Agenda and minutes

1.1     One apology was received from Hugh Widdis, Independent Committee Member.

1.2     The Chair welcomed everyone to the meeting, with a special welcome to Aled Eirug, who was observing the meeting ahead of formally joining the Committee in October 2019.

1.3     No interests were declared.

ACARAC (03-19) Paper 1 - Minutes of 25 March 2019

ACARAC (03-19) Paper 2 – Summary of actions  

2.1        The minutes of the meeting of 25 March were agreed. Actions were either completed or ongoing.

2.2        Action 3.4 (procurement strategy): Dave Tosh and Jan Koziel, Head of Procurement had held several productive discussions with the South Wales Chamber of Commerce around potential barriers for companies to tender for contracts. Ann Beynon suggested these discussions should continue, involving Gareth Watts where necessary. The Chair welcomed the update and that discussions would continue with other organisations. The Committee agreed to return to this topic at a future meeting.

ACARAC (03-19) Paper 3 – Governance & Assurance Update Report June 2019

3.1        Gareth Watts presented his report which provided the Committee with an update on internal audit and other activities undertaken by him and his team. He advised that the 2018-19 audit plan had been completed, highlighted the positive responses from management and that any outstanding recommendations would be followed up throughout the year. The Committee asked to return to the implications for Assembly Commission governance arising from proposals relating to Electoral Commission at a future meeting.

3.2        In response to questions from Committee members, Gareth advised that there were no unmanageable risks posed by delaying production of data processing agreements between the Assembly Commission and Members until after the 2021 Election. This would also provide the best opportunity to capture the new cohort of Members. Gareth assured Committee members that this was in line with other UK parliaments.

Actions

·         Implications for the Commission arising from proposals relating to the Electoral Commission to be added to the forward work programme.

ACARAC (03-19) Paper 4 – Internal Audit Annual Opinions and Report 2019

4.1        The Committee considered and noted the Internal Audit Opinion and Report presented by Gareth. They were pleased to be updated on Victoria Paris’ progress towards her Certified Internal Auditor (CIA) qualification which would help provide further audit resilience within the Commission.

4.2        Gareth confirmed that the level of assurance had not changed since the previous year but was now described as “Moderate” to bring it into line with the Government Internal Audit Agency (GIAA) model of assurance.

ACARAC (03-19) Paper 5 – Annual Report on Fraud 2019

5.1        Gareth presented the Annual Report on Fraud. Committee members were content with the assurance provided by the report. They were pleased that Gareth and Nia had continued to be in regular contact with officials from the Wales Audit Office and the Government’s Internal Audit Agency, receiving the latest information on current scams and fraudulent activity across the UK.

5.2        Suzy noted that in relation to the internal audit on Assembly Member expenses, Members were being challenged consistently on their expenditure by Members’ Business Support. The Committee noted that controls were tight and that rules and procedures appeared well understood.

5.3        The Chair acknowledged the difficulty some public sector organisations have in managing fraud as a risk but had been pleased to see the assurance provided by the report.

ACARAC (03-19) Paper 6 – Cyber-security 2019
ACARAC (03-19) Paper 7 – Assembly Members’ Expenses 2019

6.1        The Committee agreed to consider the cyber-security audit report under item 9 together with the corporate risk.

6.2        Gareth introduced the report on Assembly Members’ Expenses and invited comments from Committee members. All previous recommendations had been implemented and there was one minor recommendation in this year’s report. Gareth assured the Committee that his findings showed further evidence of improved communication between Assembly Members and Members’ Business Support in relation to their allowances.

6.3        Suzy asked whether, during the course of the audit, any issues had come to Gareth’s attention around the recent Remuneration Board recommendation relating to Assembly Members buying their own equipment. Gareth indicated that there was currently good guidance in place in terms of asset management but would provide further assurance on this issue for next year’s audit.

6.4        The Chair was pleased with the findings of the reports and had been reassured to note that no major issues were identified.

ACARAC (03-19) Paper 8 – Draft Annual Report and Statement of Accounts 2018-19 – cover paper

ACARAC (03-19) Paper 8 – Annex A - Draft Annual Report 2018-19

ACARAC (03-19) Paper 8 – Annex B - Statement of Accounts 2018-19

7.1        The Chair introduced the Draft Annual Report and Statement of Accounts 2018-19, which had been circulated two weeks in advance of the meeting as planned. He outlined the role of the Committee in providing assurance to the Accounting Officer and the Commission. He invited comments on the draft report, noting that final sign-off would take place at the 15 July meeting, before being presented to the Commission on the same day.

7.2        Committee members praised the Annual Report and Accounts, noting in particular the high levels of assurance provided throughout and the clear and accessible presentation with appropriate use of infographics. The Chair considered the document to be a highly effective report in highlighting the achievements of the Assembly over the past year.

7.3        The Committee discussed how the report could be publicised to help promote the work of the Assembly. Ann advised that the Commission’s Remuneration, Engagement and Workforce Advisory Committee (REWAC), of which she was a member, would be discussing wider communication at an upcoming meeting. She would provide feedback to the Committee on these discussions in the future.

7.4        In response to questions from Committee members regarding current and future environmental and sustainability targets, Dave advised that, as the current targets were due to come to an end in 2021, the Commission would be setting new, more testing targets over the coming year to measure progress towards the aspiration of becoming a carbon neutral organisation.

7.5        In response to questions about the lack of equality and diversity statistics in the Annual Report, Dave explained that the Report provided summary information and that details could be found in the Diversity and Inclusion Report Annual Report. He agreed to consider how this information could be made available if queries arose when the Annual Report and Accounts were published.

7.6        The Committee discussed the KPIs included in the report. In response to questions about an apparent fall in performance around engagement, Manon explained that measures against the current indicators had been largely influenced by external factors. These would be replaced with more appropriate targets when the new Director of Communication and Engagement was appointed.

7.7        The Committee concluded that the report represented a true, fair and understandable account of the Commission’s work over the year and would be likely to be recommending to the Commission that it is formally signed off on 15 July.

Actions

·         Ann Beynon to provide feedback to the Committee in due course on discussions at REWAC on engagement and communication

·         Dave to provide an update to the Committee in the Autumn on new sustainability measures

ACARAC (03-19) Paper 9 - WAO opinion for 2018-19

8.1        Gareth Lucey confirmed that the WAO had not identified any material issues during their audit of the Commission’s accounts and that there were no uncorrected misstatements. The audit was substantially complete and the WAO were expecting to propose an unqualified, clean audit opinion. Gareth and Ann-Marie expressed their thanks to Nia and her team for their co-operation during the audit process which had once again run smoothly.  

ACARAC (03-19) Paper 10 – Corporate Risks

ACARAC (03-19) Paper 10 – Annex A -  Summary Corporate Risk Register

ACARAC (03-19) Paper 10 – Annex B – Corporate Risks plotted

9.1        Gareth Watts presented the paper which outlined movements on the Commission’s Corporate Risk Register and invited the Committee members to comment.

9.2        Committee members sought clarity on the actions being taken to mitigate the risks around compliance with GDPR and DPO issues. Gareth explained that whilst the current arrangement for cover by the Public Service Ombudsman’s office was to end shortly, steps were being taken to secure further resources. He also outlined progress on mitigation through the launch of a series of awareness raising videos produced for Commission staff.

9.3        The Committee were informed that, whilst the safeguarding risks in relation to the Youth Parliament were being successfully mitigated, the wider risks around safeguarding across Commission services were being assessed.

9.4        There was a discussion around capacity and resources to deliver on the Commission’s goals whilst not increasing the staffing budgets. It was noted that the risks around capacity would continue to be closely monitored.

9.5        In terms of the risks around pressures on accommodation, Dave explained that the issue of capacity had been an historic one, but with an increase in the number of Assembly Members looking unlikely to occur during the fifth or sixth Assemblies, the immediate pressure to increase accommodation capacity had diminished. He assured the Committee that the risk would continue to be carefully monitored.

ACARAC (03-19) Paper 11 Cyber-security Risk Radar diagram

10.1     The Chair welcomed Mark Neilson, Head of ICT and Jamie Hancock, the new Head of IT Infrastructure and Operations, to the meeting. The Chair outlined that the purpose of the item was to provide a critical examination of the on-going management of the Commission’s cyber-security risks, taking into account recommendations from the recent internal audit report.

10.2     Mark outlined progress that had been made on implementing the audit recommendations. This included: steps to ensure compliance with cloud-based apps; controls around use of web-based personal accounts on Commission devices; and storage and recovery of information held on back-up tapes. 

10.3     On the issue of back-up tapes, Mark explained that their reliability was currently viewed as a low and short-term risk given the move to more cloud-based storage. They were, however, exploring the use of Microsoft Azure Site recovery as a possible longer-term solution alternative and options for off-site storage locations in the meantime. Committee members questioned over-reliance on Microsoft but concluded this was justified.

10.4     In response to questions from Committee members, Mark provided assurances on management of the risks associated with the use of USB storage devices, the use of which would be restricted in future. In terms of accessing personal email through the Assembly network he did not consider this an issue for the Commission and outlined that adequate controls were in place, including appropriate monitoring tools if suspicious activity was brought to their attention.

10.5    Mark also provided assurance that the team had reviewed the data storage arrangements in the light of Brexit. Data was currently stored in a location in the EU and would need to be relocated to the UK in due course. Microsoft were aware of this requirement. 

10.6    The Chair reminded the Committee of a Cabinet Office paper Ann had circulated, which highlighted areas related to supplier cover, and the consequences of inadequate controls being in place, in relation to cyber-risk.

10.7    Committee members agreed that, in the next cyber-security update they would like updates on: the use of MS Azure Site recovery; storage of back-up tapes; and the testing of business continuity plans for recovery in the event of an ICT failure. They would also welcome an updated risk radar diagram.

Actions

·         The next update on cyber-security to include details of the use of MB Azure Site recovery, storage of back-up tapes and an updated risk radar diagram.

·         Provide an update on business continuity plans for recovery in event of an ICT failure and a further update on any best practice adopted from the paper Ann circulated entitled ‘Cyber Security for FTSE 350 companies’.

ACARAC (03-19) Paper 12 – SIRO Annual Report 2018-19

11.1     The SIRO Annual Report 2018-19 was noted and agreed by Committee members.

ACARAC (03-19) Paper 13 – ACARAC Annual Report

12.1     The Chair introduced the ACARAC Annual Report which had previously been circulated for comments out of committee.  It was agreed that any further comments were to be submitted as soon as possible, noting that the final report would be presented to the Commission at its 15 July meeting.

Action

·         Comments to be fed back to the clerking team, who would then work with Chair to finalise before the Commission deadline for papers on 1 July.

ACARAC (03-19) Paper 14 – Departure Summary

13.1     The Committee noted the departures listed in the report.

ACARAC (03-19) Paper 15 – Forward Work Programme

14.1     The Chair asked Committee members to feed in any comments on the Forward Work Programme ahead of his meeting with the clerking team.

14.2     The Chair thanked Committee members and officials for their attendance and contributions.

Next meeting is scheduled for 15 July.