Agenda and minutes

Venue: Conference Room 4B - Tŷ Hywel. View directions

Contact: Clerk: Kathryn Hughes  Deputy Clerk: Ryan Bishop

No. Item


Introductions, apologies and declaration of interests


1.1        The Chair welcomed everyone to the meeting and noted apologies had been received from Ann-Marie Harkin and Gareth Lucey, both from the Wales Audit Office (WAO), and welcomed Jon Martin who was attending on their behalf.

1.2        No interests were declared.



Minutes of 15 July, actions and matters arising


ACARAC (05-19) Paper 1 - Minutes of 15 July 2019

ACARAC (05-19) Paper 2 – Summary of actions  

2.1        The minutes of the 15 July meeting were agreed.

2.2        In relation to the one outstanding action around the Electoral Commission (para 2.1), Committee members had received an update prior to the meeting.

2.3        The Chair commented that the incremental pension provision (para 3.4) would continue to be an issue for the 2019-20 accounts.

2.4        In relation to the suggested joint session with REWAC (para 6.2), it was agreed that a further meeting between the two Committee Chairs, Manon and Dave was to be arranged.


Reflections from outgoing Committee member


3.1 This item would be covered at the end of the meeting.


Governance and Assurance Update Report


ACARAC (05-19) Paper 3 – G&A update report

4.1        Gareth Watts introduced the report which provided members with an update on recent internal Governance and Assurance work.

4.2        Copies of the reports on the review of the Assembly Commission’s Voluntary Exit Scheme and the Effectiveness Review of the Executive Board had been circulated to Committee members out of meeting on 26 September 2019. Gareth had also undertaken an Effectiveness Review of the Leadership Team and had presented the outcome and recommendations to them. Gareth would keep the Committee up to date with progress against actions arising from both of these reviews.

4.3        The Governance team led on the production of the Annual Report and Accounts for the first time this year. The team had worked closely with colleagues in the Finance and Communications teams, producing drafts in advance of the original deadlines set. A number of recommendations for the 2019-20 report had been agreed by management which, along with a proposed timetable, would be shared with the Committee in due course.

4.4        The Governance team had been meeting with Heads of Service as part of the annual Governance Matters cycle of meetings. This formed the first building blocks for the production of the Annual Governance Statement. Meetings with Directors had been arranged to discuss any issues identified from the Head of Service meetings in preparation for drafting Assurance Statements.

4.5        A review of Fixed Assets was due to take place and Gareth agreed to share the scoping paper ahead of the review commencing.

4.6        A review of the Commission’s approach to engaging with Welsh suppliers had been completed and the report would be circulated when finalised. Suzy asked whether any environmental/sustainability themes or issues had arisen from the review. Gareth indicated that the report included reference to impact assessments but agreed to consider how this could be explored further.

4.7        In relation to the forthcoming review of Project Management Changes, it was noted that, whilst the Commission had made significant improvements in recent years, this was timely given the change of structure put in place around project governance. The Chair agreed to return to this topic once the audit had been concluded. In the meantime, Gareth agreed to circulate the outline scoping paper to Committee members, when available.

4.8        In response to questions from the Committee around any plans for reviewing use of the Assembly’s estate, Arwyn Jones advised that this would form part of the wider engagement strategy.

4.9        Hugh Widdis noted that the review of the impact of the Capacity Review was under way. Gareth advised that the emerging themes were largely consistent with those raised during the Commission’s evidence session at the Finance Committee meeting on 3 October. He added that this review would focus on assurances around the realisation of benefits.

4.10     Hugh re-iterated the importance of conducting audits into Business Directorate areas, where appropriate. Gareth agreed and would be working with Director of Assembly Business to develop the scope of future audit work.

Actions:  ...  view the full minutes text for item 4.


Consider latest Internal Audit reports


ACARAC (05-19) Paper 4 – Absence Management

5.1        The Chair invited Gareth and Lowri Williams, Head of HR, to introduce the internal audit report on Absence Management. Gareth explained that the audit had concluded that the fundamental controls and mechanisms were in place and working and included a small number of relatively minor recommendations. Lowri described how HR were working with the Leadership Team and service areas to ensure sufficient awareness of support available to staff through the policies and procedures in place and that these were being used effectively.

5.2        Committee members and officials discussed various aspects of the report including the use of absence data. This included a discussion around the usefulness of benchmarking absence rates against other Civil Service/public sector organisations and whether there was scope to benchmark against other legislatures. Hugh encouraged officials to continue to monitor absence data particularly when there was continued pressure on staff resources.

5.3        The Chair thanked Gareth and Lowri for presenting and discussing the details of the report with the Committee which they collectively agreed was a positive reflection of the controls in place, with a recognition of some that could be strengthened. He asked to receive an update on the implementation of the recommendations early in 2020.


Action: Provide an update on the implementation of recommendations from the review of Absence Management


Review HMT/other guidance for Audit and Risk Assurance Committees (Chair and Head of Internal Audit)


6.1    Gareth advised that there had been no updates to HM Treasury’s Risk and Assurance Committee Handbook.

6.2    Kathryn had circulated an updated version of HM Treasury’s Orange Book on Risk Management to Committee members in advance of the meeting. Gareth noted that, at a recent Heads of Internal Audit Forum he had discovered this was subject to change as it was currently out for consultation, with a hard launch due in early 2020. He would be working with his counterparts on a consultation response but confirmed that there was nothing that would impact on the Committee’s Terms of Reference.

6.3    The Committee were informed that results of a consultation by the Institute of Internal Auditors (IIA) on the three lines of defence model for assurance frameworks were due to be published in December. Gareth would be considering this, along with a new IIA guide for internal audits in the financial services sector to assess any impact for the Commission’s approaches.



WAO update report


ACARAC (05-19) Paper 5 – WAO Update

7.1    The Chair introduced Jon Martin to the meeting, who was attending in place of Ann-Marie Harkin and Gareth Lucey, who had both sent apologies in advance.

7.2    Jon informed the Committee that a review meeting with Nia had identified some minor improvements for the process of auditing next year’s accounts.

7.3    As this meeting was earlier than usual, it was noted that the WAO Audit plan for the upcoming year would be circulated out of meeting when available.

7.4    In response to questions from Aled on the audit fee calculations, Jon indicated that the WAO would provide a note out of Committee on this.

Action: WAO Audit Plan to be circulated to Committee members out of meeting, along with a short note of how the annual audit fee is compiled


Cyber-Security Update


ACARAC (05-19) Paper 6 – Cyber-security update

8.1        The Chair welcomed Mark Nielson, Head of ICT and Jamie Hancock, Head of Infrastructure and Operations, to the meeting and invited them to outline the details of their update on cyber-security. The paper provided a summary of progress against the recommendations made in the April 2019 internal audit report, and Mark highlighted the following:

i.     the repurposing of a post to cover security and compliance;

ii.    the introduction of minimum standards to all applications which had seen immediate results in terms of blocking access;

iii.  a business case for additional cloud services for back-up and recovery which was being considered by the Executive Board in November;

iv.  implementation of controls around removeable media (USB drives);

v.    a further exercise to educate users in the risks of phishing which had been carried out; and

vi.  plans for further awareness raising during a Cyber Security awareness week, scheduled for end of November.

8.2        In response to questions about affordability and further reliance on Microsoft, Mark reassured Committee members that all work outlined in the report was included in existing budget plans and that the recent TIAA audit report had not raised any issues or concerns. He also advised that, following consultation with external experts, further reassurances had been provided around current arrangements. Jamie added that the advice indicated there would be greater risk with outsourcing to other providers at this stage. Committee members would be invited to a site visit at the local datacentre and encouraged them to attend.

8.3        Jamie and Mark presented the updated ICT Risk Radar, highlighting improvements made since bringing the ICT function in-house, in particular around the flexibility of services that could be provided, and the areas for further improvement going forward.

8.4        The Chair thanked Mark and Jamie and requested to have a further update on the review of Microsoft contract dependencies in January.

Action: Provide an update on Microsoft contract dependencies at the January meeting


Budget update


ACARAC (05-19) Paper 7 – Update on 2019-20 Financial Position and 2020-21 Budget

9.1        Nia talked Committee members through the paper, which set out the latest financial position for 2019-20 and provided an update on the work to approve the 2020-21 budget proposals.

9.2        The Chair thanked Nia for the update and the Committee noted the paper.


Feedback on recent Finance Committee and Public Accounts Committee


10.1     Nia provided an update to Committee members on recent appearances before both the Finance Committee and Public Accounts Committee. She advised that no major issues were flagged during the evidence sessions and that they were able to provide assurances around arrangements for the Standards Commissioner’s office.

10.2     The Finance Committee’s report, and the proposed response, were due to be considered by the Commission in November. Nia would circulate these to Committee members when the response had been agreed.

10.3     In response to questions from Aled around the levels of underspend in relation to Assembly Members staffing costs, Nia explained that this related, in part, to the budget set aside for staff churn. Manon highlighted that, following previous recommendations made by the Finance Committee, any underspend in this area was now returned to the Wales Consolidated Fund at the end of the financial year.

Action: Circulate the Finance Committee’s report and the Commission’s response to Committee members


Corporate Risks Report


ACARAC (05-19) Paper 8 – Corporate Risk
ACARAC (05-19) Paper 8 – Annex A – Summary Corporate Risk Register
ACARAC (05-19) Paper 8 – Annex B – Corporate Risks plotted

11.1     Dave introduced the paper, which provided the Committee with an update on the status of the Commission’s Corporate Risks.

11.2     Hugh noted the status of the legislative workbench risk and sought further detail on the manual work around suggested in the paper. Siwan advised that this would be resource intensive and not sufficient or practical longer term. The Committee recognised that this risk, which had arisen from circumstances outside the Commission’s control was unavoidable in the short term and were satisfied with the measures being taken to mitigate the risk.

11.3     Dave advised that, once work to improve the cyber-security elements of the current system had been completed, the risk rating would dramatically reduce. Looking further ahead, the Executive Board had agreed to undertake a joint procurement exercise with the Welsh Government, that was due to commence in November 2019. The Committee were reassured by this update.

11.4     In response to comments from Suzy, officials agreed to review the risk ratings of the Assembly Reform political risk.


Critical examination of one identified or emerging risk


ACARAC (05-19) Paper 9 – Brexit Risk

12.1     The Chair welcomed Siwan Davies, Director of Assembly Business, Kathryn Potter, Head of the Research Service and Manon George, Brexit Co-ordinator, to the meeting and thanked them for the paper outlining the Commission’s approach to managing the risks relating to Brexit.

12.2     Given the longstanding uncertainty over the timing of Brexit, the Committee were informed that one of the biggest challenges related to planning how the Assembly would resource the work it needs to deliver as a legislature.

12.3     Kathryn advised that the iterative approach taken to date, through regular scenario planning exercises had worked well and helped to identify pressures and issues that could arise from the various possible Brexit outcomes.

12.4     Ann questioned the effectiveness of the Interparliamentary Forum on Brexit and whether officials were kept up to date with discussions. Manon George advised that all the UK parliaments were represented and engaging in valuable dialogue at political and official level. The Committee were informed that the Commission was due to host the next meeting of the forum later this year.

12.5     The Chair thanked Siwan, Kathryn and Manon for attending, and providing a reassuring update in relation to this risk.


Information Breaches


13.1 The Committee noted that two information breaches had been reported but that no further action had been deemed necessary.


Feedback from REWAC


12.1     Ann provided an update on areas covered during the year at meetings of REWAC, of which she was also a member. Discussions to date had focussed on staff survey results and proposals for future surveys, the Commission’s People Strategy and the Commission’s Public Engagement Strategy.

12.2     As the Director of Communications and Engagement was new, members had agreed to return to the Public Engagement strategy at a future meeting.

12.3     The Committee agreed, subject to approval by REWAC, to share meeting minutes between the two committees, along with periodically sharing other information, such corporate risks with REWAC.

12.4 The Chair and officials were keen to ensure that the separate remits of each committee were clear whilst also facilitating effective interchange.


Committee's effectiveness survey


12.1     The Chair agreed that the survey would be circulated out of committee for comment from Committee members.

Action: Comments on the timing and content of the Committee’s effectiveness survey to be passed to the Chair and clerking team


Presentation of ACARAC Annual Report to the Assembly Commission


12.1     The Chair would provide feedback out of committee on the presentation of the ACARAC Annual Report to the Commission in July 2019.



Departure Summary


ACARAC (05-19) Paper 10 – Departure Summary

17.1 The Committee noted the departures from normal procurement procedures outlined in the paper.


Forward Work Programme


ACARAC (05-19) Paper 11 – Forward Work Programme

18.1     As this item was not discussed – Committee members would be invited to comment out of committee.



Reflections from outgoing Committee member (moved from Item 3)


19.1     The Chair thanked Hugh for his valuable contributions during his time as a member of ACARAC, and invited him to share his reflections on his tenure.

19.2     Hugh thanked current and past Committee members and officials for the open and positive culture which he had experienced on the Committee since he joined in 2013. He felt the level of co-operation was a key factor in the effectiveness of the Commission’s governance. He outlined some of the highlights of his time on ACARAC and noted the following:

i.        the changes to the corporate risk profile, noting progress against areas such as business continuity, ICT services, social media and safeguarding;

ii.       the ethos of continuous improvement, and the use of both internal and external quality assurances;

iii.     how the regular governance matters meetings with Service Heads and Directors had helped to keep governance in mind during the year;

iv.     the smooth processes for auditing of the Commission’s accounts;

v.       the effective handling of changes to the use of underspends on the Remuneration Board’s Determination;

vi.     the maturity which the Commission had shown in the documentation and management of risks, particularly around Brexit and constitutional change;

vii.    how deep-dives into individual risks and detailed discussions had helped Committee members to learn more about the organisation; and

viii.  the value added by external presenters at Committee meetings.

19.3     The Chair thanked Hugh for his contributions on all of these points. He also noted the value Hugh had added to the scrutiny and challenge of the Commission’s Assurance Statements. Manon added her thanks for his contributions in particular around risk, assurance and also his involvement in the appointment of new Independent Advisers.


Next meeting is scheduled for 20 January 2020.