Agenda and minutes
Venue: Conference Room 4B - Tŷ Hywel.
Contact: Clerk: Kathryn Hughes; Deputy Clerk: Buddug Saer
No. | Item |
---|---|
Introductions, apologies and declaration of interests
Minutes:
1.1 The Chair welcomed everyone to the meeting and noted apologies from Mark Neilson, Head of ICT and Clare James, Audit Wales.
1.2 No interests were declared. |
|
Minutes of 12 June, actions and matters arising
Minutes: ARAC (23-05) Paper 1 – Minutes of 12 June 2023
2.1 The minutes of the 12 June meeting had been formally approved out of committee and published on the website.
2.2 Two informal meetings were held on 3 and 18 July 2023. No minutes or actions were captured.
2.3 The Committee noted the progress against actions from the previous meeting. |
|
G&A update report (inc. progress on IA activity)
Minutes: ARAC (23-05) Paper 3 – Governance & Assurance update report
3.1 The Chair thanked Kathryn Hughes and Victoria Paris for their efforts in ensuring the governance, assurance and audit activities were taken forward and invited them to highlight any significant points from the update report.
3.2 Kathryn highlighted the following in relation to governance and assurance (G&A) activity:
· The programme of annual ‘Governance Matters’ meetings with each Head of Service had been completed. These meetings served as a useful reminder of areas identified for focus in the previous year’s assurance statements and to discuss any issues or concerns.
· The service planning cycle had been refreshed and two-year plans had been drafted by each service area. The current Corporate Delivery Plan would be refreshed into a two-year Corporate Plan.
3.3 In response to questions from the Committee, it was agreed that a diagram would be shared showing the relationship between the updated planning structures and mechanisms.
3.4 Victoria provided a comprehensive update on all internal audit activity, including the reports previously circulated to Committee members. The following points were highlighted:
· The scope for the Cyber Security audit had been agreed and the fieldwork was scheduled to commence in February.
· The scope of the review of Project and Programme Governance had yet to be defined. This would be an advisory review and a further update would be provided at the April meeting.
· The audit of the Communication and Engagement Strategy planned for this year had been postponed to 2024-25. An informal review would be undertaken to provide the Committee with the necessary assurances and to inform the scope of a future audit. It was agreed that an update would be provided at the February meeting.
3.5 The Chair noted that he was working with the clerking team to re-design the repository of information shared with Committee members.
· Ed Williams to provide a briefing/diagram on updated corporate planning structures (covering the relationships between Corporate Plan, MTRF, service plans and the Portfolio Management Group).
· Arwyn Jones to provide an update on the review of the Communication and Engagement Strategy at the February meeting. |
|
Internal Audit Report
Minutes: ARAC (23-05) Paper 4 – Business Continuity
4.1 The Chair welcomed Lee Glover and Steve Connors to the meeting.
4.2 Steve praised the Commission’s approach to business continuity (BC) and the focus on critical business activities.
4.3 Steve highlighted the reliance on third parties and how the BC plans produced by the Commission must dovetail with critical service providers. He also highlighted the need for an organisation wide BC exercise.
4.4 The Committee questioned how the Commission would plan for a longer lasting event, and sought Validera’s thoughts on this, as well as horizon-scanning and the re-introduction of functions that were not identified as a high priority.
4.5 Steve congratulated the Commission on the planning before Covid which proved extremely useful but noted that priorities, as well as the recovery time of some services, changed over time. He recommended that the actions taken by the Commission be written into future plans to ensure these reactions and lessons were not lost.
4.6 Officials agreed that BC should be more strategic. The recommendations highlighted in the audit were being taken forward and discussions were already underway regarding a BC exercise. The BC function sat within the G&A team who were advising management on activities and risks. The BC Forum continued to meet on a regular basis with BC champions within each service area.
4.7 The Committee thanked Steve for his presentation and would welcome a further update on progress against recommendations at the February meeting. |
|
External Quality Assessment (EQA)
Minutes: ARAC (23-05) Paper 5 – EQA
5.1 The EQA report had been circulated to Committee members on 20 October.
5.2 Officials had been pleased with the opinion of general conformance with Public Sector Internal Audit Standards and Treasury Management IAQAF. The recommendations had been accepted by management.
5.3 The Committee raised concerns over the future structure of the Governance & Assurance team. Ed described a period of assessing the functions of the team and the opportunity to consider options for an appropriate structure to deliver those functions, particularly since the arrival of the new Chief Finance Officer. A consultation would be undertaken on proposals for the structure and views of the Committee would be sought. |
|
HMT/other guidance for Audit and Risk Assurance Committees
Minutes: Oral item
6.1 Lee Glover updated the Committee on the reviews being carried out on internal audit standards. The new Global Internal Audit Standards, which were due to be issued in January 2024, would feed into updates to the Public Sector Internal Audit Standards (PSIAS) which would be supplemented with detailed guidance on their implementation in due course. There were no changes of substance expected on how internal audit activity should be undertaken. |
|
Review of internal audit coverage over the past few years
Minutes: ARAC (23-05) Paper 6 – Internal Audit
7.1 Further to an action at the 27 April ARAC meeting, Victoria presented an outline of internal audit work undertaken over the past five years broken down by Directorate. She also provided the Committee with an update on outstanding internal audit recommendations.
7.2 Covid had significantly impacted internal audit activity but it was clear that in recent years, since the pandemic, a balance between the three Directorates had been achieved.
7.3 Victoria described the process of establishing the future audit programme which would involve discussing priorities with individual Directors.
7.4 The Committee welcomed this update and encouraged officials to prioritise resources on the outstanding audit recommendations. It was agreed that recommendations older than six months would be presented to the Committee biannually.
Action
· Clerking team to ensure updates on outstanding audit recommendations (over 6 months) are presented twice yearly. |
|
Feedback from 2022-23 audit process
Minutes: Oral item
8.1 The Chair welcomed Anthony Veale to the meeting who had replaced Ann Marie Harkin as the Executive Audit Director on the Senedd Commission account.
8.2 Kate Innes outlined how the lessons learned session with Audit Wales had highlighted a number of reasons why an interim audit had not been completed during the 2022-23 process. These were primarily related to communication, lack of substantive interim audit due to resource implications within Audit Wales and the introduction of the new audit standards, especially as the Senedd Commission was one of the first organisations to be audited using these new standards. Anthony provided assurance around planning and processes to minimise the chance of any delays to finalising the audit of accounts, such as those caused by their use of external expertise to review the audit of pensions.
8.3 Kate welcomed the candour of Audit Wales and encouraged them to raise any issues as early as possible. Audit Wales would start the interim audit early in 2024 and Kate agreed to keep the Committee updated on any slippage to the timetable. |
|
Audit Wales update report (inc. AW reports/outputs and wider public sector studies and reports and how they impact the Senedd Commission)
Minutes: ARAC (23-05) Paper 7 – Audit Wales update
9.1 Anthony Veale informed the Committee of the likely 6.4% increase in the audit fee following the usual consultation exercise, and the proposal to undertake work on a similar timescale to 2022-23. Recruitment and retention was an ongoing challenge for Audit Wales but Anthony was hopeful it would not impact the audit of the Commission’s accounts, adding that they would be considering their audit delivery strategy across all clients in the coming months.
9.2 The government financial reporting manual (FReM) had not changed significantly, but the team were horizon scanning and would inform Kate of any changes.
9.3 By mid-February the Finance team would have prepared period 10 with the documents ready for the interim audit by the third week of February.
9.4 The Committee thanked Audit Wales for the update and reiterated the need to be kept informed of any delays to the timetable.
9.5 Anthony also outlined the wider public sector work and reports of interest included in the paper, which included links to further information. |
|
Update on Cyber Security
Minutes: ARAC (23-05) Paper 8 – Cyber Security Assurance Report
10.1 The Chair welcomed Jamie Hancock, Tim Bernat and Chris Weaver to the meeting and invited Jamie to outline any highlights from the report.
10.2 Jamie highlighted the work being carried out on network infrastructure to further strengthen resilience. Tim described how the Security Operations Centre (SOC) and additional resource for investigating and dealing with incidents allowed an increased focus on preventative measures to manage cyber-security threats.
10.3 Tim also outlined the Cyber Security event, held over two days at the Pierhead in November. It had been well attended and included a number of high-profile speakers with representatives from all four UK parliaments and the National Cyber Security Centre.
10.4 In response to questions from Committee members, a wider discussion then focussed on ransomware attacks. The team described the risks and consequences of an attack on the Commission and the role of cyber incident response plans in mobilising immediate action to contain an incident and to assess the extent of the damage. The team also described the need for organisation-wide focus on communication and staff wellbeing around any attacks or data breaches, for example, which had been incorporated into response plan documentation. It was suggested that, whilst ICT could facilitate the assessment of risk appetite, this should also involve input from the SIRO.
10.5 The Committee questioned the establishment of the SIRO group and sought assurance that risks were being appropriately addressed, including the risks relating to Artificial Intelligence (AI). Matthew Richards, recently appointed as SIRO, referred to two groups which had been established: one, chaired by Arwyn Jones, to consider the opportunities of generative AI and the other, chaired by Matthew, to consider the risks. He would be progressing the establishment of a SIRO group in the new year and agreed to update the Committee at its February meeting.
10.6 The Chair thanked the team for their comprehensive report and update.
Action
· Matthew Richards to provide an update on the SIRO group at the February meeting. |
|
Finance update
Minutes: ARAC (23-05) Paper 9 – Update on 2023-24 Financial Position and 2024-25 Budget
11.1 Kate described the challenges and processes around securing in-year savings. She informed the Committee that the forecast out-turn position at the end of October was £93,000, which equated to a 0.003% underspend of the approved operational budget against a target of 1.5%. This small surplus was the result of needing to manage significant budgetary pressures due to cost of living costs, as well as the required savings handed back at the start of the financial year totalling over £1.2 million. Any surplus would be used by bringing forward essential building maintenance.
11.2 Kate and Manon described how decisions were made to secure savings to accommodate the request from Unions to deliver an in-year cost of living payment to staff, in line with other public sector organisations. This had included consultations at a political level and consideration of risks to the Commission if the proposal had been rejected. They also outlined the challenges the Commission had faced as a consequence, particularly around pausing projects and recruitment to fill vacancies.
11.3 Leanne Baker confirmed this had not appeared to have caused an impact on staff turnover rates which had remained consistent over the last 3 months, and vacancy rates had actually decreased. She added that flexible start dates had facilitated a more strategic approach to recruitment.
11.4 Kate agreed to keep the Committee informed by sharing information relating to financial and workforce planning.
11.5 The Committee noted the losses and special payments contained within the finance update paper. |
|
PAPAC and Finance Committee update
Minutes: Oral update
12.1 The Chair noted the Commission’s appearances at the Finance Committee on 5 and 12 October and the Public Accounts and Public Administration Committee (PAPAC) on 12 October. Committee reports and Commission responses had been provided in advance of the meeting, along with links to Senedd.tv for the committee scrutiny sessions.
12.2 Kate confirmed that the final budget had been debated in plenary on 15 November 2023 and approved. The Finance Committee had been presented with details of the cost of living payment and the implications for staff and projects. Kate also informed the Committee that the triennial review of Civil Service pension contributions would require a supplementary budget; HMT confirmed this would be funded. Information on the impact was not available from GAD in time for this to be included in the budget.
12.3 Resources would be carefully planned and managed through the Commission’s Medium-Term Resourcing Framework and would be informed by service planning and consultation on any savings before allocating budgets.
12.4 Ken Skates expressed his thanks to the Finance team for their efforts during the budget planning process and for their support for the scrutiny sessions.
12.5 The Chair encouraged officials to continue sharing information as it became available. |
|
Departure Summary
Minutes: ARAC (23-03) Paper 10 – Departure Summary
13.1 The Committee noted four departures from normal procurement procedures and raised no concerns. |
|
Corporate updates: Senedd Reform Programme and Ways of Working Programme
Minutes: Oral updates
Senedd Reform Programme
14.1 The Chair invited Siwan Davies to provide an update on the Senedd Reform Programme (SRP). Siwan provided assurance that the programme was going to plan and made reference to the following in her update:
· The Welsh Government had introduced the Senedd Cymru (Members and Elections) Bill in September, which was currently going through the Stage 1 Senedd Committee scrutiny process. This would be followed by Stage 2 and 3 scrutiny by the Senedd, with Royal Assent expected in June 2024.
· The Commission had been subject to scrutiny on the cost implications of Senedd Reform (as included in the Regulatory Impact Assessment) at Finance Committee and Reform Bill Committee evidence sessions in November.
· A second Bill relating to gender quotas was expected to be introduced in December 2023.
· The Independent Remuneration Board had launched a series of thematic reviews. The Commission was in dialogue with the Board in relation to its review of the regulatory framework to agree resources, simplification, governance and clarification of roles and responsibilities. The Commission was due to consider this in spring 2024.
· The Joint Assurance Board and the Welsh Government’s Senedd Electoral Reform Delivery Board, both of which had senior Commission representation, were meeting regularly.
· The Senedd Reform Programme Board continued to monitor the programme-level risks and a review of the Senedd Reform corporate risk would be carried out early in 2024.
· Plans for transition to the Seventh Senedd were being developed in line with capacity, capability and workforce planning and the Corporate Delivery Plan.
14.2 In response to questions about the timetable, particularly around adapting buildings to accommodate additional Members, Siwan and Ed outlined the planning process and timescales with a view to starting work when the Bill had received Royal Assent. It was anticipated that work would be completed by January 2026.
Ways of Working Programme
14.3 The Chair invited Ed to provide a brief update on the Ways of Working Programme. Ed outlined the development of planning assumptions, plans, options and proposals to deliver the key live projects underpinning the overall programme. This would involve:
· development of business cases for decisions by the Commission;
· the development of planning assumptions for adapting Tŷ Hywel office space by 2026;
· the procurement process for design support for the Siambr 2026 project;
· the plans to finalise the Strategic Outline Case for the Bay 32 project, relating to future accommodation when the lease on Tŷ Hywel ended; and
· the process for presenting options and securing decisions from the Commission on proposals to deliver the programme.
14.4 The Chair asked officials to keep the Committee informed of progress and the management of risk, particularly in relation to costs and timing of the procurement. |
|
Corporate Risk
Minutes: ARAC (23-05) Paper 11 – Corporate Risk
15.1 The Committee noted the Commission’s Corporate Risk Register and discussed how Independent Advisers might add value to the assessment of emerging risks such as those relating to the impact of political decision making.
15.2 The discussion focused on physical security risks, given the change to the risk landscape across the UK. Ed provided assurance on the management of risk by the Security team in conjunction with the Police and the Independent Remuneration Board in relation to Members of the Senedd. A programme of risk assessments had been completed and enhanced security measures put in place for Members’ homes and constituency offices. Guidance had also been refreshed in relation to engagement activities. Ed agreed to consider what information to share with the Committee on the management of security risks. |
|
Critical examination of one identified or emerging risk or issue - HR-R-129: Dignity & Respect - Commission
Minutes: ARAC (23-05) Paper 12 – Corporate Risk - Dignity & Respect
16.1 The Chair welcomed Matthew Richards and Richard Thomas to the meeting.
16.2 Matthew informed the Committee that the original Dignity and Respect policy was launched in 2019.
16.3 In 2022, the Commission surveyed all staff to determine their awareness of the policy and their willingness to report incidents. Fewer cases were being reported in the Senedd but one area that needed attention was the preparedness of Members’ staff to report incidents.
16.4 On 16 November 2023, the Standards of Conduct Committee launched an inquiry into dignity and respect and the Committee’s consultation was due to close on 22 January 2024. The Independent Remuneration Board had also been consulted.
16.5 Matthew also responded to questions from the Committee on the time the complaints process takes and how the timescale could deter potential complainants. Matthew explained that those against whom complaints were made were permitted a full opportunity to set out their position and any evidence which can unfortunately prolong the process. The Committee appreciated the legal issues involved and wanted to ensure that there was sufficient support in place for those making complaints.
16.6 Matthew then described the re-launch of the availability of contact officers (available to Commission staff and Members’ staff), with posters being displayed around the Senedd estate as well as sharing an anti-bullying campaign on the staff intranet. HR had delivered mandatory dignity and respect training for all staff with some party groups also rolling out this training.
16.7 Commission staff had been surveyed in 2023 as part of the annual Commission staff wellbeing survey. The results were yet to be analysed. Once available, they would be shared with Committee members.
Action
· Clerking team to share results of the most recent Dignity and Respect Survey when available and provide an update on the outcome of the Standards Committee consultation in due course. |
|
Information breaches (twice yearly)
Minutes: Oral item
17.1 Matthew Richards informed the Committee that there had been a number of data breaches, none of which he felt were a particular cause for concern. The Chair agreed that the details could be shared with Committee members outside of the meeting. |
|
Review the committee's terms of reference
Minutes: ARAC (23-05) Paper 13 – current ToR
18.1 The Committee noted its Terms of Reference and agreed that no changes were necessary. |
|
Forward work programme
Minutes: ARAC (23-05) Paper 14 – Forward Work Programme
19.1 The Committee requested that the ways in which the Commission might use Artificial Intelligence, and the associated risks, be added to the forward work programme.
Action
· Clerking team to add Artificial Intelligence (AI) to the forward work programme for the July meeting. |
|
Any other business
Minutes:
20.1 No other business was raised. Next meeting was scheduled for 19 February 2024. |