Meeting Venue:
4B Tŷ Hywel
Meeting date: Friday, 3 May 2024
Meeting time: 10:00-12:30
------
|
Category |
Names |
|
Members of the Committee: |
Bob Evans, Independent Adviser and Committee Chair Hefin David MS, Senedd Commissioner and Committee Member Menai Owen[1]Jones, Independent Adviser and Committee Member
|
|
Other in attendance: |
Dr Aled Eirug, Independent Advisor |
|
Committee Staff: |
Manon Antoniazzi, Chief Executive and Clerk of the Senedd, and Accounting Officer Ed Williams, Director of Senedd Resources Kate Innes, Chief Finance Officer Arwyn Jones, Director of Communications and Engagement Lee Glover, Director, Validera and Head of Internal Audit (Part 1 - items 1-20) Anthony Veale, Executive Audit Director, Audit Wales (Part 1 - items 1-20) Kathryn Hughes, Committee Clerk, and Risk and Governance Manager Buddug Saer, Deputy Committee Clerk Matthew Richards, Head of the Legal Service (items 10-20) Leanne Baker, Acting Chief People Officer (items 10-20) Yvonne Jennings, Senior ICT Project Manager (item 21) Anna Daniel, Head of Strategic Transformation (item 24) |
1.1 The Chair welcomed everyone to the meeting and noted apologies from Siwan Davies, Clare James, Audit Wales and Uzo Iwobi, Independent Adviser.
1.2 The Chair formally welcomed Hefin David MS to his first meeting. Hefin recently took over the role as Commissioner and member of ARAC from Ken Skates MS.
1.3 The meeting was split into two parts, Part 1: Assurance and Committee Business and Part 2: Strategic Discussion. The Chair had previously indicated that only members of the Executive Board (EB) would attend part 2.
1.4 No interests were declared.
ARAC (24-02) Paper 1 – Draft Minutes of 19 February 2024
ARAC (24-02) Paper 2 – Summary of actions
2.1 The draft minutes of the 19 February meeting were formally approved and would be published on the website in due course.
2.2 The Chair welcomed sight of the Strategic planning framework recently approved by the Executive Board (EB). It would refer to this diagram again when considering individual strategy documents.
2.3 The Committee noted the progress against actions from the previous meetings.
ARAC (24-02) Paper 3 – IA activity update
3.1 The Chair welcomed Lee Glover, Head of Internal Audit, to the meeting. As well as presenting a paper, he provided a brief update on the outstanding Audit Needs Assessment and of two audit reports (namely Project and Programme Governance and Cyber Security) expected at the next meeting.
ARAC (24-02) Paper 5 - IA Public appointments report
4.1 Lee introduced the public appointments report.
4.2 The Committee raised one point of clarification regarding the cost of the recruitment search consultants which fell to the Commission. They subsequently noted the report and thanked Lee for presenting it.
ARAC (24-02) Paper 4 – IA Strategy 2024-25
5.1 A draft of the internal audit strategy 2024-25 had been presented and approved at a recent EB meeting. This was still a working document, with Committee members given the opportunity to share their thoughts and comments with the Head of Internal Audit and officials.
5.2 The Committee noted that the strategy was a change in approach from previous years and asked about the relationship between the new strategy and the corporate risk register. Members asked about the apparent focus on internal financial controls and sought assurance on the balance of planned audits across all three directorates. They also sought assurance that the programme of planned audits was adequately resourced so as to avoid any slippage in this new financial year.
5.3 Lee confirmed that the strategy’s intention was to provide a plan based on the audit needs assessment which had considered the detail of the risk register and was a three-year rolling programme. Included in this plan was an intention to review the risk management arrangements, business planning process and the new pension and payroll system. The business planning process audit would provide a greater understanding of the processes within the organisation, and this would inform adjustments to the planned programme of audits.
5.4 The risk register assumed a modest impact from control arrangements and did not fully address the risk appetite of the Commission. The risk audit would assess the register and the impact of controls and scoring which would allow a full risk-based approach to be adopted. Postponed audits would be incorporated where appropriate. The strategy would be developed further, as Lee’s understanding of each area grew. He recommended management maintain a tracker of outstanding audit recommendations and suggested quarterly meetings with the Chair.
5.5 Officials agreed that this was a different approach but acknowledged that the new Head of Internal Audit needed these core controls to build on and to provide assurance to the Committee.
5.6 Audit Wales provided their assurance by confirming that it was a balanced strategy with key financial areas covered but would need to be reviewed regularly.
5.7 The Committee welcomed this discussion and a chance to raise their concerns about the breadth of the strategy document. They recognised it was an agile programme that would be reviewed to include areas of focus from across all three directorates.
ARAC (24-02) Paper 6 – Internal Audit Charter
6.1 Lee presented the Committee with an internal audit charter, that the Public Sector Internal Audit Standards (PSIAS) require all internal audit activities to implement and retain. The new Global Internal Audit Standards (GIAS) were being reviewed by the UK Public Sector Internal Auditing Standards Advisory Board (IASAB). Any subsequent updates to the PSIAS were expected to take effect from Apil 2025.
6.2 Kate confirmed she was content with the Charter that had been shared at a recent EB meeting.
6.3 The Committee formally approved the Internal Audit Charter.
ARAC (24-02) Paper 7 – Internal Audit Annual Report and Opinion for 2023-24
7.1 Lee reminded the Committee that the Senedd’s internal audit arrangements were resourced through a hybrid model. The previous Head of Governance & Assurance (who performed the role of Head of Internal Audit) left the Senedd in July 2023, as did the Governance Manager (who acted as an internal auditor) in March 2024. Internal arrangements had been subject to External Quality Assessment (EQA) during 2023/24; the EQA concluded that the function generally conformed (the highest level of conformity) with the PSIAS.
7.2 The Committee noted Lee’s Annual Report and Opinion and commented that the moderate opinion provided a good level of assurance.
ARAC (24-01) Paper 8 – Annual Report Fraud
8.1 Kate presented this report, noting that during 2023-24, there had been no cases brought to her attention of actual or suspected fraudulent activity regarding cash, allowances and expenses or theft of assets.
8.2 Training was a key area of focus for Kate in the coming months. The Finance team and Members’ Business Support (who administered the Members’ expenses) were all offered regular anti-fraud training and best practice material was widely shared.
8.3 The Committee requested that Members of the Senedd and support staff be offered these opportunities and Kate agreed in principle to consider if the webinars were appropriate to share with them.
8.4 The Committee noted and thanked Kate for her Annual Report on Fraud.
ARAC (24-02) Paper 9 - Whistleblowing and Fraud 2024 - updates
ARAC (24-02) Paper 9 – Annex A - Whistleblowing policy
ARAC (24-02) Paper 9 – Annex B - Fraud Corruption and Bribery Policy – 2024
ARAC (24-02) Paper 9 - Annex C - Fraud Response Plan – 2024
9.1 Kate presented the annual update on the Commission’s Whistleblowing and Fraud policies. She reported that there had been no internal disclosures received under the remit of our Whistleblowing Policy.
9.2 The Department of Business and Trade commenced a review in 2023 of the Whistleblowing framework and legislation Public Interest Disclosure Act 1998 (PIDA) but was yet to report on their findings. Kate agreed to report back to the Committee once this was complete.
9.3 The Committee noted and thanked Kate for her updates.
ARAC (24-02) Paper 10 – AW Detailed Audit Plan-2023-24
10.1 The Chair welcomed Anthony Veale to the meeting. The estimated total audit fee of £71,627 based on the uplifting of last year’s actual fee which was £1,690 under the initial estimate. He assured the Committee that his team were in a better position this year, with more upfront work and planning having already begun and discussions underway for the pension audit.
10.2 Audit Wales noted that materiality was currently set based on 2022-23 accounts, but that this would be reviewed and updated when 2023-24 accounts were available.
10.3 Audit Wales and the Commission’s finance team were on target to commence the audit on Tuesday 7 May.
ARAC (24-02) Paper 11 - IA-EA Joint Working Protocol
11.1 The protocol set out the general principles and working arrangements between Audit Wales (external auditors) and Validera (internal auditors). It established the respective roles, responsibilities and sharing of information and documentation.
11.2 Both parties worked independently and this protocol set out how both parties co-operate and co-ordinate their work to provide overall assurance to offer the best value for money to the Commission.
11.3 The Committee recognised the importance of external audit on the assurance framework and reminded both internal and external audit that the lines of communication were always open to share ideas and suggestions.
ARAC (24-02) Paper 12 - Draft Annual Report 2023-24 - cover paper
ARAC (24-02) Paper 12 – Annex A – draft Annual Report Narrative
ARAC (24-02) Paper 12 – Annex B – draft Accounts
ARAC (24-02) Paper 12 – Annex C – draft Annual Governance Statement
12.1 The Chair invited Arwyn to introduce this item and for Committee members to comment on the draft narrative included in the Commission’s draft Annual Report and Accounts (ARA) and the draft Governance Statement.
12.2 Arwyn thanked Liz Jardine, who was leading on pulling together and reviewing the articles. The collection of the key performance indicators (KPIs) data was also almost complete. He reminded the Committee that following their suggestion, for the past two years, a suite of webpages had been produced that showcased highlights from the ARA (and the other annual reports), including feature pages for specific highlights to demonstrate how the Senedd had met its strategic goals.
12.3 Over the last year, Arwyn’s team had researched how the report was accessed online. In order to improve accessibility and transparency, it was decided to offer a simplified version of the online report this year.
12.4 The team remained on target to deliver the final, complete, Annual Report and Accounts document for Committee members’ review at the 10 June 2024 meeting. The Accounting Officer was due to sign the Annual Report and Accounts following final approval by the Commission at its next meeting following the ARAC meeting (17 June 2024).
12.5 The Committee agreed to share their comments relating to the draft Governance Statement by Friday 10 May. They also requested a discussion on KPIs to reflect on the Commission’s positive performance in reaching many targets. This would be scheduled for a future meeting. They welcomed Arwyn’s reasons for simplifying the format and would encourage more people to access it.
Action
- Separate agenda item to be included at a future meeting to provide an opportunity to reflect on KPIs.
ARAC (24-02) Paper 13 – G&A update
13.1 The Chair noted that Phil Boshier, had recently been appointed the Interim Head of the Commission’s Governance service. Phil had offered his apologies for the meeting but had provided a comprehensive and encouraging email briefing. He thanked Phil for his email and looked forward to working with him in the future.
13.2 A productive challenge session was held on 7 March to provide independent challenge and scrutiny of the Director governance statements.
13.3 Officials agreed to add all relevant EB and Commission papers (when appropriate) to the Committee members library of information that was under development.
14.1 The Committee noted four departures from normal procurement procedures and requested that the Head of Procurement review all departures over the past two years to determine if any patterns exist. An item would be added to the forward work programme for this to be presented at the November meeting.
Action
- Procurement to provide a summary report/trend analysis on all the departures from normal procurement procedures over the past two years (to determine any patterns)
ARAC (24-02) Paper 14 – Finance update
15.1 The financial target was to deliver an end of year operational out-turn within 1.5% of the approved operational budget and an unqualified audit opinion. The approved operational budget for 2023-24 after supplementary budget adjustment was £40.654 million before non-cash budgets. The forecast out-turn position for the year end is £90,000 underspend (equating to 0.22%) of the approved operational budget.
15.2 To minimise the pressure in 2024-25, a number of projects were delivered in 2023-24 to the value of £286,000.
15.3 The Committee congratulated the Finance team on the payment performance data and noted the losses and special payments. They also congratulated to whole team on running a very tight budget process considering the financial pressures predicted in 2024-25.
ARAC (24-02) Paper 15 – Corporate Risk
ARAC (24-02) Paper 15 – Annex A - Summary Corporate Risk Register
ARAC (24-02) Paper 15 - Annex B – Corporate Risks plotted ARAC
16.1 A discussion focused predominately on the following risks:
- Corporate Capacity and Capability – Ed updated the Committee on the activity related to this risk with the hope of reducing the likelihood rating. Future budget constraints would inevitably have an effect on resources.
- Cyber Attack – Arwyn’s team were encouraging all My View users to sign up to the multi-factor authentication to protect attacks on all users’ data. The Committee welcomed this technology and encouraged all users to use Multi-factor authentication where available.
- HR/Payroll system – a fundamental review of this risk would be undertaken, now that the project was live and would be re-framed in the coming weeks. Ed, as project SRO, would be involved in this.
- Members’ regulatory framework: changes and comprehension – the Elections and Elected Bodies (Wales) Bill proposed significant changes to the election process and amendments relating to this bill were being monitored. The Committee would be kept up to date on the progress of this proposed legislation.
ARAC (24-02) Paper 16 – SIRO Annual Report
17.1 Matthew Richards presented his first SIRO annual report. He had recently taken over from Ed in the role. His report focused on achievements during the year, including the completion of a processing agreement between the Commission and Members of the Senedd.
17.2 Matthew’s focus for the coming year was attempting to remove the use of WhatsApp for Senedd business whilst encouraging Members to use Teams and training Members on Teams was a key priority. The Artificial Intelligence (AI) groups were well established and licences for Co-pilot for 365 had been recently approved. A small number of users would be identified to test functionality.
17.3 The Committee thanked Matthew for his comprehensive report and asked for a wider discussion around the use of AI at a future meeting.
Action
- Agenda item on the Committee’s consideration of the Commission’s use of Artificial Intelligence (AI) at the July meeting to include discussion around the use of Co-Pilot
Oral item
18.1 The Chair requested that Committee members consider this out of committee and share any comments with the Clerking team.
ARAC (24-02) Paper 18 – updated ToR April 2024
19.1 The Chair requested that Committee members consider this out of committee and share any comments with the Clerking team.
ARAC (24-02) Paper 19 – Forward Work Programme
20.1 The Chair requested that Committee members consider this out of committee and share any comments with the Clerking team.
Oral item
21.1 The Chair welcomed Eve Jennings to the meeting. Her update on the HR Payroll system project included the following:
- A project initiation meeting with the new supplier, Midland, had been very positive. Midland were seen as key leaders in the field and had already supplied several other public bodies in the UK with a HR/Payroll system, including the House of Commons and Scottish Parliament.
- The stages of the project plan were discussed in detail, including meetings with key stakeholders that were already underway.
- The plan highlighted resource constraints and the intense effort needed from across the organisation to stick to the go live date of December 2024.
- Eve shared concerns with the Committee around the MyCSP pension configuration, with the added complication of working with another organisation and the delays that may occur in terms of testing.
- In terms of the security of the personal data being migrated from the current system to a new environment, Eve and Arwyn confirmed that the ICT Security team had met with Midland to discuss the detail of this transfer. Non-functional questions were included in the procurement process, which Midland answered all correctly. Both Jamie Hancock and Tim Bernat had since met with Midland and questioned their processes rigorously. Both were content with Midland’s approach to the handling of this sensitive personal data.
- The contract award for the pension administration workstream was due imminently. Eve was hoping that this could be incorporated into the current project plan. A workaround was manageable for a period of time, if the system could not be implemented at the same time. Kate was comfortable with this, as she was confident of the quality and accuracy of the data.
- The procurement process highlighted to the team that the employee interface was already available bilingually, but not the manager portal, so this needed to be translated. The team were in discussion with a third party provider to produce a Welsh language version. Once this had been tested, the system could be rolled out to Members and their staff.
- Leanne and Eve had also met with the Scottish Parliament and House of Commons who were currently implementing i-Trent. Fortunately for the Commission, both organisations were at different stages of implementation so those discussion had been very useful in terms of sharing lessons learnt.
21.2 The Committee welcomed this comprehensive update and wished Eve the best of luck. They looked forward to future updates on the progress of this project.
Action
- Committee to be kept informed of project progress.
Oral Update
22.1 The Chair confirmed that this item would be considered at a future meeting.
Oral Update
23.1 Ed led a discussion on the Ways of Working programme, this included Bay 32, Tŷ Hywel 26 and Senedd 26. He described the intense activity around all three projects, in particular working with Avison Young in the development of an outline business case. Responses had been received to the PIN issued in March, which was encouraging. The Welsh Government was yet to determine its use of Tŷ Hywel but an in-principle decision was due this month. User group sessions were under way and outline decisions on the Tŷ Hywel 26 project were expected to be taken by the Commission in July.
23.2 For the Bay 32 Project, the Commission would be adopting the Competitive Dialogue Process for procurement. This process required a detailed specification of requirements, and the team were in discussion with CBRE about how to produce the information, alongside the development of the outline business case, for which Avison Young were assisting.
23.3 The Siambr 26 project was at the outline design stage. The key outstanding issue was ICT provision in the new Siambr and also for the decant to Tŷ Hywel, scheduled for Easter 2025.
23.4 Reporting arrangements to EB and the Commission were well established and further information would be shared with the Committee in due course.
23.5 The Committee thanked Ed for this update.
25.1 No other business was raised.
Lee Glover, Head of Internal Audit attended a private session with members of the Committee once formal proceedings had concluded. No other Commission officials were present, and no minutes were taken.
Next meeting is scheduled for 10 June 2024.