The Waverley Borough Council Audit & Risk Committee met on 10 September 2025, and among other things, members noted the success of fraud investigation activity, the updated strategic risk register, the internal audit annual conclusion for 2024-25, the arrangements for the pending external quality assessment of the Southern Internal Audit Partnership, the Internal Audit Strategy 2025-28, and the Internal Audit Progress Report July 2025. The committee also approved the Annual Governance Statement and revisions to the Internal Audit Charter 2025-26.

Here's a breakdown of the key discussions:

• Annual Governance Statement and Audit Update The committee approved the final version of the Annual Governance Statement (AGS) for 2024/25, which will be included in the council's statement of accounts. The AGS acknowledges progress in governance practices but recognises ongoing organisational challenges. The committee also noted the update on the progress of the 2024/25 audit of the statement of accounts. The council's external auditors, Grant Thornton, expect to complete the audit by the end of September 2025. Once formal sign off is received from Grant Thornton, the audit chair and Section 151 officer[^1] will sign the accounts, and they will be published on the council's website. [^1]: In local authorities, the Section 151 officer is a statutory appointment, responsible for the proper administration of the authority's financial affairs.

  The committee reviewed changes made to the AGS following comments on 18 June 2025, including issues identified by the Building Safety Regulator (BSR) audit of Waverley's building control functions. The BSR found three areas of contravention, detailed on pages 11 & 12 of the AGS.

• Risk Management The committee noted the updated Strategic Risk Register, which had been reviewed and refreshed for Quarter 1 of 2025/26. The register includes detailed mitigations and risk scorings. Key discussion points included:

  • Cyber Security: Councillor Julian Spence, Chair of the Audit & Risk Committee, said that more information on systems networks training tests, penetration tests and dates those tests took place would be provided directly to councillors.
  • New Planning Policy Framework (NPPF) and the new local plan: There was a query on why failing to deliver on the new figure risking losing local control over development lead to increased pressure on inadequate infrastructure. It was explained that as part of plan making, the council planned spatially and then it planned the infrastructure needed to support that growth. If the council did not have an up-to-date plan and a five-year housing land supply, some growth was happening outside the infrastructure delivery plan.
  • Risk scoring: There was disagreement with some of the ambers, and it was requested that officers spend time with members outside the meeting to go through those. Officers would reach out to members for a refresher on risk management, given there were some new members of the committee.
  • Local risk registers: A member reported an issue with Farnham Park's car park lining, which had faded away and was now causing congestion and could be blocking access for emergency vehicles. It was noted that the asset management team look after the car parks and are responsible for managing them in a way that mitigates and controls the risk, and they would deal with that risk as part of business as usual and clearly part of managing that risk will be regular inspections but also acting on any reports of defects in the fabric of the building. It was requested that such query were forwarded over these concerns and they would be passed on to the relevant team to pick up.

• Internal Audit The committee discussed several items related to internal audit:

  • Annual Audit Conclusion 2024-25: The committee noted the Internal Audit Annual Conclusion 2024-25, which stated that the council's framework of governance, risk management and management control was considered to be 'Reasonable'.
  • External Quality Assessment: The committee noted the arrangements for the pending external assessment of the Southern Internal Audit Partnership[^2] against the Global Internal Audit Standards in the UK Public Sector. [^2]: The Southern Internal Audit Partnership (SIAP) is a shared service providing internal audit services to a number of local authorities.
  • Internal Audit Strategy 2025-28: The committee noted the Internal Audit Strategy 2025-28, which aims to deliver a quality internal audit service, aligned to organisational objectives and improved outcomes.
  • Progress Report July 2025: The committee noted the Internal Audit Progress Report July 2025, which provided an overview of internal audit activity and assurance work completed in accordance with the approved audit plan.
  • Audit Charter 2025-26: The committee approved revisions to the Internal Audit Charter 2025-26.

• Fraud Investigation Summary The committee reviewed the results of housing fraud investigation activity for the period 1 April to 30 June 2025, noting that one property had been recovered.

• Covert Surveillance Reports The committee noted the annual report on the council's use of covert surveillance operations, as regulated by the Regulation of Investigatory Powers Act (RIPA) 2000, in accordance with the council's policy.

• Audit Committee Recurrent Annual Work Programme The committee noted its recurrent annual work programme.

Councillor Paul Follows, Leader of the Council, provided an update on Local Government Reorganisation, and Richard Bates was unable to attend the meeting, so the Solace Review was tabled for the next meeting. Claire Upton-Brown introduced the report that updated the Committee in respect of current plans to review the Council's arrangements in respect of its application and administration of Community Infrastructure Levy so that the Committee could satisfy itself that steps were progressing to ensure a robust governance arrangement. Jose Ribeiro presented a report that provided the Committee with an overview of Waverley's fraud investigation activity completed in quarters 1 to 4 of 2024-25 (1st April 2024 to 31 March 2025). Candice Keet, Head of Finance introduced the report that presented and sought approval for the Annual Governance Statement. Jenny Sturgess, Senior Policy Officer introduced the report that provided an update on the Strategic risk register. Deborah Upton, introduced the report that presented the annual Whistleblowing Report of the Audit and Risk Committee to improve transparency and accountability. The report summarised the whistleblowing activity over the last year and analyses the effectiveness of the Council's system. Nora Copping, Information Manager (Data Management) presented the report that outlined the current framework and governance arrangements put in place within the organisation, to ensure good data management practices. Additionally, the report included high level business-as-usual activities and the improvement initiatives which have taken place in 2024-25 to improve practices and also outlined priorities for the year ahead. Ciaran Ward, Information Governance Officer & Jenny Sturgess, Senior Policy Officer presented a report that outlined the activities and performance related to information governance and data transparency practices. Kimberly Soane, the Regulatory and Review Advisor presented the report that detailed the work undertaken by the Audit Committee over the municipal years of 2023/24 and 2024/25. The purpose of this annual review of the work of the Committee is to help Members review the previous year's work and plan for the coming year.