Concise Minutes - Senedd Commission Audit and Risk Assurance Committee


Meeting Venue:

Video Conference via Zoom

Meeting date: Friday, 12 February 2021

Meeting time: 10. - 12.00
This meeting can be viewed
on Senedd TV at:
http://senedd.tv/en/11208


------

Attendance

Category

Names

Members of the Senedd:

Robert (Bob) Evans (Chair)

Ann Beynon

Suzy Davies MS

Dr Aled Eirug

Witnesses:

Committee Staff:

Kathryn Hughes (Clerk)

Buddug Saer (Deputy Clerk)

Manon Antoniazzi (Official)

Gareth Watts (Official)

Nia Morgan (Official)

Arwyn Jones (Official)

Siwan Davies (Official)

Dave Tosh (Official)

Sulafa Thomas (Official)

Mark Neilson (Official)

Jamie Hancock (Official)

Steve Wyndham (Official)

 

<AI1>

1       Introductions, apologies and declaration of interests

1.1         The Chair welcomed everyone to the meeting, including Steve Wyndham who was attending for the first time since replacing Gareth Lucey as the Audit Manager from Audit Wales. He noted an apology from Ann-Marie Harkin and advised that the annual private session with Audit Wales which had been arranged for today would be re-arranged. 

</AI1>

<AI2>

2       Minutes of 20 November, actions and matters arising

2.1         The minutes of the 20 November meeting were agreed and updates to the actions summary noted. 

</AI2>

<AI3>

3       COVID-19 - Corporate update

3.1         Dave Tosh provided the Committee with an update on the arrangements in place on the estate. Due to the tier 4 restrictions, Senedd business was completely virtual and would remain so until any restrictions were lifted. The restrictions had significantly reduced the risk on the estate as attendance was below 15%, with the threshold set at 30%. Those in attendance, including those supporting Senedd business on Tuesdays and Wednesdays were bound by social distancing rules which were working well. 

3.2         The Return to the Estate programme group were continuing to prepare for a number of scenarios based on the easing of restrictions, especially given early success of the vaccination programme. Their focus was on monitoring the regulations to ensure that the organisation was as prepared as possible to reopen. This group would provide weekly updates to the Leadership Team and would continue to consult with other legislatures.   

3.3         Committee members questioned whether the success of the vaccination programme would result in staff returning to the estate sooner. In response, Dave confirmed that this was unlikely due to the age profile of building users, the majority of which were unlikely to receive the vaccination until later in the year. He also stressed that rules around social distancing and the wearing of face masks were likely to remain for some time, as well as only needing to attend the workplace if it was essential. 

3.4         The Estates and Facilities Team has identified pilot areas for specific alterations to be made in order to test what a return to the estate could look like, with both a physical and virtual presence, as well as meeting and break out spaces. These pilots would be evaluated and adjusted before being rolled out to other areas. 

3.5         When questioned on the importance of monitoring staff wellbeing, Dave assured the Committee that the challenges around domestic responsibilities and home schooling for a number of employees were being actively monitored by line managers and that the welfare and wellbeing of staff was a priority for all. The extended Christmas shutdown had provided an opportunity for the vast majority of staff to take a break, as well as reducing the accumulated annual leave figure. He believed that, whilst the sustained lockdown was putting pressure on many, the Commission’s policies and the flexibility of teams to work differently meant this was being well managed. He also advised that there was mutual understanding of the pressures through regular discussions with the Commission and the Chairs’ Forum. 

3.6         Arwyn Jones also informed the Committee that the planning for the start of the Sixth Senedd was underway to allow for predominantly virtual delivery of proceedings. This included the official opening ceremony which could be a mixture of onsite and virtual activities depending on the restrictions in place at the time. Commission staff were engaged in discussions with the various stakeholders. 

3.7         The Committee welcomed this comprehensive update, the planning involved to ensure the safety and wellbeing of those who were working on the estate.

</AI3>

<AI4>

4       G&A update report (including forward look for 2021-22 audit plan)

4.1         Gareth presented his usual update on governance and assurance activity and audit work. He outlined how he had continued to lead the Assurance Workstream of the Commission’s Return to the Estate Programme and to participate in the intra parliamentary forum on Business Continuity. He also provided an update on preparations for production of the Commission’s 2020-21 Annual Report, and the production of assurance statements by each Head of Service and Director, which his team were leading on.   

4.2         The report on the risk and issue management review had been circulated out of Committee and a review of the management of ICT assets for both Commission staff and Members of the Senedd and their staff was awaiting clearance before sharing with the Committee.

4.3         The Committee questioned the criteria for the return of ICT assets and furniture by departing Members and the allocation of kit to new and returning Members. Gareth agreed that he would discuss recycling and re-use options with colleagues in Members’ Business Support and Estates and Facilities Management. 

4.4         The compliance culture audit had been rescheduled for the autumn term, the scope of which was yet to be defined. Gareth described the meta compliance tool which had been used to deploy certain policies, the effectiveness of which would be evaluated. Committee members questioned its use to help ensure their level of compliance with Commission policies beyond the ICT Security Rules.

4.5         In terms of training needs in general for Committee members, the Chair suggested discussions should be held with him and the clerking team. 

4.6         In forming his year-end Annual Report and Opinion, Gareth would review the Public Sector Internal Audit Standards. His report would acknowledge how the reduction in the number of traditional internal audit reports produced had been offset by additional ways in which he had been able to offer assurance and review during this period, including sitting on boards, providing real time assurance and advice to senior management and others.

4.7         Gareth concluded his item by presenting his forward look for 2021-22 which, as well as delayed audit from the previous year and the regular reviews of areas such as financial systems, Members expenses and cyber security would also include work associated with a new Senedd. The Committee welcomed plans to carry out the planned value for money review of the Research Service, specifically around the Library as this would demonstrate effective use of resources.  

</AI4>

<AI5>

5       Data Protection update

5.1       Gareth presented this paper, which was intended to provide assurance that the Commission were constantly reviewing their ability to comply with GDPR. The focus of this paper was on how the gaps which had been identified would be addressed going forward and plans for future compliance audits. He also outlined the development of a data protection compliance tool (based on an ICO self-assessment) which was being rolled out to service areas.

5.2       Gareth added that with a Deputy Data Protection Officer in place there would be increased focus on priority actions including training and awareness, guidance and policy, including for retention of information. Gareth agreed to provide regular reports on progress in respect of the actions identified and would formally verify progress in a year’s time through a formal audit.

5.3       The Committee welcomed this update and the proposed approach. When questioned if advice and training would be provided to Members and their staff, Gareth reminded the Committee that Members were data controllers in their own right but his team would make Members aware of guidance, including from the Information Commissioner’s Office (ICO). He also made reference to training sessions which the  ICO Wales office had provided to Members in the past, and the option of possible delivery of virtual sessions in the future.

</AI5>

<AI6>

6       Consider emerging findings from the current interim/in-year work and advise the Accounting Officer of any issues that need to be addressed during the remainder of the year

</AI6>

<AI7>

7       Consider any residual actions arising from the previous year's work of both internal and external audit and comment on any associated risks

</AI7>

<AI8>

8       Share wider public sector/national reports produced

6.1         Steve Wyndham thanked the Committee for their welcoming words and the Chair for taking the time to introduce himself ahead of the meeting. He had taken on board the Committee’s interest in Audit Wales (and National Audit Office) outputs and updates and agreed to share these when available.   

6.2         Steve updated the Committee on the action regarding the outcome of any discussions with the Equalities and Human Rights Commission (EHRC) in relation to the Equalities Act. There was a commitment that Audit Wales would continue to liaise with EHRC when there was a significant equality angle to their work. Ann Beynon welcomed this commitment and encouraged the Senedd Commission to engage with the EHRC in a similar way. It was agreed that Dave would discuss this further with Ann outside of the meeting. 

6.3         Steve confirmed that there were no outstanding issues for last year’s ISA 260 or Management Letter and the current interim audit was progressing well, with his team and the Finance team working flexibly and pragmatically in these challenging circumstances. 

6.4         Audit Wales was not in a position to share its audit fee as it was being reviewing by their internal moderation process.  As soon as it was available, it would be shared with the Committee.   

Actions

·        (6.2) Dave and Ann to discuss privately any value that could be added by involving the Equality and Human Rights Commission in some aspects of equality work to be taken forward by the Commission’s Executive Board.

</AI8>

<AI9>

9       Consider the Commission's strategy for sixth Senedd

7.1      The Chair invited Manon to provide an update on development of the strategy for the Sixth Senedd. She explained that initial discussions had been held with Commissioners around legacy reporting and its recommendations for the new Commission, with further discussions to follow. There were a number of areas of some certainty on which the current Commission could base its recommendations, including that members of the next Commission would be new and approval of the budget for 2021-22. Suzy pointed out that the budget was already under pressure, particularly for future projects.

7.2      The new Commission would need to take account of the budget constraints, the Welsh Government’s legislative programme and learning from the Covid situation when prioritising its objectives around delivering Senedd business, as well as developing workforce and accommodation strategies. Manon also reminded the Committee of the expectation that a further capacity review would be undertaken at the start of the Sixth Senedd.

7.3      The Committee noted that, whilst the strategic goals were unlikely to change drastically, resetting these would depend on the ambitions of the new Commission, for instance, around the next stage of Senedd reform and levels and methods of engagement with the public. It also noted that the setting of strategic goals and priorities would need to be informed by the views of the current Commission.

7.4      The Committee then discussed specific examples of priorities which would need to be considered, including the merits versus the expense of taking forward citizen engagement activities and the various ways this could be achieved. Aled suggested an evaluation of the Assembly/Senedd experience with citizen assemblies and experiences elsewhere in Ireland and Scotland. 

7.5      The future of Tŷ Hywel was still a live issue. Dave outlined plans in the short-term for necessary maintenance and refurbishment of Members’ offices during the dissolution period, and in the medium to long-term for return to the estate. He described the Commission’s plans to pilot the approved proposals to support more hybrid working for staff across the estate. These pilots would be evaluated and adjusted to suit service areas. Rolling this out would involve exploring innovative solutions and the re-direction of resources into providing the space and technology to facilitate new workspace formats.  

7.6      Aled asked for an update on the long-term lease arrangements for the Tŷ Hywel building, and suggested the need for an options paper when the lease was reviewed, Dave advised that exploratory discussions would begin with the landlord in the coming months.

 

</AI9>

<AI10>

10    Update on planning for the May 2021 Senedd elections

8.1      The Chair welcomed Siwan Davies and Sulafa Thomas to the meeting. Siwan referred the Committee to the updates provided in the Commission’s Corporate Risk Register and provided a further update on the legislative position, outlining the rapid passage of the Government Emergency Bill through its various stages and the implications of this for the Commission. The Bill, which was awaiting Royal Assent for it to become enacted as the Elections Wales (Coronavirus) Act 2021 would provide powers for the Llywydd to move the date of the Senedd Elections by up to six months should this be necessary to protect public health. It would also shorten the formal dissolution period to one week.

8.2      Siwan described the agreement that this formal one week dissolution period would be preceded by a three week pre-dissolution period. During this four week period, which would be known as the ‘election period’, the only Senedd business to be conducted would be to debate and approve proposed changes to the date of the election or for matters of public health relating to Coronavirus. She added that normal dissolution rules, including those around use of Senedd resource, would apply during this four week election period. Dissolution guidance for Members of the Senedd and for Commission staff was being updated and would be issued in the coming days.

8.3      Sulafa described the practical steps being taken to update and issue election period guidance, and the plans being finalised for the start of the Sixth Senedd. This included plans for virtual or physical oath taking in line with public health guidelines, providing access to IT equipment and other resources, and setting up offices for new and returning Members. Sulafa explained that some IT equipment for new Members was being purchased early to mitigate the potential risks around procurement delays relating to the end of the EU Transition period.

8.4      Sulafa advised that plans were also being drawn up for the various forms in which the official opening ceremony might be conducted depending on the lockdown restrictions. A detailed programme of induction was also being finalised which, in the early days, would focus on providing clarity on rules and Members’ statutory and most significant responsibilities. Discussions were also underway, including with the Llywydd, the Commission and the (Committee) Chair’s Forum, around the end of Fifth Senedd in terms of legacy reporting.

8.5      Sulafa added that the process for changing the date of the election and the thresholds for doing so were also being considered. Budget implications of any changes were also being monitored. In response to questions from the Committee, Siwan advised that it would be the First Minister proposing a change to the date of the election based on advice from Public Health Wales and the Chief Medical Officer.

8.6      The Chair thanked Siwan and Sulafa for their comprehensive updates and noted the rigorous and well-developed plans in place. He also noted that the focus for the Committee would be on regularity and propriety. Committee members also noted the exemplary approach by Commission officials and offered to provide any assistance going forward.

Actions

·        (8.2) Clerking team to ensure dissolution guidance is shared with ARAC members once finalised.

 

</AI10>

<AI11>

11    Corporate Risk

9.1      Dave presented this item noting that the Corporate Risk Register had been reviewed by Executive Board on 28 January. He highlighted that, due to the on-going lockdown restrictions the likelihood rating on the Coronavirus risk was increased from medium to high. The Corporate Capacity risk had also been re-escalated to a corporate level in recognition of the ongoing significant pressures on capacity due to the pandemic and increased workloads, including around the Emergency Bill and preparing for an Election.

9.2      The Committee welcomed this comprehensive summary and with the pace of the vaccination programme rollout, they hoped to see the Coronavirus risk moving in a downward direction in the coming months. 

</AI11>

<AI12>

12    Critical examination of one identified or emerging risk - Cyber Security (combined with the twice yearly update)

10.1    The Chair welcomed Mark Nielson, Jamie Hancock and Tim Bernat to the meeting and invited them to outline the details of their update on cyber-security.

10.2    Mark shared a detailed description of the work his team had undertaken since the last update and where they would concentrate their efforts in the future. He reported that there had been a significant rise in phishing attacks during the pandemic and the main source of the malicious intent remained with emails. His team had been working closely with Microsoft to enhance the security arrangements and parameters in place.  A system had been put in place to assist recovery from any cyber-attacks and a new zero trust model was being implemented.

10.3    The training of staff remained a priority for his team and an internal audit scheduled for later in 2021 would test the core resilience of the backup systems in place. He was confident that his team were sufficiently resourced to perform the tasks required of them currently.

10.4    The Committee then questioned the location of data storage of some applications.  Mark confirmed that not all of the data was in the UK but it was all held within the EU.  Discussions had commenced around ensuring data remained in the UK. Previous concerns had been raised about the organisation’s reliance on Cloud service. The Committee appreciated the level of flexibility the Cloud offered but it remained an implicit point of failure.

10.5    Mark and Dave noted the concerns raised regarding Cloud services, but noted that the transition to remote working would have been extremely problematic had they not moved to the Office365 environment some years ago. Mark was aware that some organisations had experienced significant problems as a result of trying to implement a Cloud service model during the pandemic. Single points of failure were inevitable and, whilst the failure of third parties was out of the Commission’s control, mitigation would remain their focus in the future.

10.6    The Committee thanked and congratulated Mark and his team for their efforts during these unprecedented times. The fact that there had been no major failings since the whole organisation had been working remotely since March 2020 was a tremendous achievement.            

</AI12>

<AI13>

13    Finance Update

11.1    Nia Morgan outlined the 2020-21 corporate financial target was to deliver an unqualified audit report and an end of year operational out-turn in the range of 0% to 1.5% of the approved operational budget. She confirmed that the forecast out-turn position at the end of January was well within this target at 0.4% of the approved operational budget. As the underspend remained tight, Executive Board and Leadership team would continue to assess project resource requests with a view to maintaining the low level of underspend until the end of the year. The piloting of different work space had been an additional unforeseen area of spend and it would be an item of expenditure budgeted for in future years, if the pilot was successful. 

11.2    The Public Accounts Committee recommended that the Senedd Commission remove any future KPIs that set to minimise under expenditure, and focus instead on using financial resources as efficiently as possible. Work would be undertaken during 2021-22 to develop proposals to discuss with the Commission appropriate corporate financial targets for the Sixth Senedd.

11.3    A second Supplementary Budget was approved by the Commission in December. As noted in the November meeting, part of this second Supplementary Budget was to increase the Annually Managed Expenditure (AME) budget from £1.6 million to £2.0 million to reflect the Actuary’s estimate of the increase in Members’ Pension finance costs. 

11.4    Nia then moved onto 2021-22 budget which related to the first year of the Sixth Senedd that would be overseen by a new Commission elected in 2021. With the delay to the implementation of International Financial Reporting Standard (IFRS) 16 (Leases) due to the impact of Covid-19 the 2021-22 budget had been presented without any IFRS 16 data. Further details on this can be found in paragraph 12.2.

11.5    The Committee thanked Nia for this update and noted the well-deserved praise and recognition from the Public Accounts Committee. The work undertaken to present the future budget was exemplary and Nia agreed to share information on any savings or additional spend due to the pandemic, with the Committee in due course.

Actions

·         Nia to share analysis of spend and savings in relation to Covid with ARAC at year end.

</AI13>

<AI14>

14    Review of accounting policies

12.1    Nia presented this paper which outlined the annual review of accounting policies to ensure their continued relevance in supporting Senedd business. The Finance team used the latest information available from HM Treasury and worked with services across the Commission, identifying any significant changes. Areas reviewed included external changes such as accounting standard changes, internal business changes and the Audit Wales external audit report and management letter.

12.2    Although the review was on-going, there were no expected changes to the accounting standards that would need reflecting in the accounting policies applied by the Commission for 2020-21, apart from the International Financial Reporting Standard (IFRS) 16. Following a number of delays, HM Treasury confirmed in November 2020 that the Financial Reporting Advisory Board had agreed that there would be no mandatory implementation of IFRS 16 from 1 April 2021. Instead, the effective date would now be 1 April 2022. This further delay to its implementation will mean that IFRS 16 will not impact on the Commission’s budget until 2022-23. The Commission decided not to adopt IFRS early (in 2021-22). Subject to further guidance from HM Treasury, the impact will be reflected in the Commission’s Draft Budget for 2022-23 or its first Supplementary Budget for 2022-23.

12.3    The Committee thanked Nia and her team for their detailed review. He suggested that discussions with Audit Wales might be useful to minimise duplication of effort across Welsh public sector organisations for analysing changes to accounting policies and the Financial Reporting Manual (FReM).

</AI14>

<AI15>

15    Feedback on discussions at the Commission's Remuneration, Engagement and Workforce Advisory Committee (REWAC)

13.1    Ann Beynon, as member of the Commission’s Remuneration, Engagement and Workforce Advisory Committee (REWAC) welcomed this opportunity to feedback on the last meeting held on 30 November 2020.  She reported that the response rate of the Pulse survey, held in October had increased, but the uptake of the Dignity and Respect survey by Members of the Senedd was very low. 

13.2    REWAC had discussed ways of improving daily communications and how the start of a new Senedd term would be a great opportunity to promote policies, and refresh training and guidance. Ann referred to a report into journalism in Wales and discussions at REWAC focusing on how messages from and about the Senedd could be disseminated wider, whilst upholding our separation from the Welsh Government.

13.3    Arwyn updated members on the paper being prepared for Commissioners on sustaining journalism in Wales, building on the work of the Digital Taskforce whose reported was published in 2017.

13.4    The Chair thanked Ann for this feedback and would welcome feedback at future meetings. 

</AI15>

<AI16>

16    Feedback on ARAC Chairs' Forum

14.1    Unfortunately, due to the pandemic, the Chair confirmed that there had been no Chairs’ forum events to report on.

</AI16>

<AI17>

17    Consider ways in which the Annual Report and Accounts can be used to promote the work of the Senedd throughout the year

15.1    This item would be discussed out of Committee.

</AI17>

<AI18>

18    Forward work programme

16.1    The Committee had no changes to make to the Committee’s work programme.

</AI18>

<AI19>

19    Departure Summary

17.1    There were no comments or questions on the departures.

Next meeting is scheduled for 23 April 2021.

</AI19>

<TRAILER_SECTION>

</TRAILER_SECTION>

<LAYOUT_SECTION>

1.          FIELD_TITLE

FIELD_SUMMARY

</LAYOUT_SECTION>

<TITLE_ONLY_LAYOUT_SECTION>

2.          FIELD_TITLE

</TITLE_ONLY_LAYOUT_SECTION>

<HEADING_LAYOUT_SECTION>

FIELD_TITLE

</HEADING_LAYOUT_SECTION>

<TITLED_COMMENT_LAYOUT_SECTION>

FIELD_TITLE

FIELD_SUMMARY

</TITLED_COMMENT_LAYOUT_SECTION>

<COMMENT_LAYOUT_SECTION>

FIELD_SUMMARY

</COMMENT_LAYOUT_SECTION>

 

<SUBNUMBER_LAYOUT_SECTION>

2.1          FIELD_TITLE

FIELD_SUMMARY

</SUBNUMBER_LAYOUT_SECTION>

 

<TITLE_ONLY_SUBNUMBER_LAYOUT_SECTION>

2.2          FIELD_TITLE

</TITLE_ONLY_SUBNUMBER_LAYOUT_SECTION>