Agenda and minutes

1.1 The Chair welcomed everyone to the meeting and noted apologies from Ann-Marie Harkin, Audit Wales and Uzo Iwobi.

1.2 No interests were declared.

2.1 The minutes of the 13 February were formally approved and updates to the actions were noted. 

3.1 Gareth presented his Governance and Assurance update report which outlined governance, assurance and audit activity since the February meeting. He outlined the following work which had been completed:

·       following the assurance statement challenge session in March, attended by Aled Eirug and Bob Evans, a draft of the Annual Governance Statement had been prepared and shared with the Committee;

·       his report on the Effectiveness Review of the Remuneration Board had been published, and links had been shared with the Committee, along with the Board’s response; and

·       the report on the review of the lessons learned from Covid-19 was included in the papers for this meeting.

3.2 Gareth also outlined the following progress on ongoing audit work, reports on which would be shared with the Committee in due course:

·       fieldwork on the Effectiveness Review of the Executive Board had largely been completed and the three directors and members of the secretariat team had been interviewed;

·       interviews with Commission staff had been held as part of a review of our business continuity arrangements; and

·       the review of controls relating to the regulatory framework corporate risk was underway.

3.3 A follow up on the audit recommendations from previous cyber security audits had also been completed. Cyber security was a substantive item at the June meeting and Gareth planned to circulate his update prior to the meeting. 

3.4 Gareth had circulated his Internal Audit plan for 2023-24 to Committee members on 30 March. This plan covered all three directorates and key areas of risk. Members welcomed and approved the 2023-24 plan. 

3.5 Menai Owen-Jones asked if there was also an audit strategy spanning a number of years. Gareth explained that he had previously produced a strategy document on a three-year cycle, and alluded to an ongoing post-pandemic debate in the internal audit profession around making audit strategies and plans more dynamic and reactive. He was aware of some organisations producing plans quarterly as opposed to annually. He added that his preferred approach was for a single document to eliminate duplication, and that he included information related to strategy in other documents, such as the Internal Audit Charter.

3.6 Mark Egan understood the need for flexibility but asked how Gareth ensured all areas of audit were covered over a three- or four-year period. Gareth explained the benefits of having an in-house Head of Internal Audit in this respect, as he was able to ensure coverage across the organisation through discussions with Directors and Heads of Service and apply his knowledge around significant risks. Gareth agreed to produce an outline of internal audit reviews carried out over the past few years for presentation at the autumn meeting. This would provide the Committee with reassurance and understanding of the approach to future internal audit strategies and plans. 

3.7 The Chair thanked Gareth for his substantive update and noted the approved Internal Audit Plan for 2023-24 which would be published shortly. 

Action

·       Present an outline of internal audit reviews carried out over the past few years to the  ...  view the full minutes text for item 3.

4.1 Gareth informed the Committee that the Public Sector Internal Audit Standards (PSIAS) required all internal audit activities to implement and retain an ‘Internal Audit Charter’. He presented his Charter to the Committee, in order to provide formal definition of the purpose, authority and responsibility of Internal Audit.

4.2 In accordance with PSIAS Gareth had reviewed the Charter for 2023-24 and confirmed that there were no changes required to the version approved by the Committee for 2022-23. He also confirmed that there had been no further revisions to PSIAS since 1 April 2017. 

4.3 Gareth explained that the PSIAS recommendation was for an External Quality Assessment (EQA) on internal audit services to be carried out every five years.  The last assessment was carried out in 2017-18. Audit Wales also reviewed the  work of internal audit as part of their own audit arrangements and had not raised any concerns. 

4.4 Gareth was currently undertaking his own self-assessment against the standards which would be independently verified as part of the next EQA. This had been delayed due to the pandemic and staff changes in the other legislatures, with whom he had previously established a working group to undertake the assessments. Gareth explained that, as there was no appetite for an external review with CIPFA or the Institute of Internal Auditors, partly due to the cost, he was exploring alternative arrangements and would seek the Committee’s approval on the approach to be adopted. He provided additional re-assurance by confirming that the previous and existing co-sourced internal audit partners had all scored very highly in their own EQAs.

4.5 The Committee thanked Gareth for his update and encouraged him to ensure arrangements were in place for an EQA to be carried out in time for his successor and to continue participation in the legislative networks.

4.6 Gareth informed the Committee that a consultation was underway on global Internal Audit Standards, which formed part of an International Professional Practices Framework. The new standards were likely to come into force by early 2024. The internal audit lead at CIPFA would subsequently set the UK public sector standards which were likely to come into force in April 2025. Gareth agreed to produce a summary of the new internal audit standards before his departure.   

4.7 The Committee formally approved the Internal Audit Charter for 2023-24, noting that there were no substantive changes.

ARAC (23-02) Paper 5 – Internal Audit Annual Report and Opinion for 2022-23

5.1 Gareth introduced his Annual Report and Opinion which reported that the Accounting Officer could take moderate assurance that arrangements to secure governance, risk management and internal control, were suitably designed and applied effectively. 

5.2 Gareth highlighted the substantial assurance provided by the audit of key financial controls which was particularly pleasing given the new finance system, the impact of Covid and volume of work. He also reflected on the positive and mature working relationship with colleagues, including those dealing with Members’ expense and cyber security.

5.3 The review of outstanding audit recommendations from prior years identified one recommendation which was yet to be implemented. This was in relation to the prominence and visibility of project and programme risks and issues and would be revisited in the audit review due to be carried out in 2023-24. This was particularly relevant given the ongoing major transformational change programmes and projects and Gareth acknowledged that the Committee would remain focused on these.

5.4 Kathryn Hughes, as the Commission’s Risk Manager would be working with programme and project managers to support them in the management of risk. Kathryn had provided feedback on the Senedd Reform Programme risk register and assured the Committee that it was well structured for presentation to the programme board. She would also review the Ways of Working programme risk register and the Committee encouraged her to ensure read across and consistency between these two programmes. 

5.5 The Committee noted Gareth’s Annual Report and Opinion and commented that the moderate opinion provided a good level of assurance.

ARAC (23-02) Paper 6 – Annual Report Fraud

6.1 Gareth presented his report, noting that this was not a requirement of the PSIAS but good practice as it provided a further level of assurance on the Commission’s control environment. Gareth reported that during 2022-23, there had been no cases brought to his attention of actual or suspected fraudulent activity regarding cash, allowances and expenses or theft of assets. 

6.2 The 2022-23 audit plan contained the following specific audits which considered potential risks of fraud as part of the scoping: Key Financial Controls; Members Expenses and Resettlement Allowances; and Lessons Learned – Covid 19.

6.3 The Commission’s Finance Team continued to play an important role in raising awareness and received regular training from Barclays Bank as well as other providers. Finance co-ordinators from across the Commission were also encouraged to attend these sessions.

6.4 As well as staff training, Gareth drew on a number of sources of assurance such as the outsourced internal audit partner and Audit Wales, both of whom shared intelligence on fraud activity with the Senedd Commission. 

6.5 On 30 March 2023, the UK National Audit Office (NAO) published a report on tackling fraud and corruption against Government. In the coming months Gareth would assess this report and consider any learning points relevant to the Commission.

6.6 The Committee noted and thanked Gareth for his Annual Report on Fraud.

ARAC (23-02) Paper 7  - Whistleblowing and Fraud 2023 - updates

ARAC (23-02) Paper 7 – Annex A - Whistleblowing policy

ARAC (23-02) Paper 7 – Annex B - Fraud Corruption and Bribery Policy – 2023

ARAC (23-02) Paper 7 - Annex C - Fraud Response Plan – 2023

7.1 Gareth presented his annual update on the Commission’s Whistleblowing and Fraud policies. He reported that there had been no internal disclosures received under the remit of our Whistleblowing Policy during the last eight years but noted that were other means in which staff could raise concerns such as disciplinary and complaints procedures and policies.

7.2 Gareth highlighted reference in his paper to the suggestion of rebranding the Whistleblowing Policy as ‘Speaking Up’ and the rationale for doing so. He asked for the Committee’s views. 

7.3 The Committee welcomed a discussion on this and felt that the term ‘whistleblowing’ was so well known that changing it, albeit in an effort to simplify it, could result in confusion and loss of understanding of its meaning. Any change would also need to make sure it was clearly connected to the legislation on whistleblowing (i.e. the Public Interest Disclosure Act). Committee members also noted that the policy needed to balance the rights of those complaining against those facing allegations. They also questioned how the current policy was communicated to staff.

7.4 Manon believed that the culture of the organisation meant that staff were comfortable raising concerns and complaints but welcomed the Committee’s suggestion to consider including an appropriate question on understanding of whistleblowing arrangements in a future staff survey. 

Action

·       The Commission to review the Whistleblowing policy again in the autumn in light of the UK Government review.

ARAC (23-02) Paper 8 - Lessons Learned - Covid 19

8.1 Gareth presented his report on the Lessons Learned from Covid-19 which focused on delivering Senedd business, the effectiveness of governance and the wellbeing of staff.

8.2 The Committee welcomed this review and noted in particular the effectiveness of the Covid Reporting and Monitoring (CRAM) group, the dynamic management of risk, and the use of technology and innovation to enable strong business continuity practices. 

8.3 The Committee encouraged officials to have a continued focus on staff wellbeing, and fostering internal contacts and relationships within the organisation, and acknowledged the challenges of balancing flexibility and fairness. The Committee also encourage officials to be mindful of practical aspects such as energy efficiency. 

8.4 Mark referred to proxy voting as an example of the Senedd leading the way in British politics during the pandemic and questioned the controls in place to ensure compliance with the rules, given that this practice was to continue. Manon understood the potential risks and provided assurance that the correct controls were in place.

8.5 Manon welcomed the Committee’s feedback. She outlined how management were dealing with the challenges posed by variations in working patterns whilst maintaining fairness with those teams, such as Security and Visitor Experience, which needed to be on site, and flexibility for other teams which were able to work effectively remotely. She also recognised the need for personal interaction, particularly for new team members and for staff development activities. This would all be taken into account as part of the Ways of Working Programme.

8.6 Gareth’s report outlined that a hybrid model was now well established with flexible working patterns fitting in with the needs of the business. Periodic ‘in person’ team meetings had become a feature of a number of well-being plans in services across the Commission.

8.7 The Committee welcomed this informative report and believed it was important not to lose sight of it as the organisation dealt with the pandemic in such a remarkable way.

ARAC (23-01) Paper 9 - AW Detailed Audit Plan-2022-23

9.1 The Chair welcomed Clare James to the meeting. 

9.2 Clare presented the 2022-23 audit plan, outlined the materiality levels, and highlighted three significant financial statement risks and the other areas of focus. She also shared the audit timetable which would be tight but achievable with certification by the Auditor General for Wales scheduled for 22 June.

9.3 The estimated audit fee for 2023 would be £68,985 (2021-2022 £59,987) but Clare explained that, as the planning was ongoing, changes to the programme of audit work may be required if any key new risks emerged, which could in turn affect the estimated fee. In relation to the risk around key changes to finance personnel, she highlighted that such changes always posed a risk to accounts preparation and could therefore increase the risk of material misstatements.

9.4 Clare confirmed that the interim Head of Finance had already provided information related to the new IFRS16 Leases accounting standard which would be reviewed and tested as part of the audit to ensure expenditure was appropriately classified in the 2022-23 financial statements.

9.5 The Committee welcomed the clear and helpful format of the document and noted the tight timetable. The Chair urged the early identification of issues to allow time for these to be resolved. The specific dates were also noted, with the audit due to commence on 9 May, presentation of a draft set of accounts to Audit Wales by 12 May and plans to issue a draft opinion in time for issuing the Committee papers on 5 June.

Oral item

10.1 Clare James explained that the joint working protocol between Audit Wales and the Commission’s Head of Internal Audit, which had been in place for a number of years, was reviewed annually. She also explained that, since it was last reviewed in 2022, new auditing standards did not allow as much formal reliance on the work of internal audit work for assurance purposes, although Audit Wales could still take this into account. It was agreed that an updated and simplified joint working protocol would be produced and shared with the Committee before Gareth’s departure. 

Action

·       Gareth Watts and Clare James to provide briefing for the Committee on the joint working protocol.

ARAC (23-02) Paper 10 - Draft Annual Report 2022-23 - cover paper

ARAC (23-02) Paper 10 – Annex A – draft Annual Report Narrative

ARAC (23-02) Paper 10 – Annex B – draft Accounts

ARAC (23-02) Paper 10 – Annex C – draft Annual Governance Statement

11.1 The Chair invited Arwyn to introduce this item and Committee members to comment on the draft narrative included in the Commission’s draft Annual Report and Accounts (ARA) and the draft Governance Statement for 2022-23.

11.2 Arwyn explained that, whilst the ARA would be available in pdf format for the purposes of auditing and laying it as a document, its presentation in an interactive online format would be similar to last year. This made it more accessible to a wider audience. Arwyn then described the process of drafting the articles and gathering the online content and thanked all those involved in working on this.

11.3 The Committee welcomed early sight of the report and also congratulated the team for undertaking the task of pulling vast amounts of information together and presenting it in such a concise, clear and easy to read format. 

11.4 The Committee questioned the consistency of some key performance indicators (KPIs), and those with only one year’s worth of data and suggested that it may be worth adding some additional narrative to these figures. Committee members understood the challenges around devising meaningful measures in a parliamentary setting but questioned why some of the Commission’s priorities did not have specific KPIs. 

11.5 Manon thanked the Committee members for their observations and explained that the KPIs had been reviewed, updated and approved by the Commission at the start of the Sixth Senedd. She added that any changes to the measures would need to be approved by the Commission and noted that changes would result in no year-on-year data comparison.

11.6 The Chair welcomed Simon Hart’s presentation of the accounts section of the ARA which remained unchanged from last year. No financial information was available for this meeting, but it demonstrated the volume and complexity of the information to be presented. 

11.7 The Chair invited Manon to introduce the Annual Governance Statement. Manon briefly described the process for gathering assurances from Heads of Service and Directors to inform the statement and the value added by the independent challenge from Aled and Bob at a meeting of the Executive Board in March. Manon expressed her thanks to Kathryn Hughes for expertly drawing the information together into a substantive draft for her to review and finalise. The Chair also thanked Kathryn for her work on the assurance gathering process.

11.8 The Committee was very pleased with such a comprehensive and balanced statement and acknowledged its importance. On behalf of the Committee, the Chair noted and accepted the statement as part of the assurance process.

Oral update

12.1 Simon Hart updated the Committee on the 2023-24 budget. The first Supplementary Budget for 2023-24 would put forward a £435,000 reduction in the Commission’s approved budget, resulting in a 3.4% increase on the 2022-23 budget compared to the originally approved 4.1% increase. Simon also outlined the specific budget reduction measures for 2023-24 which had been approved at a Commission meeting on the 27 March.

12.2 A first supplementary budget was due to be tabled on 13 June to allow for a debate on 4 July, prior to the summer recess. This allowed a period of three weeks for scrutiny under Standing Orders.

Senedd Reform Programme - oral update

13.1 Siwan Davies updated the Committee on progress of the Senedd Reform Programme (SRP) which remained on track. Progress had been made across all workstreams and a key milestone had been passed with the submission of the Senedd Commission cost estimates to the Welsh Government.

13.2 Siwan outlined the plans for taking forward the two main activities of the Seventh Senedd business-focused workstreams: procedures and practice; and capacity and capability, which was inter-related with the Ways of Working Programme. Discussions were also underway to establish the mechanism for dialogue with the Independent Remuneration Board in terms of how Members are supported, and the intersection between the services provided by the Commission and the allowances which Members can access through the Board’s Determination. 

13.3 Siwan outlined preparations for supporting the legislative process which would include scenario planning for the legislative approach to Senedd Reform and other electoral reforms being proposed by the Welsh Government. In response to questions from the Committee, Siwan explained the potential implications and risks which would be explored, including the complexity of some scenarios and implications for the Commission in terms of capacity to support the scrutiny process.

13.4 In terms of programme governance, Siwan highlighted the following progress:

·       the development of a programme risk register, working with the Commission’s Risk Manager to refine this;

·       discussions with relevant officials around the links between the Senedd Reform corporate and programme-level risks with the Ways of Working Programme, as well as risks being identified by the Welsh Government and other stakeholders;

·       development of the stakeholder mapping using the RACI (Responsible, Accountable, Consult, Inform) matrix;

·       engagement with the Strategic Planning Unit to develop a joint Senedd Reform Programme-Ways of Working Programme reporting tool for the Executive Board; and

·       development of internal and external communications plans to be discussed at meetings of the Senedd Reform Programme Board and the Joint Assurance Board with the Welsh Government.

13.5 Siwan advised that the Joint Assurance Board, which had met that morning was working well. Briefings were also being co-ordinated in advance of bilateral meetings between the Llywydd and the First Minister.

13.6 In response to questions from the Chair around resources, Siwan explained that detailed workforce planning was ongoing in conjunction with the Ways of Working Programme. She also noted that the additional resources ringfenced in the budget were based on dedicated time allocated for Senedd Reform, and this did not include some of the business as usual work activities such as legislative scrutiny and parliamentary skills. Some resource had already been redeployed whilst others were taking on additional responsibilities as part of their current roles.

13.7 The Committee acknowledged the challenges around allocating time and resources to supporting the legislative scrutiny process alongside delivering the SRP workstreams and business as usual activities. Siwan acknowledged that the timetable would be extremely tight, particularly given the timescales required for a boundary review. The Welsh Government is providing assurance that the legislation is on track for introduction in  ...  view the full minutes text for item 13.

ARAC (23-02) Paper 11 – Corporate Risk

ARAC (23-02) Paper 11 – Annex A - Summary Corporate Risk Register

ARAC (23-02) Paper 11 – Annex B – Corporate Risks plotted

14.1 The Committee noted the comprehensive updates in the Commission’s Corporate Risk Register.

14.2 The Chair noted that workforce planning would provide key mitigation around capacity and capability risks (HR-R-170) by identifying skills requirements. He suggested that, given concerns over the ability to recruit to certain specialist posts, issues around ‘pay competitiveness’ should be reflected in the documentation of the risk.

14.3 In response to questions from the Committee around the continued high risk rating for cyber-security, data protection and Senedd Reform risks, Manon explained that, despite mitigation in place, some of the causes were beyond the Commission’s control.   

Action

·       Add ‘pay competitiveness’ to Risk Ref: HR-R-170 – Corporate Capacity and Capability.

Oral item – reference to STS-R-153 in CRR

15.1 The Chair welcomed Anna Daniel, Sulafa Thomas and Meriel Singleton to the meeting for this item. Siwan Davies presented an update on mitigation for the corporate risk relating to the Members’ Regulatory Framework. 

15.2 Siwan outlined the reasons for adding this risk to the Commission’s Corporate Risk Register following the 2021 Senedd Elections. This was to reflect the need to ensure awareness and understanding of, and adherence to the various codes, rules, procedures and guidance as they applied to Members of the Senedd. She explained the intention of embedding long-term improvements through simplification, and to ensure processes were Member-focused and future-proofed.

15.3 Siwan described the action being taken forward as part of a simplification thematic review by the Independent Remuneration Board, which formed part of its strategic work programme.

15.4 The Standards of Conduct Committee had also taken forward action to:

·       improve Members’ awareness of the standards regime;

·       provide clarity on rules for claiming expenses as a result of its report on cross party rules; and

·       conduct inquiries into the registration and declarations of interests and on lobbying.

15.5 Progress had also been made on simplifying systems for processing claims to aid clarity and make it as easy as possible for Members and the Members’ Business Support team were also now recording precedents.

15.6 In terms of ensuring processes were Member-focused, Siwan described the improvements in communication through liaison with the Political Contact Group and Operations Group (which included Chiefs of Staff). Representatives of the Independent Remuneration Board were also meeting with Members and their staff. Both of these activities had led to improved engagement with, and development of a training programme for Members. The reorganisation of the Members’ Business Support team, splitting out the HR and claims functions had also provided clarity to Members on who to contact for support. Deployment of additional resources to support the Independent Remuneration Board would also help provide more focus on preparations for the future.

15.7 Siwan described the actions being taken forward to help future-proof processes. This has included:

·       participating in an in-person inter-parliamentary conference around standards of conduct;

·       networking with bodies such as IPSA to inform planning the Independent Remuneration Board’s work programme; and

·       facilitating consultation with Members on behalf of the Independent Remuneration Board and the Commission on ways of working and provision of services in the longer-term with a potentially larger Senedd.

15.8 The report on the Effectiveness Review of the Independent Remuneration Board had been published along with the Board’s response. An action plan to address the recommendations was being developed.

15.9 An important part of the mitigation for this risk was to clarify to Members the accountabilities and relationships between the Independent Remuneration Board, the Llywydd, and the Chief Executive and Clerk. This ongoing work would also be informed by the forthcoming internal audit review of the controls in place, and action being taken to mitigate the risk.

15.10 The Committee thanked Siwan and her team for the  ...  view the full minutes text for item 15.

ARAC (23-02) Paper 12 – SIRO Annual Report

16.1 The Chair invited Ed to introduce the SIRO Annual Report, noting that this provided important assurance as part of the Annual Report and Accounts. Ed highlighted the amount of recent activity on progress against delivery of the Data Protection Officer’s detailed action plan, now that the Information Governance team was fully resourced. This included action to take forward data processing agreements for Members and the Commission. He also highlighted the benefits of fortnightly meetings he had with the Head of ICT and the Data Protection team.

16.2 The proposals for a SIRO group would be considered further in light of an ongoing effectiveness review of the Executive Board which Gareth Watts would be completing in the coming weeks. Ed was pleased to report that there were no serious issues or breaches reported to the Information Commissioner’s Office.

16.3 The Chair thanked Ed for the report which provided the Committee with the necessary assurances. In response to questions from Committee members around the structure of various functions which fell under the remit of the SIRO, Ed explained that he was considering this.

ARAC (23-02) Paper 13 – Departure Summary

17.1 The Committee noted one departure from normal procurement procedures and raised no concerns.

ARAC (23-02) Paper 14 - updated ToR March 2023

18.1 The Chair confirmed that the minor revisions to the Terms of Reference had been agreed with Committee members and that the revised version could be published.

ARAC (23-02) Paper 15 – 2021-22 Annual Report – Welsh (link in pack)

ARAC (23-02) Paper 15 – 2021-22 Annual Report – English (link in pack)

19.1 The Chair invited members of the Committee to suggest content for the Committee’s Annual Report and encouraged them to share their ideas with the Clerking team.  

ARAC (23-02) Paper 16 – Forward Work Programme

20.1 A number of future agenda items had been raised during the meeting.  A revised forward work programme would be shared at the June meeting. 

21.1 No other business was raised.

Clare James, Audit Wales attended a private session with members of the Committee once formal proceedings had concluded. No Commission officials were present and no minutes were taken.

Next meeting is scheduled for 12 June 2023.