National Assembly for Wales Commission Audit and Risk Assurance Committee


Meeting Venue:

Conference Room 4B - Ty Hywel




Meeting date:

Monday, 9 June 2014




Meeting time:















Eric Gregory (Chair)

Hugh Widdis

Keith Baldwin



Claire Clancy, Chief Executive and Clerk, and Accounting Officer

Dave Tosh, Interim Director of Assembly Business and ICT

Virginia Hawkins, Committee Clerk

Kathryn Hughes, Risk Manager

Gareth Watts, Head of Internal Audit

Nicola Callow, Director of Finance

Vicky Davies, TIAA

Mark Jones, Wales Audit Office

Richard Harries, Wales Audit Office

Buddug Saer, Deputy Committee Clerk


Item 8 – Anna Daniel, Head of Strategic Transformation





1    Introductions and apologies and declaration of interests

1.1        The Chair welcomed everyone to the meeting.

1.2        No interestswere declared.




2    Minutes of 7 April meeting, actions and matters arising

2.1        The minutes were agreed and officials provided the following updates on the outstanding actions:

·                     Impact of Internal Audit recommendations (action 3.6) – Gareth confirmed that an update of these recommendations and their outcomes were highlighted in his annual report, as in paper 3b which was discussed under item 3.     

·                     Updated strategic priorities (action 3.15) – Kathryn agreed to email Committee members the updated Assembly Commission strategic priorities document.

·                     Governance Statement (action 6.2) – Virginia confirmed that all comments had been incorporated into the Governance Statement which formed part of the draft Annual Report to be considered during this meeting under item 6. 




3    Internal Audit Activity Report

3.1        Gareth Watts provided an update in relation to the 2014-15 programme of work.  2013-14 work was detailed in his annual report.   

3.2        Since April 2014, he explained that he had continued to work with Dave Tosh and Alison Rutherford on the Information Governance review.  In response to a recent staff survey, he was performing a Recruitment Procedures audit and aimed to produce a report before the summer recess.  TIAA were currently scoping the Risk Management Framework audit. 

3.3        He also informed the Committee that he had completed follow up work on the Scheme of Financial Delegation and the National Assembly for Wales shop. He would be reporting to the Assembly Commission on 18 June following a review of their effectiveness. 

3.4        Following a brief discussion on Business Continuity, the Committee urged officials to accelerate this area of work and provide an update by November 2014. 

3.5        Dave Tosh explained that a mock plenary was held over the Easter recess which specifically tested the manual voting procedures.  Service areas have drafted plans, but they were yet to be tested and refined.  Work may also be delayed over the summer recess with many of the service areas taking their annual leave during this period.     

3.6        Gareth Watts introduced his annual report of work during the 2013-14 financial year.  The programme of work was successfully delivered, despite the changes to internal audit in year, which included both a new Head of Internal Audit and a new external contractor. 

3.7        Committee members questioned the definition of the opinion ‘Reasonable’.  Gareth explained that this was a moderate rating and that given the scope of the audits, was the highest achievable score. 

3.8        He confirmed that he intended to carry out more full scope audits this year which, potentially, could give a higher level of assurance.         

3.9        Dave Tosh mentioned the Information Governance area as an example of vast improvement in the last 2-3 years.  From the 12 original recommendations, 4 remain outstanding in 2013-14.  Tighter controls, clear policies and structures were now in place.  He was hopeful that this improved position would be reflected in the update in November. 

3.10     Committee members also questioned how the specific internal audit reviews were selected.  Officials confirmed that by their very nature, internal audit chose areas of weakness in order for improvements to be identified.  Gareth’s work would continue to focus on these areas. 

3.11     The Chair agreed that this was a constructive approach and that the Management Board was taking the recommendations seriously and was acting in a positive way to improve the functions within the organisation. 

3.12     The Annual report on Fraud was finalised mid-May and at the time of writing provided a fair reflection of the position. 

3.13     Lots of positive work had taken place since this area was audited in November 2011, especially access to policies and training by the Head of Procurement and from the Chartered Institute of Purchasing and Supply. 

3.14     Gareth was considering Fraud Response plans across the public sector and would be working with Nicola to update the Assembly’s approach.  Both agreed that a revised plan needed to be in place by September 2014.

3.15     The Committee were aware of stringent procurement checks on new suppliers and questioned if any of these checks could be applied to existing suppliers to further improve Financial Services processes.  Nicola would discuss this with Jan Koziel, Head of Procurement.


-               Dave Tosh to aim to accelerate the Business Continuity work and provide an update to the Committee at the November meeting.

-               Gareth and Nicola to produce a revised Fraud Response Plan by September 2014.

-               Nicola to discuss processes with Procurement to explore which of the financial checks they perform on new contracts could be used by Finance for existing suppliers.




4    Latest Internal Audit Reports

4.1        Vicky Davies introduced this item which was a report on the migration of payroll data following the HR and Payroll project.  This was a limited scope review, with a sample of 30 staff records checked.

4.2        TIAA assessed the controls surrounding Payroll – Data Migration as ’Reasonable’.  The assessment related only to Payroll Data Migration and excluded the wider new Payroll and HR system project.  9 recommendations were made and accepted. 

4.3        Dave Tosh, as a member of the HR Payroll project board, mentioned some issues regarding the Commission’s relationship with the supplier and that the additional resource seconded from Monmouthshire County Council was working well in resolving outstanding issues.  Actions and resources were being re-planned and the Investment Board would be reviewing the revised plans.

4.4        The Chair asked for a follow up report to be provided in the autumn outlining the project’s progress.   


-               Mike Snook (SRO, HR Payroll project) to provide an update for the Committee at the November meeting. 




5    External Audit updates

5.1        The Wales Audit Office (WAO) apologised for the delay in sending the audit fee letter which was due to the implementation of the Public Audit Wales Act 2013.  The 2013-14 increase of 3.8% was subject to a consolidated fund subsidy, which will not apply to the 2014-15 fee.  The WAO agreed to provide the Committee with more information in terms of the make-up of the fee and the internal changes to the WAO following the legislation. 

5.2        Officials confirmed that they would work closely with TIAA and the WAO to ensure that the best approach was taken to the programme of audit work in order to contain costs in the future.  

5.3        The WAO also confirmed that they were liaising with colleagues in the NAO, Scotland and Northern Ireland to discuss appropriate levels of audit for parliamentary bodies in the future.

5.4        The Chair agreed that with the working protocols already in place, there was evidence of a strong working relationship and this should help ensure that costs would be contained.

5.5        The Effectiveness Survey results were also discussed.  Mark Jones, WAO took the Committee through the results, which overall were positive.

5.6        The Chair agreed that this was a very encouraging survey but that there were opportunities for improvement. 

5.7        The Committee agreed that they would review the accounting policies. They also asked for a summary of the whistleblowing policy to be brought to the next meeting.

5.8        To increase their awareness of performance and issues discussed within the organisation, Committee members requested that the Key Performance Indicator (KPI) reports and Assembly Commission (AC) minutes be sent to members on a regular basis.    

5.9        They also agreed that if there were no corporate risks of a severity that merited close scrutiny, then they should consider a key performance indicator instead.  However, the Committee should always be sighted on the overall risk landscape.   

5.10     The Chair asked Committee members to think about what further actions were needed to respond to the survey results and which of these should be reflected in the Committee’s Forward Work Programme.


-               Nicola Callow to confirm with the clerking team when and what accounting policies should be added to the FWP.

-               Gareth Watts agreed to present the whistleblowing mechanism at the meeting in November. 

-               Kathryn Hughes to ensure that KPI reports and AC minutes are circulated to members on a regular basis.

-               If no corporate risks are scheduled to be discussed, the clerking team will agree with the Chair on a corporate performance measure to discuss instead.

-               Committee members to propose actions to respond to the Effectiveness Survey.   

-               The Chair and Chief Executive to discuss privately the management of communication with the Assembly Commission.




6    Annual Report and Accounts

6.0        Nicola Callow introduced this item and welcomed comments on the annual report via email.  The WAO were currently on site reviewing the accounts, and a revised set would be considered for approval in July.

6.1        Committee members recommended the following amendments:

·         give more prominence to the underspend of £34,000 in 2013-14  as it is a very positive achievement;

·         highlight achievements measured against KPIs;

·         move the main areas of Legislation and Constitutional change to the front of the annual report and highlight more compelling achievements;

·         include a summary of Change Programme projects; and

·         include a case study of tweets and responses.        


-               Committee members to submit changes to the annual report to Nicola as soon as possible.

-               Nicola to ensure that Committee members are kept informed of the accounts.

-               Nicola to confirm that ACARAC members’ expenses do not need to be broken down and displayed separately in the accounts. 




7    Corporate Risk Summary Report

7.1        Kathryn Hughes presented the item to the Committee and confirmed that the corporate risks had been considered in light of the new Commission strategic priorities.  She highlighted that the social media risk was due to be discussed at the Management Board on the 23 June, with the potential of raising it to a corporate risk and that Lowri Williams, Head of HR was presenting proposals on capacity planning to the Investment Board on 16 June.

7.2        Following the discussion on fraud, Committee members questioned why fraud was not on the risk register.  Kathryn confirmed that is was being managed at a service level.  The Commission’s assurance mapping would also capture these types of static risk when it had been fully developed.

7.3        Committee members agreed that at future meetings, current issues should also be discussed and they welcomed the work being done on assurance mapping which would be presented in the autumn.  Recognising the importance of this work, the Chair encouraged its early completion.      




8    Critical examination of one identified risk

8.1        The Committee was asked to consider the risks around reaction to the decisions of the Remuneration Board, the controls in place, and what more could be done to further mitigate the risk.

8.2        Anna Daniel introduced the paper and told the Committee that she expected the risk rating to increase in the short term as the Board looked at issues such as pensions and the employment of family members.

8.3        The Committee commented on the importance of communication and the significance of stakeholder management.  They also felt that it was essential for each party to understand each other’s remit.  Hugh Widdis suggested contacting other legislatures to see how they dealt with similar risks.




9    Assembly's approach to project and programme management

9.1        Dave Tosh provided the Committee with an overview of the Commission’s approach to project and programme management.  The level of change across the organisation was such that a programme approach was essential.

9.2        Some Committee members questioned the domination of ICT projects and Dave confirmed that the change programme would be facilitated by ICT projects and once the IT changes were in place, the programme would become more business led.  Constitutional change would also have to be captured within the programme.    

9.3        The Chair concluded that Dave and his team were moving in a positive direction and offered a number of contacts who were currently working on a similar process.




10        Papers to note

10.1   The Committee noted the four departures from normal procurement procedure.

10.2     The Forward Work Programme (FWP) would be discussed outside the meeting.


-        Committee members agreed to pass any suggested FWP items to the clerking team.

11.0     Private session

11.1   A private session with Committee members was attended by Gareth Watts, Head of Internal Audit, and Vicky Davies of TIAA.  No minutes were taken for this part of the meeting.


Next meeting is scheduled for 11:00 7th July 2014.