Agenda and minutes
Venue: Conference Room 4B - Tŷ Hywel.
Contact: Clerk: Kathryn Hughes Deputy Clerk: Buddug Saer
| No. | Item |
|---|---|
|
Introductions, apologies and declaration of interests Minutes: 1.1 The Chair welcomed everyone to the meeting. 1.2 Apologies were noted from Aled Eirug, Independent Adviser. 1.3 Lee Glover, Chief Audit Executive, attended a private session
with members of the Committee before formal proceedings had commenced. No other
Commission officials were present, and no minutes were taken. |
|
|
Actions and matters arising Minutes: 2.1 The minutes of the 23 June meeting had been approved out of
committee and the updates to the action schedule were noted. 2.2 The Chair noted the circulation of the following since the last
formal meeting: the Payroll and Pension Internal Audit report; the Senedd
Commission’s Draft Budget 2026-27; and the Finance Committee’s report on its
Scrutiny of the Senedd Commission Draft Budget 2026-27. |
|
|
Progress of Internal Audit activity Minutes: 3.1 Lee Glover presented the progress report, summarising the
status against the 2024-25 and 2025-26 plans. He reported that approximately
half of the audits in the 2025-26 plan had been completed, with several reports
issued and others pending finalisation. The final report on the Cyber-security
audit remained outstanding. Lee also highlighted that some of the audits in the
2025-26 plan, including the audit of business continuity arrangements, would be
reported to the June meeting. 3.2 Lee highlighted the low completion rates for client
satisfaction surveys that were sent out with the final reports, noting this was
a key mechanism for gaining feedback from clients. It was suggested that time
constraints may be a factor, and officials agreed to encourage greater
participation. The Chair emphasised the importance of feedback for assessing
the value of internal audit reviews. 3.3 The Chair proposed regular reporting on the status of
recommendations and requested an update at the February meeting. Actions
- Officials to be encouraged to complete a client satisfaction survey on completion of audits.
- A report on the implementation of audit recommendations to be presented at the February meeting. |
|
|
Internal Audit Reports Minutes: 4.1 Lee Glover confirmed that both the Dignity and Respect and
Print Room audits received positive assurance ratings, with adequate assurance
provided. He explained the risk grading system (RAG: Red, Amber, Green) and its
role in prioritising findings. 4.2 In relation to the Print Room audit, the Chair queried whether
non-compliance with processes might warrant a limited assurance rating. In
response, Lee explained that the overall assurance was based on professional
judgement and the nature of recommendations, concluding that adequate assurance
was appropriate given recent improvements to tighten controls and the
introduction of new processes. The Chair welcomed the explanation and noted
that auditors and officials should not be concerned about the occasional
negative assurance rating, as this could lead to improvements. |
|
|
Audit Wales Update Minutes: 5.1 Clare Thomas presented the update report which covered the
2024-25 audit fee, considerations for the 2025-26 audit and national studies
undertaken by Audit Wales. In response to a question from Uzo Iwobi, Clare
outlined the introduction of IFRS 17 (insurance contracts) and its potential
implications for guarantees and contracts. She advised officials to consider
any potential
training requirements for staff on changes to IFRS 17 that would be required for compliance. 5.2 Clare referenced plans for early discussion with officials on
accounting for capital versus revenue expenditure, and the timeline for the
interim audit. She also noted that the audit fee may increase slightly due to
higher expenditure going through the accounts this year. 5.3 In response to
questions from a Committee member, officials agreed that zero based budgeting
is something that could be considered at a future date for the Seventh Senedd. |
|
|
Update on cyber security Minutes: Some details have not been captured in the minutes due to their
sensitive nature. 6.1 The Chair noted the importance of taking this opportunity for
the Committee to receive a comprehensive update on cyber security, ahead of the
Senedd elections in May. 6.2 Jamie Hancock presented a summary of key cyber security
updates, including improvements in attack detection, operational performance,
compliance progress, and cultural initiatives. He reported statistics in
relation to the number of attacks blocked by the intrusion prevention system,
the number of phishing attempts reaching mailboxes and improvements in
perimeter defences. 6.3 The Committee discussed ongoing risks, including ransomware and
nation-state actors, the importance of responsible use of AI, the continued use
of Personal Cyber Assistance Service (PCAS) for Members’ personal device
security and mandatory cyber security training. Work was continuing on the
Welsh language version of the User Awareness platform. This was expected to
have a measurable impact on compliance in due course. Lessons from Recent Cyber
Incidents 6.4 The Committee reviewed the paper which referred to a number of
recent, and widely reported, cyber incidents experienced by large UK
organisations, noting the catastrophic impacts and the prevalence of social
engineering and AI-driven attacks. The Senedd’s defences were outlined,
including multi-factor authentication, strict identity checks, 24/7 monitoring
by the Security Operations Centre and restricted VPN access requiring Senedd
devices for system access. Committee members emphasised the need for rapid incident
response and the human impact of cyber-attacks. 6.5 The Committee noted plans to test business continuity and
incident response plans, including simulated attacks, and to work with all
service areas to ensure robust business continuity (BC) and disaster recovery
(DR) plans were in place. 6.6 The Committee and ICT officials wished to record their thanks
to Tim Bernat who had recently left the organisation. Tim had made a huge
contribution and undertook the role with such professionalism and dedication.
Recruitment was underway for the position of ICT Security Architect. 6.7 The Chair thanked Mark Neilson and Jamie for the update and for
sharing the information presented to the Senedd’s Finance Committee and Public
Accounts and Public Administration Committee. It was agreed that a further
update focused on BC and DR plans would be presented at the February meeting. Actions
- Share statistics on Members’ support staff uptake for PCAS with Lesley Griffiths, Commissioner.
- Ensure details of the Personal Cyber Assistance Service (PCAS) are communicated across the Commission and Members and staff.
- Provide an update on business continuity (BC) and disaster recovery (DR) plans. |
|
|
Finance Update Minutes: 7.1 Lisa Bowkett updated the Committee on
the progression of major projects already budgeted and on the decision process
for prioritisation of all other projects. She also provided an update on budget
debates, and scenario planning should the Welsh Government budget not be
approved. 7.2 The Committee noted this would have a significant impact on the
Commission’s budget for 2026-27 and welcomed the consideration of contingency
planning. 7.3 In response to questions from Committee
members in relation to Commission staff pay, Lisa advised that, despite one of
the unions rejecting the offer, the pay award would be implemented for 2025-26,
and that negotiations would begin with Trade Unions for future years. |
|
|
Governance & Strategic Planning Update Report Minutes: 8.1 Phil Boshier provided an update on the assurance framework,
risk management framework, business continuity and the planning framework. 8.2 In relation to the assurance framework, Phil reminded the
Committee of the work done previously to enhance assurance mapping at the
corporate level and outlined plans to adapt service level assurance gathering
to bring this into line and simplify it where possible. 8.3 In relation to business continuity (BC), Phil outlined progress
on the fundamental review and refresh of the BC management system, with
Executive Board approval of an updated policy and corporate BC Plan which would
inform a review of BC plans at all levels across the Commission. 8.4 In relation to the strategic planning framework, Phil outlined
how the integrated three-year planning cycle in place worked in practice in
terms of service planning informing budget and project planning, highlighting
the integration of corporate and service plans. 8.5 Phil also outlined the changes to the governance structure
around major programmes for the Seventh Senedd as they moved from planning into
the delivery phase. The component workstreams were now being managed directly
by the three Directors as SROs, replacing the programme boards, with closer
collective oversight by the Change Board, which had updated terms of reference.
The Change Board had approved the reporting process by which it was reviewing
election readiness reports monthly. The Clerking team would continue to
circulate dashboards when available. 8.6 In response to questions from Committee members, Julian Luke
described how this change had enabled oversight of the interdependencies across
the programmes as they moved into the delivery phase. Action -
Continue to share monthly Change Board
dashboards on readiness reviews for the three Seventh Senedd workstreams with
Committee members when available. |
|
|
Reporting on data breaches Minutes: 9.1 The Committee reviewed the report on data breaches, noting an
increase in incidents attributed to human error. Officials also noted the higher
risk of breaches relating to the implementation of the new HR/Payroll system
and provided assurance these were being addressed. |
|
|
Departure Summary Minutes: 10.1 The Committee noted three departures from normal procurement
procedures to report since the June meeting. No issues were raised. |
|
|
Corporate Risks Minutes: 11.1 The Committee noted the updated summary Corporate Risk
Register. Kathryn Hughes asked Committee members for feedback on the
presentation of the summary and detailed information contained in the reports.
Suggestions were made around incorporating risk appetite and for the use of
colour coding to help identify new information. Kathryn agreed to take this on
board. 11.2 Kathryn described how the Executive Board carried out
comprehensive reviews of the individual risks, including the risk rating as
well as the risk profile, providing challenge on the updates provided by risk
owners. She also highlighted the new risk added to the Register regarding
financial resources, noting this had been discussed under item 7. Action -
Consider including risk appetite and
highlighting new information in risk reports. |
|
|
Critical examination of one identified corporate risk or topical issue - Senedd Reform Minutes: 12.1 Julian Luke presented an update on the management of risks
relating to Senedd Reform. This included plans for changes to Standing Orders,
induction and training for new Members (linked with Welsh Government training
of Ministers), and resource planning in preparation for the start of the
Seventh Senedd. Scenario planning exercises were underway to address
uncertainties in the post-election period. As noted under item 8 of these
minutes, the governance structure had been revised to improve oversight and cross-directorate
collaboration. Prior to this, over the past two years, various workstreams had
been reporting into formal programme governance structures. Risks associated
with capacity, capability, and project deadlines were acknowledged, with phased
recruitment and contingency plans in place.
12.2 Julian described planning for a new Senedd noting this was on
a much larger scale given the changes that were needed to deliver Senedd Reform
and the number of new Members. He also outlined the evidence being gathered to
inform early decisions on the organisation of business and committee
structures, for example. 12.3 Julian also outlined the ongoing work relating to the
Family-Friendly and Inclusive Parliament Review (as a result of the
Parliamentary Gender Sensitive Audit). Members were engaging with other
parliaments and academics were involved in the review. In response to a query
by Lesley Griffiths, Julian acknowledged the critical role of Standing Orders.
The work in hand was likely to lead to
further changes to Standing Orders if the recommendations were approved. 12.4 Reviews around Dignity and Respect and the Code of Conduct for
Members were also ongoing, taking account of the provisions of the Government’s
Member Accountability Bill. 12.5 In response to questions from Committee members, Julian
provided assurances on how the complexities of preparing for such a
transformational change and the inherent risks were being managed. 12.6 The Chair thanked Julian for his comprehensive summary of
preparations underway for the Seventh Senedd, particularly given the
complexities. |
|
|
Senedd Services and Staff Minutes: 13.1 This item was covered as part of the update on the Senedd
Reform corporate risk under item 12. |
|
|
Election Minutes: 14.1 Arwyn Jones described the work being undertaken by his
directorate in collaboration with the Electoral Commission. The Engagement team
were prioritising secondary schools, by targeting young voters aged between
16-17 years old. |
|
|
Senedd Estate Minutes: 15.1 Ed Williams provided the Committee with an update on the
progress of works in Tŷ Hywel, which included creating a mix of
accommodation for the 36 additional Members. He also outlined that the project
to reconfigure the Siambr in the Senedd remained on budget and on
schedule; however, it was considered high-risk due to the tight timeline. The
current plan was for Members to return to the Siambr following the February
recess. |
|
|
Review HMT/other guidance for ARAC Minutes: 16.1 The Committee noted the paper which outlined a number of updates
to HM Treasury’s Audit and Risk Assurance Handbook. |
|
|
Review of Terms of Reference Minutes: 17.1 The Committee’s updated terms of reference were noted. |
|
|
Forward work programme Minutes: 18.1 The Committee agreed to consider the following items at its
future meetings: - 23 February 2026 - Deep dive: Capacity and Capability - April (tbc) – Deep dive: Dignity and Respect - June (tbc) – sickness absence (as reported in the KPIs) 18.2 The Chair thanked
everyone for their contributions and the quality of the papers presented. Next meeting is scheduled
for 23 February 2026. |
|
|
Addendum - IA reports circulated out of committee |