Agenda and minutes
Venue: Remote - Digital.
Contact: Clerk: Kathryn Hughes; Deputy Clerk: Buddug Saer
Introductions, apologies and declaration of interests
1.1 The Chair welcomed everyone to the meeting and noted one
apology from Ann-Marie Harkin, Audit Wales.
1.2 The Chair thanked the clerking team for pulling together
another good set of papers, and for issuing them in a timely manner.
1.3 No interests were declared.
Minutes of 14 February, actions and matters arising
ARAC (22-02) Paper 1 – Draft Minutes of 14 February 2022
ARAC (22-02) Paper 2 – Summary of actions
2.1 The minutes of the 14 February meeting were formally
approved. All actions from previous meetings had been completed.
2.2 The Chair thanked Ed Williams for the briefing on the Estates Strategy which he had provided to Committee members on 28 March 2022.
COVID-19 - Corporate update
3.1 The Chair agreed that, due to the lifting of Welsh
Government restrictions, this would be the last formal Covid-19 corporate
3.2 Ed confirmed that the Covid Resilience and Monitoring
Group (CRAM) would remain in place until the Summer recess after which its
remit would be incorporated into the Health, Safety, Wellbeing and Safeguarding
Committee. All statutory Covid-19 measures had been removed, although the
wearing of face coverings by all building users remained as part of the
Commission’s guidance. Reported cases of Covid-19 on the estate had been
managed effectively and the impact on business continuity was reducing; this
demonstrated the effectiveness of the measures and internal processes in
3.3 Ed reported significant on-site presence and activity,
particularly on business days. The Leadership Team, Executive Board and the
Commission continued to meet virtually, in hybrid format and in person.
Evidently, this provided the organisation with greater flexibility and
resilience, should restrictions be imposed in the future.
3.4 Ed shared some further information with the Committee
regarding the second paper on ‘ways of working’ which was due to be considered
by the Commission on 9 May. The paper described the structure of service areas
and their approach to future ways of working. Ed agreed to share the
Commission’s response to the paper with the Committee at the next meeting.
3.5 The Committee thanked Ed for his update and, recognising
that more staff would be expected to return to the estate now that restrictions
had been lifted, encouraged senior management to continue to take account of
their welfare and wellbeing.
· Provide an update to the Committee on the Commission’s response to the second paper on ‘ways of working’.
G&A update report
ARAC (22-02) Paper 3 – G&A update report
4.1 Gareth Watts provided an update on overall governance and
assurance activity since the last ARAC meeting and highlighted the following
from his report:
statements had been finalised, reviewed by the Chief Executive and challenged
by Independent Advisers at a meeting on 10 March. This had informed drafting of
the Governance Statement which was included in the papers for this meeting.
4.6 Gareth provided an update on the core internal audit
work. The report on the audit of Winding up of Members’ Offices was covered
under item 8. The cyber-security audit and value for money review of Library
Services had also been completed, reports on which would be shared as soon as
they had been finalised and approved by the relevant Directors. The Committee
were reminded that Ann Beynon and Aled Eirug had reviewed an outline terms of
reference for the Official Languages Scheme audit, work on which was also well
advanced. A follow up report on implementation of recommendations from the
previous cyber-security audit, all of which were progressing, would also be
shared with the Committee.
4.7 The Committee praised Gareth for his achievements in ensuring that the audit programme was in such a good position, particularly during the pandemic. Gareth thanked the Committee members for their positive comments. In response to questions around his capacity to undertake such a substantive programme alongside his other assurance responsibilities, Gareth provided assurance that this was manageable with support from his colleague Victoria Paris and his current internal audit co-sourced partner TIAA.
Internal Audit Charter and Internal Audit's compliance with Public Sector Internal Audit Standard (PSIAS)
ARAC (22-02) Paper 4 – Internal Audit Charter cover paper
ARAC (22-02) Paper 4 – Annex A – Internal Audit Charter
5.1 The Committee formally approved the Internal Audit Charter for 2022-23, noting that there were no substantive changes to report.
Internal Audit Annual Report and Opinion
ARAC (22-02) Paper 5 – Internal Audit Annual Report and Opinion for 2021-22
6.2 The Committee noted Gareth’s Annual Report and Opinion and commented that the moderate opinion provided a good level of assurance.
Annual Report on Fraud
ARAC (22-02) Paper 6 – Annual Report Fraud
7.1 Gareth reported that during 2021-22, there had been no
cases brought to his attention of actual or suspected fraudulent activity
regarding cash, allowances and expenses or theft of assets.
7.2 He described how information shared regularly by TIAA
and Audit Wales on fraudulent activity across the public and private sectors
helped ensure the Commission remained alert to the tactics being deployed by
7.3 The Committee were pleased that no fraudulent activity
had been detected during 2021-22. In response to questions about benchmarking
against other public sector organisations, Gareth explained that we were not
exposed in the same way as some grant paying organisations, for example. He
added that the majority of spend was via payroll and Members’ pay and
allowances which had robust controls in place, with staff in those areas carrying
out due diligence. Going forward, Gareth would also be exploring assurances
around the use of procurement cards.
7.4 The Committee noted and thanked Gareth for his Annual Report on Fraud.
Latest Internal Audit report(s)
ARAC (22-02) Paper 7 – Winding up of Members' Offices
8.1 Gareth presented his internal audit report. This audit
aimed to assess the procedures and controls in place around the dissolution of
the Senedd for the 2021 election with particular focus on those Members of the
Senedd that were standing down or not returned at the election. It also covered
additional challenges caused by the pandemic on the dispersal of assets. Gareth
recorded his thanks to the Members’ Business Support and ICT teams for their
co-operation during the audit.
8.2 The review examined the guidance, process, and
procedures in place during the dissolution period and drew out the significant
issues identified, or lessons learned. Although no formal recommendations were
raised, Gareth identified a number of issues which the Commission may wish to
consider for future elections.
8.3 The Committee noted and welcomed the detailed report and were impressed with the thoroughness of the review. Committee members recorded their praise for Gareth and the teams involved, acknowledged the amount of work carried out in a short space of time, and appreciated the sensitivities involved. They further remarked that it was evident that the internal controls, as well as the positive internal audit culture, were working well.
Emerging findings and advice to Accounting Officer regarding submission of the draft Annual Report and Accounts to the Commission
ARAC (22-02) Paper 8 - Audit Wales Update
9.1 Gareth Lucey introduced the Audit Wales update. Although
Committee members had been notified previously, he reminded them of the
proposed audit fee of £59,987 – a 3.5% increase on last year, in line with the
3.7% average increase in rates.
9.2 He confirmed that the interim audit ‘visit’ had taken
place over the weeks of 14 and 21 March and the team had completed early sample
testing on a number of account areas (including payroll, other expenditure and
direct charges to the Welsh Consolidated Fund). He was happy to report that
there were no audit issues arising to date and the plan was to deliver the ISA
260 report in time for the 15 June meeting.
9.3 Gareth advised of one change to the audit team. The
Chair asked to meet informally with the team, which Gareth agreed to
9.4 In response to questions around the impact of increases
to National Insurance and the rate of inflation on public sector organisations,
Gareth explained the challenges they all faced around calculating costs,
particularly relating to asset valuation.
9.5 Nia confirmed that an asset valuation was due to be
undertaken by the Commission the following year and that the impact of an
increase in the rate of inflation had been highlighted to the Commission in a
paper relating to the 2023-24 budget.
· The Chair to meet (informally) with the Audit Wales auditing team.
Joint working protocol
Oral item - update in paper 8 refers
10.1 Gareth Lucey introduced this oral item. He confirmed
that a recent discussion with Gareth Watts had concluded there was no need for
an updated version as there were no changes to the protocol which was presented
in April 2021, a copy of which had been circulated with the committee papers.
He outlined compliance with the protocol and referred the Committee to the
table in the update paper which summarised how both parties had responded to a
set of agreed actions during the year.
10.2 The Committee thanked Gareth for the update and noted the Joint Working Protocol.
Commission's draft Annual Report and Governance Statement for 2021-22
ARAC (22-02) Paper 9 – Annex A – draft Annual Report Narrative
Paper 9 – Annex B – draft Annual Governance Statement
11.1 Arwyn introduced this item and invited Committee
members to comment on the draft narrative included in the Commission’s draft
Annual Report and Accounts (ARA) and the draft Governance Statement for
11.2 Arwyn outlined plans to present the report in a more
interactive online format to make it more accessible and reach a wider
audience, something the Committee had been keen for the Commission to pursue.
He presented a mock-up of the landing pages which had been designed in
compliance with an accessibility impact assessment.
11.3 Arwyn described how this format provided the
opportunity to include links to video and digital content, as well as the array
of articles and further information already created during the year. He
considered this to be a great way to recycle existing material and develop the
report as a communications tool as well as satisfying a governance and
11.4 The Committee members were pleased to see plans for
such a positive online presence. In terms of developing the format going
forward, they encouraged the team to focus the links on content and stories
that contained a human element e.g. the carrier of the mace for the official
opening, and to consider the order of the report to focus on citizens. Arwyn
welcomed this feedback which he agreed to take on board.
11.5 In response to questions about reach and engagement,
Arwyn advised that infographics containing this information were yet to be
populated in the report. In terms of the demographics on engagement, plans were
in place to introduce tools and systems such as media monitoring and customer
relationship management which would help the Commission to better measure and
report on engagement. He also outlined plans for increasing presence on social
media platforms such as Instagram and TikTok to target a younger audience, and
for engaging in a more proactive way with schools.
11.6 Arwyn and Nia confirmed that, for audit purposes, a
printable physical version of the Annual Report and Accounts would be produced
for the Auditor General for Wales to sign and that would be the version laid
before the Senedd. Nia added that the format proposed would make it easier for
readers interested in the financial statements to access that part of the
11.7 The Chair was pleased with the advanced state and content of the draft Governance Statement, noting that this was a key document in terms of accountability. He welcomed the items listed under the areas of focus for 2022-23 and asked Committee members to pass on any comments on the statement to the clerking team. It was agreed that the Committee would be kept informed of discussions by the Executive Board on risk appetite.
Update on Cyber Security
ARAC (22-02) Paper 10 – Cyber Security Assurance Report
12.1 The Chair welcomed Mark Neilson, Jamie Hancock and Tim
Bernat to the meeting to present this item.
12.2 Mark introduced the Cyber Security Assurance Report, a
draft version of which had been sent to Committee members in February for
comments. Mark confirmed that the report would be refined based on feedback and
produced and shared on a quarterly basis.
12.3 The Chair thanked Mark and his team for preparing such
a detailed report. It provided the necessary level of assurance in a number of
areas of interest to the Committee and contained ample technical detail. The
Chair was keen to ensure the report’s usability.
12.4 The Committee raised questions around data storage,
liaison with other organisations including the Welsh Government, and plans for
cyber security user awareness events. It was also suggested that a separate
section on the role of the Public Sector Broadband Authority (PSBA) could be
included in the future reports.
12.5 Jamie Hancock confirmed that the team were committed to
offsite storage with appropriate immutable back-up arrangements, which they
were actively pursuing through a media storage project.
12.6 Tim Bernat outlined how, given the current threat
levels, the ICT team had increased the frequency of their monitoring of
available threat intelligence sources. This enabled the Commission to be kept
up to date with the evolving threat landscape along with latest tools and
initiatives to mitigate the risks. It also helped ensure all parties were
mutually informed and that relevant knowledge and experiences were shared. In
response to questions about recent successful ransomware attacks in another
public sector organisation, the team had noted the lessons learned and further
strengthened some of the Commission’s defences as a result.
12.7 Mark confirmed that plans for a Senedd-wide cyber
awareness-raising programme of events were being finalised. He thanked Ann for
her offer to provide contact details of experts in the university and private
sectors who might be able to assist. Jamie added that he also had contacts from
his previous employment at a university. In response to a question from Ken
Skates around engaging with Members of the Senedd more often to raise
awareness, Mark suggested supplementing attendance at party group meetings with
six-monthly briefing sessions. Ken suggested a refresh briefing session at the
start of the autumn term in September and offered to encourage Members to
12.8 Mark agreed to include reference to PSBA in future
reports and Tim briefly outlined its role and the services it provided to help
protect the Commission’s network. It was agreed that a presentation from PSBA
on its role would be useful for the Committee.
12.9 Arwyn acknowledged Jamie and Tim’s expert knowledge and
the critical role they played in mitigating cyber-security threats, which
provided assurance. He welcomed Ken’s offer of liaising with the Commissioners
and party groups to encourage maximum take-up in the planned cyber-security
12.10 The Chair thanked the team and also acknowledged their expertise and the assurance that ...
ARAC (22-02) Paper 11 – Corporate Risk
ARAC (22-02) Paper 11 – Annex A - Summary Corporate Risk Register
ARAC (22-02) Paper 11 – Annex B – Corporate Risks plotted
13.1 Ed updated the Committee on the overall position of the
Corporate Risk Register. The risks had been reviewed and updated by the risk
owners and reviewed by the Executive Board at its 22 April meeting. Given the
increase in activity, including recent Remuneration Board decisions and
consultation on the Accounting Officer rules, the residual likelihood risk
rating of the risk relating to the Members’ Regulatory Framework had increased
which had resulted in an increase in the overall risk rating. Ed provided assurance
that the risk was being actively managed.
13.2 The Committee thanked Ed for his introduction and thanked officials for their comprehensive updates in the register. The Chair particularly welcomed the diagram which demonstrated the dynamic nature of the risk register.
Critical examination of one identified risk - Data Protection risks
Oral item – updates on DP risks (Legal-R-66 and Legal-R-68) in paper 11 Annex A refer
14.1 The Chair welcomed Matthew Richards and Jo Grenfell to
the meeting to present this item. Matthew welcomed this opportunity to update
the Committee on the two data protection risks that sat within the Legal
Services team: one relating to the Commission and the other to Members of the
14.2 Matthew updated the Committee on priority areas which
could now progress due to the increased staff resources in the Information
Governance team. This would include: addressing areas of relative weakness
around GDPR compliance; ensuring consistent application of data retention
practices; and refresher training for all Commission staff, and Members and
their staff. There were also plans to upskill those responsible for processing
data to better equip them to handle routine matters, allowing the specialist
Information Governance team and legal advisers to focus on more complex issues.
14.3 Matthew and Ed Williams, as Senior Information Risk
Officer (SIRO), were also developing a plan to ensure consistent and appropriate
use of technology such as SharePoint and Teams. This would provide more clarity
on, and reduce the time spent locating, sources of corporate information to respond, for
example, to FOI or subject access requests or oral/written questions to the
14.4 The Committee discussed the challenges around supporting politicians who were data controllers in their own right. It was acknowledged that advice and training could be offered but not mandated and that any breach, regardless of the source, would reflect badly on the organisation. Matthew described the training that had been made available to Members and their staff following the election, and plans to deliver training and awareness sessions on an ongoing basis. He also outlined plans to fully implement data-processing agreements with Members as a priority when the additional resources were in place, which was welcomed by the Committee.
SIRO Annual Report
ARAC (22-02) Paper 12 – SIRO Annual Report
15.1 The Chair noted that the SIRO Annual Report was a key
assurance document for the Committee to review. Ed Williams wished to express
his thanks to his predecessor and also to colleagues from across the
Commission, particularly from the Governance and Assurance, ICT and Legal
Services teams, for their support since taking up the SIRO role on his
appointment in February 2022. He also thanked Gareth Watts for his assistance
in drafting the report.
15.2 Ed outlined the key elements of the report which
highlighted progress made during the reporting period and areas of priority to
be taken forward. He advised that some of the areas listed for focus during the
year had not progressed as planned due to prioritisation of limited resources.
He referred to the assurances provided to the Committee on the management of
15.3 Going forward, Ed would be working with Matthew
Richards and the Information Governance team to revive the project to introduce
a new protective marking scheme and to consider the information risks
associated with the new Ways of Working strategy. He also highlighted proposals
for establishing a new information governance board to support decision-making
by the SIRO.
15.4 The Chair thanked Ed and Gareth for this report which provided the Committee with the necessary assurances.
ARAC (22-02) Paper 13 – Departure Summary
16.1 The Committee noted four departures from normal procurement procedures.
Finance Update and update on upgrade to finance system
17.1 Nia confirmed that it was too early to confirm the
final out-turn figure for 2021-22 and that there were no issues to note from the
interim audit of the accounts. She advised of some additional pressures caused
by late returns of financial information from some service areas.
17.2 Nia informed the Committee that the upgraded finance
system went live as planned and was working as well as expected, with some
minor issues which were being addressed.
17.3 In relation to the approved 2022-23 budget, Nia advised
that a proposal for a supplementary
budget was due to be considered by the Commission on 9 May, before being
presented to the Finance Committee. The 2023-24 budget strategy paper was also
due to be considered by the Commission. In response to questions from Committee
members around managing costs relating to inflation and increases in National
Insurance, Nia advised that, whilst every effort had been made to absorb the
additional costs, a request for a supplementary budget was now necessary. She
added that any savings realised during the pandemic would be offset by the
increase in inflation and utilities.
17.4 Nia agreed to share papers with the Committee on the
supplementary budget and 2023-24 budget strategy once considered by the Senedd
Commission and Finance Committee.
17.5 The Committee requested an update on the district
heating scheme. Ed was aware of some developments on infrastructure to support
the scheme and noted that the go live date for the project was still to be
confirmed. He agreed to provide the Committee with an update when available.
17.6 The Chair acknowledged the amount of effort that had
gone into managing finances and planning budgets, especially as it was becoming
increasingly difficult to plan for the future. He also noted that resource
pressures would continue to be a theme of discussion for future years. He, and
the Committee members, were also pleased that the new finance system was in
place and working well.
· Nia Morgan to share papers with the Committee on supplementary budget and 2023-24 budget strategy once considered by the Senedd Commission and Finance Committee.
· Ed Williams to provide an update to the Committee on the district heating scheme when available.
Committee's Annual Report to the Commission and Accounting Officer
18.1 The Chair invited members of the Committee to suggest content for the Committee’s annual report. He mentioned one area he wished to focus on which was the solidity of the ways in which the Commission were emerging from the pandemic.
Forward work programme
ARAC (22-02) Paper 14 – Forward Work Programme
Papers to note and AOB
20.1 No other business was raised.
20.2 The Accounting Officer attended a private session with members of the Committee once formal proceedings had concluded. No minutes were taken.