Agenda and minutes

1.1         The Chair welcomed everyone to the extended meeting. There were no apologies.

1.2         As this was Suzy Davies’ last meeting the Chair expressed, on behalf of the whole Committee, heartfelt thanks for her contribution, insight and constructive challenge during her term as a member of the Committee. He would welcome hearing her thoughts on her membership later in the meeting.  

ARAC (02-21) Paper 1 – Draft Minutes of 12 February 2021

ARAC (02-21) Paper 2 – Summary of actions

2.1         The minutes of the 12 February meeting were agreed. The Committee noted the following in response to points raised by Suzy: 

-      (paragraph 4.3) – to supplement the recent audit on ICT asset management, Gareth Watts would be producing an update report after the Election on the return of ICT assets and furniture by departing Members. The Committee agreed that, where possible, this should include discussions with departing Members as well as the Members’ Business Support team.

-      (paragraph 5.3) - the Committee welcomed that, once elected, the new Members would receive cyber security awareness training as part of the induction process. 

2.2         Updates to the actions summary were noted. In reference to action point 6.2 - Ann Beynon had discussed the Commission’s involvement with the Equality and Human Rights Commission with Lowri Williams, Head of HR and Inclusion and potential actions emerging would be discussed further with officials. 

Oral update

3.1         Dave Tosh provided the Committee with some monitoring data that had been routinely collected since March 2020. This showed that the Senedd Commission had not been impacted by high numbers of confirmed cases of Covid-19, largely due to moving to virtual/hybrid working.   

3.2         Attendance on the estate remained low and plans were being revisited for a limited and managed return. The wellbeing of staff remained a concern and it was evident that the strain from lack of face to face contact and group activity was beginning to tell on some. 

3.3         The Covid Resilience and Monitoring Group (CRAM), chaired by Dave, had continued to monitor changes to regulations as issued by Welsh Government. The group also continued to review a range of risk assessments including for those returning to the estate to prepare for and deliver post-Election activity such as oath-taking, collection of IT kit and a hybrid plenary session for electing the Presiding Officer and First Minister.

3.4         Dave also advised that, following discussions with South Wales Police and Cardiff Council, the decision had reluctantly been made to retain the fences erected around the Senedd as a deterrent for anti-social behaviour until after the early May bank holiday.

3.5         In response to questions from the Committee around recording of vaccination data, Dave advised that, based on legal advice, there was no good business purpose under data protection legislation to capture this information. 

3.6         Dave also responded to questions around the Commission’s approach to longer term planning for a return to normal post-Covid and estimated occupancy levels. Pilot schemes were underway to re-configure some work spaces which included equipment in meeting rooms to accommodate hybrid working. These would be evaluated and rolled out in due course, taking account of requirements of individual teams and their roles. 

3.7         Gareth provided further assurance that due diligence was being carried out by CRAM to ensure effective governance and assessment of risks associated with returning to the estate. He had shared the terms of reference for the group with his counterparts in other legislatures who were experiencing similar issues.

3.8         The Committee welcomed this comprehensive update, especially the detail of the planning involved to ensure the continued safety and wellbeing of those who were working on the estate. The Chair wished to record his recognition of the successful governance arrangements that had been put in place by the Commission throughout the pandemic.   

Oral item

4.1         Suzy welcomed the opportunity to share her thoughts with the Committee and thanked its members and officials for being so welcoming and supportive. A summary of her reflections is outlined below.

4.2         The exceptionally high standards of work across the organisation sometimes made it challenging to suggest improvements. However, Suzy noted that there was an ethos of continuous improvement and that the scrutiny and challenge from the Committee worked well. There had also been major changes to senior management in the last few years which had generated welcome new ideas.

4.3         As well as business as usual activity, Suzy noted that the Commission’s response to the amount of work resulting from Brexit had been astounding, particularly by the Legal Service and its support for the Senedd Committees.

4.4         Suzy also congratulated Commission staff on their responsiveness and business continuity arrangements during the pandemic which had been staggering. She urged senior management to remain cautious with plans for remote and hybrid working arrangements, as more people might want to be present in the office than anticipated.  She also noted the development of changes around engagement activity, such as the virtual tours of the Senedd, which had worked very well and should continue to be offered in the future

4.5         Suzy thanked Nia Morgan for her help, particularly in helping to prepare for appearances before the Finance and Public Accounts Committees, and her ability to explain financial terminology. Praise was also extended to Nia and her team for their management of the budgets, greater transparency in reporting and clean audits of the accounts. She expected there to be a continued focus on scrutiny around value for money and prioritisation of resources in the sixth Senedd.

4.6         Suzy suggested that public sector spend in general would be monitored and scrutinised more than ever during the sixth Senedd as a result of the pandemic. She also noted that risks would need to be considered around the expectations of Members, the Llywydd and the public on priorities for spending.

4.7         Going forward, Suzy noted the importance of clearly defining the role of Commissioners in terms of managing the relationship between the Commission and Members of the Senedd, particularly where decisions on working practices and spending priorities could cause tension. In response to questions around communication between Commissioners, Members and officials, Suzy suggested ways this could be improved, including consideration of more face to face contact and opportunities for Members and party groups to engage more directly with appropriate officials to share feedback.  

4.8         The Chair thanked Suzy for her honest analysis and Committee members wished her all the best for the future. Suzy agreed to share a more comprehensive note with the Chair, which could be used to inform future discussions with relevant officials.  

Actions

·         Suzy to share her reflections on membership of the Committee in writing with the Chair.

·         Chair to discuss any action points from Suzy’s reflections with relevant officials.

ARAC (02-21) Paper 3 – G&A update report 

5.1         Gareth presented his update report on governance and audit work, highlighting priority work with further updates to follow in due course.

5.2         Despite the disruption caused by the Covid-19 pandemic, Gareth was pleased that the reports on the Commission’s ICT asset management and cyber security had been completed and were included in the papers for this meeting.

5.3         The fieldwork for the audit of Members’ expenses had also been completed and a draft report shared with the Members’ Business Support team. Gareth highlighted that this was the first year the audit had been completed remotely and with electronic records and, given its success, would be repeated for future audits. In response to a suggestion from Suzy, Gareth agreed to consider ways to seek input from Members for future expense’s audits, to help aid their understanding of the process.

ARAC (02-21) Paper 4 – IA Charter cover paper

ARAC (02-21) Paper 4 – Annex A - IA Charter 2021

6.1         Gareth presented his paper, highlighting that the Senedd Commission’s Internal Audit service generally conforms with Public Sector Internal Audit Standards (PSIAS). In line with PSIAS requirements, the Committee was asked to formally approve the Commission’s Internal Audit Charter. Gareth confirmed that his annual review of the Charter had not resulted in any substantive changes. 

6.2         Responding to questions around the detection of fraud and appropriate training, Gareth and Nia explained their collaborative approach to providing assurances to Manon, as the Accounting Officer on the controls in place. The Committee were reminded of the training and ongoing awareness activities for appropriate officials, including members of the Finance team and the finance co-ordinators in each service area. Mark Neilson added that general cyber security awareness training for staff, which covered fraud detection, was also delivered throughout the year. Audit Wales also reminded the Committee of its own good practice guidance on fraud and outlined a recent case study where fraudsters were hijacking supplier emails. Gareth offered to share the various fraud guidance documents with Committee members.

6.3         The Chair indicated that a shared responsibility approach was common practice in public sector bodies but urged a continued focus on this going forward.

6.4         The Committee thanked Gareth for the update and approved the Internal Audit Charter for 2021.

ARAC (02-21) Paper 5 – Internal Audit Annual Report and Opinion for 2020-21

7.1         Gareth introduced his paper which provided an overview of the work undertaken by the Internal Audit service for the year ended 31 March 2021. The Committee noted that some planned audits had  been delayed due to Covid-19 but welcomed the additional real-time assurance work undertaken. This had included reports to reflect on the Commission’s response to the Covid-19 pandemic and a review of the Commission’s risk and issue management during the pandemic.

7.2         The Committee welcomed the Commission’s continued positive attitude to the implementation of audit recommendations which reflected well on organisational culture.

7.3         The Chair thanked Gareth for his update, noting recognition for the volume of work covered and assurances provided on the controls in place.

7.4         Responding to questions around the overall moderate assurance rating in his Annual Report, Gareth judged this to be a fair assessment in light of the audits conducted, some of which were rated as substantial assurance but with others being delayed due to the challenging circumstances.

ARAC (02-21) Paper 6 – Annual Report Fraud

8.1         Gareth introduced his Annual Report on Fraud to the Committee. The provision of assurances and details of training and awareness around fraud had been covered under agenda item 5.

8.2         The Committee noted the recent case whereby internal controls and monitoring of Members’ spend had detected the theft of Commission assets which resulted in investigation by the appropriate authorities. Arwyn described how controls around the stationery ordering process for Members’ offices had been further tightened to prevent this from occurring in the future. He added that the enhanced controls provided greater oversight by the Remuneration Board and greater transparency.

8.3         The Chair thanked Gareth for the update and the Committee noted the report.

ARAC (02-21) Paper 7 – ICT Asset Management

ARAC (02-21) Paper 8 – Cyber Security

9.1         Gareth introduced the ICT Asset Management internal audit report. The main focus of the review had been on the management of portable media devices which had been identified by ICT as an area of potential risk, particularly given the new ways of working. A rating of substantial assurance was given with two recommendations accepted by the ICT team. Gareth outlined further work to enhance the use of management information and reviewing process with new Members and their staff which would take place during the year.

9.2         In response to questions around the safe and sustainable disposal of assets, Gareth advised that he had sought and received assurances from the Commission’s Sustainability Manager, and the Estates and Facilities Management and ICT teams on the effectiveness of arrangements with a local third-party supplier.

9.3         Gareth introduced the Cyber Security audit report produced by TIAA. He explained that an audit of this high risk area was undertaken annually, the scope of which was based on discussions about areas of focus with the Head of ICT. The focus for this year was around back up and recovery arrangements which included comparisons with best practice guidance provided by the National Cyber Security Centre (NCSC).

9.4         The review concluded that the Commission had made considerable progress in implementing a new backup process which provided significant improvements over the previous solution. The overall rating of moderate assurance was given with six recommendations accepted by management. The Committee welcomed the thoroughness of the report.

9.5         In response to questions from Committee members, Mark Neilson confirmed assurances around the security of the network, the tight security around off-site servers, and arrangements for business continuity and disaster recovery and back ups, including for legacy back-up tapes. This included assurance for the management of risks around malware and for resolving issues outside normal working hours. He also noted added resilience through membership of a wider public sector arrangement and agreed to invite a representative to attend a future meeting.

9.6         The Committee thanked Mark for the additional assurances and noted that, whilst assurance levels were not as high as anticipated they were pleased with the management responses. They appreciated that ICT infrastructure was under constant threat and were thankful for all the efforts by Mark and his team to manage cyber security risks. The Committee would welcome future updates on the implementation of the back-up solution.    

ARAC (02-21) Paper 9 - Audit Wales update

10.1      The Chair welcomed Audit Wales to the meeting and extended his congratulations to Ann-Marie on her recent promotion to Executive Director of Audit Services within Audit Wales.

10.2      Ann-Marie informed the Committee that, due to the significantly higher proportion of work in the health sector, Steve Wyndham would need to temporarily return to work on their accounts. To ensure a level of continuity, responsibility for auditing the Commission’s accounts would be handed back to his predecessor Gareth Lucey.  Audit Wales apologised for this change in personnel, especially mid-way through an audit, but appreciated the Commission’s understanding in the matter.

10.3      Steve presented the paper which provided an update on current and planned financial audit work. He confirmed that the audit fee remained unchanged from the previous year but noted this was an estimate until the work was complete. There was nothing of note in the audit work undertaken so far and there had been good co-operation by Nia, the Finance team and Gareth Watts. He confirmed they were on track to commence the audit of the accounts on 10 May,

10.4      The Committee welcomed the inclusion in the paper of information about the Auditor General’s wider work programme, including the Good Practice Exchange (GPX).

ARAC (02-21) Paper 10 - Draft Annual Report and Accounts 2020-21 - cover paper

ARAC (02-21) Paper 10 – Annex A – draft Annual Report Narrative

ARAC (02-21) Paper 10 – Annex B – draft Statement of Accounts

ARAC (02-21) Paper 10 – Annex C – draft Annual Governance Statement

11.1      Arwyn Jones outlined the annual report narrative section which, as in the previous year, included a table to highlight a summary of activity and analysis of performance during the year in a concise way. Inevitably, there was a focus on how the organisation had reacted in an agile and positive way to the pandemic. The focus going forward was on embedding new ways of working into business as usual. 

11.2      In relation to the Statement of Accounts, Nia highlighted that this was presented for information on the format only at this early stage. She added that targets outlined in the 2020-21 Audit Plan had been met and that the final accounts would be ready to present formally to the Committee at the meeting on 18 June 2021.

11.3      The Committee commended the Commission on its remarkable performance during a remarkable year. Committee members commented on the length of the narrative section and its readability but acknowledged that best practice guidance had been diligently followed on its content. They also suggested consideration of an executive summary to focus on key messages and the inclusion of details on potential capital spend on the estate. They also commented that the report should be a key briefing document for the new Commissioners once appointed.

11.4      Arwyn thanked the Committee members for their constructive feedback. In terms of readability he outlined plans to making the report more interactive in future years, with better use of graphics.  In terms of the content and length of the report, Manon added that positive feedback had been received on previous reports from the Senedd’s Public Accounts and Finance Committees.

11.5      Officials agreed to consider the specific comments raised at the meeting and Committee members agreed to send detailed comments to the Clerking team by 7 May.

Action: ARAC members to send detailed comments on the draft Annual Report and Accounts to the Clerking team by 7 May.

ARAC (02-21) Paper 11 – Finance Update

12.1      Nia Morgan set out the latest financial position for 2020-21 and the anticipated financial position for 2021-22 and 2022-23. It was anticipated that the out-turn for the operational budget at year end would be 0.4% which was well within the target of between 0% and 1.5%.   

12.2      In response to questions from the Committee around the accrual of leave, Nia confirmed that the extended Christmas shut-down had reduced the annual leave provision figure required and the figure reflected in the accounts would be an accounting adjustment only.

ARAC (02-21) Paper 12 – Corporate Risk

ARAC (02-21) Paper 12 – Annex A – Summary Corporate Risk Register

ARAC (02-21) Paper 12 – Annex B – Corporate Risks plotted

13.1       Dave presented this item noting that the Corporate Risk Register had been reviewed by the Executive Board on 21 April and outlining the changes agreed. Officials responded as below to questions from the Committee members on specific risks.

13.2      Dave was satisfied with the information captured for the description of the data protection risk and its severity, noting that the Executive Board received fuller reports on which to base its reviews. He outlined the challenges around additional workloads in this area partly due to changes in engagement activity and events brought about by the pandemic and also preparing for an election and induction for new Members. This included supporting teams across the Commission to carry out impact assessments and privacy notices and also maintaining awareness of data protection issues.

13.3      In relation to the risks around compliance with the Senedd’s Official Languages Scheme (OLS), Arwyn explained that effective communication of the issues with Members, their staff and party groups and the mitigation in place would reduce the impact of a breach. Members appreciated the limits of existing platforms and the continuing efforts by the Commission to find a technical solution to allow simultaneous translation for all meetings. Arwyn reminded the Committee that this was only an issue for private meetings and that simultaneous translation was still available for all public, formal Senedd business. He added that workarounds reduced the likelihood of a breach and that ICT colleagues were continuing to work with the Welsh Government and Microsoft to push for a solution. He also re-iterated the commendation by the Welsh Language Commissioner on the approach.

13.4      Siwan explained that a fresh assessment would be carried out of the risks around the UK’s exit from the EU and associated constitutional change. She added that the uncertainty was at a political level and there were no concerns over the Commission’s ability to serve Members of the Senedd and its Committees. 

13.5      Dave explained that risks around corporate capacity would be reviewed in light of emerging Commission priorities and budget constraints and the next capacity review. 

13.6      In relation to the risks around dignity and respect, the Committee noted that a new Code of Conduct for Members had been approved and welcomed the addition of the ‘respect’ principle. Siwan advised that this would form an important part of the induction sessions for Members, which would include meeting the Standards Commissioner, and that a review of the complaints procedure was planned.   

Action: Clerking team to share a published copy of the new Members’ Code of Conduct with Committee members 

Oral update

14.1      The Committee welcomed this opportunity to discuss the risk management process. In response to comments from Committee members around reporting on integrated management of risks, Dave explained that discussions at service, directorate and Executive Board level considered the interconnections and overall risk profile but recognised this might not be apparent in the reports presented to the Committee. Kathryn Hughes agreed to consider this further.

14.2       The Chair was content that the register was dynamic, demonstrated by movement in the risks and their ratings, and that the risks captured and their ratings were appropriate in the current climate. 

ARAC (02-21) Paper 13 – Departure Summary

15.1      The Committee raised concern that the Commission had not tested the market for a service to deliver coaching and learning and development resources. Ann Beynon also wanted on record that similar concerns had been raised by members of the Commission’s Remuneration, Engagement and Workforce Advisory Committee (REWAC).In response, Dave noted the concerns and explained that the decision had been based on an understanding of the market, quality and value for money of the product, its online offering and potential for it to deliver savings. He added that, as the product was also used by other parliaments, it provided a good opportunity for collaboration.

ARAC (02-21) Paper 14 – Whistleblowing Policy and Fraud Policy Updates – cover paper

ARAC (02-21) Paper 14 – Annex A - Fraud Corruption and Bribery Policy

ARAC (02-21) Paper 14 – Annex B - Whistleblowing Policy

16.1      Gareth confirmed that there had been no substantive changes from his annual review of both policies.

16.2      In relation to fraud, Gareth reminded the Committee about the National Audit Office’s recent ‘Good Practice Guide on Fraud and Error’ which had been circulated previously. This included a checklist which Gareth would review to determine what aspects could be applied to the Commission. Alongside this review he had also completed his Annual Report on Fraud which was presented under item 7.

16.3      In reviewing the Whistleblowing Policy, Gareth had taken account of guidance from Protect (formerly Public Concern at Work). He added that he would be carrying out a fuller review of the policy during 2021-22. This would involve liaising with HR colleagues and others involved in updating the Commission’s approach to dignity and respect at work to ensure appropriate links to this policy.

16.4      The Committee noted Gareth’s updates and endorsed his approach.   

ARAC (02-21) Paper 15 – SIRO Annual Report

17.1      The Chair thanked officials for a very comprehensive report and welcomed more information on the protective marking scheme.

17.2      Dave emphasised the challenges over the year for delivering on priority work around compliance with, and raising awareness of data protection legislation and the additional work created by the pandemic and the Senedd Elections. In relation to introducing a protective marking scheme, Dave outlined the complications of finding a technical solution that was flexible enough to accommodate the different requirements for the flow of information for both Commission staff and Members. He added that, whilst the team would continue to pursue this, the focus was currently on preparations for the new Senedd and the production of guidance for Members. 

17.3      In relation to a comment about the mitigation of risks around data sharing, Dave confirmed that Members had welcomed the migration to SharePoint and OneDrive for its security features and flexibility and that all Members would now be using these platforms.

17.4      Suzy questioned the number of Freedom of Information requests received by the Commission in comparison to other public bodies.  Officials admitted that the number of requests received by the Commission was lower than public authorities, but the complexity and political motivation of requests meant that the number wasn’t a true reflection of the work involved.  

17.5      The Committee noted this annual report and thanked Dave for the update.

Oral update

18.1      Ann Beynon, as member of REWAC welcomed this opportunity to feedback on its last two meetings, the latest of which had focused primarily on discussions around the remuneration of senior management. 

18.2      At the March meeting, the Committee had discussed the following:

-      the scope of an effectiveness review of REWAC to be carried out by Gareth Watts, the output from which would be shared with the Committee;

-      plans to hold a scenario planning meeting in the summer;

-      how to support the review of the Commission’s Dignity and Respect policy in the autumn;

-      results of the latest wellbeing pulse survey, noting that this now allowed for benchmarking of scores against other public sector bodies and that the overall happiness score was favourable compared to other organisations;

-      ways to address socio-economic inequality and to increase BAME representation in the Commission, including the possibility of a benchmarking exercise with other organisations which would need to take account of the relatively low turnover of staff; and

-      the Commission’s Communication and Engagement strategy.

18.3      Ann and the Chair of REWAC had recently been involved in the recruitment of two senior posts within the Engagement Directorate and had been impressed with quality of applications and pleased to have been part of the process.

18.4      The Chair thanked Ann for this feedback and noted good progress with the REWAC programme of work. 

Oral item

19.1      Committee members were asked to comment on, and contribute to the content of the Committee’s annual report which would be presented to the new Commission once appointed. A copy of the previous year’s report had been circulated with the papers for this meeting.

19.2      The Chair suggested including a review of the whole fifth Senedd term in order to document coverage and how the Committee had evolved. Ann referred to the importance of demonstrating to new Commissioners the role the Committee had played in its balanced and constructive challenge. Suzy added that it was important to present the purpose of the report to new Commissioners and to reference the overall strength of governance. 

19.3      The Chair asked for comments to be sent the Clerking team by 7 May. 

Action: Comments on the Committee’s Annual Report to be sent to the Clerking team by 7 May.

ARAC (02-21) Paper 16 – Forward Work Programme

20.1      The Committee had no changes to make to the Committee’s work programme.

21.0      Item 20 – Any other business

Oral item

21.1      No other business was raised.

Audit Wales attended a private session with members of the Committee once formal proceedings had concluded. No minutes were taken.

Next meeting is scheduled for 18 June 2021.