, Councillor Cady, you're next.
Thank you very much, Chair.
I've got a couple of questions.
The first one is I was really interested
in the fraud prevention side of things,
and I wondered whether there was a particular report
whereby you sort of recommend to departments
what changes they could make in terms of preventing fraud,
and if so whether we track or someone tracks the sort of actioning of those recommendations
and whether there's a role for the audit committee in terms of encouraging them to enact those
changes.
So with that first part, where we have some of the significant internal frauds, there's
always that post -mortem review.
And that's where we look closely at to, well, how did it occur and what could we do better
to prevent that.
Those are the ones where now we do come up with our own recommendations, and that's
what I will discuss with Andrew, and I will, basically, I'll hand over the recommendations
to audit so they'll appear on the audit actions list so that it uses the audit mechanism for
making sure that the services and departments do follow through on it.
So, that's already in place, but we're looking to grow that in terms of our own analysis
of significant fraud issues.
Then the other bits on fraud awareness, we help produce the online fraud awareness tool
that is compulsory for all officers.
We target particular sections that we think that need additional fraud awareness training,
but we're also called in by some of the frontline services as well.
So we're very much reliant on their eyes and ears for their referrals to us.
Thank you.
Can I ask my next question?
Is that okay?
Thank you.
Obviously, data analytics is an area that we've talked about in the past in terms of
being able to use data to kind of identify potentially fortunate housing use, that kind
of thing.
I wonder whether there are any partners that we would like to work with but can't or would
like to get data from but can't where we could have an influence in terms of trying to get
that data like the DWP or other organisations?
Sadly there are still some of the government partners where it's difficult to get information
shared on a two -way basis.
The one you named is one of those, and unfortunately HMRC is another.
The legal gateways do exist, and because I'm part of the team for London Borough Fraud
Investigators Group, we do have discussions with the Cabinet about those issues.
So there is dialogue there to work on those and improve those.
Also, as part of London, in addition to the National Fraud Initiative, we have commissioned
our own London Fraud Hub.
Now at the moment we are aligned to the company that the Cabinet Office uses for NFI.
It was a good place for us to start because they are excellent in ensuring all the legal
gateways in terms of proper use of sharing and using data are met.
Some of the downside of that is that new changes or new ideas take longer than we would like
to process.
So we're currently looking at to see how that matches.
But we are also not just as this authority, we have several small IT companies who believe
they've got their own particular leisure market they can do.
And those do get trialled and piloted across London.
And because of that shared knowledge,
if it is something worthwhile, then we
will share it across London.
So whilst we don't necessarily have
to trial all those companies ourselves,
we have that collective approach across London
where we can benefit from.
Thank you.
And then just one more question just on temporary accommodation.
Obviously, there is a financial benefit in terms of us sort of discovering temporary
accommodation that's being provided that's not suitable.
But I'm not sure I can remember it being referenced in this paper that it also does get people
out of really unsuitable accommodations.
So there is also a human element in terms of the benefit.
Yes, yes, it is.
I think probably because my focus is looking on where it's misused, I don't pick up on
all those positive elements and positive aspects of it.
So, ours, the downside is the conditions for, I think the previous committee reported where
we were just doing an occupancy cheque visit to make sure that the person whose family
is placed in there are using it correctly.
But we found that it was a single mother with a young child where the bedroom was a mezzanine
level with open bannisters and things that just took it unsuitable.
So we are picking up on both of those and we will also pick up then on the providers
and what they are doing.
Thank you.
Councillor Critchard.
Thank you.
First of all, page 71 paragraph 7, we are talking about the national fraud network,
anti -fraud network.
And it mentions there the average is 259 fraud referrals per organisation.
One of the things that is notable for us is obviously ours is much higher than this.
And I just wondered if we've got a comparative borough that we could look at,
similar size that would give us an indication as to whether our fraud is particularly high,
high low or to be expected given the size of borough and our makeup so that
was the first question do you want me to keep if I answer that one quickly in the
second because there aren't too many I mean one of the reasons why ours is
higher or significantly higher is down to the size of our housing stock so
across London it is one of the highest and only southern more and it's
There's very few that are comparable, but that's the one that's one of the main
drivers in terms of the work we do.
The other area we have, which is high, and it's due to the local regulations over parking,
and also some of the transport centres that are within the borough, that we have an above
average concern over the blue badge misuse. Now I know that when I look at the other four
partners that we have in the scheme, they have similar issues, but they aren't quite
on the same scale because they don't have those other dynamics underneath it. So those
are a couple of reasons why the cases that we deal with are higher within one tool.
I'm also quite interested in paragraph 9 on the same page.
Talks about Merton Council have got additional resources to review and the implication is
we'd like to use those.
I just wonder what those are, if that's the implication.
Excuse me.
And then while I'm on it, table 2 on page, oh no, hang on, it's not there.
Table 6, we, sorry, table 5, I thought it was table 6, table 5 on page 75, there's been a change to the notional amounts we use to work out how much money we're saving.
and I'd be interested to know what the changes are and also sort of what they
are what why why these have changed and the net result seems to have been that
the other which I was assumed was a bit of a capsule has gone up from about
fifty five thousand seventeen thousand and then it's at two hundred and thirty
eight thousand pounds this year so what's going on there
It is a type of mine similar to what I do have a digital for doing this TA work.
So we are utilising that.
That's the core finding behind the digital apprentices that I've been able to take
on board.
So we do, for want of us.
In terms of the table now, the notional figures, because they're notional, they're always subject
to review.
The National Fraud Initiative, they publish.
So they have people who will do research, and they will come up with figures that they
believes are a fair approximation of what a saving is.
We also do that locally across London.
And when we look at the changes, it is difficult because everyone, you know, it's more of a
rule of thumb rather than absolute so that it can be some comparisons done.
But, you know, each case they can vary tremendously.
And that last line in the other, that one is because that includes the outcomes of one
of the NFI data matching reports.
And that's where I have to report that figure and the amount and the savings of applications
cancelled.
And there were two of these.
These are both in the area of blue badges and in the housing application side, where
there's some work being done to find out that the people are perhaps, they're in a different
area.
Strictly speaking, they should need to notify us that they've now achieved housing in somewhere
else.
They haven't.
They're still not on our list.
The danger is that because they're on our list that they could come to the top of that list and they could be offered another property and whilst it's a very small percentage, some of those people in those situations will accept that second property because it's of value to them.
So that's why there is a notion of value to those.
But most of that sum in that total, I would call it data cleansing, where we are being
able to tidy up our waiting lists and also be specific on some of the blue badges, where
we've been able to take off the list so that the civil enforcement officers are able to,
on their system, a blue badge has been taken off the system, it's no longer valid, because
it's either been reported stolen or the badge holder is deceased.
And what it allows us to then act on it, those are then being misused.
Are you happy with the other, the explanation of the other?
Yes, I think so.
I think I'll be, I hope Miss Ritchie's managed to make a note of that, but hopefully we'll see that also in the minutes.
So that would be good.
I've got a couple more to go.
If there's anyone else?
I'm going to bring in Alexander before you then come back.
Yeah, yeah, thanks.
Cool.
Thank you.
Yeah, I also have the question on the other side.
Yeah, thanks for that.
I think still focusing on table five, is it possible to kind of break out what ones were referrals as well?
So this is still on page 75.
Because you're saying that you've got all these cases which have saved money.
Are all of these referrals or are they coming off the back of your own independent investigations
as well?
Like what percentage sort of thing?
We don't need to break it out.
High proportion referrals.
So the vast majority of the cases that we deal with come through the offices, through
housing teams, contacts with them.
So that's the vast majority, except numbers, no, I don't have.
It theoretically could be done, but then it's a lot of time to produce those.
We do have our own proactive exercises.
We do have hot spots for various types of fraud.
We do know issues of the one where it's difficult to address,
but the areas now of the short -term subletting, which is still an offence.
We have some success with some platforms
who are willing to share their data
with difficulties with other platforms
who you have to go through to a tremendously
level in order to get information from them.
I think that makes sense.
And finally, just a quick point is
I see there's a lot of blue badges here,
so a lot of focus on that,
but most of the actual savings will come from
housing, like, what, do you have an idea of what the potential savings are?
So if you had more resources, or if you were to refocus resources from one place to focus
on more on kind of the data cleansing matching on the house, or whatever, whether there could
be more achieved in this space?
Very good question.
And it's one, there's always going to be competing or conflicting priorities for the
resources we have.
And what I'm charged with, at times from yourselves as members, but also information
referrals come from the public and also discussion from the executive directors, is that you
I could say that if we put everything into social tendency fraud, we might see a higher
figure there, but then we'd have issues with all the other areas of fraud because they're
not addressed.
What we're finding is that the resources that I have, and as I mentioned earlier on, it's
a general acceptance now across the public sector, generally across London.
we're not going to be able to investigate our way out of fraud.
What we look for in the cases that we do do is to get, because not all of them will go
forward for a prosecution, some will end before then, but we'll look to see if we can get
good examples of cases which are prosecuted so that we can get the publicity material
out there to support that fraud deterrent message.
And we need that work balanced across the different fraud types.
Even some of these where they come back to the internal side, that will get messages
internally that we would have to do or discuss it as HR, but it also has issues and implications
around supporting the work that's done on contract management.
We're in the liaison with those.
So it's one where, as I said, I look at the volume, historic volume of referrals, where
they're coming from and that's why I try to allocate a reasonable percentage in
that table one of reasonable percentage to the different fraud types rather than
committing everything to one fraud type. That makes sense. It's up to
councillors where they determine to put their resources. I guess it's just
whether you need any more resources and then for councillors to maybe answer
that question if you're gonna say that you could double the savings in
housing with just a minimal cost on employee costs. Thank you and I also
recognise that as we're coming up to the election period and that's a question
that may be carried over to the next post -election discussions. Councillor
Cressyard, you have the last go. Too short? Depends. The first one was on the, I just
wondered if we've effectively for Wandsworth we've got 4 .85 full -time equivalent investigators.
Just wondered in terms of a cost benefit and I absolutely understand that it's not a straight
cost benefit because obviously what we're also doing is investigating fraud to deter
but I just wonder if we have, you know, an idea per full -time equivalent what's happening
And again, that may come, maybe something you need to work on to give us later.
And the second question was about the programme for the government assured for cyber, which
I gather is a government initiative about cyber.
I think I can give an answer to the first one might
have to come back for that second bit.
So, the core fraud partnership where the officers are all trained investigators working on,
you know, what was fraud, that's a 4 .85.
That includes my time, so it includes the management time, it includes a administrative
intelligence offer, it includes their time.
So all of this and attending these meetings is all within that allowance.
You mentioned earlier the bit about work on temporary accommodation and the apprentices.
So that was based on a business case for an investor to save.
They're not – I agreed to take them on and get them trained up because I knew I was
in need of trained investigators going forward in a couple of years' time.
The funding, I think the funding comes from the Housing and Homeless Prevention grant.
Their work they're doing, so the first year they've been doing, has been compliance verification
visits.
So they're sort of not totally 100 % about fraud.
That's why they don't appear in that total, because it's about supplementing the services
that the housing would do.
As they go through their training, then the fraud element they will do will increase,
and that's where we would look closer at the provider frauds on it.
But in terms of getting value out of it, that's an area where it did have a problem for a
successful business case for an investor -save option, and we've been able to meet that part
of it.
The cyber -aware, cyber -assure, what's the question?
The question is how are we working with it? I mean I gather it's an annual review programme that happens.
So, I think that's probably more for Andrew's, his area, and the IT people, because there
are cyber aware, cyber assured certification.
And because of the, we've evolved on some of that in looking after the data protection
elements of it.
But that's what the council are.
Are we cyber assured now in the late last time it was done?
So the Council is cyber -assured in terms of there's a self -assessment review process that
is undertaken against that government standard and we meet that standard.
But the work that the Council does and the IT services does goes way beyond that and
that's because it's necessary because of the dangers of, not dangers, the consequences
of a significant cyber attack, that we are able to pick it up
at its earliest moment and able to respond appropriately.
Great.
Thank you.
If there are no other questions, the recommendations
are that we note the Indict of Ford plan,
a funny of my words, and the Ford progress report.
Is it noted?
OK, thank you.
I'd also like to give thanks to the teams that
are involved in this area of work,
I need to recognise it's a tough job.
They're not the most popular people in the world,
and probably half the world hates them
because of the type of job that they're actually doing,
but also recognise that they are giving reassurance
to the public that we are tackling fraud
and looking for fraud within the council.
And as I said, please give my thanks
and hopefully the thanks to the rest of the committee
to the staff members involved.
If I could ask you to convey that, I'd appreciate it.
Yeah, I will do, Chair.
Thank you.
Okay, we're down to the last paper now.
So this is the last paper of this committee cycle and the last paper this evening.
So it's paper…
The last paper for Council Kelly.
And the past paper.
I was going to refer to Council Kelly after we finished.
So, but yes, the last paper for Council Kelly as well.
So it's paper 26 .105.
Paul.
Thank you, Chair.
I mean, this paper was going to give an update on where we are with the review of risk management.
It's been covered, actually, as part of the questions already tonight, namely that
obviously a follow -up review will be coming in the summer.
We've delivered our sort of first review with the directors board on what their corporate
risks may look like, and we've got the training plan in place.
But as I said, we've addressed questions already on this throughout the course of the
night.
but if they're already extra, I'm happy to answer them.
Any further questions?
Councillor Caddy.
I can't resist just having a parting comment.
I think probably one of the criticisms that is often made of local government and I guess
government in general is that we are very risk averse and I guess an observation going
into the future would be that we've obviously got a huge, huge financial challenge in front
of us given the reduction in funding that we're going to be receiving.
and I wondered how we go about sort of assessing risk appetite in our different areas so that we can perhaps take a bit more risk to achieve a sort of a better outcome
and to be able to move more quickly and adapt more nimbly to some of the very difficult situations that we're going to find ourselves in in terms of providing services.
Very valid question and that is something that was picked up as part of the review.
One of the things we're doing on our scoring matrix now is looking at obviously inherent and residual risks.
And then whilst there may be a default number when it comes up to score to say that should be elevated to a high risk
and therefore we should be looking at putting maybe additional controls in place.
There's a process to allow you to accept that risk based on risk appetite.
Who sets that risk appetite?
It's collective.
Clearly, obviously, the initial point will be the service head.
But there is oversight by Kevin and myself in when we're looking at how we approach the
risk management, when we're looking at a consolidation basis.
And when reporting through to the governance board, which is, again, something relatively
new that Andrew Travers has brought in, it still is part of the directors board.
But clearly on a quarterly cycle now they are looking at governance in general, more specifically one of which is risk.
So therefore all of the EDs will be able to look at how each of them are covering it.
And that is a point that got raised as part of the indicative sort of review that we did first time around.
So the first time where we can collectively see everyone looking at each other's risk and how they've scored them,
it was noticeable that some departments
were looking at elevating quite a larger number
up to corporate, others had minimal.
That's not to say that was wrong,
but obviously that oversight now and how it's operated
will be seen by directors board
on advice by Kevin himself.
Oops, any further questions?
No, if not, we've been asked to note the question
contained in this paper.
Is it noted?
Great, okay, before we finish then,
I'd like to say a couple of thank yous.
First of all, to the officers tonight
for facing some really difficult and technical questions
and giving us the information that we actually needed.
So a big thank you for the time and input
that you've provided.
Also welcome and thank you to our independent members
for one first time around.
I hope you enjoyed it tonight.
and I look forward to your participation in the future.
Also a big thank you to Councillor Caddy.
It's your last meeting ever, I think,
in terms of the Council, so a big thank you.
I know we sit on opposite sides of the spectrum,
but a big thank you for your participation and your input,
and good luck post -Council.
And to those people that are standing,
good luck for the elections coming up.
Hopefully we'll get together in some way,
see each other in some ways, who knows what the future would hold.
But a big thank you to everybody for participating in this OSC over the last, over the months,
and as I said, good luck for the future, and a big, big thank you from me.
And good night.
Thank you.
Thank you.