Concise Minutes - Assembly Commission Audit and Risk Assurance Committee

Meeting Venue:

Conference Room 4B - Tŷ Hywel

Meeting date: Monday, 11 February 2019

Meeting time: 10:30-13:00





Committee Members:

Eric Gregory (Chair)

Ann Beynon

Robert (Bob) Evans

Hugh Widdis

Suzy Davies AM

Wales Audit Office:

Ann-Marie Harkin, Wales Audit Office (WAO)

Commission Staff:

Manon Antoniazzi, Chief Executive and Clerk, and Accounting Officer 

Dave Tosh, Director of Resources 

Nia Morgan, Director of Finance 

Gareth Watts, Head of Governance and Assurance 

Clive Fitzgerald, TIAA

Kathryn Hughes, Committee Clerk and Risk Manager

Siwan Davies, Director of Assembly Business  

Craig Stephenson, Director of Engagement (Item 9)

Sulafa Thomas, Head of Commission and Members Support (Item 10)

Yvonne (Eve) Jennings, Senior ICT Project Manager (Item 10)

Dean Beard, Members' Business Support Manager (Item 10)

1       Introductions, apologies and declarations of interest

1.1     Apologies were received from Gareth Lucey (WAO) and Buddug Saer, Committee Deputy Clerk.

1.2     The Chair welcomed Clive Fitzgerald from TIAA and Siwan Davies, recently appointed Director of Assembly Business, to the meeting.

1.3     The Chair declared that he was a member of the NHS Wales Digital Architecture Review Advisory Group.


2       Minutes of 26 November, actions and matters arising

ACARAC (01-19) Paper 1 - Minutes of 26 November 2018

ACARAC (01-19) Paper 2 – Summary of actions  

2.1     Subject to one minor point of clarification in relation to the Welsh Consolidated Fund, the minutes of the meeting of 26 November were agreed.

2.2     Action 2.2 (Welsh Consolidated Fund): Gareth had been in contact with his counterpart at the Welsh Government who was yet to confirm a date to meet. Gareth would provide an update ahead of the next meeting. The Chair encouraged Gareth to pursue this.

2.3     Action 5.1 (Events Review): Gareth noted that good progress was being made against the action plan for communication and benefits realisation and agreed to circulate further details to members for discussion at the next meeting.


      (2.2) Gareth Watts to provide an update on discussions with the Welsh Government around the Welsh Consolidated Fund.

      (2.3) Gareth Watts to circulate further details of progress against the Events Review action plan. 

3       Internal Audit Update Report

ACARAC (01-19) Paper 3 – update report

3.1     Gareth and Dave Tosh had met with the WAO to ensure accurate reflection of the Assembly’s work in their forthcoming report on the Welsh public sector’s preparedness for Brexit. Dave briefly described the work in terms of legislation and scenario planning. The Committee asked for an update following a further planning session due to be held later that week.

3.2     Gareth had met with the Head of Procurement to discuss timings of the audit into the Commission’s procurement approach in terms of opportunities for Welsh suppliers to win contracts. It was agreed to delay the audit until the Autumn of 2019 when there would be more evidence on which to evaluate the effectiveness of the approach. In the meantime, a paper was due to be presented to the Commission outlining the approach to engaging Welsh suppliers. Given the potential political and reputational risks, and recent scrutiny of the Welsh Government’s procurement procedures, Gareth agreed to consider and discuss the timings further.

3.3     There were no concerns around implementation of outstanding recommendations and an update would be provided at the next meeting.

3.4     Gareth would be discussing the timing of the audit into integrated committee support with Siwan Davies.


      (3.1) Siwan Davies to share the update report on follow-up Brexit meetings with the Committee.

      (3.2) Gareth to consider and further discuss the timing of the procurement audit.

      (3.3) Gareth to present a report on implementation of recommendations to the March meeting.

4       TIAA internal audit partner and latest Internal Audit reports

Oral item - TIAA internal audit partner

4.1     The Committee welcomed Clive Fitzgerald from TIAA, the Commission’s co-sourced internal audit partner, to the meeting. For the benefit of the new Committee members, Clive provided some background to the company, which was the largest independent provider of internal audit, business assurance and counter-fraud in the country, covering a wide range of public sector organisations. Gareth described how the co-sourced arrangement works in practice, bringing in specific expertise and knowledge and protecting the independence of the internal audit function. 

ACARAC (01-19) Paper 4 - Scheme of Delegation

4.2     The Committee commented that the substantial assurance was a positive reflection on the work of the Finance Team’s engagement with budget holders and the maturity of the scheme of delegation. In response to questions around the levels of delegation, Nia Morgan described the increased sense of ownership and interest in budget management, partly as a result of allowing budget holders to set appropriate delegations in their areas.

ACARAC (01-19) Paper 5 - GDPR Compliance Follow Up

4.3     The Committee welcomed this follow-up review of assurances around GDPR compliance. Dave advised that a revised Data Protection Policy had been approved by Executive Board, and that an electronic staff training package would be ready for delivery in the coming weeks. This had been developed in-house as there was nothing commercially available which was suitable. The Commission agreed to consider how best to evidence receipt of this training.

4.4     The Commission were considering options for appointing a temporary Data Protection Officer to cover for maternity leave.  Team resilience would be increased by training another member of staff.

4.5     The practical issues around data protection agreements for elected members were being discussed further at an inter-parliamentary forum at the end of February and this could inform decisions around the Commission’s approach.

4.6     The Committee discussed testing the security of sensitive personal information held by the Commission and the role and importance of the Information Asset Registers and Registers of Personal Data. It was noted that the move to SharePoint as a document management system would provide further mitigation for information-related risks and that the forthcoming review of cyber-security would help to test the controls. It was agreed that Dave and Bob should consider this further.

4.7     Committee members asked for GDPR compliance to be reviewed at a future meeting.

4.8     The Committee asked for the issue of the data protection agreement with the HR/Payroll system provider to be re-visited, and suggested keeping the ICO informed.

ACARAC (01-19) Paper 6 – Payroll

4.9     The Committee asked for assurance that the recommendations from the previous audit had been implemented effectively. Gareth explained that the focus for this review was around the systems in place whereas the previous review had focused on data analytics for which assurance is provided from the routine and thorough reviews by the WAO when auditing the accounts. The effectiveness of data analytics was also discussed regularly at inter-parliamentary meetings. He also reported that inefficiencies around manual interventions for reconciliation had been eliminated as far as possible. The Committee asked to return to this issue at a future meeting.


      (4.3) Dave to share the electronic data protection staff training package with Independent Advisers. 

      (4.6) Dave and Bob to discuss testing the controls around information security.

      (4.7) Clerking team to add GDPR compliance to the forward work programme.

      (4.8) Dave to provide an update on the data protection agreement with the HR/Payroll system provider at a future meeting.

      (4.9) Nia to provide an update on manual interventions for reconciliations for HR and finance data.



5       Update from WAO

ACARAC (01-19) Paper 7 - WAO update

5.1     Ann-Marie thanked Nia and her team for accommodating the trainee accountant who was grateful for the opportunity.

5.2     The interim audit was due to be started that week and Ann-Marie assured the Committee that issues around internal communications between audit teams would be resolved.


      (5.2) Bob and Ann-Marie to discuss the approach to auditing the Commission’s accounts.



6       Issues Management

ACARAC (01-19) Paper 8 – Issue Management

6.1     In response to questions from the Chair, Dave advised that the Risk Management System would be ready to capture issues by the end of April and that the corporate issue spreadsheet, as presented in the paper, was to be populated in the meantime. He also explained that, although he had confidence in the escalation of issues at a service and project level, this work would introduce consistency and facilitate more timely reporting. The Chair asked for an update at a future meeting.


      (6.1) Issues element of the Risk Management System to be developed by the end of April.

      (6.1) Clerking team to add issue reporting to the forward work programme for a future meeting.



7       Corporate Risks Report

ACARAC (01-19) Paper 9 – Corporate Risk

ACARAC (01-19) Paper 9 – Annex A – Summary Corporate Risk Register

ACARAC (01-19) Paper 9 – Annex B – Summary Corporate Risks plotted

7.1     The Committee noted changes to the Corporate Risk Register following the Executive Board’s review in January. In response to questions from the Chair, the Committee noted the following details.

7.2     The Welsh Government had drafted a business case to address future accommodation needs which was being considered by Ministers. Short-term pressure on space remains a risk as this was not likely to be resolved before 2024. Dave also advised that discussions were ongoing with the new owners of Tŷ Hywel about the lease.

7.3     The risk around safeguarding for the Welsh Youth Parliament (WYP) was reducing as mitigating controls, based on external advice, were now in place. Craig agreed to take account of a comment around inability to make direct contact with the WYP members. Other risks in relation to the WYP which were being considered included those around taking forward actions as a result of its deliberations.

7.4     Turnover rates were partly attributable to recruitment campaigns at the Welsh Government which provided continuity around terms and conditions and pensions for staff. Whilst the turnover figures were not yet a cause for concern it was noted that this had resulted in some loss of skills.

7.5     In terms of Brexit it was noted that demands on legal resources were presenting a challenge both for the Assembly and the Welsh Government.

7.6     Strategies for engagement around the Assembly reform work were a key priority and this was due to be considered by the Commission’s Remuneration, Engagement and Workforce Committee.

7.7     The Committee noted that the number of significant risks was in part due to the inability to substantially influence or control their impact, and that they were being mitigated as much as possible with the resources available.



8       Critical examination of one identified or emerging risk

ACARAC (01-19) Paper 10 – Dignity and Respect risk

8.1        The Chair welcomed Craig Stephenson to the meeting. The Committee noted the progress made as a result of reviewing the dignity and respect arrangements, as presented in the paper.

8.2        Craig advised that a mystery shopper exercise, which was one of the recommendations in a report by the Assembly’s Standards of Conduct Committee (SCC), had been carried out. The results of this exercise were being used to inform further improvements and a formal report on implementing the recommendations made to the Assembly Commission would be presented to the SCC in April. Further reports around complaints procedures and the Code of Conduct for Assembly Members, due to be published in the summer, would also be considered. The Dignity and Respect Survey would also be repeated annually.

8.3        Craig also clarified that hyperlinks to political party procedures would only be included after they had been reviewed by the SCC.

8.4        The Committee asked if there had been any lessons for the Assembly from the collapse of a Scottish Parliament enquiry and how we would measure whether enough was being done collectively to address the issues. Craig described how the SCC was working with other administrations when reviewing complaints procedures. Manon added that dignity and respect had also been discussed in detail at a recent Quadrilateral meeting of Speakers and Clerks from the UK Parliaments. Regular reviews and surveys would be carried out to make sure the results of the reviews were embedded in the culture of the organisation and messages would be reinforced through learning pathways, leadership training and regular dissemination of messages.



9       Members Expense Management System Replacement project

ACARAC (01-19) Paper 11 – Update on Members Expense Management System

9.1        The Chair welcomed Sulafa, Eve and Dean to the meeting and thanked them for the paper outlining progress with the project and the benefits it will realise.

9.2        Eve expressed confidence that the project was on track to go live on 1 April and advised that there had not been any significant variations to the business case since its approval in March 2018. She also advised of improvements in levels of support from the service provider as a result of more focus on quality in the contract retendering process.

9.3        Sulafa provided assurances around transparency and ease of access to information on expenses and Nia provided assurances around security of the systems through user accounts.



10    Review of accounting policies

ACARAC (01-19) Paper 12 – Accounting policies – annual review

10.1    Nia confirmed that no changes to accounting policies had been identified from the latest annual review. The Chair and Committee members thanked Nia for the clear paper and welcomed the due diligence in anticipating changes which would come into effect in future years.



11    Finance Update

ACARAC (01-19) Paper 13 - Finance Update

11.1    In response to questions from the Chair, Suzy confirmed that the Determination budget was aligned with expectations of the Assembly’s Finance Committee and Public Accounts Committee. She also described how the Finance Committee recommendations had been taken on board. Suzy and Nia explained that they agreed in principle with the recommendation for tracking the Welsh Consolidated Fund when setting the Assembly’s budget. However, the Committee noted the challenge here as the figures would not be available in time to set the budgets and that there was a potential reputational risk.

11.2    The Chair congratulated Nia and her team on the value for money and prompt payment performance. When asked, Nia confirmed that there had not been any significant variances against budgets set for programmes and projects.

11.3    Nia also highlighted that the increase in pension contributions may result in a supplementary budget for 2019-20.  The Finance Committee had been advised of this.



12    Departure Summary

ACARAC (01-19) Paper 14 – Departure Summary

12.1    The Committee noted that there had been three departures from normal procurement procedures.




13    Information Breaches - oral item

Oral Update

13.1    There were no information breaches to report. 



14    Forward Work Programme

ACARAC (01-19) Paper 15 – Forward Work Programme

14.1     The Chair asked Committee members to confirm availability for the autumn meeting on 21 October 2019 and to liaise with the clerking team about agenda items for future meetings.  


Next meeting is scheduled for 25 March 2019.




