Agenda and minutes

1.0    Item 1 - Introductions, apologies and declarations of interest

1.1    The Chair welcomed everyone to the meeting and noted apologies from Aled Eirug, Independent Adviser, Anthony Veale, Audit Wales, Mark Neilson, Head of ICT and Broadcasting and Anna Daniel, Head of Strategic Transformation.

1.2    No interests were declared.

2.0    Item 2 - Actions and matters arising

ARAC (24-05) Paper 1 – Summary of actions 

2.1    The minutes from the June and July meetings had been approved out of committee and published on the website.

2.2    The action scheduled had been updated and all outstanding actions were complete.

Internal Audit

3.0    Item 3 – Internal Audit Plan 2024-25 and review of progress of Internal Audit activity

ARAC (24-05) Paper 2 - Internal Audit Plan 2024-25 and Progress Report

3.1    The Chair welcomed Lee Glover, Head of Internal Audit, to the meeting. Lee referred to the Internal Audit Progress Report which contained the 2024-25 Internal Audit Plan and an update on progress. He noted that the audit of Members’ Expenses was complete, the report on which would be covered under item 4. An audit brief had been issued for the Counter Fraud Health Check and the Procure to Pay audit was about to commence.

3.2    In response to questions from Committee members about the timeline of audits contained within the plan, Lee advised that the dates were as proposed by officials and provided assurance that resources within Validera had been scheduled.

3.3    The Chair thanked Lee for this update and urged all involved in any future audits to process them as quickly as possible. He noted the importance of the Head of Internal Audit’s Annual Opinion at the end of the financial year, to enable the Committee to provide the necessary assurances to the Commission.

4.0    Item 4 – Internal Audit report

ARAC (24-05) Paper 3 – Internal Audit Report - Member Expenses - 2024

4.1    Lee introduced the Member Expenses audit report which was given a ‘Substantial’ level of assurance. The report highlighted areas of good practice in terms of controls, and three minor areas of improvement.

4.2    The Committee welcomed this report and the high level of confidence demonstrated in the Members’ Business Support (MBS) team. It was clear that the team were following set processes and were prepared to challenge Members and their offices when necessary.

4.3    Arwyn described the processes in place to ensure consistency and continual improvement. He also agreed to share some further information with the Committee in relation to the number of expense claims that were challenged by the MBS team. 

4.4    Manon reminded the Committee of the formal appeal process in place for rejected claims. On receipt of an appeal, the Head of Legal Services provided her, as the Accounting Officer, with the necessary advice and the outcome was published anonymously on the website.

4.5    The Committee noted the report and the Chair noted the importance of achieving substantial assurance in this area. 

Action

Arwyn to provide further information on the number of expense claims that required additional scrutiny.

External Audit

5.0    Item 5 – Audit Wales update

ARAC (24-05) Paper 4 – Audit Wales Update Report - Nov 2024

5.1    The Chair welcomed Clare James to the meeting. Clare summarised the 2023-24 audit and advised that, as the new audit approach had delivered some efficiencies, the final fee would be 12% less than estimated. 

5.2    All five recommendations in the audit report had been accepted by the Commission, although it was noted that none were significant in nature and related to improvements which were worthy of consideration.  

5.3    The planning of the 2024-25 audit was underway and Audit Wales were working on a similar timescale to 2023-24. Contained within the paper was the Auditor General’s wider programme of national value-for-money studies.

5.4    The Committee thanked Clare for her update and the additional information included in the report. 

Commission Governance

6.0    Item 6 - Update on cyber security

         ARAC (24-05) Paper 5 - Internal Audit Report - Cyber Security - 2024

         ARAC (24-05) Paper 6 – Cyber Security Assurance Report

         ARAC (24-05) Paper 7 – Supply Chain Security

6.1    Lee Glover introduced the Internal Audit Report on Cyber Security which was given an overall ‘Adequate’ level of assurance and ‘Good’ in the application of controls. Three actions had been agreed by management, one of which was in relation to testing user understanding of cyber security requirements following induction and training.  

6.2    Jamie Hancock was currently involved in a procurement exercise for a User Awareness Training Platform, due to be completed by the end of November. From the demonstrations he had witnessed, the new training would be very interactive and informative.

6.3    The use of, and preferred methods of communication used by Members was also discussed and Lee noted the work being done to promote the most secure methods to staff and Members.

6.4    The Committee were assured that the processes and technologies in places for managing lost mobile devices was sufficient, especially as Members of the Senedd were data controllers in their own right. 

6.5    Jamie Hancock and Tim Bernat presented the Cyber Security Assurance Report. Tim described the threat landscape. During 2024 there had been an increase in the volume and sophistication of cyber-attacks. Internal data, as well as industry data from Verizon and Microsoft, indicated a notable rise in the risk of phishing, ransomware, and supply chain vulnerabilities. These trends served to further highlight the importance of the ICT team’s ongoing efforts to maintain and enhance cyber security and protect digital assets.

6.6    In response to questions from the Committee, officials described the work being carried out in areas such as: addressing ransomware threats; logging and reporting on incidents (a high level version was captured in the assurance report); maintaining robust business continuity, contingency and disaster recovery plans; and training, communication and awareness, including the continued offer of bespoke briefings for Members and their staff. Despite the threat landscape, Tim assured the Committee that, from a technical and cyber security hygiene perspective, the Senedd was in a good position, but he emphasised that the risk remained high.

6.7    Officials agreed with the Committee that a new Senedd term would be an ideal opportunity to consider revising procedures and guidance ahead of the Seventh Senedd.

6.8    The Committee noted the assurance report and the supply chain paper and thanked all involved for their work in this area. The Chair believed that the assurance report was fit for purpose but welcomed feedback from other Committee members. It was agreed that a discussion focussing on the Cyber Assessment Framework (CAF) would be tabled at the February meeting. 

Action

Discuss Cyber Assessment Framework (CAF) at the February meeting.

7.0    Item 7 – Budget Update

Oral update

7.1    The Chair invited Simon Hart to update the Committee on the latest budget position.

7.2    Simon confirmed that the first supplementary budget had been approved. This budget included a net increase in employer pension contributions as well as the backdated pay offer for junior pay bands. The increase in National Insurance contributions would have a substantial impact on the 2025-26 budget, although the increase in the Barnett consequential and supplementary budget would cover the additional cost.  

7.3    With a substantial increase in the 2025-26 budget, Simon highlighted four key areas of ringfenced spend relating to transformational change:

Senedd Reform;

-      Bay 32;

-      works on Tŷ Hywel; and

-      increase in Commission staff pay.

7.4    The Commissioner, Hefin David, along with Senedd officials had discussed these commitments at the Finance Committee in October, and all recommendations made by the Committee had been accepted. It was noted that, in relation to savings, the intention was to consider using a three-year average GDP deflator as a mechanism for estimating future budgets.

7.5    The Finance Committee had requested development of a plan to set out how the Commission intended to engage with Members about budget commitments.  

7.6    Hefin took this opportunity to thank the Finance team for the quality of advice and detailed briefings he had received, and he was confident that the budget would be approved during an upcoming Plenary debate. 

Action

Include engagement plan in the budget update item at the February meeting

8.0    Item 8 – Governance Update Report (to include update on programme governance structures and sharing info with ARAC)

ARAC (24-05) Paper 8 – Governance Update Report – Nov 2024

8.1    The Chair invited Phil Boshier to present the report on progress against areas of governance. Phil reminded the Committee that the Senedd 26 Dashboards would be made available in the ARAC members’ library fortnightly. He also highlighted the work being done to evolve assurance gathering at a corporate level, taking on board feedback from Independent Advisers, and the development of Commission risk appetite statements. He also outlined the integrated annual planning cycle aligned with budget planning and the development of a Portfolio Strategy and Senedd 26 Change Strategy.

8.2    The Committee noted the continual improvements in the governance arrangements and, in response to questions from Committee members on how these governance arrangements would work in practice, Phil provided further details and assurances whilst acknowledging the cultural change needed around service planning and prioritisation. 

9.0    Item 9 – Reflection on Key Performance Indicators (KPIs)

ARAC (24-05) Paper 9 – KPIs

9.1    The Chair invited Menai Owen-Jones and Phil Boshier to introduce this item. Phil summarised the paper presented which showed the history of the development of the current KPIs and the plan to review these in light of the Commission Strategy for the Seventh Senedd, in 2026. 

9.2    The Committee discussed the process and framework for reviewing the KPIs and its role in this. Committee members also noted the need to ensure the Commission was measuring the services delivered to Members of the Senedd and the use of information gathered through surveys, for example.

9.3    Manon explained that the current KPIs included a mix of core and stretch measures, some of which would take time to achieve. She highlighted the importance of retaining a core set of measures to allow for year on year comparisons and the importance of the narrative which supported and gave context to the measures in the Annual Report. Phil added that there was also a suite of internal measures used at a service level.

9.4    It was also noted that care was needed around reliance on staff and Member survey results, particularly if there was insufficient engagement with the surveys. 

9.5    The Committee found the paper and discussion useful and would discuss KPIs further as part of its review of the Commission’s next Annual Report and Accounts.

10.0  Item 10 – Reporting on data breaches

ARAC (24-05) Paper 10 – Data Breaches

10.1  Matthew Richards reported on five data breaches, none of which were over the threshold for reporting to the Information Commissioner’s Office. 

10.2  The Committee welcomed this update and noted that human error could never be completely eliminated. 

11.0  Item 11 – Corporate Risk

ARAC (24-05) Paper 11 – Corporate Risk

         ARAC (24-05) Paper 11 – Annex A -  Summary Corporate Risk Register

         ARAC (24-05) Paper 11 - Annex B – Corporate Risks plotted ARAC

11.1  Ed Williams highlighted that the risk rating for Corporate Capacity and Capability risk (HR-R-170) had moved from High to Medium, partly as a result of the development of a Workforce Plan as part of the Medium Term Resourcing Framework.

11.2  The Committee noted the updates in the Register.

12.0  Item 12 – Critical examination of one identified corporate risk or topical issue – EFM-R-192 - Failure of the Bay 2032 Project

Oral update

12.1  The Chair invited Ed Williams to provide an update on the management of risks relating to the Bay 2032 project.

12.2  Ed referred to the details included in the Corporate Risk Register (paper 11) and the Gateway Review Report which had been circulated in advance of the meeting. He highlighted the Amber to Green rating and the recommendation to proceed to the next stage. The review had been an iterative process with lots of discussion with the independent panel members and summing up at the end of each day. There were six recommendations, all of which were discussed with SRO and none of which came as a surprise. These would be taken forward with the immediate focus on resources and the procurement plan, including the development of evaluation criteria.

12.3  Committee members acknowledged the magnitude of the project and thanked Ed for sharing the report in real time, which demonstrated good transparency. They also welcomed the assurances that the project was progressing along the right lines.

12.4  In response to questions from the Committee about the current position and next steps, Ed explained the process and timeline for developing the Outline Business Case to facilitate market engagement, the development of evaluation criteria and the legal advice in place to support this. In terms of resources, consideration was being given to the internal and external teams needed to deliver the project, and the possible appointment of a project director to oversee the work.

12.5  The Committee also discussed the political risks given the Senedd Elections due to take place in May 2026. Ed described the work being done to prepare for various scenarios and noted it would be the current Commission making the decisions, with some key decision being made in the Autumn of 2025.

12.6  In response to further questions from Committee members, Ed and Simon provided assurances around engagement with the Welsh Government at the most senior levels and on the operation and effectiveness of a Joint Assurance Board. They also referred to the technical briefings presented to the Senedd Finance Committee.

12.7  The Chair thanked officials for these updates and suggested a further briefing session with the proposed integrated team to cover progress, issues arising and the implementation of recommendations from the gateway review.

12.8  During the discussion it was agreed that information relating to the Senedd Elections would be shared with the Committee when it was available. Arwyn advised that a communications and engagement plan would go live in 2025 and that Election FAQs were already available on the website.

Action

Briefing session with the Director of Resources, project director and relevant officials to update ARAC on the issues highlighted in the gateway review

13.0  Item 13 – Departure Summary and trend analysis on all departures from normal procurement procedures over the past two years

ARAC (24-05) Paper 12 - Departure summary and trend analysis

ARAC (24-05) Paper 12 – Annex 1 Departure approvals

13.1  The Chair invited Phil Boshier and Helena Grant to introduce the paper.

Phil highlighted that the number of departures due to single tenders had been decreasing overall in recent years and that reasons for these, and for receiving less than three bids were documented in the paper. The Procurement team had noted that some suppliers were unable to meet our requirements relating to cyber-security or Welsh language, for example, which were non-negotiable. 

13.2  The Committee thanked officials for this useful update which had provided additional assurances.

Committee Business

14.0  Item 14 - Results of Committee’s effectiveness survey 

ARAC (24-05) Paper 13 – ARAC Effectiveness Survey 2024 – Report

14.1  The Chair thanked the Clerking team for their work on analysing the results of the latest effectiveness survey.

14.2  A theme that had been raised previously was the lack of visibility or clarity of the relationship and communication between ARAC and the Commission. The Chair was confident that improvements he had noticed with the two-way flow of information would continue.

14.3  A small number of comments related to the level of input to the internal audit strategies and plans and the tracking of internal audit recommendations. The Chair noted that interactions around internal audit were now more formal than they had been previously, and that he had been assured that a log of recommendations was being managed by officials. 

14.4  Overall, despite the small sample size, the Chair was content with responses and thanked everyone for their participation. 

15.0  Item 15 – HM Treasury/other guidance for Audit and Risk Assurance Committees

ARAC (24-05) Paper 14 – HMT-handbook 2024

15.1  The Chair noted the paper as presented.

16.0  Item 16 - Review of Terms of Reference

ARAC (24-05) Paper 15 – Terms of Reference

16.1  The Chair noted the terms of reference with no changes to be processed.

17.0  Item 17 – Forward work programme

ARAC (24-05) Paper 16 – Forward Work Programme

17.1  The Chair noted the Committee’s forward work programme and that dates for meetings beyond February 2025, to be aligned with the timetable for auditing the accounts, would be arranged as soon as possible. 

18.0  Item 18 – People and Remuneration Project (HR/Payroll system)

Oral update

18.1  The Chair thanked Eve Jennings for the note she had provided in advance of the meeting and invited her to update the Committee.

18.2  Eve reported that the stage gate 4 parallel runs were in progress following user acceptance testing, with the first having been signed off as successful. Migration and cleansing of MyCSP pensions data for Commission staff and Members was ongoing.

18.3  Communications with the organisation had included presentations at team meetings, supplemented with emails and intranet news page articles. 18.4         The timing of the communications was crucial as all users needed to download P60s and payslips by a specific date. Feedback on the presentations of the new system had been very positive.

18.5  Issues relating to the bilingual capability of the manager portal were still being addressed and this meant that only the English version of that part of the guidance had been completed. There was also a risk of a delay to the go-live date if these issues had not been resolved but officials provided assurance that everything possible was being done to avoid this. This including the escalation of the issue to the Chief Executive of the supplier company and assurances that a solution for full Welsh language functionality would be found.

18.6  In response to questions from Committee members about ensuring awareness of the need for all users to download P60s and payslips, Eve explained that, as well as the communications being pushed out, these would be downloaded for those absent. She also confirmed that the Employee Self Service part of the system was tested, fully bilingual and ready for go live subject to further successful parallel runs.

18.7  The Chair thanked Eve and Ed for keeping the Committee informed and acknowledged the hard work of all involved in the project. Eve agreed to keep the Committee updated on any emerging issues.

19.0  Item 19 – Ways of Working

Oral update

19.1  Further to the discussion under item 12, Ed explained the next phase of sharing design proofs for accommodating additional Members of the Senedd with the Commission. The Siambr design had already been agreed and Tŷ Hywel designs were being discussed. 

20.0  Item 20 – Seventh Senedd

Oral update

20.1  In Anna Daniel’s absence, Matthew Richards provided a brief update on activity relating to preparations for the Seventh Senedd. The Future Senedd Committee had been established and was working towards producing a report in May 2025. 

20.2  The Independent Remuneration Board was also working on a new Determination ahead of the next Senedd Elections in 2026. 

AOB

21.0  Item 21 – Any other business

21.1  No other business was raised.

Manon Antoniazzi, Chief Executive and Clerk of the Senedd attended a private session with members of the Committee once formal proceedings had concluded. No other Commission officials were present, and no minutes were taken.

Next meeting is scheduled for 10 February 2025.