Agenda and minutes

Venue: Conference Room 4B - Tŷ Hywel. View directions

Contact: Clerk: Kathryn Hughes  Deputy Clerk: Buddug Saer

No. Item


Introductions, apologies and declaration of interests


1.1     Eric Gregory declared that he was a business representative for the Parliamentary Review of Health and Social Care in Wales. 

1.2     No other interests were declared.



Minutes of 20 March, actions and matters arising


ACARAC (03-17) Paper 1 - Minutes of 20 March 2017 

ACARAC (03-17) Paper 2 – Summary of actions  

2.1     The minutes of the meeting on 20 March were agreed and the updates on actions captured in paper 2, were noted.   

2.2     Two action points were covered as separate agenda items, namely;

·         feedback on the Cyber Security Awareness Week, which was covered at item 11; and

·         prioritisation criteria for projects which was covered under the change and project management update at item 12. 

2.3     Regarding action point 7.2 (Advise of plans to repeat the benchmarking exercise for annual reports and governance statements with other public bodies and share best practice ideas with the Assembly Commission), Matthew Coe confirmed that they would inform the Committee if and when another benchmarking exercise would take place.  [Since the meeting the WAO have confirmed that a follow-up exercise would be carried out this year and, as it was a good practice exercise, they would be considering whether to repeat it annually.]

2.4     Regarding action point 16.1 (Share details of the current cost of caseworker training), Dave Tosh confirmed that the contract was for one-off casework management training offered for the first time to Assembly Members and their support staff at the start of the Fifth Assembly.  There were therefore no previous costs to use as a comparator.  The Committee were satisfied with this explanation.   



Internal Audit Update Report


ACARAC (03-17) Paper 3 – IA update report 

ACARAC (03-17) Paper 4 – PSIAS report 

3.1     Gareth Watts introduced his update report. Fieldwork had begun on the Integrated Committees audit which cut across six different service areas.  Due to the scale of this audit, Gareth advised the Committee that this work was not likely to be completed until the autumn.

3.2     The Committee welcomed Gareth’s Public Sector Internal Audit Standards (PSIAS) report, which was presented to appraise the Committee of the most recent changes to the standards. Gareth assured the Committee that no changes were required to the Commission’s processes.        

3.3     Gareth advised that he would shortly be able to share the outcome of the tender exercise which had recently been completed for the Internal Audit contract.           

3.4     The Committee noted the final External Quality Assessment report, which had been circulated out of committee. When questioned, Dave Tosh, as Director of Resources confirmed he was satisfied with the assurances. Gareth confirmed that this assessment was based on the previous version of the PSIAS and that future assessments would be based on the revised version.  

3.5     The Committee congratulated Nia Morgan and her team on the successful migration of data to the new finance system.  Nia expressed her thanks to her team for their hard work during the implementation of this project, especially considering the year-end obligations and reduced resources.       


-         Gareth Watts to share conclusion of Internal Audit tender exercise with ACARAC members by email. 



Latest Internal Audit Reports


ACARAC (03-17) Paper 5 – Assembly Members’ Allowances Audit Report

ACARAC (03-17) Paper 6 – Advisory Internal Audit Report on GDPR (TIAA)

4.1        Gareth presented two audit reports, both of which were welcomed by the Committee.

4.2        In relation to the audit of Assembly Members’ Allowances, Gareth reported that strong control procedures were in place for AMs’ expenses claims.  He also advised that the introduction of formal delegations of authority to office managers to submit claims on behalf of AMs had improved efficiency.  Suzy Davies confirmed that, despite this delegated authority, AMs fully understood their accountability for expenses claimed.

4.3        As well as testing resettlement grants paid to outgoing AMs and redundancy payments to outgoing AM support staff following the 2016 election, Gareth also tested staff recruitment processes.  Management had accepted all three of his recommendations.

4.4        In relation to the General Data Protection Regulation advisory audit, Gareth advised that assurance could be taken from the minor nature of the recommendations, which demonstrated the significant amount of preparatory work carried out by the Commission.  He also referred to a working group which had been established and a high level action plan which was being closely monitored by Alison Bond, the Commission’s Information Governance Manager.  Committee members commended the comprehensive action plan which had been circulated.

4.5        Dave mentioned that, like other legislatures and organisations, they were awaiting further detailed guidance from the Information Commissioner’s Office, which was due in the autumn. Once this guidance was produced, the action plan would be reviewed and would include a focus on advising Assembly Members as data controllers.     

4.6        The Committee were impressed and encouraged by the amount of preparation and the outcome of the advisory report, but urged officials not to be complacent.  It was agreed that AMs and their staff should be reminded of their obligations under the current data protection legislation as well as any future changes.          


-         Gareth to provide an update on recommendations of Assembly Members’ Allowances Audit report at the autumn meeting.



Consider any comments following report circulated out of committee


ACARAC (03-17) Paper 7 – Report on IRB Review

ACARAC (03-17) Paper 8 – Update on IRB Review

ACARAC (03-17) Paper 9 – Review of Closing Balances (data migration from CODA to NAV)

5.1     The Committee welcomed all three reports, on which they had shared comments with Gareth outside of the meeting. 

5.2     Discussion focused on the functions and responsibilities of the Commission’s Management Board and Investment and Resources Board (IRB).  Manon advised that she and the Directors were about to review the membership and roles of each board to ensure that they remained fit for purpose and to provide clarity on decision-making responsibilities and processes.

5.3     In response to questions about the level of challenge for IRB decisions, Dave referred to the amount of challenge that took place before proposals were presented to the board which the Committee thought could be clarified.  Manon agreed to consider alternative methods of communicating IRB decisions more widely, including with Commissioners, and would share the results of the review of governance structures after an away day.   

5.4     The Committee welcomed this positive review and the agreed actions and welcomed the proactive way in which external scrutiny was invited.  


-         Manon to consider methods of communicating IRB decisions more widely.

-         Manon to share results of review of governance structures post IRB away-day.



Internal Audit Annual Report


ACARAC (03-17) Paper 10 – Internal Audit Annual Report and Opinion 2016-17

6.1     The Committee approved Gareth’s annual report, which recognised that ‘…generally adequate and effective risk management, control and governance processes were in place…’, and congratulated him on his work and the continued contribution internal audit had made to providing assurance.  They particularly welcomed the focus on the impact and outcomes of the audit work and encouraged further focus on this in future reports. They were also encouraged to hear that a team member was due to commence internal audit training to further support his work.



Annual Report on Fraud


ACARAC (03-17) Paper 11 – Annual Report on Fraud

7.1     Gareth presented this report and confirmed that during 2016-17, there were no cases brought to his attention of actual or suspected fraudulent activity.  The Committee noted the report and recommended that future reports should include an overall assessment of assurances.

7.2     When questioned, Gareth outlined those with responsibility for detection of fraud, which included the Director of Finance and the Heads of Internal Audit and ICT, and agreed to share a list of these with the Committee.  The Committee noted that TIAA and the WAO also shared intelligence with Gareth and Nia, which would continue. 


-         Gareth to share details of responsibilities for fraud detection with the Committee.

-         Gareth to include an overall assessment of assurances in his next update paper and in future annual reports on fraud.



Draft Annual Report and Accounts, including the Governance Statement - hard copies available at meeting


8.1     Recent correspondence between the Chair of the Assembly’s Finance Committee and Suzy Davies, Commissioner had been circulated in advance of the meeting.  The Committee discussed ways in which the Commissioners and the Finance Committee could be briefed on decisions around major areas of spend and prioritisation in a way that would demonstrate due diligence and rigorous decision-making and provide further transparency during the year.

8.2     Ann-Marie Harkin also advised of a request made by the Chair of the Assembly’s Finance Committee to the Auditor General for Wales for a comparison to be made with other organisations around committee responsibilities for scrutinising or approving major spending decisions.


-         Manon to brief ACARAC following attendance at Finance Committee meeting.

ACARAC (03-17) Paper 12 – Draft Annual Report and Statement of Accounts 2016-17 – cover paper

ACARAC (03-17) Paper 12 – Annex A Draft Annual Report and Statement of Accounts 2016-17


9.1        Manon and Nia thanked the Committee for comments already received to the draft Annual Report and Statement of Accounts.   

9.2        The Committee thanked Manon, Nia and their teams for early sight of the report and urged them to ensure that statistics within the report were consistent with the key performance indicators. 

9.3        A final version of the report would be presented at the July meeting. 


External Audit update


ACARAC (03-17) Paper 13 – WAO update on 2016-17

10.1    Ann-Marie Harkin expressed her thanks, on behalf of her team at the WAO for the support and co-operation they had received from the Finance team and other Commission staff.  The Chair thanked the WAO for early presentation of the Financial Statements Report (ISA260) and Management Letter.  Ann-Marie confirmed that this was a straightforward audit with a high quality set of accounts and confirmed that there were no matters arising from their audit work and no significant matters to discuss.

10.2    The Chair recognised the excellent quality of the accounts, reflected by the ISA260: there were no uncorrected misstatements, no material internal control weaknesses and no recommendations arising.  Also, there were no outstanding actions from 2015-16.  The Committee praised all involved in the audit process, especially Nia and her team.  

10.3    Nia thanked everyone for their comments and advised that there would be additional focus on forecasting spend in future years. 



Feedback on the Cyber Security Awareness week - oral item


Oral item

11.1    Suzy reported that feedback from Assembly Members of their awareness of the cyber security awareness week and the issue of cyber security in general, suggested that the messages had not penetrated as intended.

11.2    Dave agreed to share this feedback with the Head of ICT in order to establish effective means of sharing these powerful and important messages with Assembly Members and their staff.     


-         Dave to provide the Committee with an update on awareness raising around cyber security with AMs and AMSS.



Change and project management update - oral item


Oral item

12.1     Further to the Committee’s recommendation, Dave informed the Committee that work was underway to develop guidance on the prioritisation of projects for IRB.  It had also been recognised that the challenge and assurance around business cases could be better documented.  The Committee welcomed this and asked for an update when available.    


-         Dave to update the Committee on progress with guidance on project prioritisation.     



Corporate Risks Report


ACARAC (03-17) Paper 14 - Corporate Risks

ACARAC (03-17) Paper 14 – Annex A - Corporate Risks Summary Report ACARAC (03-17) Paper 14 – Annex B - Corporate Risks plotted Corporate Risks Report

13.1    Dave informed the Committee that the Management Board had reviewed the register on 25 May, and risk owners had reviewed their risks again ahead of this paper being presented to the Committee.  The Committee were asked to note the changes to the register.

13.2    Dave reported that discussions were ongoing between relevant Management Board members to ensure a co-ordinated and strategic approach to the cumulative impact of constitutional and other corporate risks.  This approach was proving beneficial and responses to the risks would be discussed further at a forthcoming Management Board away day.  The Committee welcomed the documentation of the inter-related risks at Annex C of the paper. 

13.3    The Committee thanked officials for presenting details of their review and updates to the corporate risks register and noted the elevated severity of the Cyber Threat and Brexit risks.  They also suggested re-wording the cyber security risk.   


-         Dave to consider re-wording risk around cyber security (ICT16).



Critical examination of one identified or emerging risk - General Data Protection Regulation (GDPR)


ACARAC (03-17) Paper 15 – GDPR Risk  

14.1    The Committee welcomed Alison Bond to the meeting and informed her that the detailed action plan demonstrated that the Commission’s preparations were more advanced than in other organisations. 

14.2    Alison shared with the Committee her high level short and long term actions, explaining how these were mitigating the risk of not being prepared for the new Regulation as far as possible in advance of guidance which was due to be produced by the ICO in the autumn.  She also explained how the working group would identify further risks and issues, and test new processes in advance of GDPR coming into force in May 2018.

14.3    Although the advisory audit report was positive, she asked Committee members to consider and share details of any contacts from other organisations, with whom she could engage.     


-         ACARAC members to share relevant GDPR contacts with the Information Governance Manager.



SIRO Annual Report 2016-17


ACARAC (03-17) Paper 16 – SIRO Annual Report 2016-17   

15.1    The Committee welcomed the report which they agreed provided a further level of assurance.  Committee members suggested that qualitative statements were backed up by more specific quantitative evidence in future reports.

15.2    Dave wanted to formally record his thanks to Alison Bond for her hard work and commitment to improving and maintaining information governance standards across the organisation, as outlined in this report, and for her work on preparation for the new GDPR.     



Consider the approach to reviewing the Committee's effectiveness (report by Feb 2018)


ACARAC (03-17) Paper 17 – Previous survey questions (2015) 

16.1     The Committee agreed the timetable for the next survey, which would be issued in November 2017 and report in February 2018.  Committee members agreed to send any suggested revisions to the survey questions to the Clerking team by August.


-         ACARAC members to send suggestions for changes to the survey questions to the Clerking team.



Agree the Committee's annual report to the Commission and Accounting Officer


ACARAC (03-17) Paper 18 – ACARAC Annual Report


17.1     The Committee’s annual report was agreed without any further changes.  The Clerking team would arrange for this to be translated in preparation for it to be presented, by the Chair at the Assembly Commission meeting in July. 



Departures Summary


ACARAC (03-17) Paper 19 – Departures Summary

18.1     The Committee noted five departures from normal procurement procedure.  Dave confirmed that the host country for the Commonwealth Women’s Parliamentary Conference always funded accommodation.  They also noted that, due to the improved controls put in place by new finance system, the number of departures being reported had increased. They welcomed Manon’s suggestion of monitoring these closely. 


Forward Work Programme


ACARAC (03-17) Paper 20 – Forward Work Programme

19.1    The Chair asked for the Committee to review the forward work programme and send any suggested additions to the Clerking team by August.


-         ACARAC members to send suggestions on the FWP to the Clerking team.


Next meeting is scheduled for 18 July 2017.