Governance & Audit Committee - Friday 24 October 2025, 2:00pm - West Yorkshire Combined Authority Webcasting

Governance & Audit Committee
Friday, 24th October 2025 at 2:00pm 

Agenda

Slides

Transcript

Map

Resources

Forums

Speakers

Votes

 
Share this agenda point
  1. Debbie Simpson, Chair (Independent Member)
  2. James Mowbray, Committee Services Officer (West Yorkshire Combined Authority)
  3. Debbie Simpson, Chair (Independent Member)
Share this agenda point
Share this agenda point
  1. Debbie Simpson, Chair (Independent Member)
Share this agenda point
  1. Nikki Deol Assistant Director Legal, Governance & Compliance
  2. Debbie Simpson, Chair (Independent Member)
Share this agenda point
  1. Rob Winter (Independent Member)
  2. Debbie Simpson, Chair (Independent Member)
Share this agenda point
  1. Cllr Barry Anderson (WYCA Scrutiny Chair)
  2. Debbie Simpson, Chair (Independent Member)
  3. Nikki Deol Assistant Director Legal, Governance & Compliance
  4. Debbie Simpson, Chair (Independent Member)
  5. Cllr Stewart Golton
  6. Nikki Deol Assistant Director Legal, Governance & Compliance
  7. Cllr Stewart Golton
  8. Cllr Stewart Golton Leeds City Council
  9. Cllr Stewart Golton Leeds City Council
  10. Debbie Simpson, Chair (Independent Member)
  11. Cllr Silvia Dacre (Calderdale Council)
  12. Debbie Simpson, Chair (Independent Member)
  13. Ben Still, Chief Executive (West Yorkshire Combined Authority)
  14. Debbie Simpson, Chair (Independent Member)
  15. Cllr James Homewood
  16. Debbie Simpson, Chair (Independent Member)
  17. Rob Winter (Independent Member)
  18. Debbie Simpson, Chair (Independent Member)
  19. Ben Still, Chief Executive (West Yorkshire Combined Authority)
  20. Nikki Deol Assistant Director Legal, Governance & Compliance
  21. Debbie Simpson, Chair (Independent Member)
  22. Rob Winter (Independent Member)
  23. Debbie Simpson, Chair (Independent Member)
  24. Ben Still, Chief Executive (West Yorkshire Combined Authority)
  25. Debbie Simpson, Chair (Independent Member)
Share this agenda point
  1. Nicola Hallas Mazars Auditors
  2. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  3. Debbie Simpson, Chair (Independent Member)
  4. Rob Winter (Independent Member)
  5. Nicola Hallas Mazars Auditors
  6. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  7. David Merrett (Independent Member)
  8. Debbie Simpson, Chair (Independent Member)
  9. Cllr Stewart Golton Leeds City Council
  10. Cllr James Homewood
  11. Nicola Hallas Mazars Auditors
  12. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  13. Jo Dent Assistant Director People & Transformation
  14. Cllr James Homewood
  15. David Gill (Head of Digital & Technology Services) (West Yorkshire Combined Authority)
  16. David Gill (Head of Digital & Technology Services) (West Yorkshire Combined Authority)
  17. Nicola Hallas Mazars Auditors
  18. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  19. Jo Dent Assistant Director People & Transformation
  20. Debbie Simpson, Chair (Independent Member)
  21. David Merrett (Independent Member)
  22. Debbie Simpson, Chair (Independent Member)
  23. Kate Taylor, Director West Yorkshire Combined Authority
  24. Debbie Simpson, Chair (Independent Member)
  25. David Merrett (Independent Member)
  26. Debbie Simpson, Chair (Independent Member)
  27. Jo Dent Assistant Director People & Transformation
  28. Kate Taylor, Director West Yorkshire Combined Authority
  29. Debbie Simpson, Chair (Independent Member)
  30. Rob Winter (Independent Member)
  31. Jo Dent Assistant Director People & Transformation
  32. Debbie Simpson, Chair (Independent Member)
  33. Nicola Hallas Mazars Auditors
  34. Rob Winter (Independent Member)
  35. Debbie Simpson, Chair (Independent Member)
  36. Cllr Silvia Dacre (Calderdale Council)
  37. Jo Dent Assistant Director People & Transformation
  38. Cllr Silvia Dacre (Calderdale Council)
  39. Debbie Simpson, Chair (Independent Member)
  40. Ben Still, Chief Executive (West Yorkshire Combined Authority)
  41. Cllr Silvia Dacre (Calderdale Council)
  42. Debbie Simpson, Chair (Independent Member)
  43. Cllr Angela Tait
  44. Debbie Simpson, Chair (Independent Member)
  45. Nicola Hallas Mazars Auditors
  46. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  47. Debbie Simpson, Chair (Independent Member)
  48. David Merrett (Independent Member)
  49. Debbie Simpson, Chair (Independent Member)
  50. Ben Still, Chief Executive (West Yorkshire Combined Authority)
  51. Debbie Simpson, Chair (Independent Member)
  52. Rob Winter (Independent Member)
  53. Nicola Hallas Mazars Auditors
  54. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  55. Rob Winter (Independent Member)
  56. Nicola Hallas Mazars Auditors
  57. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  58. Debbie Simpson, Chair (Independent Member)
  59. Rob Winter (Independent Member)
  60. Debbie Simpson, Chair (Independent Member)
  61. Rob Winter (Independent Member)
  62. Nicola Hallas Mazars Auditors
  63. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  64. Debbie Simpson, Chair (Independent Member)
  65. Cllr Silvia Dacre (Calderdale Council)
  66. Debbie Simpson, Chair (Independent Member)
  67. Debbie Simpson, Chair (Independent Member)
  68. Nicola Hallas Mazars Auditors
  69. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  70. Nicola Hallas Mazars Auditors
  71. David Jenkins
  72. Nicola Hallas Mazars Auditors
  73. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  74. Debbie Simpson, Chair (Independent Member)
  75. Nicola Hallas Mazars Auditors
  76. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  77. Debbie Simpson, Chair (Independent Member)
  78. David Merrett (Independent Member)
  79. Debbie Simpson, Chair (Independent Member)
  80. Jo Dent Assistant Director People & Transformation
Share this agenda point
  1. Debbie Simpson, Chair (Independent Member)
  2. Rob Winter (Independent Member)
  3. Jo Dent Assistant Director People & Transformation
  4. David Gill (Head of Digital & Technology Services) (West Yorkshire Combined Authority)
  5. David Gill (Head of Digital & Technology Services) (West Yorkshire Combined Authority)
  6. Debbie Simpson, Chair (Independent Member)
  7. Rob Winter (Independent Member)
  8. Jo Dent Assistant Director People & Transformation
  9. Debbie Simpson, Chair (Independent Member)
  10. Jo Dent Assistant Director People & Transformation
  11. Cllr Silvia Dacre (Calderdale Council)
  12. David Gill (Head of Digital & Technology Services) (West Yorkshire Combined Authority)
  13. Debbie Simpson, Chair (Independent Member)
  14. Cllr James Homewood
  15. Debbie Simpson, Chair (Independent Member)
  16. Nicola Hallas Mazars Auditors
  17. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  18. Nicola Hallas Mazars Auditors
  19. Debbie Simpson, Chair (Independent Member)
  20. Rob Winter (Independent Member)
  21. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  22. Debbie Simpson, Chair (Independent Member)
  23. Jo Dent Assistant Director People & Transformation
  24. Debbie Simpson, Chair (Independent Member)
  25. Jo Dent Assistant Director People & Transformation
  26. Debbie Simpson, Chair (Independent Member)
  27. Jo Dent Assistant Director People & Transformation
  28. Kate Taylor, Director West Yorkshire Combined Authority
  29. Debbie Simpson, Chair (Independent Member)
  30. Ben Still, Chief Executive (West Yorkshire Combined Authority)
  31. Debbie Simpson, Chair (Independent Member)
  32. David Gill (Head of Digital & Technology Services) (West Yorkshire Combined Authority)
  33. Debbie Simpson, Chair (Independent Member)
Share this agenda point
  1. Nicola Hallas Mazars Auditors
  2. Debbie Simpson, Chair (Independent Member)
  3. Rob Winter (Independent Member)
  4. Kate Taylor, Director West Yorkshire Combined Authority
  5. Debbie Simpson, Chair (Independent Member)
  6. Nicola Hallas Mazars Auditors
  7. Debbie Simpson, Chair (Independent Member)
Share this agenda point
  1. Nikki Deol Assistant Director Legal, Governance & Compliance
  2. Debbie Simpson, Chair (Independent Member)
  3. Nikki Deol Assistant Director Legal, Governance & Compliance
  4. Debbie Simpson, Chair (Independent Member)
  5. Nikki Deol Assistant Director Legal, Governance & Compliance
  6. Chris Thompson
  7. Debbie Simpson, Chair (Independent Member)
  8. Rob Winter (Independent Member)
  9. Nikki Deol Assistant Director Legal, Governance & Compliance
  10. Jo Dent Assistant Director People & Transformation
  11. Debbie Simpson, Chair (Independent Member)
  12. Jo Dent Assistant Director People & Transformation
  13. Rob Winter (Independent Member)
  14. Debbie Simpson, Chair (Independent Member)
  15. Debbie Simpson, Chair (Independent Member)
  16. Cllr James Homewood
  17. Cllr James Homewood
  18. Nikki Deol Assistant Director Legal, Governance & Compliance
  19. Debbie Simpson, Chair (Independent Member)
  20. Cllr Silvia Dacre (Calderdale Council)
  21. Debbie Simpson, Chair (Independent Member)
  22. Debbie Simpson, Chair (Independent Member)
Share this agenda point
  1. Debbie Simpson, Chair (Independent Member)
Share this agenda point
  1. Nikki Deol Assistant Director Legal, Governance & Compliance
  2. Debbie Simpson, Chair (Independent Member)
  3. Nikki Deol Assistant Director Legal, Governance & Compliance
  4. Debbie Simpson, Chair (Independent Member)
  5. Nikki Deol Assistant Director Legal, Governance & Compliance
  6. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  7. Debbie Simpson, Chair (Independent Member)
  8. Nikki Deol Assistant Director Legal, Governance & Compliance
  9. Cllr James Homewood
  10. Nikki Deol Assistant Director Legal, Governance & Compliance
  11. Cllr James Homewood
  12. Nikki Deol Assistant Director Legal, Governance & Compliance
  13. Debbie Simpson, Chair (Independent Member)
  14. Nikki Deol Assistant Director Legal, Governance & Compliance
  15. Bronwyn Baker, Officer (West Yorkshire Combined Authority)
  16. Debbie Simpson, Chair (Independent Member)
  17. Nikki Deol Assistant Director Legal, Governance & Compliance
  18. Rob Winter (Independent Member)
  19. Nikki Deol Assistant Director Legal, Governance & Compliance
  20. Debbie Simpson, Chair (Independent Member)
  21. Nikki Deol Assistant Director Legal, Governance & Compliance
  22. David Merrett (Independent Member)
  23. Nikki Deol Assistant Director Legal, Governance & Compliance
  24. David Merrett (Independent Member)
  25. Nikki Deol Assistant Director Legal, Governance & Compliance
  26. Debbie Simpson, Chair (Independent Member)
  27. Nikki Deol Assistant Director Legal, Governance & Compliance
Share this agenda point
  1. Debbie Simpson, Chair (Independent Member)
  2. Nikki Deol Assistant Director Legal, Governance & Compliance
  3. Cllr James Homewood
  4. Nikki Deol Assistant Director Legal, Governance & Compliance
  5. Debbie Simpson, Chair (Independent Member)
  6. Nikki Deol Assistant Director Legal, Governance & Compliance
  7. Debbie Simpson, Chair (Independent Member)
  8. Nikki Deol Assistant Director Legal, Governance & Compliance
  9. Rob Winter (Independent Member)
  10. Nikki Deol Assistant Director Legal, Governance & Compliance
  11. Debbie Simpson, Chair (Independent Member)
  12. Nikki Deol Assistant Director Legal, Governance & Compliance
  13. Ben Still, Chief Executive (West Yorkshire Combined Authority)
  14. Nikki Deol Assistant Director Legal, Governance & Compliance
  15. Debbie Simpson, Chair (Independent Member)
  16. Nikki Deol Assistant Director Legal, Governance & Compliance
  17. Cllr Silvia Dacre (Calderdale Council)
  18. Debbie Simpson, Chair (Independent Member)
  19. Nikki Deol Assistant Director Legal, Governance & Compliance
  20. Cllr Silvia Dacre (Calderdale Council)
  21. Debbie Simpson, Chair (Independent Member)
  22. Nikki Deol Assistant Director Legal, Governance & Compliance
  23. Debbie Simpson, Chair (Independent Member)
Share this agenda point
  1. Webcast Finished

Debbie Simpson, Chair (Independent Member) - 0:00:00
A gender item 1, apologies for absence. Can I ask a governance officer to confirm any apologies, please?
We have apologies just from Councillor
Mohsin, but Councillor Tate is
James Mowbray, Committee Services Officer (West Yorkshire Combined Authority) - 0:00:16
substituting for it. Okay.
Debbie Simpson, Chair (Independent Member) - 0:00:25
Thank you. Gender item 2, declarations of interest. Has anybody got anything they wish to declare before we start?

1 Apologies for Absence

2 Declarations of Disclosable Interests

Thank you.
Debbie Simpson, Chair (Independent Member) - 0:00:35
Agenda item 3 is items for exemption.

3 Exempt Information - Possible Exclusion of the Public & Press

We have two items on the agenda today for exemption.
The first one is agenda item 8, appendix 1, which is the data protection officer report.
Actually in the packet it is listed as agenda item 8, I think it is actually agenda item
9.
That is appendix 1.
and then the second one is detailed in the packet of gender item 9 but that is
actually a gender item 10 so I think there's just been a slight mix -up with
the numbers there and that's risk management report appendix 9. So members
are asked to consider whether to accept the officers recommendation that these
two items are dealt with in the private session. Can members confirm if they're
happy with that recommendation?

4 Minutes of the Meeting of the Governance & Audit Committee held on 25 July 2026

Nikki Deol Assistant Director Legal, Governance & Compliance - 0:01:33
Debbie Simpson, Chair (Independent Member) - 0:01:34
agenda item 4 minutes of the last meeting held 25th July. Any comments or amendments
required to the minutes. Rob?
Rob Winter (Independent Member) - 0:02:03
Thanks, not an amendment as such but I noticed on page 4 of the minutes reference to a couple
of workshops that presumably will be taken forward and planned before the next meeting,
one on audit planning and one on assurance mapping.
Debbie Simpson, Chair (Independent Member) - 0:02:20
Yes, there will be. I think that also relates to the fact that we were going to record actions
and started sharing those with the committee. It hasn't quite worked out for this committee,
but that will happen after this committee. So once we've had this meeting, the actions
will be circulated outside of the committee as soon as they're complete, and then we'll
bring those back to the following meeting. So we'll start to get in a rhythm with all
the action so we're tracking them.
Okay, any other comments or can members show that they accept the minutes as a true and
accurate reflection?
Yeah, do you want a show of hands again, please?
Yeah.
Okay, thank you.
We can record that.

5 Scrutiny Recommendations

So moving on to agenda item five.
This is an item I asked to come to the committee having had a discussion with Councillor Anderson
about a review that the Scrutiny Committee held on the school's travel policy.
So Councillor Anderson chairs the committee and I wanted to speak to him about the outcomes of this work
and I felt that the outcomes flagged matters of relevance to this committee.
So I noted concerns around meeting management and it led me to reflect on GNA's role in assuring the flow of governance works
and bigger questions about how we ensure we've got visibility of all the related documents
that we need for this committee to be able to decide whether governance is working as it should be or not.
So I asked Councillor Anderson to come to this committee and just talk to us about this piece of work
and then I think it's important the committee has a chance to reflect on what this means in terms of the work of this committee
and any actions that we maybe need to take away in order to improve how we get
that disability that we need for our work. So Councillor Anderson, would you
like to speak to us and thank you for attending by the way.
Cllr Barry Anderson (WYCA Scrutiny Chair) - 0:04:28
Not at all, thanks very much Chair. This came about because there was a call in about some
transport related matters. We released the decision, we don't have to get in the niceties of that,
But what came out of that was whether or not all the dots had been dotted and the T's crossed
and who actually made the decision at the end of the day and was there enough of an
audit trail to show what challenges there had been and this culminated just before that
at the actual CA meeting itself when the paper was brought forward there wasn't a great deal
of discussion or debate about it.
When we asked what discussions had taken place
at Transport Committee,
Transport Committee had discussed it
under a larger document.
There was a paragraph in about it.
So had it been brought to people's attention
so that they could make a comment on it?
No.
So as a result of that, we came forward
with a number of recommendations
which are on page 14 of them.
And in terms of the recommendations that were there,
Just to give you an update, recommendation one
is in progress and being led by our scrutiny officer, Khalid.
Recommendations two to five are part of a general governance
review.
Items six to nine will be part of a report template
and a guidance review.
In terms of I personally felt that a number of these points
had relevance to G &A. And I wanted
your views, your thoughts as to what we can do about them.
So I'd like, not necessarily today, your thoughts on it,
but also would like to invite three or four of you
to join the working group that I'm setting up
so that we can have a look at.
Because at the end of the day, where we were coming from
is we've got a whole raft of new things
coming through devolution.
And is the combined authority ready to take
on these responsibilities?
or if not, why not, and what can we do to put in place.
Under the current chair, the G &A committee
has moved on leaps and bounds in the last 12 to 18 months.
We want to continue that progress to make
West Yorkshire Common Authority the exemplar
on the way that things should be done.
We want to try and prove that.
And so that the mayor, when she's out there,
she can talk about how good we all are,
We get we join a part of the success the one that we've not got any progress yet is on item 10
Which was on which needs the mayor herself to decide is she going to have something called commissioners one of the new?
Proposals that's in the government agenda are bringing forward commissioners and basically someone like Alison low
Deputy mayor's who would have responsibility now is she going to appoint those or is she going to keep the leaders of council?
effectively in portfolio positions. That's a decision for her to make and
also when it came to the specific one on the transport, when we had the call -in
we had the deputy chair from the Transport Committee who specialises in
bus related issues and he was absolutely fantastic in terms of explaining what
the logic behind the decision was, what his involvement had been privately in it
and
Explaining why it hadn't gone through the full transport committee and that led us to question
Now he was so you and we would also have suggested that when it came to the combined authority
It should have been him that came to present the paper
Because then people could have asked questions and the other thing as well. Is that as a
Argumentative counsellor. I like to ask political questions and in some cases I've seen in Wicca
where it's officers that are being asked
to answer political questions.
And I think there should be a politician there
to give a politician's explanation as to why they've
chosen route A as opposed to route B.
We might not agree with the solution,
but at least we've got a logic behind what we're trying to do.
So in summary, what I'd like, if possible,
is that you reflect on these, pass back some comments
to them, and three or four of you
I am a volunteer to join the working group I am being set up with.
And Nicky to my right, she is undertaking to take responsibility and control
for getting a report written up as quickly as possible
so that we can present things with a view to when the new West Yorkshire year starts next June,
that these things are all in place.
Debbie Simpson, Chair (Independent Member) - 0:09:14
Thank you, Councillor.
And I think Ron will testify that one of the things that keeps me awake at night about this committee
is I don't want this committee to hear that governance has failed at that point.
It's all to me, it has to be about prevention and I think this report does
indicate a number of weaknesses in terms of governance. So it's about you know
reporting, it's about decision -making, it's about scrutiny at officer level in
committee, so there's quite a large number of challenges and so I think you
know if we can get some members represented on that working group it
would be extremely valuable to the work of this committee.
Do you want to pick up on that?
I just wanted to add an addendum to Councillor Anderson's point
Nikki Deol Assistant Director Legal, Governance & Compliance - 0:09:56
that actually the mayor was at scrutiny this morning
answering questions on the point of political comments
and on officers' roles as well in relation
to projects and schemes.
We've already seen that play out this morning.
So these recommendations are being
implemented where appropriate.
and that was a really good session in looking at particular schemes and scrutinising those
To provide assurance really to those members that are on the scrutiny board. So they're already underway
Debbie Simpson, Chair (Independent Member) - 0:10:30
Thank you counsel did you want
Cllr Stewart Golton - 0:10:36
Yes, thank you, I was going to put myself forward that's all right
I've been lucky enough to be involved in
Nikki Deol Assistant Director Legal, Governance & Compliance - 0:10:45
Combined Authority Board decision making and also on Leeds City Council I am a chair of
Cllr Stewart Golton - 0:10:54
a scrutiny board and one of the difficulties in the developing devolution decision making
environment is where the responsibility of the constituent authority ends and the combined
Cllr Stewart Golton Leeds City Council - 0:11:12
authority begins and vice versa, particularly when a lot of the decision making is delivered
Cllr Stewart Golton Leeds City Council - 0:11:21
in what is called pipeline decision making where permission is given for a project to
be pursued but the points at which it gets reviewed, it's very opaque as to who is responsible
for that review and what information should be gathered in terms of engaging with stakeholders
to ensure that what was intended at the very beginning is being delivered towards the end.
And I think I would take great interest in that and be able to offer a certain perspective
Debbie Simpson, Chair (Independent Member) - 0:11:58
from my role within Leeds as a local authority. Thank you, that would be very welcome.
Yes, Ben.
Councillor Baker's performing.
Cllr Silvia Dacre (Calderdale Council) - 0:12:13
Yes, thank you. So, I think it's wider than scrutiny in that my perception is that there are issues across the combined authority about who is responsible for decisions and that opaqueness sometimes.
and so there's frustration on committees, never mind on scrutiny about who exactly was
making this decision and there is frustration by members of the constituent authorities
about who is making decisions within the authority. So I think all of that needs resolution because
unless you have resolution of that, you're going to have breeding dissatisfaction all
the time. And I would just say that there does need to be, I think, a balance between
the information that the politically accountable person gets and when they get it, and the
information that scrutiny gets and when they get it. And I always feel slightly uncomfortable
that scrutiny would get before the politically accountable person gets it. But one of the
problems I think the authority has is that it's trying to do so many things so fast that
it's actually really difficult to get the information to people in a timely fashion.
So when you're trying to telescope both the politically accountable people and the scrutiny
and the committees, it all just gets squeezed out. So I think it's really important to talk
try to get it right but I also think it's going to be challenging to get it
Debbie Simpson, Chair (Independent Member) - 0:13:58
right thank you then and then council
Ben Still, Chief Executive (West Yorkshire Combined Authority) - 0:14:07
so really helpful conversation and I think as council and as it is indicated
and the command authority in and officers are accepting of and welcome
the recommendations I think the points that council day could has made are
actually spot on, there's a lot going on.
And we're trying to ensure that there
is the right amount of transparency
and the right person knows the right information
at the right time.
And that's always challenging in a fast moving environment.
I guess I would say that from an officer perspective,
the delegations and the combined authority constitution
makes it pretty clear who should be deciding at what point.
And I think the interesting thing about the scrutiny of the investigation into the school
bus decision making process was, from my read of it, Councillor Anderson, was enough time
given for public debate about the issues from a committee that knows that it wouldn't be
the final decision making body but has got the time and space to have that conversation
in advance of the combined authority then making the final decision.
I think there's a lot in that.
So I really welcome the fact that this has been discussed,
agree that it has implications across the organisation
and across committees and for governance and audit.
The substantive point I wanted to make
is that I think it is actually slightly more complicated
in that when Councillor Anderson talked
about doing a governance review, we
are doing that in part because of the work we're
doing with central government for something
called the integrated settlement, which is in effect an updating of the way the central
government provides funding to the Combined Authority. That gives us a greater level of
discretion, not full, but a greater level of discretion to be able to move funding between
funding pots and requires not only us to think about actually how does the Combined Authority's
processes need to have flexed to accommodate that, how does it fit with the cycle of meetings,
business planning, etc, but also how, what does that mean for the current committee structure
and the way that things should run. So we're wrapping all of that up together. There are
really only three combined authority meetings between now and the end of the municipal year,
so that creates a real pressure in order to do the work that Councillor Anderson has talked
about, be able to have that in draught to discuss and debate it before taking it to the Combined
Authority for Agreement before we're timed out. So there's a real pressure to move quickly.
So really welcome members and others stepping up to take part in this work. I guess my plea
is we need to do so in a really timely manner in order to meet the deadlines that we're
set. Thank you.
Debbie Simpson, Chair (Independent Member) - 0:17:10
Thank you. Councillor Holmwood, did you want to come in?
It was just to say the only thing I thought when I was reading this report
Cllr James Homewood - 0:17:19
was when we got to the recommendations I wasn't certain sort of who was
responsible for those recommendations and how they've been delivered which I
think you've kind of covered a little bit more now but I was just thinking of
from a governance perspective when there are actions to take how do we measure
those and know that they've been followed through on because I think that
will help us assure ourselves and I think that is a bit of a challenge
sometimes with scrutiny because some of it is about culture and you know so
if we're talking about pre -scrutiny it is the attitude in the
organisation, this is a good thing to get more understanding of issues to get
feedback or is it something that you have to get through to get you know get
a decision made and I think there's a same culture on which is probably hard
for us to how to exactly track in that sense that's where
obviously yourself a councillor would come in in terms of maybe coming to this committee
and updating us and us being part of that as well. But I think my only thing would be
is is there anything we can build in where we can sort of track and be clear on who's
owning things, how they're being delivered, because obviously we can all want to have
a really good scrutiny process but how do we evidence that it's actually working that
way.
Thank you. I think that's something I would support in terms of the tracking. I think
Debbie Simpson, Chair (Independent Member) - 0:18:27
that's a good idea. Thank you. Rob, did you want to come in?
Rob Winter (Independent Member) - 0:18:34
Yeah, thanks chair. First of all I thought this was a really good example of scrutiny
and audit committees in that relationship being understood and working, highlighting
governance issues for us to consider. I was going to mention the action plan as well and
obviously having that being tracked and say if Councillor Anderson comes back. I was interested
about the governance review and then you've obviously explained that a bit more. If there's
governance review, where does the governance and audit committee sit in helping it be right
first time because the last thing anybody wants to do is something to come after the
event and then the audit, the governance and audit committee say oh you should have done
it differently or what about this, of how we play into that. Now that might be yourself
Debbie or other members representing the committee but also looking down the room to Bronwyn
as head of internal audit as I would expect to be part of that governance review process
to help shape it, sort of right first time. But given that sounds like a fairly chunky
piece of work to do in a fairly short order of how that interface with this committee
would work so that we were getting sort of almost real time assurances about its development
and obviously potentially to feed into it. Ben did you want to come back on that?
Debbie Simpson, Chair (Independent Member) - 0:19:57
Yes, but only to pass the buck to Nikki.
So Nikki's leading this piece of work for us.
Ben Still, Chief Executive (West Yorkshire Combined Authority) - 0:20:04
She's developing its terms of reference
and the consultation and engagement strategy for it.
Actually, I need to be very careful of my language there.
I mean engagement.
But I don't see any reason, Nikki,
why we can't share that plan with G &E members
as soon as we have it.
No, that's absolutely right.
Nikki Deol Assistant Director Legal, Governance & Compliance - 0:20:27
we really do recognise the value that the engagement around this review would bring
to the process, but equally we've got a very tight time scale to deliver this, so we're
going to have to think a little bit more strategically and outside the box in delivering that, but
we will be making sure that those cheques and balances and engagement are undertaken at
the right time whilst keeping our eye on the target that we've got, which is outside of
control it's been set by government as well so there are some competing pressures here.
Debbie Simpson, Chair (Independent Member) - 0:21:02
Rob Winter (Independent Member) - 0:21:06
Rob? Thanks Nicky, obviously whatever we can fit
into that timescale I'm sure we'll collectively do our best. I suppose the other challenge
is pace versus scrutiny and just whether the whole arrangement allows with the pace that
things need to happen, whether there actually is time for scrutiny and how in the governance
review that gets factored in, of how scrutiny can be preserved as a very important part
and discipline of governance that doesn't almost get, I'll use the word sort of disregarded
just because of the pace at which something has to go through the process and I suppose
from my committee's perspective is assurance is that space for scrutiny is always preserved
and can be effective even in very high paced situations.
Ben?
Debbie Simpson, Chair (Independent Member) - 0:22:05
Ben Still, Chief Executive (West Yorkshire Combined Authority) - 0:22:10
Just absolutely give you that assurance because most of our decisions are about the expenditure
of public money and we're not going to do that in a way that would breach any of the
protocols that we operate when doing so.
And I think it's fair to say that Councillor Anderson's proposals in the report are about
how we enhance scrutiny to make it more efficient and effective by bringing it in earlier into
the process.
Now, that raises the issues that Councillor De Kloet has raised because everybody wants
than everything first, but how we do that is going to be the trick of the review.
But please make no mistake, the intention here is to make sure that proper scrutiny
is built into all of these.
We should never be using PACE as an excuse for not allowing scrutiny.
Thank you.
Debbie Simpson, Chair (Independent Member) - 0:23:05
I think my observation would be if some things need doing outside of committee, I think that
needs looking at as well, how that would work, because that would help the pace wouldn't
it? We can't afford to wait for the next three months to start to look at things. So, yeah,
so we could see, I think it would be helpful for this committee to see the terms of reference
definitely before we go, but I think we were aware that this work was in the planning because
Bron's mentioned it to us before, haven't you, in terms of the review. So, it's just
making sure that we're kept abreast of it, as Rob said, and making sure it's progressing
in a timely manner and being involved at the right point so that we end up with the right
governance structure for both us and for scrutiny.
Any other comments on that? I would suggest that if we reflect on it and if people do
have any thoughts on it before the next meeting, do come back to me, myself or one of the officers
and we'll make sure that those are fed in because it is a very important piece of work
and we need to make sure it's right.
Thank you and thank you, Councillor, for joining us and going through the paper.

6 Internal Audit Progress Update

So that moves us on to agenda item 6 and that's the standard agenda item for members to receive
the update on the internal audit plan 2526 and also members are asked to provide feedback
on the new report format.
So if we can firstly concentrate on considering the content of the report, once we've done
that we'll discuss the format of it.
So Bron, did you want to highlight any key points?
One for me I'd quite like you to expand on was point 3 .4 because I wasn't entirely clear
on what that was trying to say.
Thank you, Jo.
I'm happy to do that.
I am gonna take the reporters read
Nicola Hallas Mazars Auditors - 0:25:04
So I'm going to move into questions as quickly as possible because I think you probably all have things you do want to raise
And I want to give ample time for that
But just before we kick off chair you mentioned at the start of the meeting a number of actions that came out of the last meeting
One of those and Rob's already mentioned the training sessions
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 0:25:18
I wanted to just confirm that we are down to do the 3rd of December
session, it's an internal audit session. What I'd like to cover, subject to the
committee being comfortable with that, is that we bring you our new IA strategy.
The process that we went through to do the self -assessment against the new
global audit standards and to give the committee a chance to understand what
those changes are, where they may impact on things and to give some confidence to
the committee that we've already built that into our new ways of working. You'll
a little bit of it reflected in the reporting arrangements, etc.
I want you to come back to the data analytics that we shared back in April, just to give
you an update on where we are with that, and then about, you know, sort of the audit planning,
how we actually go through that process each year, because we'll be building up to starting
that again in December, January time, to make sure that the committee understand the process
and can add value by suggesting some other things
that we might want to consider as part of that.
And I wanted to sneak another item on there
about managing resources and looking
at the ways in which we can make the audit function as efficient
and productive as possible.
And I know there's a lot of valuable experience
and knowledge around the table that I'm
hoping people will come to that as a proper workshop
session with the idea of helping us to think about what
we might do in that space.
So I'm just throwing that out there at the beginning
so you can muse on it and have a think.
And if you want to let me know whether that is an acceptable
agenda for that workshop, we'll plan it up
in accordance with what I've just said.
So you said 3 .4, timely completion of audits
and impact on resource.
That's a little bit of what we want to explore
in that workshop.
How can we do this better?
We can talk you through the process
we're going through at the moment about looking at that,
what we want to change, what we might want to do differently.
and I think the recommendation follow -up we're gonna pick up in the item 7 agenda
so
You know that that is an opportunity
I think that workshop not just for us to tell you what we're doing but for you to actually
Give a bit of challenge and some thought around what we could do differently
Was there anything specific in relation to 3 .4 chair?
Okay, that's great in which case we we put in here this is a new report style
We really do want to know what you think of it. We thought it was really jazzy, but then we're auditors
I mean it had a bit of colour that makes it jazzy for us
So it was it was really does this tell you what you need to know?
we are trying to build in more and more analysis and
Feedback on what we think this this is actually telling us but it's a starter for ten because obviously
We want to know what you want to know so that we can give you that information so you can challenge around that more effectively
So I am really really keen to get feedback and not with as to having it outside of the meeting if anyone wants to
Chat it through if it's if you've got some really specific thoughts
So can I take it as read in terms of the report itself and just invite questions?
Debbie Simpson, Chair (Independent Member) - 0:28:29
Thank you chair. Thank you. And any questions from members on this rather think did you have some?
Rob Winter (Independent Member) - 0:28:37
It was just really thanks chair about the workshop in my diary. It's an hour
which sounds quite ambitious to do what you've just described justice, so whether that might
need to be looked at perhaps.
Nicola Hallas Mazars Auditors - 0:28:51
There is going to be a follow -up workshop in the new year, but that is designed to really
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 0:28:56
focus on assurance mapping. So I'm hoping some of these might be quick agenda items.
I'm happy to tag an extra half hour on for those who feel really invested in helping
us to improve and I was also going to suggest that because the team will be in
the building if anybody wanted to meet in person we can do a joint a hybrid
session both online and in person and you can meet the team. Thanks Councillor
David Merrett (Independent Member) - 0:29:24
Debbie Simpson, Chair (Independent Member) - 0:29:27
Holmwood. Yeah can I just clarify on the workshop because maybe it's just me but
that that seemed so I think was so I think members understand knowing who
members of the audit team are and seeing what they do is interesting.
Cllr Stewart Golton Leeds City Council - 0:29:41
But I find it a bit unusual to ask members of the Audit Committee to give an opinion
on how audits should be taking place.
I'm not quite sure I'd agree with that.
Is that what you meant or have I misinterpreted that?
Cllr James Homewood - 0:29:48
So really it's more about how we report, how we present to you,
are you getting the information that you want.
Nicola Hallas Mazars Auditors - 0:29:56
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 0:29:58
If you've got ideas about what we could do differently to make that easier and better,
we're really on board with taking suggestions and improvements. We're led
by the global audit standards in terms of how we audit, so that's pretty
prescribed. We wouldn't really expect the committee to be trying to tell us how to
do the audit. But I think there's always learning to be had from others around
the table. I'm very conscious there is a lot of experience around this table, so
it is an opportunity I think to do that you know in a much more workshop style
fashion rather than just a show -and -tell.
Thanks. Could I just ask one question on the actual report itself? It was just, it's quite
Jo Dent Assistant Director People & Transformation - 0:30:35
specific but I just wanted to understand how it works because on one of the audits, the
one that relates to Brownfield housing, there were some actions, I mean there's a reasonable
finding, but there were some actions which were then not accepted. And what I was unsure
Cllr James Homewood - 0:30:53
on is that, I mean I know it's probably minor in the scheme of things, but the one that
referred to around programme risk effectively documented. So it sort of said they're
David Gill (Head of Digital & Technology Services) (West Yorkshire Combined Authority) - 0:31:05
effectively documenting TRACT but they don't have a register which I was
thinking felt a little bit contradictory like is that not the same
thing but also what I was thinking is that whilst you understand things
might be risk accepted that seems a strange thing to me to risk accept so if
if if internal audit says we should have proper risk management and a risk
I would expect that to happen.
I would expect something to be risk accepted whereby we're taking a more risk approach
to some sort of activity where we're, do you know what I mean?
I just found it a bit of an unusual thing to accept as a risk, but I don't know if there's
any more specific details on that.
David Gill (Head of Digital & Technology Services) (West Yorkshire Combined Authority) - 0:31:44
We found that a little bit unusual too.
Nicola Hallas Mazars Auditors - 0:31:45
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 0:31:52
We did flag in the final report that we issued that we weren't retracting the recommendation.
We still think it is the right thing to do but management have confirmed that they they wanted to stick with just a programme risk
Register rather than risk registers for individual projects. So there's not no risk management there
It is just from our point of view for individual projects to be flagging risks
surely informs what the programme overall is doing and it was a matter of
The team were balancing whether they felt they had the resource to do that or not
So we have flagged it in the final report that is a recommendation that remains as far as we're concerned
but the management are accepting that there is a risk there that
Jo Dent Assistant Director People & Transformation - 0:32:33
Programme register may not capture all of the risks and it's up to them to accept that or not
We did say that we thought that would be
The source of concern for the committee. So we did highlight that actually we thought that would warrant some conversation
I don't know if there's anybody from the from management here to answer to that
But it is one that we can we can call somebody into to talk through
Debbie Simpson, Chair (Independent Member) - 0:33:04
Thanks, that would be helpful if you could for the next meeting. Yeah. Thank you Dave
David Merrett (Independent Member) - 0:33:11
Thank you. Yeah similar point on on that particular audit, but just an overall point on the internal audit
Reports again, and I got lost this a couple of times now
seeing just a short summary paragraph on the report itself is really not sufficient, particularly
where we've got a really quite poor internal audit report in 23 and then that big question
I think over the management's reaction to that in 34. So I think we need, I believe
there's ongoing progress with this getting access to the full reports themselves, so
answer many of those questions before we get into the committee.
Having said that, I think those two, the really poor report for payroll and processing compliance
and the brown board housing, I would certainly like to hear from the executive in some way
today as to what the situation was in payroll and processing, how it got to that point,
how it's allowed to continue in that manner and what the actions are being taken and how
much urgency there is for that.
So if there's somebody from the executive who can respond to that here today, that would
be ideal.
Thank you.
Debbie Simpson, Chair (Independent Member) - 0:34:12
Is there an officer who can respond to that?
Kate.
Thank you, Chair.
Kate Taylor, Director West Yorkshire Combined Authority - 0:34:20
So the payroll report, as makes clear in the detailed report, actually, quite a lot of
this we moved to a new system as part of the ERP.
Through there, there were a number of teething issues that came through that.
So it refers to a number of the controls that are in there.
This is I guess a little bit around we have spent some time
Making sure the system we were able to pay people and now we need to step back and make sure that we've built those controls
In some of those are wider controls around the system control. So we're working with the systems team around that
But also around we documenting the new processes now, we have a better understanding of how those
work a majority of the actions were due for completion at the
well in fact next week at the end of this month and or on track to be
completed by the end of this month so we are well in terms of taking those
actions through and taking those in a timely manner as agreed with internal
audit. Thanks, did you want to come back on that? Yeah thank you for that. It's a little bit
Debbie Simpson, Chair (Independent Member) - 0:35:21
David Merrett (Independent Member) - 0:35:22
concerning that some of the the basic the really basic controls in there
haven't been put in place by looks of it in terms of that implementation of a new
system there's only sort of review that's gone on about how you implement
Systems like that. It's going to change actions going forward regarding
Generally system implementation rather than specifically payroll
Okay, can you come back on that again?
Debbie Simpson, Chair (Independent Member) - 0:35:45
So certainly we have done a number of lessons learned around
Jo Dent Assistant Director People & Transformation - 0:35:52
That that current system in today because you're absolutely right the the payroll system was part of our wider ERP
Kate Taylor, Director West Yorkshire Combined Authority - 0:35:56
implementation. We are still doing some of that work but we have done kind of in -flight
lessons learned reviews that are now informing that further work that we are doing and going
forward. Thank you. Rob?
Debbie Simpson, Chair (Independent Member) - 0:36:14
Rob Winter (Independent Member) - 0:36:16
Thanks, Chair. Just on that, given payroll is not an insignificant part of such financial
management just wonder where external auditor was in terms of considering the implications
of a minimal assurance report on such a major part of the CA's financial systems?
Jo Dent Assistant Director People & Transformation - 0:36:37
Yes, obviously, external audit, look at the work of internal audit, we don't actually
Debbie Simpson, Chair (Independent Member) - 0:36:40
rely on the work of internal audit, we get our assurance from substantively testing payroll,
Nicola Hallas Mazars Auditors - 0:36:49
so in that respect it wouldn't impact directly on the external audit but we would take it
to account when looking at the overall control environment. Thanks.
Thank you.
Rob Winter (Independent Member) - 0:36:57
I know you obviously can't rely on bronze work, but in the light of what the audit has identified, are you likely to do any sort of
Payroll transaction within the accounts they're going back to record. So not looking at the controls that have been placed
So yeah, we can get our assurance elsewhere. So we wouldn't directly
Okay, thank you for that councillor day care
Debbie Simpson, Chair (Independent Member) - 0:37:35
Cllr Silvia Dacre (Calderdale Council) - 0:37:40
Thank you. So on page 10 with the key themes
Jo Dent Assistant Director People & Transformation - 0:37:41
Since we're here to contest the
the working of internal audits such as not perhaps the specific workings that you yourself
Cllr Silvia Dacre (Calderdale Council) - 0:37:56
are auditing, it's concerning that say at number four and five you're talking about
risk management a recurring theme as if you're not getting through and then governance and
oversight audit recommendations consistently high need for clearer governance structures
And so and then you've got the list of what management say of the blockers and
It's got to be a concern to the committee if order isn't a isn't operating effectively because there's not the buy -in from the
organisation to the work that you're doing and you're just saying the same things over and over again and I mean in
Relation to that. I think it comes back into the next item
but there's
the talk about
the difficulty in getting responses from management and that just seems wholly
unsatisfactory as an organisation that's happening. You are and it's at the
worst possible time. I know for everybody because everything is growing and
changing but that just means it's all the more important that people are
actually listening toward it and working with it. I don't know what the
organisation is doing to strengthen your arm really in that.
Okay, Ben did you want to come back on that one?
Debbie Simpson, Chair (Independent Member) - 0:39:16
So it is a major concern for us as you would expect and we are doing a significant amount
Ben Still, Chief Executive (West Yorkshire Combined Authority) - 0:39:25
in terms of tightening up the, essentially how the organisation creates workstreams and
ensuring that, particularly through bringing
to the fore projects and programme management arrangements
that at the outset set out very clear governance arrangements,
very clear structures about who is doing what,
very clear programme plan.
So very much moving towards the process
of having what are called project initiation documents
and issuing clear mandates once we're
satisfied that the governance arrangements are in place.
So to make no mistake, this is of a concern to me
and to the leadership of the organisation.
As I said earlier, I don't think that everyone
being very busy or pace is an excuse not to do those things.
I think that it's core about good projects and programme
leadership.
Can I just come back on that?
So I suppose the follow on from it
is that I would expect that were I here in, I don't know,
Cllr Silvia Dacre (Calderdale Council) - 0:40:31
six months nine months a year's time that I wouldn't be seeing those same problems being flagged up because if we were
Then the organisation is not doing what you
committed to it doing
Thank you, so I think there's something in there about tracking again, isn't there for this committee councillor Tate's and then Dave
Debbie Simpson, Chair (Independent Member) - 0:40:55
Just on the management actions side of it so there's
Cllr Angela Tait - 0:41:00
there was 19 in there that are overdue but with revised date not agreed so it's going back to this.
So some of the audits so the recommendations are not accepted but it's only a couple so I guess there's explanations behind that as to why not.
But these actions that are overdue but are revised date not agreed it then becomes a kind of a not accepted because if there's no fresh date put in
Are you really taking action on it?
Debbie Simpson, Chair (Independent Member) - 0:41:29
Thanks. Is that Rob or Bron? Do you want to come back on that?
Nicola Hallas Mazars Auditors - 0:41:36
I'll step in quickly. We have got in the next agenda item obviously the report to go through.
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 0:41:43
I think one of the big learning points that we have as a team been thinking about recently is the kind of awareness raising that is needed.
So we've done a lot of work working with the senior leadership team and the directors and
I think the directors are all very on board.
They get the importance of what we're doing.
They are absolutely engaged with us.
It's about that promulgating all the way through the business.
So you know at that level we get great engagement but when we're actually doing the work we
get less great engagement.
Is that a term that's appropriate?
So I think there is an awareness piece for us and our strategy is very focused on trying
to make sure we're getting out, raising the actual understanding of what assurance is
and what we're trying to do and what we're trying to achieve and how the organisation
needs that all to be working for the foundations to be strong.
So we've got a massive piece in our strategy that we'll talk about at the workshop around
doing that engagement, but we've already come out to, so I've been to one of Jo's service
area sessions to talk about what is audit, what do we do, why do we do it, how do we
do it.
We have offered that to others.
We have about three more lined up in the near future.
You are not wrong in terms of, and Councillor Dacre's point about whether the worry that
we are not getting the engagement that we need.
I think a lot of it is a lack of awareness and it is a lot of new people in the organisation
that have come in.
We need to do this as a rolling programme so that actually people understand what we
are trying to do.
There is also something though about coming back to directors and I am not wishing to
put any of the directors on the spot, but it is about them taking that responsibility
for making sure that they tell their teams and their heads of service to engage with
audit when they are asked to reply to draught reports, get your management actions back
within the two -week deadline.
We almost get an automatic response saying, can we have longer, instead of, yeah, we'll
get on.
We're not asking you to have completed the actions.
We're just asking you to agree what you're going to do, put your deadlines on them, and
then motor on with it.
So I think there is a sort of a just drip feeding
that through.
And somebody made the point about, I think,
Councillor Daykert, with you about risk management.
We're going through a massive process of
upskilling the organisation around risk management.
So you're right, we need to not be in this position
in nine, 10 months time.
We need to see the results of all of that effort
and work that is going in now to get people aware
of what is required of them and why it's required.
Why do we need strong foundations?
Why do we need good control frameworks?
So it's massively at the front of what we're trying to do as a team at the moment
to raise the awareness in the business,
as well as making sure we're doing our job in the best possible way we can,
meeting the standards in full.
So, yeah, does that answer?
I think I picked off a few there, but please tell me if I didn't cover them.
Dave?
Thanks, yeah.
Debbie Simpson, Chair (Independent Member) - 0:44:39
David Merrett (Independent Member) - 0:44:43
and understand the efforts that Ron and her team are making to get the right impact, to
get the right engagement and heard Ben what you said about the process side of things
and getting that in place. But I think what's coming through here clearly is there's a need
for some sort of communication potentially from yourself through the organisation, through
your directorates to say that we would expect a better standard of engagement with internal
audit and to use the internal audit's resources effectively. We need that sort of engagement.
and I don't expect to do some sort of response like that
from the executive to make that point clear,
because it comes through here and this section
and the next section as well,
section seven when we get to the internal audit follow up.
Dan?
Debbie Simpson, Chair (Independent Member) - 0:45:22
So believe it or not, we have done that already.
And what we've also done is we've made it clear
Ben Still, Chief Executive (West Yorkshire Combined Authority) - 0:45:29
that where there are outstanding actions
that aren't being addressed
or the committee's rightly concerned about
or is likely to raise questions about
have what the relevant officers are here in the room and they are here in the room partly
for the next item. So we will continue a process where we aim to identify specific issues where
this is happening and address them and we will change the culture of the organisation
in a way that I think many people, as Bron said, are keen to do but it's just about instilling
the importance of this into their daily working process.
Debbie Simpson, Chair (Independent Member) - 0:46:02
I was going to suggest, and it sort of overlaps with the next agenda item, that this committee
agrees principles against which we call in some of the offices where there's outstanding
actions, where we're not happy with the response, et cetera, et cetera. And I was going to offer
to try and put something together as a starter and share it with the committee, and then
we could maybe shape it up together remotely.
So if you're happy with that suggestion,
I'll take that one away.
Yeah, I'm seeing notes around the table.
Okay, thank you.
And Rob, I think he wants to come in.
Yeah, thanks, Chair.
I've got a couple of points.
Rob Winter (Independent Member) - 0:46:40
I won't stack the questions, so one at a time.
Bron, just whether you could give us an update
on the vacancy position.
Nicola Hallas Mazars Auditors - 0:46:51
So I have the audio manager role
going to our job evaluation panel
on the 6th of November.
Hopefully that will sail through.
And we'll go out to advert for that as soon after that
as possible.
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 0:47:01
And the apprentices, we're working
with the two awarding bodies, CIPFA on the Counter -Broad
apprenticeship and the IIA on the Internal Audit
apprenticeship to make sure we bring them in at the right time
to meet the next cohort of entrants.
Because we have to put them on a fixed -term contract.
We need to make sure we give them enough time to actually do
their apprenticeships, so we can't recruit too early for those, but it's all in train.
Very excited, just for the record.
Rob Winter (Independent Member) - 0:47:38
Thanks, Madam Chair. Just picking up on the stat that was two grant certifications, just
from experience, they can be quite challenging, and just whether there have been any issues
you found with data quality or timeliness that has enabled you to certify those grants.
Again, whether there's learnings, I know it's not an area that you would qualify in normal
audit terms, but there can be quite important learning from how services and finance coordinate
and corral information that enables you to do the certification on time.
Nicola Hallas Mazars Auditors - 0:48:19
Yeah, and as always, you are spot on because one of the grants that we just did was quite
a big one.
We were also doing an audit.
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 0:48:25
Coincidentally, it was just about the timing of when we were asked to do the grants search.
And because we were looking at both sides of the coin as it were, it did identify a
number of areas.
So we were actually minded as a result of the grant certification work to issue an audit
memo to make those recommendations.
We have been working with Kate's finance team to just look at the pipeline of grant work
and the understanding within the business of how important it is to identify where certification
is required, whether that's mandatory or just a nice to have so we know where we can actually
be a bit, you know, we don't have the capacity to do that or actually we really do have to
do that one.
So there's quite a lot of work going on and I think it does come on the back of having
some more resource to do this.
We've got some roles identified in the finance team. Although I think you're still going out on some of those
But it does it does it does require us all to work together
It absolutely does need everyone to understand how their bit impacts the next bit
impacts the next bit and that's partly why we issued that memo just to make sure that there was that kind of be clear on
the roles and responsibilities
Debbie Simpson, Chair (Independent Member) - 0:49:40
Rob Winter (Independent Member) - 0:49:44
Debbie Simpson, Chair (Independent Member) - 0:49:46
Rob Winter (Independent Member) - 0:49:48
If I may, I'm on a roll. It was just picking up on the increased prevalence of fraud or
suspected fraud within adult skills and the extent to which or how we, you, get assurance
around their anti -fraud arrangements because obviously we're divesting that responsibly
to other providers, but what are the arrangements in that audit process to be satisfied about
their anti -fraud and control arrangements?
Nicola Hallas Mazars Auditors - 0:50:19
So we do those third party audits very much as a kind of an all -purpose audit. So we don't
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 0:50:25
just look at exactly what they do in terms of the adult skills set up. We do what we
would do with any order of an organisation per se. So we look at all the policies, we
look to make sure that they have all of those counter -prol
policies in place.
We look at what kind of monitoring they do, et cetera.
It is an area, a market area, that is a little bit
rife with these issues.
And we've noticed that particularly the adult skills
fund side of things, which is the training, the more stuff
that we're familiar with and has been around for a while now,
that is getting better and stronger.
But the boot camps that were brought
in to do those really quick sort of get people into jobs bit is more problematic.
And we're trying to get the all of the learning from the adult skills stuff
transferred into the way they're setting up the funding agreements and the
contracts on the boot camp side. So there has been an uptick but that's because we
did a lot a lot more boot camp contracts. I think it's a you know the best will in
world it's an area we are always going to have to be very mindful of the flags
and what we need to be looking for so the audit team that looks after adult
skills regularly make referrals to our counter fraud team who will cheque it out
you know just to make sure that actually there's nothing more untoward so we
work very much in tandem between those two teams as well. Thank you. Can I move
Debbie Simpson, Chair (Independent Member) - 0:51:57
Cllr Silvia Dacre (Calderdale Council) - 0:52:02
to Councillor De Klerk. Thank you. So I agree we should have some of the audits come to
us. I just would ask that everybody tries really hard not to start doing the job of
internal audit when we look at them and we concentrate on the process and why isn't the
process working and what are the difficulties in the process and not into the minutiae of
what is being audited. Thanks. Yeah, no, that's a good point. I'll bear that in mind when
Debbie Simpson, Chair (Independent Member) - 0:52:23
Debbie Simpson, Chair (Independent Member) - 0:52:30
I write the proposal. Thank you. Any other queries on that particular paper?
Yes, this is probably a naive question. On page 13, so the agreed audit plan has got
I'm particularly interested like in the home energy project which I think was meant to
start in the spring and doesn't look specific until the start of maybe the new year. So
What does it mean when you have a draught report, scoping,
and fieldwork?
And what role can we have in that process,
or where do we come in?
Nicola Hallas Mazars Auditors - 0:53:09
So those particular descriptors are very much
to give you an idea of progress of the plan,
rather than a particular role for committee
in those actual descriptors themselves.
So that will tell you where on the audit plan we kind of are with the process
So scoping is when we are we've usually done our planning stage by that point and we're with the business
Agreeing what we're going to cover what we're not going to cover so that the actual scoping document for the review is quite clear
The field work stage is a bit like it says on the team
It's when we're actually in there doing the testing looking at all the documentation doing the interviews
etc. And draught report is when the auditors concluded their work, they've pulled it all
together into what they consider to be the pertinent facts, etc. And they then feed that
back to the business with the view of the business, then checking for factual accuracy,
making sure we haven't got something really, really badly wrong. And eventually, obviously,
final report is when it hits the completed column with a nice tick and an audit opinion
in the final column.
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 0:54:16
Audit opinions are only issued for those audits that
are assurance pieces.
Where we do advisory work, we don't give an opinion.
But we can still make formal recommendations
for the organisation to address.
Does that help?
Have I answered the question?
Nicola Hallas Mazars Auditors - 0:54:32
I think the trouble is that I was on scrutiny last year.
And so I could ask more detailed questions about,
say, the home energy project.
you know, and why has it been delayed?
David Jenkins - 0:54:44
So is that a question I'm allowed to ask?
Nicola Hallas Mazars Auditors - 0:54:49
So it's not actually been delayed.
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 0:54:54
It has just been quite an intensive piece of work.
So it has taken us longer than we would have liked to do it,
but it is at the draught report stage now.
So the audit work is effectively finished.
What we're doing now is getting management actions agreed.
Again, taking a bit longer than we would have liked,
And I think that's a little bit of an indication of some
of the themes that we highlighted with the delays
that we're getting.
We are asking people to come back to us quite quickly
with management actions, although I
would say two weeks is ample time
to say what you're going to do.
So it is just about that understanding in the business
that actually you need to do your bit when we've
done our bit so that we can actually
move on to further assurances, further advice work and deliver the whole of the audit plan,
which is quite ambitious.
Debbie Simpson, Chair (Independent Member) - 0:55:52
Any further questions? No. Okay. Any questions from anyone else on this paper? No. Okay.
So if we can please note that the matter has been considered and discussed. Bron, I have
I've got a few presentational suggestions,
so I'll just send those through to you
outside of the meeting.
So that moves us on to the related paper,
which is Agenda Item 7, and that's
for the Committee to Note Updates on the Outstanding
Audit Queries.
So again, I think if we take this as read,
and unless there's anything you want to add to that branch,
we'll move straight on to questions.
It was just one item.
Nicola Hallas Mazars Auditors - 0:56:28
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 0:56:31
The PCI DSS action at, let me just sort of count where it is.
On page five in the actual audit report, that first one has now closed.
So just wanted to give the committee confidence that we have had the evidence through to support
the closure of that and just to make that point again that we don't close the actions
until we've seen the evidence. So that's sometimes why there's a bit of a delay between the business
might think it's closed but actually it's not closed until the auditor's confident that
the evidence has been seen. But that one is definitely closed.
Debbie Simpson, Chair (Independent Member) - 0:57:12
Thanks Bron. Questions? David.
Yeah, thank you. Just to comment on this, the quality of the report is much better than
David Merrett (Independent Member) - 0:57:18
I think now it's back in your hands bonus
Seeing much better in much better shape a few points that we've looked we seem to have lost the owner in each risk
I think we useful to have
Understanding who the owner is and there may be some timing on when the management updates were given and then when finally on the format
Which is the use of the blue and category in here
There's quite a few in here where if you read the management updates, I wouldn't say it was blue
I'd say it's more like red or amber given slippage and potential slippage
There's quite a few places in here where we just need to be a bit tighter with that use of blue or red
But I think coming to sort of substantive points about
The various open quite a bit. I'd start I guess with on page 45 the one below the PCI DSS
Vulnerability management and it's clear that we've got
An ongoing vulnerability here last time I remember we're told this was going to be completed by the end
By the end of August clearly hasn't been as clean now seems to be an unopened standoff
can somebody maybe explain what's going on there from the executive?
Thank you David.
Debbie Simpson, Chair (Independent Member) - 0:58:20
Jo Dent Assistant Director People & Transformation - 0:58:24
This has been delayed because of some competing demands and priorities to do with various projects
which are delaying the server audit work.
There's been some legacy systems that need decommissioning,

7 Audit Recommendation Follow Up

there's been some ongoing work with Windows 11 which is a rollout, quite a significant rollout
and that has meant that the word that is required to complete that audit has been put back.
We think that that will be complete by the end of the calendar year.
It will be complete by the end of the calendar year.
Thank you. Rob?
Debbie Simpson, Chair (Independent Member) - 0:59:04
Rob Winter (Independent Member) - 0:59:08
Yeah thanks chair, just picking up on that, obviously I don't know the full risk implications
of this delay but from what you've just said somebody has made the priority of progressing
projects at potentially the expense of cyber security and resilience so I suppose understanding
where that decision was made and whether everybody saw really understood the implications of
that. I can see it's a competition for time and resource, but faced with a glowing red
and delays in addressing vulnerability, we're just delaying it more by choosing to spend
your time on projects.
Jo Dent Assistant Director People & Transformation - 0:59:56
We are dealing with the most critical cyber risks. They are the ones that take in priority
and they are the ones which this work has been slightly delayed by. All the servers
David Gill (Head of Digital & Technology Services) (West Yorkshire Combined Authority) - 1:00:07
are completely monitored and controlled. We are on top of the risks that are across the
estate in terms of servers. We know precisely what is on every single server. They have
managed day in day out. I don't believe that there's any significant risk as far as this
particular work is concerned, we prioritise the most acute risk to the organisation in
terms of cyber by the prioritisation of the work I mentioned a moment ago.
David Gill (Head of Digital & Technology Services) (West Yorkshire Combined Authority) - 1:00:42
Debbie Simpson, Chair (Independent Member) - 1:00:44
Rob Winter (Independent Member) - 1:00:46
Thanks, Chad. I suppose it highlights the importance of the narrative in this to de -concern
us if the head of IT is giving this sort of assurance and explanation it'd be
probably helpful to in cases like this where there's a red issue to make sure
we understand the full context of of the current position. Thanks.
Thank you Chris and then Councillor Zafiaka.
Jo Dent Assistant Director People & Transformation - 1:01:21
Debbie Simpson, Chair (Independent Member) - 1:01:23
Jo Dent Assistant Director People & Transformation - 1:01:25
the time lag.
But I think it is important to mention here that as a result of following this process,
It's actually generated a further deep dive and that is part of also what we're doing. So I expect
actually quite a lot more to come on to this register in the next month or two and
Because as a result of my going through these with a team
We want further work further investigation and further independence. So I just wanted to give you some
reassurance
It's actually put it further up the list rather than it going off
of the radar.
So we're doing a deep dive, as Bronz aware,
on two different areas here.
So one is cyber, and then one is a bit further down,
where there's a series of projects that
have been running behind what I've requested,
and it's just been completed.
Another special audit on that programme of work.
So we need to make sure that that's reflected in here
to give you that reassurance.
But I think from an operational perspective,
as somebody who's actually trying
to deliver this from that end, this
is a result of the embedding that we're trying to do.
That it's going to generate a bit more before it gets.
And that's a positive thing in a strange kind of way.
I just wanted to make that point that there will be more.
and we've done two further deep dives as a result.
Thank you, Councillor De Kair.
Well, I think it's probably been said,
Cllr Silvia Dacre (Calderdale Council) - 1:03:14
but yes, the way it reads is that these applications,
which are no longer supported by their creators,
are having to be babysat by your staff.
And it says in here, they're going to remain operational
till 2030, and that just seems absolutely absurd
as a security risk because you're just building in a layer of failure and risk.
But I mean I understand what you're saying and I think it's no point in you answering
me that really because I think you've already answered it.
But I do just think it when you read it as somebody who doesn't know what's going on,
it just looked really frightening.
Do you want to come back on that one?
David Gill (Head of Digital & Technology Services) (West Yorkshire Combined Authority) - 1:03:58
Can I just mention that we are looking at ways of removing those applications while
supporting staff and officers, the data they need. So there is ways of getting the data
out of the application so it can be continued to use in a different, more safer environment
so the application will be removed and deleted.
Debbie Simpson, Chair (Independent Member) - 1:04:22
Thank you. So maybe for next time we can have an enhanced report update on that one that
be useful. I think we've got Councillor Homewood and then Rob.
Yeah it was just a general point we sort of made earlier it was just that when I
Cllr James Homewood - 1:04:38
looked through this it seems to be a lot of blue in progress but then when you read
the commentary the date seems soon and the commentary doesn't suggest they're
going to be completed so I don't know whether, in progress it just seems to
mean it hasn't met the due date yet. We don't actually know whether any
progress necessarily has happened. So I know that's a tricky one because you know you can't
confirm it's going to be completed before it's completed and then trying to have a RAG status within an
ongoing rate is probably too tricky, but I'm just kind of conscious that by the time we get to January
we might have a whole page of, more pages of red.
Debbie Simpson, Chair (Independent Member) - 1:05:15
So I think you're absolutely right and part of a conversation I was having before the meeting started was
Nicola Hallas Mazars Auditors - 1:05:18
what more we can do as an audit function to flag those in a different way so that
you don't just get the management response you also get an audit view of
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 1:05:28
what that's saying because we do chase recommendations every single month and
we have a tracker we know what's been said up to this point we share we are
certainly planning to open that up to the business so they can see what they
said last month and the month before and I think what we need to bring here is
that audit opinion on whether that is on track actually and whether in progress is an adequate
reflection. It will create a little bit of tension to begin with because I think we'll
have differences of opinion as to what that is, but I think that is what you want us to
do. You want us to give our professional opinion on whether things are in progress. So I think
Nicola Hallas Mazars Auditors - 1:06:11
there's a bit more we could do to give you more to go at, as it were.
Debbie Simpson, Chair (Independent Member) - 1:06:14
Just quickly, Cheryl, I was just going to say I think something like that will be really
in terms of where we might want to request people to come to because if we know there's
something that isn't really being actioned or is of a significant concern that will help
us to prioritise that so I think that would be really useful.
Yeah I think that's a good idea, yeah absolutely, thank you. Rob?
Rob Winter (Independent Member) - 1:06:37
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 1:06:39
Thanks Chair, I might be a lone voice in this but I just wonder whether it would be useful
for the committee to have a non -technical sort of briefing on the CAE's arrangements
for sort of cyber resilience and general information governance. It's all linked to the DPO's report
as well. Because from my experience and perspective, it's a matter of when rather than if there
are issues that arise. And so it's always, as it's such a huge issue for all organisations,
for the committee to just perhaps understand a little bit more about the broader arrangements
for cyber security, you know, some of the actions that you highlighted that weren't
in this report I think might be useful, certainly for me would be useful to just understand
it a little bit more.
Debbie Simpson, Chair (Independent Member) - 1:07:35
I'm more than happy to share the deep dive as we go through that. I think that would
Jo Dent Assistant Director People & Transformation - 1:07:40
be quite sensible. I think the only other thing to note is it's a confidential paper
and it needs to not be shared publicly and likewise that's the same with our risk but
more than happy to actually share and give you some more detail on where we go with that.
That's a good idea.
Debbie Simpson, Chair (Independent Member) - 1:08:05
Thank you. I was slightly concerned about the reds against the health and safety audit
recommendations and they seem to be not standing for a very long time and I can
see no good reason for that I think health and safety really should be
prioritised so I'd welcome some feedback on that please Joe. So two issues
with the health and safety one of them is primarily the asset audit that was
Jo Dent Assistant Director People & Transformation - 1:08:31
going to be complete by September won't be complete until December so as a
result of that, those particular actions will need to wait until that asset audit is complete.
There's an order to how they can be completed.
The delay in the asset audit is also being picked up and it's on the risk register.
It's something as an organisation that we have been managing and dealing with.
The second slight issue with these has been a sickness.
So a person who's responsible.
So we were having the conversation about what we would do temporarily
and that person has then just come back into work.
We had a form of absence that we've been trying to manage.
So that person is now back and that's why these will absolutely be picked up and managed.
And then there is also as part of business planning which is yet to be formalised or agreed,
but there's some additional resource in terms of that resilience for the organisation that we are put forward as part of our business planning
and ahead of facilities management which will cover health and safety has been agreed and
we're looking to recruit that and hopefully get a post out for that before Christmas.
So there's quite a lot of activity to try and build in the resilience that we realise
as a result of one person not being around how tricky it was to actually cover some of
those actions.
Debbie Simpson, Chair (Independent Member) - 1:10:16
I suppose just following on from that, which committee would make the decision that a health
safety issue wasn't sufficient priority to bring in interim resource to address it.
Jo Dent Assistant Director People & Transformation - 1:10:37
So from an operational perspective, that is something that we would I'm not sure the answer
to be honest which committee would report interim looking at Katie says she was ultimately
Kate Taylor, Director West Yorkshire Combined Authority - 1:10:53
the appointment of resource sits with where it is budgeted and is in, sits within our
internal delegations and ultimately sits with the head of paid service.
For those, so it would be a request through where it is not within budget, again it comes
through to head of paid service, so it wouldn't be a committee, it is an operational decision
ultimately around resource.
Okay, I just wonder if that's a bit of a weakness that needs looking at because I think to sit
on the health and safety risk for this long
Debbie Simpson, Chair (Independent Member) - 1:11:22
is probably not very acceptable, I would suggest.
So I'm not sure if that's something that can be taken away
and looked at.
Ben?
So just to echo what Kate and Joe have said,
so this is a risk that we are very alive to.
Ben Still, Chief Executive (West Yorkshire Combined Authority) - 1:11:39
And none of this is an excuse for the fact
that this has remained red for too long.
But there's a kind of sequencing of the condition surveys that are required in order to understand
the states of the assets.
This is in the context and light of the closure of Bafford Interchange.
We wanted to make sure that all of our facilities, there were no hidden issues in there.
That work is underway, some work was completed but some of it is taking longer.
And then the follow through into the actual health and safety assessments that then follow
from that. It is fair to say there's been a lot of work but it's still running
behind where we'd like it to be and the decisions around, as Keita said, the
decisions around how we resource that and whether we needed to do more in
that space. The accountability sits with the relevant director but the kind of
additional resource outside of budget sits with me.
Debbie Simpson, Chair (Independent Member) - 1:12:44
Thank you. The other one I'd like to bring up is the benefits realisation risk, which
also concerns me, because it's got red against it. I know the reds are around benefits realisation,
however if we can't be clear on the benefits, how does the organisation know it's working
on the right things to start with is sort of where my thinking was going.
And so I'm just wondering what's being done around ensuring that the benefits are
quantified from the outset and aligned with strategic objectives.
Dave?
David Gill (Head of Digital & Technology Services) (West Yorkshire Combined Authority) - 1:13:29
We have done a lot of work in this area regarding benefits realisation.
We have reviewed the benefits in terms of all the business cases and ensuring that there's
a thread between the original business case and project documentation and closure reports
and status reports.
So over the last two weeks we've made quite significant progress and at least one or possibly
two of those items in the pack can be closed.
Most of them are quite significantly progressed and will be closed within the next two weeks.
OK, thank you.
Debbie Simpson, Chair (Independent Member) - 1:14:05
So we'll look for the changes on the next report back to reflect that.
Thank you.
Any other queries from anyone on that paper?
No?
OK, thank you.
So if we can note the committees, discuss the updates on the actions.
So, agenda item 8, that's a standard agenda item asking members to note the update on
the 24 -25 external audit, which covers the approach to be taken, materiality, value for
many arrangements and the audit fees.
So, I think Nicola, will you be talking to that one, please?
Thank you.
So, I'm presenting the audit strategy memorandum for the year ended 31st of March, 2025.

8 External Audit Report

I will take the reporters read because it's quite a lot but and I just wanted to highlight a cute a few key things
Nicola Hallas Mazars Auditors - 1:14:57
So as you can see from the report, we do intend to issue a disclaimed opinion in 24 25
Which has been the case for the last two years
The issues of impact in the combined authority are quite complex
So it would not be possible to rebuild assurance within one year
Issuing a disclaimed opinion will allow the authority to meet the backstop deadline, which is actually the 27th of February
2026 and although we don't intend completing a full audit we will be doing some audit procedures and they're set out on page 72
So just to reassure you we are committed to rebuilding assurance and to enable a clean opinion to be issued
But this will take time and we need to understand the scale of the risk of material misstatement within the opening balances
So you don't have an audit for the last couple of years and as mentioned the combined authority that the issues are quite complex
So in 23, 24, in the audit opinion,
you may recall that there was a issue highlighted
around some material discrepancies with the movement
in reserve statement.
Had the backstop not come into effect,
there would probably have been a modified opinion
on that basis.
So we do need to understand what work
has been done by the combined authority
to address those issues.
And there is a risk that the opening
balance on the usable reserves is not materially accurate
and then therefore takes more rebuilding.
So a key element of determining the programme of work
to rebuild assurance is understanding
what combined authority have done to address the issues.
There has actually been quite a lack of consistency
and experience within the finance team
and there's not many people in post
that have been in post for the last few years,
so therefore your corporate history,
sort of knowledge is quite sparse.
So it's just understanding how the issues
have been rectified, but we are committed
to working with Kate and her team to rebuild assurance.
So that's all I was going to say,
but obviously we'll take any questions you've got.
Thank you.
Can I just cheque?
Debbie Simpson, Chair (Independent Member) - 1:16:46
I think when the issue arose with the last set of accounts,
some of the committee here today
weren't part of the committee at that point.
Would you welcome a brief summary of the challenges
that were found last time,
or are you comfortable that you've got enough understanding?
You're okay? Yes, everyone content? Yes, okay, thank you. So we'll move on to questions,
Rob Winter (Independent Member) - 1:17:18
I think Rob. Thanks, Chair. I feel your pain as external
auditors working with other councils going through this. I suppose from a committee point
of view, understanding what you're not able to do and the implications for how we might
get complimentary assurance because we're not going to get it directly from you, there's
a limit to how much internal audit can step into this space, perhaps some, but obviously
the onus then is on Kate to sort of give us additional assurances as Gary did, as Damien
did last year, to obviously fill the potential void that we have because obviously there
So at some point, understanding exactly what you're not able to do and the implications
of that on our assurances would be helpful, I think.
Thank you, Kate.
Thank you, Chair.
And just to say, obviously, we have been very clear with Ms. SARS that we are effectively
open for audit.
Kate Taylor, Director West Yorkshire Combined Authority - 1:18:22
We are incredibly open to being audited and we want this work done as quickly as possible
because we want to get this cut over with is the wrong type of word but have
that kind of full audit that allows us to effectively move forward with with
that kind of clean opinion. So we very much welcome the team coming in but yeah
absolutely we are 100 % there. I'm less bothered about the backstop date as long
as that work continues after to do that so that offer is very much there and
I've been very clear that this needs to be working towards a full clean audit
opinion for 25 -26 and upset that kind of gauntlet and down on there in terms I
think we you know kind of the external order is always a sample based approach
in terms of that is never giving complete assurance across there it gives
a form of assurance to you around our numbers and our backwards -looking
numbers for that year in kind of conjunction with the work that you will
see from internal audit where if you'll see coming through of the committees and
of course going through combined authority boards.
I think that that has given you the richest picture
that there is.
In there, we have done a significant amount
of work within the team.
The team is on a very strong delivery path
at the moment in terms of that.
The people that we have brought in are incredibly dedicated
and working through things very diligently at the moment.
So we are really starting to see a real shift change, I think,
in terms of that particularly around the the controls and seeing strengthening
through there so we are definitely on the right path and I feel very
comfortable with where we are now. In terms of what we do we may have moved
Debbie Simpson, Chair (Independent Member) - 1:20:09
away from this traditional audit timetable that a lot of you might be
familiar with so as we do do work we won't wait until a normal audit timetable
Nicola Hallas Mazars Auditors - 1:20:18
we will bring any matters to your attention as we find them and as would
be appropriate. So I hope that gives a bit of assurance as well.
Debbie Simpson, Chair (Independent Member) - 1:20:26
Thank you. Any other questions on that paper? No, thank you. So if we can say it's been

9 Data Protection Officer Report

noted and move on to Agenda Item 9, and that's the Data Protection Officer Report, which
is looking at the management and assurance of data protection and the reports for note.
This item contains the exempt item appendix 1.
So, who's going to talk to this papers?
You, Nicky?
Yeah, thank you.
So, members, this is the first time this data protection report, as I understand it, has
been presented to you in this format.
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:21:02
Happy for it to be taken and read.
It really sets out the factual position in terms of the combined authorities' obligations
under GDPR and data protection act.
Just pulling out some key themes, there is going to be some discussion around the risk
register, but 3 .2, it sets out the position regarding how data interacts with cyber risk
as well, which has been picked up by Rob already.
We can talk about that further in the next paper if you so wish.
data protection approach but it really
sets a picture of some minor arrangements
that extra work needs to be placed at.
Specifically around records management and noncompliance.
That's a legacy issue given the change in systems at this
organisation and we are working through that so we can deal with
the disposal of written documents and hard copy
and information is GDPR training.
There is a requisite that we ensure
that all staff are appropriately trained and have awareness
on this.
And that is being modelled through the help
of human resources to ensure that we are getting
full compliance in that as well.
There's some information around statutory handling
and also engagement around some of our complaints
that have been closed that have gone to ICO.
and also information around one that is ongoing which relates to transparency and accountability,
information that the requester considers that we may hold, which is with the ICO to consider.
You'll notice that there's some reference to an ICO accountability framework.
I'm not sure if you're familiar with this framework,
but what I would propose is the framework is quite a complex piece of material and I'm
really keen for members to have something that they can engage with, that they understand
fully, but when we've done some analysis against this framework it sets out that there is one
area that appears red for the organisation in relation to records of processing activity,
but that very specific red is outside of the control of this organisation because it relates
to legislative changes that are going through Royal Assent. So what I would propose is,
so rather than providing information in graphs that don't materially make any ad value, I
should say, we will bring another report setting out where we are in terms of that data and
and the records management around that as well.
And I'm happy to take questions.
I've got the data protection officer in the gallery
as well to assist members if that would be of value.
Thank you.
Debbie Simpson, Chair (Independent Member) - 1:24:03
So I think if you could bring that back,
that would be useful.
And it would probably address a couple of the queries
I had in terms of where you are with some data protection
matters.
Is anyone any questions just on the cover paper, not
appendix one?
We'll close after these initial questions
to take questions on the appendix.
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:24:21
Thanks chair. I suppose from a governance perspective, I suppose it's understanding
where DPO issues, information governance is considered within the framework of internal
of management sort of oversight of whether you had an information governance board or
something like that where there could be specific visibility of key arrangements for good information
governance but also on the cyber stuff as well which obviously is probably a matter
of when rather than if. So I'll stop with that and just with that question first.
Who wants to take that?
Debbie Simpson, Chair (Independent Member) - 1:25:11
Yes, thank you, I'll take that chair.
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:25:14
We don't have a specific group that is foreign information governance group,
however as part of our internal boards, which is performance board and corporate board,
in particular the corporate board does have within the terms of reference that a DPO report will be provided on an ad hoc basis.
Chris Thompson - 1:25:36
that meeting is as far as I believe chaired by Ben as the Chief Executive so that direction
of the more senior people within the organisation from an officer's perspective being aware
of things from a data protection perspective does happen.
Do you want to come back Rob?
Debbie Simpson, Chair (Independent Member) - 1:25:53
Yeah please chair, it's interesting what you say there because obviously you're the data
Rob Winter (Independent Member) - 1:26:00
protection officer aren't you? I would have expected you to be presenting your report
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:26:11
to that board do you? In person? No I do because this area of work sits under the assistant
director so under the scheme of delegation I present that report with the assistance
of the data protection officer. But it is a collaborative approach because clearly the
the expert in that field but I'm intrinsically involved in this work because of the legal
Jo Dent Assistant Director People & Transformation - 1:26:34
obligations that flow from that. I just raised it obviously because the regulations
Debbie Simpson, Chair (Independent Member) - 1:26:37
Jo Dent Assistant Director People & Transformation - 1:26:38
Rob Winter (Independent Member) - 1:26:41
stipulate the very specific independence of the DPO and their ability to raise and speak
the head of internal audit and obviously for that role as the statutory data protection
officer has that access to management if that is necessary.
Debbie Simpson, Chair (Independent Member) - 1:27:03
Just to provide you with assurance on that, so first of all Nicky also holds the role
as well as being the command authority monitor officer of the senior information risk order
and secondly from the experience of the past, certainly the amount of time that I've been at this organisation,
I've had those directors accessible when I've needed them, so there's been things that have been passed directly to Ben when we've needed to have that.
So those those lines are available and there is a very strong recognition within this organisation
of that statutory role that I hold which is ultimately taken taken seriously.
Thank you.
Debbie Simpson, Chair (Independent Member) - 1:27:48
Councillor Homewood.
Yeah, I just had one specific question and just a general comment.
So the question I just had was about where you're talking about the risks.
there's a reference to being breached for compliance
Cllr James Homewood - 1:28:01
around stats requests like freedom of information.
But then later in the packet kind of suggests
that we're doing really well on FOI.
So I just wondered why that was like a specific risk
that's called out, because it seemed like,
I don't know if it's just because we get a lot of them.
Well, to be completely clear with you, Councillor,
is we have identified it as being a challenge
regarding the lack of resource for which we have a plan in place to be able to
recruit. What I would say on that is the team will always prioritise those
statutory requests so we we are aware of it we've added it to as local risk
register so then we can prospectively stop and prospectively mitigate against
any potential breaches that may occur so it's a good thing that it's addressed as
both a risk and we're performing well because what we're trying to do is say it is a risk
currently but we want it to stay as a risk, we don't want it to become an issue further
down the line so that's the reason that we've highlighted that.
Okay, the other thing I was just going to comment on because you mentioned this was
Cllr James Homewood - 1:29:11
the first time this has come here, I was just going to say that just from my experience
in council it might be an idea of having something a bit like some of the similar to the other
reports of like a dashboard or something because there is things and I don't know
whether it's just because it's less relevant and a combined authority but
there is things that are not in here like you know data privacy impact
assessments, data breaches, such as DAX requests, stuff like that and which might
be good for us to be able to track and see whether we're hitting time scales
whether we have any any issues around those. Actually you make a really good
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:29:41
point this is actually been prepared but it needs to be edited so that it's
user friendly. So like the framework, we want to present it in a fashion to you as a committee
so that it hits the right points. But we'll certainly make sure that that's developed
and presented to you, I should say finalised and presented to you for the next cycle at
which this report is presented.
Thank you. Any further questions on the cover paper? If not, we'll move to closed session.
Yes, Councillor Dacre.
Debbie Simpson, Chair (Independent Member) - 1:30:12
Cllr Silvia Dacre (Calderdale Council) - 1:30:17
Just very quickly, trivial question, page 95. Combined autoloty risk LG 71 is identified to mitigate against 5 .2 .3. I don't know where 5 .2 .3 is.
That is a typo
Councillor so so so very well spotted
it relates to the
three point three point three point three
At three point two point three sorry, that's that's further up in the page
Debbie Simpson, Chair (Independent Member) - 1:30:59
Yes, my apologies for my oversight on that.
Debbie Simpson, Chair (Independent Member) - 1:31:01
We'll make a note of it and make sure it's noted. Thank you.
So before we close, just to reconfirm that we'll receive the ICO framework and some metrics next meeting.
Lovely. So can we just move to closed session, please, for the appendix one.

9 Data Protection Officer Report

Debbie Simpson, Chair (Independent Member) - 1:31:21
We just need to now note formally that agenda item 9 has been considered.
We will move on to agenda item 10.

10 Risk Management

That again is a standing agenda item on risk management.
This paper has got an exempt item which is appendix 8.
So the paper is very detailed and it's got plans for embedding risk outlined in the documents
that we've been sent. So Nicky are you talking to the paper for this one please?
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:32:07
Thank you chair. So members this is a standing item on your agenda. As you know this organisation
is now an embedding phase of risk management and assessment and implementation. We are
currently looking to ensure that we've got a robust framework in place that has got a
top -down approach and we do this because of a number of issues around our legal obligations
and also around CIFFA and SOLIS guidance in discharging particular statutory duties around
risk given the number of projects that we have underway. So as you can see there's a
number of appendices that are attached to this paper alongside the risk registers. There
are some matters that need to be considered in private as well. So I'll take it into two
parts. As you can see there's a lot of information there in terms of how we've approached risk
as an organisation. Now this is a very new approach and it is in the embedding stage
and we are undertaking a number of workshops both with members, there was one last Friday,
and now it's sort of transitioning to officers, those ones that are the risk sponsors, those
officers that work on the projects themselves, but also the leadership team as well, given
the important role that directors play in assessing risk and making sure that
it's properly managed. Now throughout this paper you'll see there is a really
there's a stepping approach in how we look at risk as an organisation and I'm
happy to move to the corporate risks first of which you'll see it 3 .5 is set
out and these reports and statuses are as of September 25 so they're fairly
recent and before we get to that there are a number of key takeaway appendices
on the risk management strategy, on the policy itself and this is designed on
for officers to utilise when they are incorporating risk into their projects
and making sure they're having the right conversations,
understanding that risk is really an approach
that we need to take as an organisation
through the cycle of a project or scheme,
and not being afraid to consider the risk appetite
against what the outcomes are and the objectives are
of the organisation as well.
I'm happy to talk to the appendices
that were created by the risk manager, but equally I'm happy to go to the corporate risk
register as well. If members have any questions, I'm happy to take those.
Debbie Simpson, Chair (Independent Member) - 1:35:09
Thanks, Nicky. There's a huge amount of work going on in terms of shaping this over the
last minute, and I think the committee really appreciates that and recognises the efforts
that have been made to get this right. I suppose one of my questions is what's the measure
of success, how does this committee know that the new measures that are being put in place
really are being embedded and working?
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:35:31
I think it's about time, if I'm very, very honest with you. Now we've got a lot of controls
in place from the project sponsor through to the leadership team. The leadership team,
it's seen at performance board, it's seen at corporate board, it's bought here, it's
at various situations, it's bought to various leadership boards for that scrutiny and management
as well. How we manage it, I think we've got to consider the embedding of this risk approach
for the organisation first and foremost. And as we move along that process, we'll be able
to look back and manage and see whether they've been successful, whether we've properly treated
that risk accordingly to the appetite that we've set, and then we can look back and continuously
do an audit on the risk itself and make sure that it's measurable and we report
to you and the other forums as well so that we're ready to to ensure that
risk is the language that we speak as an organisation and something that we're
not afraid of and that we've got an appetite for. Thank you, so is there a role
Debbie Simpson, Chair (Independent Member) - 1:36:37
for Bron's team in this? There will be. So we do do an annual audit of risk management
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:36:41
and absolutely have it on the plan for this year, but we will do it right at the end of
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 1:36:47
the year so that it's given it as much time to embed as possible.
Debbie Simpson, Chair (Independent Member) - 1:36:52
Questions from anyone else? If we have Councillor Holmwood then Ron.
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:36:58
Just a quick one, I might be just missing it somewhere. You know in these different
documents, where's the actual section that explains to somebody what matrix they're supposed
Cllr James Homewood - 1:37:06
to use to assess risks and it's referenced like an impact of risk, is that within these
documents? Yeah it is within these documents but what I would say is as part of the workshops
we're going through these with officers so that they can utilise and pick up the right
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:37:28
key skills document to make sure they're applying the right matrixes to their projects themselves.
So it is within this suite of documents. Is the actual matrix in there? I was only thinking it for two reasons.
One was because obviously if I was somebody working in the combined authority
I might want to, that's something I might need access to, to understand how I go about assessing my level of risk
So, from those two understand, we have an impact on like the matrix, what are our kind
Cllr James Homewood - 1:38:08
of thresholds of risk, but I'm not sure which document is that.
Yeah, I think I understand what you're referring to.
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:38:17
I think what we're trying to do is we're trying to find out where the risks lie first, and
then do an assessment of the risk in accordance with financial viability and financial risks
as well.
And if you look at page three in appendix four, which
relates to risk placement framework,
that assists the officers in how they place
that risk within the register.
But we're building a reporting measure as well for officers
as well.
Bronwyn, can you assist?
Yeah, I just wanted to say, these
are the simplified takeaways.
Debbie Simpson, Chair (Independent Member) - 1:39:00
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:39:01
there is a whole suite of risk documentation on a hub on our intranet that officers can
Bronwyn Baker, Officer (West Yorkshire Combined Authority) - 1:39:04
access and that has all of the computations for risk assessment, the likelihood, the maturity,
et cetera. So it is all there. It's just we tried to do something that was a little bit
more readable, a little bit more so you got a quick takeaway, the simplified version.
But all of that other stuff is there.
Debbie Simpson, Chair (Independent Member) - 1:39:25
I think we saw some of that last time as well didn't we? Rob?
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:39:33
Thanks chair. The point you made about what success looked like for us, I think there's
Rob Winter (Independent Member) - 1:39:35
two things. One, a glowing report from Bronwyn at some point when there is, if there is such
a thing, about the review of risk management and then from a practical point of view I
I think seeing the whites of risk owner's eyes
to walk through how they have actually used the framework
and affected the risk issue, the concern in a positive way,
which obviously will be down the line.
So in nine, 12 months or whatever
is appropriate for us to see and feel it.
Yeah, absolutely.
And this was picked up in the workshops
as well about giving real life examples of projects
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:40:12
that we've held and going through that cycle of risk
assessment.
So I think that would add value to this process as well.
Thank you.
Debbie Simpson, Chair (Independent Member) - 1:40:26
So maybe we could schedule that along with Bronwyn's risk reports on our plan.
On our, yeah.
To come back on the forward plan.
Any other questions on that before we move to closed session?
Yeah, David.
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:40:44
Just looking at the overall picture on page 132, which is the corporate risk register.
David Merrett (Independent Member) - 1:40:49
Our risk appetite statement has no low or minimalist areas in it. They're all moderate,
high, very high risk appetite. So therefore when I look at the target risk rating column,
it's got a couple of lows in it on mass transit and protective security and I don't see any
high or very high is on there.
I can't quite square the two.
I think these particular projects are currently
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:41:17
under review at the moment in terms of,
they've been reviewed recently.
So I take your point and then when this is presented
at the next cycle, make sure that that information
is provided to you.
So just to be clear though, so for this to reflect
the risk appetite statement that we've approved,
we would expect that column to include really only moderate highs and very highs for the
David Merrett (Independent Member) - 1:41:42
target risk we're planning to take in all these areas, is that right?
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:41:47
Generally speaking, yes, but the risk owners are looking at whether that risk appetite
is properly being aligned with what the project status is at the moment.
Does that answer your question, David?
Yes.
Okay, thank you.
Debbie Simpson, Chair (Independent Member) - 1:41:59
Any other questions on that?
So if we move to closed session. Thank you.

10 Risk Management

Nikki Deol Assistant Director Legal, Governance & Compliance - 1:42:11
Debbie Simpson, Chair (Independent Member) - 1:42:17
Okay, thank you. So just to close agenda item 10, and just to make a note that the committee
has considered the report. And final agenda item is agenda item 11, and that's compliance
dashboard which is again for the committee to note the performance of directorates and
the direction of travel for the combined authority as an organisation.
So Nicky is this back to you again?
This is my final report for members.
This is a compliance dashboard paper and it's split in two parts.

11 Compliance Dashboard Reporting

Nikki Deol Assistant Director Legal, Governance & Compliance - 1:42:51
If you look at the paper itself, it talks about the quarter one revenue position.
This is the information for members. I'm sure that you may have seen this information already
but it relates to
the fact that we are continuing a balanced position until the
the end of the position of Q1
And there are being that that is a consequence after transfers have taken place
And then it moves to these dashboards which were appended to the report
These dashboards are set out per directorate for ease and during the pre -meeting there
was a bit of an introduction to these dashboards and some socialisation around what they mean
in practise and there are some points of improvement to these dashboards that officers are going
to take away.
I'm happy to speak to the content of these, I've also got the data protection officer
in the back that can assist with any questions that might arise from the
information on corporate risk which we've discussed all the way through the
three reports and any other matters in relation to commercial committees DTS or
health and safety. Thank you any questions from any members?
Debbie Simpson, Chair (Independent Member) - 1:44:15
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:44:24
I was asking for this, I was talking about this which was actually in a different item,
Cllr James Homewood - 1:44:29
sorry I missed, I forgot about that, so that was the kind of thing I was talking about
in terms of information governance, that's useful, thank you.
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:44:39
Okay, thank you. One of my questions was why freedom of information requests don't appear
Debbie Simpson, Chair (Independent Member) - 1:44:44
to be being closed on time? On the dashboard?
I think for this particular pack it was because there was a data protection report but we
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:44:54
can certainly add that to the compliance dashboard for next time.
Any other queries from anybody on this, Rob?
Thanks, Chair.
Debbie Simpson, Chair (Independent Member) - 1:45:05
It was on page 159.
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:45:10
I was just sort of amazed at the low level of sickness absence.
Rob Winter (Independent Member) - 1:45:14
That seems extraordinarily low for any organisation, never mind one under significant stress and
strain. Current year 1 .6%, is that what it's telling me?
That seems extraordinarily low. I mean it's great if that's true.
We are a smaller organisation compared to if you are benchmarking the matrix on that, it is a smaller organisation, so that would correspond with the number of employees I've been told.
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:45:49
Are you sure?
I've been told from the data protection officer.
Behind you, fine.
He's compiled this dashboard then.
Debbie Simpson, Chair (Independent Member) - 1:46:02
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:46:03
Then I'll defer to the quality of the data. It feels low to me too.
It may be one just to have a cheque on now it's been raised.
Ben Still, Chief Executive (West Yorkshire Combined Authority) - 1:46:10
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:46:12
Debbie Simpson, Chair (Independent Member) - 1:46:14
Okay, thank you.
Any other queries on this?
No?
Okay, thank you.
So if we can, sorry, Councillor Daycare.
Thanks.
It was just really to make it clear for the benefit of anybody who's watching that it's
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:46:32
not that we were incurious or don't have an interest in this topic, that we did have a
workshop beforehand when I think some of the questions that might have been asked in the
Cllr Silvia Dacre (Calderdale Council) - 1:46:39
meeting had already been asked, just about the nature of the dashboard and how it presented
and things like along those lines.
Debbie Simpson, Chair (Independent Member) - 1:46:47
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:46:48
Cllr Silvia Dacre (Calderdale Council) - 1:46:51
Thank you, Councillor Darker. For the purpose of clarification, that's entirely correct.
Debbie Simpson, Chair (Independent Member) - 1:46:53
Nikki Deol Assistant Director Legal, Governance & Compliance - 1:46:54
There was a workshop, but that wasn't to talk about the specific content, but how it's presented
and officers will take that away and present it in a more useful fashion for the next time.
Thank you.
Debbie Simpson, Chair (Independent Member) - 1:47:05
OK, if there are no more comments, we'll close that item as noted.
And that brings us to the end of this meeting.
The next meeting is on the 30th of January, 2026, can you believe.
So happy Christmas, everybody.

12 Date of Next Meeting

Thank you very much.