Agenda and minutes
Venue: Conference Room 4B - Tŷ Hywel.
Contact: Clerk: Kathryn Hughes; Deputy Clerk: Ryan Bishop
Introductions, apologies and declaration of interests
1.1 One apology was received from Hugh Widdis, Independent Committee
1.2 The Chair welcomed everyone to the meeting, with a special
welcome to Aled Eirug, who was observing the meeting ahead of formally joining
the Committee in October 2019.
1.3 No interests were declared.
Minutes of 25 March, actions and matters arising
(03-19) Paper 1 - Minutes of 25 March 2019
ACARAC (03-19) Paper 2 – Summary of actions
The minutes of the meeting of 25 March were agreed. Actions were
either completed or ongoing.
Action 3.4 (procurement strategy): Dave Tosh and Jan Koziel, Head
of Procurement, had held several productive discussions with the South Wales
Chamber of Commerce around potential barriers for companies to tender for
contracts. Ann Beynon suggested these discussions should continue, involving
Gareth Watts where necessary. The Chair welcomed the update and the fact that
discussions would continue with other organisations. The Committee agreed to
return to this topic at a future meeting.
Governance & Assurance Update Report
ACARAC (03-19) Paper 3 – Governance & Assurance
Update Report June 2019
Gareth Watts presented
his report which provided the Committee with an update on internal audit and other
activities undertaken by him and his team. He advised that the 2018-19 audit
plan had been completed, highlighted the positive responses from management and
said that any outstanding recommendations would be followed up throughout the year.
The Committee asked to return to the implications for Assembly Commission
governance arising from proposals relating to the Electoral Commission at a future
In response to questions
from Committee members, Gareth advised that there were no unmanageable risks
posed by delaying production of data processing agreements between the Assembly
Commission and Members until after the 2021 Election. This would also provide
the best opportunity to capture the new cohort of Members. Gareth
assured Committee members that this was
in line with other UK parliaments.
Implications for the
Commission arising from proposals relating to the Electoral Commission to be
added to the forward work programme.
Internal Audit Annual Report 2018-19
(03-19) Paper 4 – Internal Audit Annual Opinions and Report 2019
The Committee considered and noted the Internal
Audit Opinion and Report presented by Gareth. They were pleased to be updated
on Victoria Paris’ progress towards her Certified Internal Auditor (CIA) qualification
which would help provide further audit resilience within the Commission.
Gareth confirmed that the level of assurance had
not changed since the previous year but was now described as “Moderate” to
bring it into line with the Government Internal Audit Agency (GIAA) model of
Annual Report on Fraud
ACARAC (03-19) Paper 5 – Annual Report on
Gareth presented the
Annual Report on Fraud. Committee members were content with the assurance provided
by the report. They were pleased that Gareth and Nia had continued to be in
regular contact with officials from the Wales Audit Office and the Government’s Internal
Audit Agency, receiving the latest information on current scams and
fraudulent activity across the UK.
Suzy noted that in relation to the
internal audit on Assembly Member expenses, Members were
being challenged consistently on their expenditure by Members’ Business
Support. The Committee noted that controls were tight and that rules and
procedures appeared well understood.
The Chair acknowledged
the difficulty some public sector organisations have in managing fraud as a
risk but had been pleased to see the assurance provided by the report.
Latest Internal Audit Report/Previously circulated Internal Audit Report
(03-19) Paper 6 – Cyber-security 2019
The Committee agreed to consider the cyber-security
audit report under item 9 together with the corporate risk.
Gareth introduced the report on Assembly Members’
Expenses and invited comments from Committee members. All previous
recommendations had been implemented and there was one minor recommendation in
this year’s report. Gareth assured the Committee that his findings showed
further evidence of improved communication between Assembly Members and Members’ Business Support in relation
to their allowances.
Suzy asked whether,
during the course of the audit, any issues had come to Gareth’s attention
around the recent Remuneration Board recommendation relating to Assembly
Members buying their own equipment. Gareth indicated that there was currently
good guidance in place in terms of asset management but would provide further
assurance on this issue for next year’s audit.
The Chair was pleased
with the findings of the reports and had been reassured to note that no major
issues were identified.
Annual Report and Accounts, including the Governance Statement
ACARAC (03-19) Paper 8 – Draft Annual Report and
Statement of Accounts 2018-19 – cover paper
ACARAC (03-19) Paper 8 – Annex A - Draft Annual
ACARAC (03-19) Paper 8 – Annex B - Statement of
The Chair introduced the
Draft Annual Report and Statement of Accounts 2018-19, which had been
circulated two weeks in advance of the meeting as planned. He outlined the role
of the Committee in providing assurance to the Accounting Officer and the Commission.
He invited comments on the draft report, noting that final sign-off would take
place at the 15 July meeting, before being presented to the Commission on the
Committee members praised
the Annual Report and Accounts, noting in particular the high levels of
assurance provided throughout and the clear and accessible presentation with
appropriate use of infographics. The Chair considered the document to be a
highly effective report in highlighting the achievements of the Assembly over
the past year.
The Committee discussed
how the report could be publicised to help promote the work of the Assembly.
Ann advised that the Commission’s Remuneration, Engagement and Workforce
Advisory Committee (REWAC), of which she was a member, would be discussing wider
communication at an upcoming meeting. She would provide feedback to the
Committee on these discussions in the future.
In response to questions
from Committee members regarding current and future environmental and
sustainability targets, Dave advised that, as the current targets were due to
come to an end in 2021, the Commission would be setting new, more testing
targets over the coming year to measure progress towards the aspiration of
becoming a carbon neutral organisation.
In response to questions
about the lack of equality and diversity statistics in the Annual Report, Dave
explained that the Report provided summary information and that details could
be found in the Diversity and Inclusion Annual Report. He agreed to
consider how this information could be made available if queries arose when the
Annual Report and Accounts were published.
The Committee discussed
the KPIs included in the report. In response to questions about an apparent
fall in performance around engagement, Manon explained that measures against
the current indicators had been largely influenced by external factors. These
would be replaced with more appropriate targets when the new Director of
Communication and Engagement was appointed.
The Committee concluded
that the report represented a true, fair and understandable account of the
Commission’s work over the year and that it would be likely to recommend to the
Commission that it be formally signed off on 15 July.
Ann Beynon to provide feedback to the Committee in
due course on discussions at REWAC on engagement and communication
Dave to provide an update to the Committee in the
Autumn on new sustainability measures
WAO Opinion 2018-19 (ISA260)
ACARAC (03-19) Paper 9 - WAO opinion for 2018-19
Gareth Lucey confirmed that the WAO had not
identified any material issues during their audit of the Commission’s accounts
and that there were no uncorrected misstatements. The audit was substantially
complete and the WAO were expecting to propose an unqualified, clean audit
opinion. Gareth and Ann-Marie expressed their thanks to Nia and her team for
their co-operation during the audit process which had once again run
ACARAC (03-19) Paper 10 – Corporate Risks
ACARAC (03-19) Paper 10 – Annex A - Summary Corporate Risk Register
ACARAC (03-19) Paper 10 – Annex B – Corporate Risks
Gareth Watts presented
the paper which outlined movements on the Commission’s Corporate Risk Register
and invited the Committee members to comment.
Committee members sought
clarity on the actions being taken to mitigate the risks around compliance with
GDPR and DPO issues. Gareth explained that whilst the current arrangement for
cover by the Public Service Ombudsman’s office was to end shortly, steps were
being taken to secure further resources. He also outlined progress on
mitigation through the launch of a series of awareness raising videos produced
for Commission staff.
The Committee were
informed that, whilst the safeguarding risks in relation to the Youth
Parliament were being successfully mitigated, the wider risks around
safeguarding across Commission services were being assessed.
There was a discussion
around capacity and resources to deliver on the Commission’s goals whilst not
increasing the staffing budgets. It was noted that the risks around capacity
would continue to be closely monitored.
In terms of the risks
around pressures on accommodation, Dave explained that the issue of capacity
had been an historic one, but with an increase in the number of Assembly
Members looking unlikely to occur during the fifth or sixth Assemblies, the
immediate pressure to increase accommodation capacity had diminished. He
assured the Committee that the risk would continue to be carefully monitored.
Critical examination of one identified or emerging risk (Cyber)
ACARAC (03-19) Paper 11
Cyber-security Risk Radar diagram
The Chair welcomed Mark Neilson, Head of ICT, and Jamie Hancock, the new Head of IT
Infrastructure and Operations, to the meeting. The Chair outlined that the
purpose of the item was to provide a critical examination of the on-going
management of the Commission’s cyber-security risks, taking into account recommendations
from the recent internal audit report.
Mark outlined progress that had been made on
implementing the audit recommendations. This included: steps to ensure
compliance with cloud-based apps; controls around use of web-based personal
accounts on Commission devices; and storage and recovery of information held on
On the issue of back-up tapes, Mark explained that
their reliability was currently viewed as a low and short-term risk given the
move to more cloud-based storage. They were, however, exploring the use of
Microsoft Azure Site Recovery as a possible longer-term alternative solution
and options for off-site storage locations in the meantime. Committee members
questioned over-reliance on Microsoft but concluded this was justified.
In response to questions from Committee members,
Mark provided assurances on management of the risks associated with the use of
USB storage devices, the use of which would be restricted in future. In terms
of accessing personal email through the Assembly network he did not consider
this an issue for the Commission and outlined that adequate controls were in
place, including appropriate monitoring tools if suspicious activity was
brought to their attention.
Mark also provided assurance that the team had
reviewed the data storage arrangements in the light of Brexit. Data was
currently stored in a location in the EU and would need to be relocated to the
UK in due course. Microsoft were aware of this requirement.
The Chair reminded the Committee of a Cabinet
Office paper Ann had circulated, which highlighted areas related to supplier
cover, and the consequences of inadequate controls being in place, in relation
Committee members agreed that, in the next
cyber-security update, they would like updates on: the use of MS Azure Site
Recovery; storage of back-up tapes; and the testing of business continuity
plans for recovery in the event of an ICT failure. They would also welcome an
updated risk radar diagram.
The next update on
cyber-security to include details of the use of MS Azure Site Recovery, storage
of back-up tapes and an updated risk radar diagram.
Provide an update
on business continuity plans for recovery in the event of an ICT failure and a
further update on any best practice adopted from the paper Ann circulated
entitled ‘Cyber Security for FTSE 350 companies’.
SIRO Annual Report 2018-19
ACARAC (03-19) Paper 12 – SIRO Annual Report 2018-19
11.1 The SIRO Annual Report 2018-19 was noted and agreed
by Committee members.
ACARAC Annual Report 2018-19
ACARAC (03-19) Paper 13 – ACARAC Annual Report
The Chair introduced the
ACARAC Annual Report which had previously been circulated for comments out of
committee. It was agreed that any
further comments were to be submitted as soon as possible, noting that the
final report would be presented to the Commission at its 15 July meeting.
Comments to be fed back
to the clerking team, who would then work with the Chair to finalise before the
Commission deadline for papers on 1 July.
ACARAC (03-19) Paper 14 – Departure Summary
13.1 The Committee noted the departures listed in the
Forward Work Programme
(03-19) Paper 15 – Forward Work Programme
The Chair asked Committee members to feed in any
comments on the Forward Work Programme ahead of his meeting with the clerking
14.2 The Chair thanked
Committee members and officials for their attendance and contributions.
Next meeting is scheduled for 15 July.