Agenda and minutes
Venue: Conference Room 4B - Tŷ Hywel.
Contact: Clerk: Kathryn Hughes Deputy Clerk: Buddug Saer
No. | Item |
---|---|
Introductions, apologies and declaration of interests
Minutes:
1.1 Apologies were received from Ann-Marie Harkin, Wales Audit Office (WAO).
1.2 The Chair welcomed Mark Neilson (Head of ICT and Broadcasting) and Richard Coombe (Head of Infrastructure & Operations Management).
1.3 Eric Gregory declared that he continued to be part of the implementation team for the Parliamentary Review of Health and Social Care in Wales.
1.4 No other interests were declared.
1.5 It had been agreed out of committee that, in order to reflect the change of name from the Assembly Commission to the Senedd Commission which would come into effect on 6 May, the full name of the Committee would change to the Senedd Commission Audit and Risk Assurance Committee (SCARAC) and would be commonly referred to internally as ARAC. |
|
Minutes of 5 February, actions and matters arising
Minutes:
ACARAC (02-18) Paper 1 - Minutes of 5 February 2018
ACARAC (02-18) Paper 2 – Summary of actions
2.1 The minutes of the meeting on 5 February were agreed and the completed actions captured in paper 2 were noted. |
|
Cyber Security update
Minutes: Oral update
3.1 The Committee agreed to consider ACARAC (02-18) Paper 11 – Cyber Security alongside the risks around cyber-security (ICT16) and the update from the Heads of ICT and IT Infrastructure under this item.
3.2 Mark Neilson and Richard attended the meeting to provide an update on the actions the Commission had taken to improve cyber security.
3.3 The Committee were informed that there were two areas of focus: technical and human. Mark provided statistics for the number of attempted cyber-attacks on the Commission over the past six months. The Committee noted that the corporate risk around cyber-security reflected that it was impossible to prevent cyber-attacks and that the focus was on protecting, detecting and responding to these.
3.4 Richard highlighted a change in the approach to cyber-security from a single ‘ring of steel’ approach to a layered defence with greater use of analytics and reporting. Richard reported that the National Cyber Security Centre issues alerts when other organisations are attacked.
3.5 The Committee questioned what work had been done in relation to the internal threat, particularly potentially malicious behaviour. Richard stated that the Commission was considering the introduction of a new information classification system and the Chair urged the Commission to accelerate this, taking account of lessons learned by other public sector organisations.
3.6 The Committee noted the improved internal audit rating.
3.7 The Committee noted that cyber response plans had been successfully tested and that Mark and Gareth Watts would oversee further testing of defence and recovery plans.
3.8 In response to questions from the Committee, Dave confirmed that the procurement process contains a cyber-security checklist for third party suppliers and that regular contract reviews ensured this was adhered to.
3.9 The Committee suggested that a multi-dimensional model is created which would highlight the various elements of cyber-security ‘at-a-glance’. Mark confirmed he would work with Gareth Watts and Clive FitzGerald (TIAA) to develop this.
3.10 Mark informed the Committee of the work underway to raise and test awareness of cyber-security best practice among Commission staff, Assembly Members and their Support Staff. The aim was to reduce the severity rating of the risk.
3.11 The Committee asked whether insourcing ICT had provided cyber-security benefits. Dave considered the Commission to be in a better position to tailor and test cyber-security controls. Mark added that the current arrangement allowed the Commission to be agile in its approach, whilst also being able to rely on Microsoft’s experience.
3.12 The Committee noted Gareth's intention to carry out a formal annual audit and agreed that an update on cyber-security, including the implementation of internal audit recommendations, should be provided every six months.
3.13 Eric thanked officials for attending and for their clear articulation of a complex issue.
Action: Cyber-security to be added to the forward work programme for review every six months. |
|
Prioritisation Criteria
Minutes: Update via presentation
4.1 This item was deferred to the June meeting. |
|
Draft Governance Statement 2017-18
Minutes:
ACARAC (02-18) Paper 3 – Draft Governance Statement for 2017-18 – cover paper
ACARAC (02-18) Paper 3 – Draft Governance Statement for 2017-18
5.1 Manon presented an early draft of the 2017-18 Annual Governance Statement (AGS). The financial figures were still being finalised but the Commission was confident that there would be no overspend.
5.2 The Committee discussed the challenge session which took place in February 2018 where Eric had scrutinised and provided independent challenge to the Directors' Assurance Statements. Eric and officials agreed it had been a robust session with open and honest discussion.
5.3 The Committee suggested adding more detail on the recent governance and senior management changes, staff engagement in the refresh of organisational values, and external recognition. The Committee also suggested the following areas for focus in 2018-19: implementing and ratifying General Data Protection Regulation (GDPR) changes; cyber-security; and dignity and respect policies and procedures.
5.4 The Chair asked if there had been any new guidance on governance statements and Gareth Watts provided assurance that nothing new had been produced and that existing best practice, including audit reports and the NAO checklist on governance statements, had been taken into account.
5.5 Manon described the work being done to streamline reports and outputs throughout the year to minimise duplication of effort, whilst maintaining an appropriate flow of information to all stakeholders.
5.6 The Committee concluded that this was a good first draft and that the level of detail was appropriate in balancing transparency and readability. It was agreed that any further suggestions would be emailed.
Action: Committee members to email suggested changes to the Governance Statement to Kathryn Hughes. |
|
Review the overall Assurance Framework
Minutes:
ACARAC (02-18) Paper 4 – Assurance Framework update
ACARAC (02-18) Paper 4 – Annex A – Assurance Map
ACARAC (02-18) Paper 4 – Annex B – Assurance FW April 2017 – Mar 2018
6.1 Gareth Watts presented an update on how the Commission's Assurance Framework was being applied. He explained that there was increased ownership of, and engagement with, the assurance mapping process by Heads of Service. This had been achieved, in part, by delegating responsibility for reviewing and populating the assurance map processes and activities to inform assurance statements. His team had worked with service areas to help develop a governance and assurance culture across the Commission, including the provision of tailored training and awareness sessions.
6.2 The Committee highlighted that all bar one of the Assurance Map components had a green RAG status and suggested that different approaches to identify areas for improvement should be considered. Gareth agreed, and he and Kathryn Hughes had already begun to consider alternative ways of presenting this information in future.
6.3 Hugh suggested that more detail could be provided which clearly identified the levels of assurance associated with Commission processes and risks. Gareth reminded the Committee that the assurance map was underpinned by detailed service level assurance maps and statements which provided more detailed analysis and were used to identify areas of strength and weaknesses in assurance. This information was available to the Committee members.
6.4 The Committee discussed whether, as well as updating the Commission's Assurance Map to reflect the new governance structure, it should reflect the scrutiny the Commission received from the Public Accounts Committee and Finance Committee and whether ACARAC should be explicitly shown in the third line of defence, although only the high-level lines of defence element of the framework had been presented.
Action: Officials to consider referencing PAC and Finance Committee on the Commission's Assurance Map and adding ACARAC to the third line of defence. |
|
Update on whistleblowing and fraud policies
Minutes:
ACARAC (02-18) Paper 5 – Whistleblowing Policy and Fraud Policy Updates
7.1 Gareth Watts advised the Committee that no substantive changes had been made to the Commission’s Whistleblowing and Fraud policies. He agreed to consider testing the Whistleblowing policy.
7.2 In relation to the fraud policy, the Chair suggested that the Head of Internal Audit’s Annual Report on Fraud (to be presented at the June 2018 meeting) should refer to the Commission’s Policy Framework and other measures taken to raise awareness.
7.3 The Chair also asked for an update on the WAO's Fraud checklist. Gareth Watts had discussed this with the WAO and would be gathering the views of management based on his own assessment before presenting the checklist to the Committee. Gareth Lucey, from the WAO, confirmed that, in line with International Standards on Auditing (ISA), each of the bodies they audited were required to complete the checklist.
Action: Gareth Watts to include details of fraud awareness in his Annual Report on Fraud. |
|
Corporate Risk Report
Minutes:
ACARAC (02-18) Paper 6 – Corporate Risks
ACARAC (02-18) Paper 6 – Annex A – Corporate Risks Summary Report
ACARAC (02-18) Paper 6 – Annex B – Corporate Risks plotted
8.1 Dave informed the Committee that it was now the responsibility of the Executive Board to review the Commission's Corporate Risk Register and that individual corporate risks were now owned by Directors. Directors would commission and challenge the quarterly risk reports from their Heads of Service, which would feed into discussions at Executive Board meetings.
8.2 The Committee noted the changes and movements highlighted in the paper and discussed the ratings of the Corporate Risks and adequacy of the controls. Regarding the Capacity Review risk, more quantitative data, including benchmarking with other legislatures, would be gathered to inform decisions by the Steering Group in phase two of the review.
8.3 The Committee highlighted the number of ‘red’ rated risks, particularly compared with a year ago, but accepted this was appropriate given the impact of, and limited control the Commission had over risks including GDPR for Assembly Members and Brexit. Dave confirmed that all risks were regularly reviewed and that the scenario planning sessions on Brexit and Assembly Reform helped ensure the Commission was as informed and prepared as possible with the resources available. |
|
Finance update
Minutes:
ACARAC (02-18) Paper 7 – Finance update
ACARAC (02-18) Paper 7 – Appendix A
9.1 Nia set out the latest financial position for 2017-18 and the anticipated position for 2018-19 and 2019-20. She anticipated that, helped by robust spending prioritisation by the Executive Board, the Commission would be within the challenging target of 0.5% at the year end.
9.2 HMRC were currently undertaking an audit of the Commission’s pay arrangements which had required diverting some resources within the Finance team. The process would take between 12 and 18 months and was not expected to have an impact on the audit timeline.
9.3 The Committee discussed the implications for the Commission’s budget of the Finance Committee’s inquiry into the Remuneration Board’s Determination Underspend and the Remuneration Board’s consultation on proposals arising from the review of staffing support for Members.
9.4 The Committee thanked Nia for an excellent report. |
|
Internal Audit Update Report
Minutes:
ACARAC (02-18) Paper 8 – IA update report
10.1 Gareth introduced his update report. He highlighted the progress made since the February meeting, which included the completion of four internal audit reports. His additional commitments during 2017-18 meant that some internal audit work remained outstanding. He congratulated Victoria Paris, who had recently passed Part 1 of the Certified Internal Audit qualification.
10.2 The Committee was content with the report and recognised the additional work Gareth has been involved in over the past year. They questioned whether, given Gareth’s additional workload, the Commission could make more use of TIAA. Gareth acknowledged that there remains flexibility in the contract for this, and highlighted the increase in resilience and in-house capacity for internal audit which was also being introduced by training Victoria. He confirmed that he was still in a position to present an annual opinion at the June 2018 meeting. He committed to keep the capacity and resourcing of internal audit activity under review. |
|
Internal Audit External Quality Assurance (EQA)
Minutes:
ACARAC (02-18) Paper 9 – EQA cover paper
ACARAC (02-18) Paper – progress of EQA action plan
11.1 The Committee noted the good progress made against the recommendations raised in the 2017 report. |
|
Consider Internal Audit's outline audit plan for 2018-19
Minutes:
ACARAC (02-18) Paper 10 – Internal Audit Plan 2018-19
12.1 The Committee approved the audit plan for 2018-19. |
|
Latest Internal Audit Report and previously circulated reports
Minutes:
ACARAC (02-18) Paper 11 – Cyber Security
Previously circulated IA Reports
ACARAC (02-18) Paper 12 – AMs’ Pension Scheme
ACARAC (02-18) Paper 13 – GDPR
ACARAC (02-18) Paper 14 – Security Assurance Review
13.1 The Committee had discussed ACARAC (02-18) Paper 11 – Cyber Security under agenda item 3. The Committee noted the papers that had been previously circulated and agreed to discuss feedback with Gareth in the private session which followed this meeting. |
|
Review the Internal Audit Charter and Internal Audit's compliance with Public Sector Internal Audit Standard (PSIAS)
Minutes:
ACARAC (02-18) Paper 15 – Internal Audit Charter cover paper
ACARAC (02-18) Paper 15 – Internal Audit Charter
14.1 The Committee noted the minor changes to the Internal Audit Charter which had been updated in accordance with PSIAS, and approved the Charter for 2018-19. |
|
Update from attendance at TIAA Audit Chairs Conference
Minutes: Oral Item
15.1 This item was deferred until the July meeting.
Action: Update on the role of Audit and Risk Assurance Committees and Internal Audit, including feedback from the TIAA Chairs Conference, to be added to the July agenda. |
|
WAO update report
Minutes:
ACARAC (02-18) Paper 16
16.1 Gareth Lucey presented the WAO’s update report. Interim visits had taken place in January ahead of the 2017-18 audit, which was due to formally start on 21 May.
16.2 The Committee agreed it was helpful to receive a breakdown of the WAO fee.
16.3 Gareth Watts confirmed that agreement had been reached with the WAO and Welsh Government regarding the treatment of the Auditor General for Wales’ salary and that this had been documented. |
|
Review of Joint Working Protocol between WAO and Internal Audit
Minutes:
ACARAC (02-18) Paper 17
17.1 The Committee noted that no substantive changes had been made to the Joint Working Protocol and that the agreed actions were in hand.
17.2 Gareth Lucey confirmed that the WAO is itself required to meet international standards. The WAO has an internal quality assurance review regime as well as being subject to external reviews by the Quality Assurance Department of the Institute of Chartered Accountants in England and Wales (ICAEW). |
|
Departure Summary
Minutes:
ACARAC (02-18) Paper 18 – Departure Summary
18.1 The Committee noted three departures from normal procurement procedure. Dave informed the Committee that the Corporate Suiting contract had been extended due to the absence of alternative suppliers on the National Procurement Service (NPS) Framework.
18.2 In response to a question about the gender equality benchmarking, Manon stated that it was important for the Commission to be focused on equality and to be leading by example. She confirmed that the Commission had not yet committed to taking part in future years. |
|
Outline of ACARAC Annual Report
Minutes:
ACARAC (02-18) Paper 19 – Draft ACARAC Annual Report
19.1 The Chair highlighted some minor updates to the draft report to better reflect the current position, including GDPR. Gareth confirmed that there had been no issues arising from Internal Audit reports. The Committee requested an update on the Digital Transformation programme.
Action: Dave to provide details of what has been delivered via Digital Transformation for inclusion in the ACARAC Annual Report. |
|
Forward Work Programme
Minutes:
ACARAC (02-18) Forward Work Programme
20.1 The Committee agreed to add the following items to the agenda for the July meeting: reflections from Keith on his role as Independent Adviser to the Commission; an update on Assembly Reform, Brexit, and Accommodation; the outcome of the inquiry into the Remuneration Board’s Determination Underspend; and delivery of the Capacity Review objectives. The Clerking team would update and publish a revised forward work programme. 20.
Private session
21.1 Gareth Watts attended a private session with members of the Committee once formal proceedings concluded. No minutes were taken.
Next meeting is scheduled for 16 June 2018. |