The Audit Committee of Wandsworth Council met on Wednesday 11 March 2026 to review the council's use of surveillance powers, its internal audit strategy, and its fraud prevention efforts. Decisions were made to approve the council's internal audit strategy and plan, and to note the fraud progress report and the annual review of risk management.

Use of Surveillance Powers Under RIPA

The committee received an update on the council's use of surveillance powers under the Regulation of Investigatory Powers Act (RIPA), as detailed in the document Councils use of RIPA for the year 2025-26 ¹. Paul Gigliotti, Director of Financial Services, explained that these powers are used in specific circumstances, primarily for investigating abuse of blue badge fraud. He clarified that surveillance is conducted either under the formal RIPA shield or without it, depending on the nature of the suspected offence.

Two cases were prosecuted under the RIPA shield, with one resulting in a vehicle impoundment and blue badge seizure. Seven instances of surveillance were carried out without the formal shield, with outcomes detailed in the report. Councillor Rigby inquired about the use of facial recognition technology, which was confirmed not to be in use, with surveillance relying on officers and handheld equipment. Councillor Kelly noted a reduction in the reported numbers of surveillance instances and asked for clarification. Kevin Holland, Assistant Director for Fraud, Risk and Insurance, explained that while the number of applications may have reduced, the investigations often uncover multiple instances of misuse from a single surveillance operation, meaning the overall fraudulent activity detected has not diminished. Councillor Critchard asked about the frequency of independent reviews of RIPA powers, and was informed that these are ad hoc, with the council also undergoing annual inspections as part of a five-borough partnership. The committee agreed to approve the specific purpose for which RIPA powers are used, as outlined in paragraph 4 of the report.

Internal Service Charger Strategy and Plan

The committee reviewed the Internal Service Charger Strategy and Plan, an annual document outlining the council's charter, strategy, and plans for the upcoming year, as well as a five-year strategic plan. Paul Gigliotti highlighted that the primary change this year is the adaptation to new global internal audit standards, which have led to a comprehensive rewrite of the document rather than minor amendments. Key changes include the explicit identification of structural independence, formalisation of procedures for perceived conflicts of interest, and enhanced details on access and escalation protocols.

Andrew Hamilton, Assistant Director for the Shared Audit Service, elaborated that the shift from public sector internal standards to global standards necessitated a complete overhaul of the document. He explained that the charter now explicitly refers to compliance with global internal audit standards and UK public sector guidance, strengthening governance arrangements and clarifying the roles of the audit committee and senior management. Councillor Critchard requested clarification on specific paragraphs detailing these changes, and Mr Hamilton offered to highlight the relevant sections and distribute them to the committee.

Discussions also covered the risk management framework, with Councillor Rigby seeking a timeline for its implementation. Mr Holland indicated that this is an ongoing process, with a meeting with directors scheduled and a quarterly cycle already in place, though the timeline for a digital platform remains uncertain. Councillor Hedges raised questions about the operational audit plan, specifically regarding the transformation program and cybersecurity audits. Mr Holland explained that the transformation program audit is iterative and involves collaboration with the relevant teams to ensure involvement during the process. Regarding cybersecurity, he noted that audits are conducted biennially, but that ongoing assurance is gained through training and workshops, and that the council has a continuous network monitoring service. He also highlighted that the Information Security audit covers aspects of cybersecurity.

Councillor Hedges also inquired about the frequency of housing management and compliance audits, given the regulator of social housing's previous review. The committee was informed that high-risk areas are audited on a one-to-two-year cycle, with flexibility based on audit outcomes. Specific audits on fire risk assessments and gas safety are also conducted. Councillor Caddy questioned the rationale behind auditing certain low-risk areas annually while higher-risk areas are audited less frequently. Mr Holland explained that some audits, like the procurement card continuous audit, are in place for ongoing oversight rather than a traditional audit, and that their low-risk status is partly due to existing robust processes.

Alexander Priest, an independent member, asked about the procurement of external expertise and the council's approach to data testing. Mr Hamilton confirmed that external specialists are engaged for specific high-profile or IT-based audits when internal expertise is insufficient, though this is used sparingly due to cost. Regarding data testing, he explained that the target of 50% of audits covering data testing by 2027 is a gradual process due to varying skill levels within the team and budget constraints for training. He clarified that data testing involves transactional testing of systems holding data, aiming for full population tests rather than samples.

Further discussion involved emergency planning and the council's reliance on external utility providers, with Mr Holland stating that while internal audit cannot assess the operations of external providers like Thames Water, they can review the council's emergency planning team's response to challenges. He noted that the council is cyber-assured and meets government standards for cybersecurity, with IT services going beyond these requirements due to the consequences of cyber-attacks. Councillor Critchard raised a point about the off-stead review and its potential impact on the audit plan, which will be discussed with children's services. The methodology for determining high, medium, and low-risk audits was explained, based on criteria such as financial cost, changes in systems or personnel, reputation, and links to strategic objectives. The risk assessment process itself is due for review.

The committee agreed to approve recommendations A, B, and C, and to note recommendation D, relating to the internal audit plan. It was also suggested that the internal audit plan be referred to the Cabinet for noting.

Fraud Update March 2026

The committee received the Fraud Update March 2026 ², presented by Kevin Holland, Assistant Director for Fraud, Risk and Insurance. He outlined the indicative fraud plan, which prioritises fraud prevention, and the key performance indicators (KPIs) reported to the committee and chief officers. The report also detailed the outcomes of activities undertaken during the year, including findings from the first local government fraud survey since 2018-19 by the National Anti-Fraud Network.

Councillor Rigby commended the team's work in protecting council funds and requested more detailed breakdowns in future reports, specifically regarding the outcomes of different investigation types. She also raised concerns about the use of Artificial Intelligence (AI) by fraudsters and asked about the team's strategy for addressing this. Mr Holland confirmed he would provide more detailed statistics and explained that AI is reducing the technical knowledge required for fraudulent activities, increasing the risk. He highlighted the council's membership in the Government Counter-Fraud Profession, which provides updates on AI use by fraudsters, and the development of a new cohort of investigators through apprenticeships to combat evolving threats.

Councillor Caddy inquired about the process for recommending fraud prevention measures to departments and tracking their implementation. Mr Holland explained that post-mortem reviews of significant internal frauds lead to recommendations, which are then incorporated into the audit actions list. He also mentioned the compulsory online fraud awareness tool for all officers and targeted training sessions.

Regarding data analytics, Councillor Caddy asked about potential partners for data sharing, such as the Department for Work and Pensions (DWP) and HMRC. Mr Holland acknowledged that sharing information with some government partners remains challenging, but that dialogue is ongoing through groups like the London Borough Fraud Investigators Group. He also mentioned the London Fraud Hub and ongoing trials of IT companies offering fraud detection solutions. The human element of fraud investigation, particularly in temporary accommodation, was also highlighted, with a focus on ensuring suitability and preventing misuse.

Councillor Critchard noted that Wandsworth's fraud referral numbers are higher than the average reported by the National Anti-Fraud Network and asked for a comparative borough analysis. Mr Holland attributed this to the size of the council's housing stock and local regulations concerning parking and transport centres, which contribute to a higher incidence of blue badge misuse. He also clarified that additional resources for Merton Council's review are being utilised, contributing to the recruitment of apprentices. Changes to the methodology for calculating notional savings were explained, with the increase in the other category attributed to data cleansing and the removal of invalid blue badges from waiting lists.

Alexander Priest asked for a breakdown of referrals versus independent investigations in the savings figures, and Mr Holland stated that the vast majority of cases are referrals, though proactive exercises are also conducted. He also discussed the potential for increased savings in housing fraud if resources were reallocated, but emphasised the need for a balanced approach across different fraud types to maintain deterrence. Councillor Cressy inquired about the cost-benefit of the fraud investigation team and the council's engagement with the Government Assure for Cyber program. Mr Holland confirmed the full-time equivalent investigator numbers and explained that the apprentices are funded through a grant and their work initially focuses on compliance verification, with a growing fraud element as they progress. He also confirmed that the council is cyber-assured and meets government standards.

The committee noted the indicative fraud plan and the fraud progress report.

Annual Review of Risk Management

The committee reviewed the Annual Review of Risk Management ³. Paul Gigliotti noted that this topic had been largely covered during discussions on other agenda items, particularly concerning the internal audit plan. He confirmed that a follow-up review is scheduled for the summer, a first review with the Director's Board on corporate risks has been completed, and a training plan is in place.

Councillor Caddy raised a point about the perception of local government as risk-averse and questioned how the council assesses risk appetite in light of significant financial challenges. Mr Gigliotti explained that the scoring matrix now considers inherent and residual risks, with a process to accept risks based on risk appetite, which is collectively set by service heads and overseen by senior management. He noted that the Director's Board now reviews governance and risk quarterly, allowing for cross-departmental oversight.

The committee was asked to note the paper.