The Welwyn Hatfield Borough Council Audit Committee was scheduled to meet on Wednesday 3 September 2025 to discuss the anti-fraud progress report, the shared internal audit service progress report, and the risk management for quarter 1. The meeting was also scheduled to discuss any urgent business and any other business of an exempt nature at the discretion of the Chair, Councillor Frank A Marsh.

Anti-Fraud Progress Report

The Audit Committee was scheduled to receive the Anti-Fraud Progress Report from the Shared Anti-Fraud Service (SAFS). The report detailed the work undertaken by SAFS and council officers to protect the council against fraud, and the delivery of the council's Anti-Fraud Action Plan for 2025/26.

The Anti-Fraud Plan for the current financial year was approved by the Audit Committee at its March 2025 meeting. The plan covers all areas recommended by CIPFA¹ and the Fighting Fraud and Corruption Locally Strategy for the 2020s. Between April and August 2025, SAFS issued two fraud alerts, including a reminder about fake documents, and published reports on the propensity for people to commit fraud, as well as guidance on the new 'Failure to Prevent Fraud' offence. SAFS also provided regular Fraud Threat Reports that summarise new and emerging risks, and provide officers with the latest guidance to assist with identification and prevention. SAFS issued six such reports this year, focused on multiple employment fraud, housing application fraud, fake blue badges and 'mandate' fraud.

SAFS provides Executive Reports to senior management and internal audit where investigations identify that fraud or attempted fraud occurred due to system/process weaknesses, and provides recommendations for management to consider the removal/reduction/mitigation of any ongoing fraud risk. There were reportedly two Executive Reports at draft stage for the council, one relating to procurement processes and the second for housing allocation.

The report also noted that a new offence of 'Failing to Prevent Fraud', introduced by the Economic Crime and Corporate Transparency Act 2023, takes effect from September this year. Along with all other councils, Welwyn and Hatfield will be caught by this legislation and SAFS have begun to provide advice and guidance for all SAFS Partners.

Between April and August, 44 allegations of fraud had been received, affecting service areas such as housing, council tax, procurement, and Blue Badge misuse. 24 referrals were made by council officers. SAFS currently has 55 cases under investigation, or at referral stage, with estimated losses of just under £1.5 million recorded in this caseload, and £173,000 in savings (from prior to 25/26).

SAFS officers have reviewed 22 'Right to Buy' (RTB) and 23 succession applications to ensure that there were no fraud or money laundering concerns with these. Four of these applications required further investigation and these are still pending the outcome of those investigations.

SAFS and council officers ensured that all data required for submission as part of the Cabinet Office 'National Fraud Initiative' (NFI) was uploaded in late 2024. The output from this exercise produced 2,069 general matches, creditors and council tax reports. Officers from SAFS and the council are reviewing all matches at present with the intention to clear and close this work by the end of Q2. This work has already identified 45 cases of fraud and error and savings to the council of £203,000 have been reported, with another 47 matches under investigation.

The council has signed up to the Herts FraudHub for 2025/26. Activity on the FraudHub has been suspended until Q2 to focus on clearing the matches from the main NFI exercise.

The report also included the Annual Report 2024/2025 for the Shared Anti-Fraud Service. According to Nick Jennings, Head of Shared Anti-Fraud Service, in 2024/2025, SAFS received 1,667 referrals, uncovering fraud worth over £4.7 million from these cases alone. Overall, SAFS' efforts in 2024/25, in collaboration with its partners, identified more than £15 million in fraud prevention / loss.

Shared Internal Audit Service - Progress Report

The Audit Committee was scheduled to receive the Shared Internal Audit Service (SIAS) Progress Report. As at 15 August 2025, 32% of the 2025/26 Audit Plan days had been delivered. One final audit report had been issued since the previous progress report:

Four medium-priority IT audit recommendations were scheduled for follow-up. Of these, one has been fully implemented. The follow-up review indicates that the service has made substantial progress, with implementation nearing completion. Revised target dates have been updated to the end of September 2025 to reflect the proposed actions and ensure alignment with current progress.

Risk Management

The Audit Committee was scheduled to receive a report presenting the current identified strategic risks facing the council, and those operational risks assessed as having a residual risk level of serious or severe (those with a score of 10 or more) as previously presented to Cabinet. The report is an assessment of risk as at 30 June 2025.

The report presented the risks under this framework. Narrative is provided by the risk manager, and is shown against each risk individually.

The strategic risks are contained in Appendix A, and the operational risks with a residual assessment of serious or severe, are contained in Appendix B.

Contained within the appendices, is a comparison of how each individual risk to the previous reporting period. This will assist members with identifying how a risk may have increased or decreased between periods, and narrative will be provided to assist in understanding what has led to this change in assessment.

One of the risks identified was that of Equalities and Safeguarding. The description of the risk was:

Failure to comply with equalities and safeguarding legislation & best practice could lead to challenges to council decisions as a service provider, employer and in the procurement of products and services. This in turn could have severe financial, legal and reputational implications.

The controls in place to mitigate this risk were listed as:

• HR polices and procedures
• Equality and Diversity Strategy
• Equality and Diversity Action Plan
• Equality, Diversity and Safegaurding Working Group
• Training and development
• Safegaurding policies and procedures

The risk manager's commentary stated that the EDI action plan has been approved by SLT and delivery will be monitored by the equalities, diversity, inclusion and safeguarding steering group. Working parties are now leading on each priority and agreeing timescales for completion. It was agreed at Employee Forum to Neurodiversity strand. Equalities Impact Assessments are being Audited over the summer. Preparing for changes to Equality Bill to include race and disability pay reporting in 2025.

Another of the risks identified was that of Cyber Security. The description of the risk was:

Issues with cyber security, could lead to loss of sensitive and operational data and render systems unuseable, in turn impacting on the Council's ability to deliver key and statutory services. A major incident could lead to extended downtime, which could impact financially, legally and have a significant impact on the Council's reputation.

The controls in place to mitigate this risk were listed as:

The council has a range of measures which prevent or mitigate the manifestation of cyber security risks. These include technical measures, including: Firewalls Web Proxy service (preventing access to unsuitable and suspicious sites) Email gateway which quarantines suspicious emails, intercepts spam and malware, etc. Regular security patching Multi-factor Authentication for remote access Anti-malware and Security Information and Event Management (SIEM) software Back-ups Application whitelisting And non-technical measures, including: Risk awareness, with information provided from multiple governmental and non-governmental sources Independent assessments from Cabinet Office approved consultants, as well as internal audit Staff Awareness and Training

The risk manager's commentary stated that the council's ICT environment is subject to 3rd-party testing and accreditation as part of Public Sector Network membership, with any vulnerabilities identified and remedied. The council was reaccredited for 2024/2025 and the ICT team continue to work with the Cabinet Office on accreditation for 2025/26. The ICT Team employ a strong range of technical preventative and mitigating measures (including firewalls, timely security patching, anti-malware software, etc.). We include Cyber Security as a core consideration in all major infrastructure and application renewal. The council has adopted Security Information & Event Management (SIEM) system, successfully flagging and mitigating cyber attacks in real time, and more recently a 24/7 managed Endpoint Detection & Response service and Incident Response contract to enhance its network security. We have recently introduced multi-factor authentication to protect account security, upgraded firewalls in February 2024 and have blocked access from overseas by default. Defensive technologies are regularly reviewed to ensure effectiveness. The council undertakes phishing simulations to maintain high awareness of this risk, which are run quarterly. Staff are required to undertake cyber security awareness training annually with similar training recently provided to members. Significant security updates are provided to Senior Management and members when relevant.