Agenda and minutes

Venue: Conference Room 4B - Tŷ Hywel.

Contact: Clerk: Kathryn Hughes  Deputy Clerk: Buddug Saer

No. Item


Introductions, apologies and declaration of interests


1.1     Apologies were received from Ann-Marie Harkin, Wales Audit Office (WAO).

1.2     The Chair welcomed Mark Neilson (Head of ICT and Broadcasting) and Richard Coombe (Head of Infrastructure & Operations Management).

1.3     Eric Gregory declared that he continued to be part of the implementation team for the Parliamentary Review of Health and Social Care in Wales. 

1.4     No other interests were declared.

1.5     It had been agreed out of committee that, in order to reflect the change of name from the Assembly Commission to the Senedd Commission which would come into effect on 6 May, the full name of the Committee would change to the Senedd Commission Audit and Risk Assurance Committee (SCARAC) and would be commonly referred to internally as ARAC.



Minutes of 5 February, actions and matters arising


ACARAC (02-18) Paper 1 - Minutes of 5 February 2018

ACARAC (02-18) Paper 2 – Summary of actions  

2.1        The minutes of the meeting on 5 February were agreed and the completed actions captured in paper 2 were noted.



Cyber Security update


Oral update

3.1     The Committee agreed to consider ACARAC (02-18) Paper 11 – Cyber Security alongside the risks around cyber-security (ICT16) and the update from the Heads of ICT and IT Infrastructure under this item.

3.2     Mark Neilson and Richard attended the meeting to provide an update on the actions the Commission had taken to improve cyber security.

3.3     The Committee were informed that there were two areas of focus: technical and human. Mark provided statistics for the number of attempted cyber-attacks on the Commission over the past six months. The Committee noted that the corporate risk around cyber-security reflected that it was impossible to prevent cyber-attacks and that the focus was on protecting, detecting and responding to these.

3.4        Richard highlighted a change in the approach to cyber-security from a single ‘ring of steel’ approach to a layered defence with greater use of analytics and reporting. Richard reported that the National Cyber Security Centre issues alerts when other organisations are attacked.

3.5     The Committee questioned what work had been done in relation to the internal threat, particularly potentially malicious behaviour. Richard stated that the Commission was considering the introduction of a new information classification system and the Chair urged the Commission to accelerate this, taking account of lessons learned by other public sector organisations.

3.6     The Committee noted the improved internal audit rating. 

3.7     The Committee noted that cyber response plans had been successfully tested and that Mark and Gareth Watts would oversee further testing of defence and recovery plans.

3.8     In response to questions from the Committee, Dave confirmed that the procurement process contains a cyber-security checklist for third party suppliers and that regular contract reviews ensured this was adhered to.

3.9     The Committee suggested that a multi-dimensional model is created which would highlight the various elements of cyber-security ‘at-a-glance’. Mark confirmed he would work with Gareth Watts and Clive FitzGerald (TIAA) to develop this.

3.10 Mark informed the Committee of the work underway to raise and test awareness of cyber-security best practice among Commission staff, Assembly Members and their Support Staff. The aim was to reduce the severity rating of the risk.

3.11 The Committee asked whether insourcing ICT had provided cyber-security benefits. Dave considered the Commission to be in a better position to tailor and test cyber-security controls. Mark added that the current arrangement allowed the Commission to be agile in its approach, whilst also being able to rely on Microsoft’s experience.

3.12 The Committee noted Gareth's intention to carry out a formal annual audit and agreed that an update on cyber-security, including the implementation of internal audit recommendations, should be provided every six months.

3.13 Eric thanked officials for attending and for their clear articulation of a complex issue.


Cyber-security to be added to the forward work programme for review every six months.



Prioritisation Criteria


Update via presentation

4.1        This item was deferred to the June meeting.



Draft Governance Statement 2017-18


ACARAC (02-18) Paper 3 – Draft Governance Statement for 2017-18 – cover paper

ACARAC (02-18) Paper 3 – Draft Governance Statement for 2017-18

5.1        Manon presented an early draft of the 2017-18 Annual Governance Statement (AGS). The financial figures were still being finalised but the Commission was confident that there would be no overspend.

5.2        The Committee discussed the challenge session which took place in February 2018 where Eric had scrutinised and provided independent challenge to the Directors' Assurance Statements. Eric and officials agreed it had been a robust session with open and honest discussion.

5.3        The Committee suggested adding more detail on the recent governance and senior management changes, staff engagement in the refresh of organisational values, and external recognition. The Committee also suggested the following areas for focus in 2018-19: implementing and ratifying General Data Protection Regulation (GDPR) changes; cyber-security; and dignity and respect policies and procedures.

5.4        The Chair asked if there had been any new guidance on governance statements and Gareth Watts provided assurance that nothing new had been produced and that existing best practice, including audit reports and the NAO checklist on governance statements, had been taken into account.

5.5        Manon described the work being done to streamline reports and outputs throughout the year to minimise duplication of effort, whilst maintaining an appropriate flow of information to all stakeholders.

5.6        The Committee concluded that this was a good first draft and that the level of detail was appropriate in balancing transparency and readability. It was agreed that any further suggestions would be emailed.


Committee members to email suggested changes to the Governance Statement to Kathryn Hughes.



Review the overall Assurance Framework


ACARAC (02-18) Paper 4 – Assurance Framework update

ACARAC (02-18) Paper 4 – Annex A – Assurance Map

ACARAC (02-18) Paper 4 – Annex B – Assurance FW April 2017 – Mar 2018

6.1        Gareth Watts presented an update on how the Commission's Assurance Framework was being applied. He explained that there was increased ownership of, and engagement with, the assurance mapping process by Heads of Service. This had been achieved, in part, by delegating responsibility for reviewing and populating the assurance map processes and activities to inform assurance statements. His team had worked with service areas to help develop a governance and assurance culture across the Commission, including the provision of tailored training and awareness sessions.

6.2        The Committee highlighted that all bar one of the Assurance Map components had a green RAG status and suggested that different approaches to identify areas for improvement should be considered. Gareth agreed, and he and Kathryn Hughes had already begun to consider alternative ways of presenting this information in future.

6.3        Hugh suggested that more detail could be provided which clearly identified the levels of assurance associated with Commission processes and risks. Gareth reminded the Committee that the assurance map was underpinned by detailed service level assurance maps and statements which provided more detailed analysis and were used to identify areas of strength and weaknesses in assurance. This information was available to the Committee members.

6.4        The Committee discussed whether, as well as updating the Commission's Assurance Map to reflect the new governance structure, it should reflect the scrutiny the Commission received from the Public Accounts Committee and Finance Committee and whether ACARAC should be explicitly shown in the third line of defence, although only the high-level lines of defence element of the framework had been presented.


Officials to consider referencing PAC and Finance Committee on the Commission's Assurance Map and adding ACARAC to the third line of defence.



Update on whistleblowing and fraud policies


ACARAC (02-18) Paper 5 – Whistleblowing Policy and Fraud Policy Updates

7.1        Gareth Watts advised the Committee that no substantive changes had been made to the Commission’s Whistleblowing and Fraud policies. He agreed to consider testing the Whistleblowing policy.

7.2        In relation to the fraud policy, the Chair suggested that the Head of Internal Audit’s Annual Report on Fraud (to be presented at the June 2018 meeting) should refer to the Commission’s Policy Framework and other measures taken to raise awareness.

7.3        The Chair also asked for an update on the WAO's Fraud checklist. Gareth Watts had discussed this with the WAO and would be gathering the views of management based on his own assessment before presenting the checklist to the Committee. Gareth Lucey, from the WAO, confirmed that, in line with International Standards on Auditing (ISA), each of the bodies they audited was required to complete the checklist.


Gareth Watts to include details of fraud awareness in his Annual Report on Fraud.



Corporate Risk Report


ACARAC (02-18) Paper 6 – Corporate Risks

ACARAC (02-18) Paper 6 – Annex A – Corporate Risks Summary Report

ACARAC (02-18) Paper 6 – Annex B – Corporate Risks plotted

8.1        Dave informed the Committee that it was now the responsibility of the Executive Board to review the Commission's Corporate Risk Register and that individual corporate risks were now owned by Directors. Directors would commission and challenge the quarterly risk reports from their Heads of Service, which would feed into discussions at Executive Board meetings.

8.2        The Committee noted the changes and movements highlighted in the paper and discussed the ratings of the Corporate Risks and adequacy of the controls. Regarding the Capacity Review risk, more quantitative data, including benchmarking with other legislatures, would be gathered to inform decisions by the Steering Group in phase two of the review.

8.3        The Committee highlighted the number of ‘red’ rated risks, particularly compared with a year ago, but accepted this was appropriate given the impact of, and limited control the Commission had over, risks including GDPR for Assembly Members and Brexit. Dave confirmed that all risks were regularly reviewed and that the scenario planning sessions on Brexit and Assembly Reform helped ensure the Commission was as informed and prepared as possible with the resources available.



Finance update


ACARAC (02-18) Paper 7 – Finance update

ACARAC (02-18) Paper 7 – Appendix A

9.1        Nia set out the latest financial position for 2017-18 and the anticipated position for 2018-19 and 2019-20.  She anticipated that, helped by robust spending prioritisation by the Executive Board, the Commission would be within the challenging target of 0.5% at the year end.

9.2        HMRC were currently undertaking an audit of the Commission’s pay arrangements which had required diverting some resources within the Finance team. The process would take between 12 and 18 months and was not expected to have an impact on the audit timeline.

9.3        The Committee discussed the implications for the Commission’s budget of the Finance Committee’s inquiry into the Remuneration Board’s Determination Underspend and the Remuneration Board’s consultation on proposals arising from the review of staffing support for Members.

9.4        The Committee thanked Nia for an excellent report.



Internal Audit Update Report


ACARAC (02-18) Paper 8 – IA update report

10.1     Gareth introduced his update report. He highlighted the progress made since the February meeting, which included the completion of four internal audit reports. His additional commitments during 2017-18 meant that some internal audit work remained outstanding. He congratulated Victoria Paris, who had recently passed Part 1 of the Certified Internal Audit qualification.

10.2     The Committee was content with the report and recognised the additional work Gareth has been involved in over the past year. They questioned whether, given Gareth’s additional workload, the Commission could make more use of TIAA. Gareth acknowledged that there remains flexibility in the contract for this, and highlighted the increase in resilience and in-house capacity for internal audit which was also being introduced by training Victoria. He confirmed that he was still in a position to present an annual opinion at the June 2018 meeting. He committed to keep the capacity and resourcing of internal audit activity under review.



Internal Audit External Quality Assurance (EQA)


ACARAC (02-18) Paper 9 – EQA cover paper

ACARAC (02-18) Paper – progress of EQA action plan

11.1     The Committee noted the good progress made against the recommendations raised in the 2017 report.



Consider Internal Audit's outline audit plan for 2018-19


ACARAC (02-18) Paper 10 – Internal Audit Plan 2018-19

12.1     The Committee approved the audit plan for 2018-19.



Latest Internal Audit Report and previously circulated reports


ACARAC (02-18) Paper 11 – Cyber Security

Previously circulated IA Reports

ACARAC (02-18) Paper 12 – AMs’ Pension Scheme

ACARAC (02-18) Paper 13 – GDPR

ACARAC (02-18) Paper 14 – Security Assurance Review

13.1     The Committee had discussed ACARAC (02-18) Paper 11 – Cyber Security under agenda item 3. The Committee noted the papers that had been previously circulated and agreed to discuss feedback with Gareth in the private session which followed this meeting.   



Review the Internal Audit Charter and Internal Audit's compliance with Public Sector Internal Audit Standard (PSIAS)


ACARAC (02-18) Paper 15 – Internal Audit Charter cover paper

ACARAC (02-18) Paper 15 – Internal Audit Charter

14.1    The Committee noted the minor changes to the Internal Audit Charter which had been updated in accordance with PSIAS, and approved the Charter for 2018-19.    


Update from attendance at TIAA Audit Chairs Conference


Oral Item

15.1     This item was deferred until the July meeting.


Update on the role of Audit and Risk Assurance Committees and Internal Audit, including feedback from the TIAA Chairs Conference, to be added to the July agenda.



WAO update report


ACARAC (02-18) Paper 16

16.1     Gareth Lucey presented the WAO’s update report. Interim visits had taken place in January ahead of the 2017-18 audit, which was due to formally start on 21 May.

16.2     The Committee agreed it was helpful to receive a breakdown of the WAO fee.

16.3     Gareth Watts confirmed that agreement had been reached with the WAO and Welsh Government regarding the treatment of the Auditor General for Wales’ salary and that this had been documented.



Review of Joint Working Protocol between WAO and Internal Audit


ACARAC (02-18) Paper 17

17.1     The Committee noted that no substantive changes had been made to the Joint Working Protocol and that the agreed actions were in hand.

17.2     Gareth Lucey confirmed that the WAO is itself required to meet international standards. The WAO has an internal quality assurance review regime as well as being subject to external reviews by the Quality Assurance Department of the Institute of Chartered Accountants in England and Wales (ICAEW).



Departure Summary


ACARAC (02-18) Paper 18 – Departure Summary

18.1     The Committee noted three departures from normal procurement procedure. Dave informed the Committee that the Corporate Suiting contract had been extended due to the absence of alternative suppliers on the National Procurement Service (NPS) Framework.

18.2     In response to a question about the gender equality benchmarking, Manon stated that it was important for the Commission to be focused on equality and to be leading by example. She confirmed that the Commission had not yet committed to taking part in future years.



Outline of ACARAC Annual Report


ACARAC (02-18) Paper 19 – Draft ACARAC Annual Report

19.1     The Chair highlighted some minor updates to the draft report to better reflect the current position, including GDPR. Gareth confirmed that there had been no issues arising from Internal Audit reports. The Committee requested an update on the Digital Transformation programme.


Dave to provide details of what has been delivered via Digital Transformation for inclusion in the ACARAC Annual Report.



Forward Work Programme


ACARAC (02-18) Forward Work Programme

20.1     The Committee agreed to add the following items to the agenda for the July meeting: reflections from Keith on his role as Independent Adviser to the Commission; an update on Assembly Reform, Brexit, and Accommodation; the outcome of the inquiry into the Remuneration Board’s Determination Underspend; and delivery of the Capacity Review objectives. The Clerking team would update and publish a revised forward work programme.

Private session

21.1     Gareth Watts attended a private session with members of the Committee once formal proceedings concluded. No minutes were taken.


Next meeting is scheduled for 16 June 2018.