Agenda and minutes

Venue: Remote - Digital.

Contact: Clerk: Kathryn Hughes  Deputy Clerk: Buddug Saer

No. Item


Introductions, apologies and declaration of interests


1.1 The Chair welcomed everyone to the meeting and noted one apology from Ann-Marie Harkin, Audit Wales.

1.2 The Chair thanked the clerking team for pulling together another good set of papers, and for issuing them in a timely manner.

1.3 No interests were declared.



Minutes of 14 February, actions and matters arising


ARAC (22-02) Paper 1 – Draft Minutes of 14 February 2022

ARAC (22-02) Paper 2 – Summary of actions

2.1 The minutes of the 14 February meeting were formally approved. All actions from previous meetings had been completed.

2.2 The Chair thanked Ed Williams for the briefing on the Estates Strategy which he had provided to Committee members on 28 March 2022.



COVID-19 - Corporate update

Oral update



3.1 The Chair agreed that, due to the lifting of Welsh Government restrictions, this would be the last formal Covid-19 corporate update.

3.2 Ed confirmed that the Covid Resilience and Monitoring Group (CRAM) would remain in place until the Summer recess after which its remit would be incorporated into the Health, Safety, Wellbeing and Safeguarding Committee. All statutory Covid-19 measures had been removed, although the wearing of face coverings by all building users remained as part of the Commission’s guidance. Reported cases of Covid-19 on the estate had been managed effectively and the impact on business continuity was reducing; this demonstrated the effectiveness of the measures and internal processes in place. 

3.3 Ed reported significant on-site presence and activity, particularly on business days. The Leadership Team, Executive Board and the Commission continued to meet virtually, in hybrid format and in person. Evidently, this provided the organisation with greater flexibility and resilience, should restrictions be imposed in the future.      

3.4 Ed shared some further information with the Committee regarding the second paper on ‘ways of working’ which was due to be considered by the Commission on 9 May. The paper described the structure of service areas and their approach to future ways of working. Ed agreed to share the Commission’s response to the paper with the Committee at the next meeting. 

3.5 The Committee thanked Ed for his update and, recognising that more staff would be expected to return to the estate now that restrictions had been lifted, encouraged senior management to continue to take account of their welfare and wellbeing. 


- Provide an update to the Committee on the Commission’s response to the second paper on ‘ways of working’.



G&A update report


Internal Audit

ARAC (22-02) Paper 3 – G&A update report 

4.1 Gareth Watts provided an update on overall governance and assurance activity since the last ARAC meeting and highlighted the following from his report: 

- Assurance statements had been finalised, reviewed by the Chief Executive and challenged by Independent Advisers at a meeting on 10 March. This had informed drafting of the Governance Statement which was included in the papers for this meeting.
- The Commission’s Corporate Delivery Plan was approved by the Executive Board on 22 April and would be shared with the Commission as a paper to note on 9 May. Gareth and Ed would now work on corporate communications to ensure visibility of the plan across the organisation.
- All service areas had carried out a Business Impact Analysis and this was informing ongoing work to update the Commission’s approach to business continuity.
- At the latest regular meeting with the Independent Remuneration Board’s clerking team, Gareth had been asked to carry out a mid-term effectiveness review.

4.6 Gareth provided an update on the core internal audit work. The report on the audit of Winding up of Members’ Offices was covered under item 8. The cyber-security audit and value for money review of Library Services had also been completed, reports on which would be shared as soon as they had been finalised and approved by the relevant Directors. The Committee were reminded that Ann Beynon and Aled Eirug had reviewed an outline terms of reference for the Official Languages Scheme audit, work on which was also well advanced. A follow up report on implementation of recommendations from the previous cyber-security audit, all of which were progressing, would also be shared with the Committee.  

4.7 The Committee praised Gareth for his achievements in ensuring that the audit programme was in such a good position, particularly during the pandemic. Gareth thanked the Committee members for their positive comments. In response to questions around his capacity to undertake such a substantive programme alongside his other assurance responsibilities, Gareth provided assurance that this was manageable with support from his colleague Victoria Paris and his current internal audit co-sourced partner TIAA.


Internal Audit Charter and Internal Audit's compliance with Public Sector Internal Audit Standard (PSIAS)


ARAC (22-02) Paper 4  – Internal Audit Charter cover paper

ARAC (22-02) Paper 4 – Annex A – Internal Audit Charter 2022

5.1 The Committee formally approved the Internal Audit Charter for 2022-23, noting that there were no substantive changes to report.



Internal Audit Annual Report and Opinion


ARAC (22-02) Paper 5 – Internal Audit Annual Report and Opinion for 2021-22

6.1 Gareth introduced his Annual Report and Opinion which reported that the Accounting Officer could take moderate assurance that arrangements to secure governance, risk management and internal control were suitably designed and applied effectively. This was a reflection on the culture of the organisation and the positive management response to internal audit recommendations.

6.2 The Committee noted Gareth’s Annual Report and Opinion and commented that the moderate opinion provided a good level of assurance.



Annual Report on Fraud


ARAC (22-02) Paper 6 – Annual Report Fraud

7.1 Gareth reported that during 2021-22, there had been no cases brought to his attention of actual or suspected fraudulent activity regarding cash, allowances and expenses or theft of assets. 

7.2 He described how information shared regularly by TIAA and Audit Wales on fraudulent activity across the public and private sectors helped ensure the Commission remained alert to the tactics being deployed by potential fraudsters.

7.3 The Committee were pleased that no fraudulent activity had been detected during 2021-22. In response to questions about benchmarking against other public sector organisations, Gareth explained that we were not as exposed in the same way as some grant paying organisations, for example. He added that the majority of spend was via payroll and Members’ pay and allowances which had robust controls in place, with staff in those areas carrying out due diligence. Going forward, Gareth would also be exploring assurances around the use of procurement cards.

7.4 The Committee noted and thanked Gareth for his Annual Report on Fraud.



Latest Internal Audit report(s)


ARAC (22-02) Paper 7 – Winding up of Members' Offices

8.1 Gareth presented his internal audit report. This audit aimed to assess the procedures and controls in place around the dissolution of the Senedd for the 2021 election with particular focus on those Members of the Senedd that were standing down or not returned at the election. It also covered additional challenges caused by the pandemic on the dispersal of assets. Gareth recorded his thanks to the Members’ Business Support and ICT teams for their co-operation during the audit. 

8.2 The review examined the guidance, process, and procedures in place during the dissolution period and drew out the significant issues identified, or lessons learned. Although no formal recommendations were raised, Gareth identified a number of issues which the Commission may wish to consider for future elections.

8.3 The Committee noted and welcomed the detailed report and were impressed with the thoroughness of the review. Committee members recorded their praise for Gareth and the teams involved, acknowledged the amount of work carried out in a short space of time, and appreciated the sensitivities involved. They further remarked that it was evident that the internal controls, as well as the positive internal audit culture, were working well. 


Emerging findings and advice to Accounting Officer regarding submission of the draft Annual Report and Accounts to the Commission


ARAC (22-02) Paper 8 - Audit Wales Update

9.1 Gareth Lucey introduced the Audit Wales update. Although Committee members had been notified previously, he reminded them of the proposed audit fee of £59,987 – a 3.5% increase on last year, in line with the 3.7% average increase in rates.

9.2 He confirmed that the interim audit ‘visit’ had taken place over the weeks of 14 and 21 March and the team had completed early sample testing on a number of account areas (including payroll, other expenditure and direct charges to the Welsh Consolidated Fund). He was happy to report that there were no audit issues arising to date and the plan was to deliver the ISA 260 report in time for the 15 June meeting.

9.3 Gareth advised of one change to the audit team. The Chair asked to meet informally with the team, which Gareth agreed to arrange. 

9.4 In response to questions around the impact of increases to National Insurance and the rate of inflation on public sector organisations, Gareth explained the challenges they all faced around calculating costs, particularly relating to asset valuation.

9.5 Nia confirmed that an asset valuation was due to be undertaken by the Commission the following year and that the impact of an increase in the rate of inflation had been highlighted to the Commission in a paper relating to the 2023-24 budget. 


- The Chair to meet (informally) with the Audit Wales auditing team.



Joint working protocol

Oral item - update in paper 8 refers


Oral item

10.1 Gareth Lucey introduced this oral item. He confirmed that a recent discussion with Gareth Watts had concluded there was no need for an updated version as there were no changes to the protocol which was presented in April 2021, a copy of which had been circulated with the committee papers. He outlined compliance with the protocol and referred the Committee to the table in the update paper which summarised how both parties had responded to a set of agreed actions during the year.

10.2 The Committee thanked Gareth for the update and noted the Joint Working Protocol.



Commission's draft Annual Report and Governance Statement for 2021-22


Commission Governance

ARAC (22-02) Paper 9 - Draft Annual Report 2021-22 - cover paper

ARAC (22-02) Paper 9 – Annex A – draft Annual Report Narrative

ARAC (22-02) Paper 9 – Annex B – draft Annual Governance Statement

11.1 Arwyn introduced this item and invited Committee members to comment on the draft narrative included in the Commission’s draft Annual Report and Accounts (ARA) and the draft Governance Statement for 2021-22.

11.2 Arwyn outlined plans to present the report in a more interactive online format to make it more accessible and reach a wider audience, something the Committee had been keen for the Commission to pursue. He presented a mock-up of the landing pages which had been designed in compliance with an accessibility impact assessment. 

11.3 Arwyn described how this format provided the opportunity to include links to video and digital content, as well as the array of articles and further information already created during the year. He considered this to be a great way to recycle existing material and develop the report as a communications tool as well as satisfying a governance and accountability requirement.   

11.4 The Committee members were pleased to see plans for such a positive online presence. In terms of developing the format going forward, they encouraged the team to focus the links on content and stories that contained a human element e.g. the carrier of the mace for the official opening, and to consider the order of the report to focus on citizens. Arwyn welcomed this feedback which he agreed to take on board.

11.5 In response to questions about reach and engagement, Arwyn advised that infographics containing this information were yet to be populated in the report. In terms of the demographics on engagement, plans were in place to introduce tools and systems such as media monitoring and customer relationship management which would help the Commission to better measure and report on engagement. He also outlined plans for increasing presence on social media platforms such as Instagram and TikTok to target a younger audience, and for engaging in a more proactive way with schools.

11.6 Arwyn and Nia confirmed that, for audit purposes, a printable physical version of the Annual Report and Accounts would be produced for the Auditor General for Wales to sign and that would be the version laid before the Senedd. Nia added that the format proposed would make it easier for readers interested in the financial statements to access that part of the report. 

11.7 The Chair was pleased with the advanced state and content of the draft Governance Statement, noting that this was a key document in terms of accountability. He welcomed the items listed under the areas of focus for 2022-23 and asked Committee members to pass on any comments on the statement to the clerking team. It was agreed that the Committee would be kept informed of discussions by the Executive Board on risk appetite. 



Update on Cyber Security


ARAC (22-02) Paper 10 – Cyber Security Assurance Report

12.1 The Chair welcomed Mark Neilson, Jamie Hancock and Tim Bernat to the meeting to present this item.

12.2 Mark introduced the Cyber Security Assurance Report, a draft version of which had been sent to Committee members in February for comments. Mark confirmed that the report would be refined based on feedback and produced and shared on a quarterly basis.

12.3 The Chair thanked Mark and his team for preparing such a detailed report. It provided the necessary level of assurance in a number of areas of interest to the Committee and contained ample technical detail. The Chair was keen to ensure the report’s usability.

12.4 The Committee raised questions around data storage, liaison with other organisations including the Welsh Government, and plans for cyber security user awareness events. It was also suggested that a separate section on the role of the Public Sector Broadband Authority (PSBA) could be included in the future reports. 

12.5 Jamie Hancock confirmed that the team were committed to offsite storage with appropriate immutable back-up arrangements, which they were actively pursuing through a media storage project.

12.6 Tim Bernat outlined how, given the current threat levels, the ICT team had increased the frequency of their monitoring of available threat intelligence sources. This enabled the Commission to be kept up to date with the evolving threat landscape along with latest tools and initiatives to mitigate the risks. It also helped ensure all parties were mutually informed and that relevant knowledge and experiences were shared. In response to questions about recent successful ransomware attacks in another public sector organisation, the team had noted the lessons learned and further strengthened some of the Commission’s defences as a result.  

12.7 Mark confirmed that plans for a Senedd-wide cyber awareness-raising programme of events were being finalised. He thanked Ann for her offer to provide contact details of experts in the university and private sectors who might be able to assist. Jamie added that he also had contacts from his previous employment at a university. In response to a question from Ken Skates around engaging with Members of the Senedd more often to raise awareness, Mark suggested supplementing attendance at party group meetings with six-monthly briefing sessions. Ken suggested a refresh briefing session at the start of the autumn term in September and offered to encourage Members to attend. 

12.8 Mark agreed to include reference to PSBA in future reports and Tim briefly outlined its role and the services it provided to help protect the Commission’s network. It was agreed that a presentation from PSBA on its role would be useful for the Committee. 

12.9 Arwyn acknowledged Jamie and Tim’s expert knowledge and the critical role they played in mitigating cyber-security threats, which provided assurance. He welcomed Ken’s offer of liaising with the Commissioners and party groups to encourage maximum take-up in the planned cyber-security awareness events. 

12.10 The Chair thanked the team and also acknowledged their expertise and the assurance that ...


Corporate Risk


ARAC (22-02) Paper 11 – Corporate Risk

ARAC (22-02) Paper 11 – Annex A -  Summary Corporate Risk Register

ARAC (22-02) Paper 11 – Annex B – Corporate Risks plotted

13.1 Ed updated the Committee on the overall position of the Corporate Risk Register. The risks had been reviewed and updated by the risk owners and reviewed by the Executive Board at its 22 April meeting. Given the increase in activity, including recent Remuneration Board decisions and consultation on the Accounting Officer rules, the residual likelihood risk rating of the risk relating to the Members’ Regulatory Framework had increased which had resulted in an increase in the overall risk rating. Ed provided assurance that the risk was being actively managed.

13.2 The Committee thanked Ed for his introduction and thanked officials for their comprehensive updates in the register. The Chair particularly welcomed the diagram which demonstrated the dynamic nature of the risk register.  



Critical examination of one identified risk - Data Protection risks

Oral item – updates on DP risks (Legal-R-66 and Legal-R-68) in paper 11 Annex A refer


14.1 The Chair welcomed Matthew Richards and Jo Grenfell to the meeting to present this item. Matthew welcomed this opportunity to update the Committee on the two data protection risks that sat within the Legal Services team: one relating to the Commission and the other to Members of the Senedd.

14.2 Matthew updated the Committee on priority areas which could now progress due to the increased staff resources in the Information Governance team. This would include: addressing areas of relative weakness around GDPR compliance; ensuring consistent application of data retention practices; and refresher training for all Commission staff, and Members and their staff. There were also plans to upskill those responsible for processing data to better equip them to handle routine matters, allowing the specialist Information Governance team and legal advisers to focus on more complex issues.

14.3 Matthew and Ed Williams, as Senior Information Risk Officer (SIRO), were also developing a plan to ensure consistent and appropriate use of technology such as SharePoint and Teams. This would provide more clarity on, and reduce time locating, sources of corporate information to respond, for example, to FOI or subject access requests or oral/written questions to the Commission.

14.4 The Committee discussed the challenges around supporting politicians who were data controllers in their own right. It was acknowledged that advice and training could be offered but not mandated and that any breach, regardless of the source, would reflect badly on the organisation. Matthew described the training that had been made available to Members and their staff following the election, and plans to deliver training and awareness sessions on an ongoing basis. He also outlined plans to fully implement data-processing agreements with Members as a priority when the additional resources were in place which was welcomed by the Committee.



SIRO Annual Report


ARAC (22-02) Paper 12 – SIRO Annual Report


15.1 The Chair noted that the SIRO Annual Report was a key assurance document for the Committee to review. Ed Williams wished to express his thanks to his predecessor and also to colleagues from across the Commission, particularly from the Governance and Assurance, ICT and Legal Services teams, for their support since taking up the SIRO role on his appointment in February 2022. He also thanked Gareth Watts for his assistance in drafting the report.

15.2 Ed outlined the key elements of the report which highlighted progress made during the reporting period and areas of priority to be taken forward. He advised that some of the areas listed for focus during the year had not progressed as planned due to prioritisation of limited resources. He referred to the assurances provided to the Committee on the management of cyber-security risks.

15.3 Going forward, Ed would be working with Matthew Richards and the Information Governance team to revive the project to introduce a new protective marking scheme and to consider the information risks associated with the new Ways of Working strategy. He also highlighted proposals for establishing a new information governance board to support decision-making by the SIRO. 

15.4 The Chair thanked Ed and Gareth for this report which provided the Committee with the necessary assurances.  


Departure Summary


ARAC (22-02) Paper 13 – Departure Summary

16.1 The Committee noted four departures from normal procurement procedures. 



Finance Update and update on upgrade to finance system

Oral update


17.1 Nia confirmed that it was too early to confirm the final out-turn figure for 2021-22 and that there were no issues to note from the interim audit of the accounts. She advised of some additional pressures caused by late returns of financial information from some service areas.

17.2 Nia informed the Committee that the upgraded finance system went live as planned and was working as well as expected, with some minor issues which were being addressed.

17.3 In relation to the approved 2022-23 budget, Nia advised that a proposal for a  supplementary budget was due to be considered by the Commission on 9 May, before being presented to the Finance Committee. The 2023-24 budget strategy paper was also due to be considered by the Commission. In response to questions from Committee members around managing costs relating to inflation and increases in National Insurance, Nia advised that, whilst every effort had been made to absorb the additional costs, a request for a supplementary budget was now necessary. She added that any savings realised during the pandemic would be offset by the increase in inflation and utilities.  

17.4 Nia agreed to share papers with the Committee on the supplementary budget and 2023-24 budget strategy once considered by the Senedd Commission and Finance Committee.

17.5 The Committee requested an update on the district heating scheme. Ed was aware of some developments on infrastructure to support the scheme and noted that the go live date for the project was still to be confirmed. He agreed to provide the Committee with an update when available.

17.6 The Chair acknowledged the amount of effort that had gone into managing finances and planning budgets, especially as it was becoming increasingly difficult to plan for the future. He also noted that resource pressures would continue to be a theme of discussion for future years. He, and the Committee members, were also pleased that the new finance system was in place and working well.


- Nia Morgan to share papers with the Committee on supplementary budget and 2023-24 budget strategy once considered by the Senedd Commission and Finance Committee.

- Ed Williams to provide an update to the Committee on the district heating scheme when available.


Committee's Annual Report to the Commission and Accounting Officer

Oral item


Commission Business

Oral update

18.1 The Chair invited members of the Committee to suggest content for the Committee’s annual report. He mentioned one area he wished to focus on which was the solidity of the ways in which the Commission were emerging from the pandemic.   



Forward work programme


ARAC (22-02) Paper 14 – Forward Work Programme

19.1 The Committee noted the forward work programme and the clerking team confirmed that a date for the autumn meeting would be arranged shortly.




Papers to note and AOB


Oral item

20.1 No other business was raised.

20.2 The Accounting Officer attended a private session with members of the Committee once formal proceedings had concluded. No minutes were taken.