Venue: Microsoft Teams
Contact: Clerk: Kathryn Hughes Deputy Clerk: Ryan Bishop
Introductions, apologies and declaration of interests
1.1 The Chair welcomed everyone to the meeting and noted apologies had been received from Ann-Marie Harkin, Audit Wales.
1.2 No interests were declared.
1.3 It had been agreed out of committee that, in order to reflect the change of name from the Assembly Commission to the Senedd Commission which would come into effect on 6 May, the full name of the Committee would change to the Senedd Commission Audit and Risk Assurance Committee (SCARAC) and would be commonly referred to internally as ARAC.
Minutes of 20 January, actions and matters arising
ACARAC (02-20) Paper 1 - Minutes of 20 January 2020
ACARAC (02-20) Paper 2 – Summary of actions
2.1 The minutes of the 20 January meeting were agreed.
2.2 Committee members agreed to have further discussions with officials to take forward actions around attending a future Executive Board meeting to discuss the strategy for the sixth Senedd, and a briefing session with Members’ Business Support on the monitoring of Assembly Members’ expenses.
2.3 Gareth responded to questions on timescales for implementation of the cyber security audit recommendations and for conducting the audit on compliance culture. Gareth explained that due to the disruption caused by the Coronavirus (Covid-19) outbreak, and his involvement in the leadership of the Commission’s response, some audit work would be delayed.
2.4 The Chair invited Arwyn to update the Committee on the communications plan for the name change project. Arwyn explained that, as the name change date was set in legislation, there was no scope to change it. However, due to the Covid-19 outbreak, the planned launch events had been replaced with a more low key approach, with the possibility of a harder launch later in the year. He also explained that discussions were ongoing around the opportunities presented by the lowering of the voting age to allow 16 and 17 year olds to vote, registrations for which would be opening on 1 June 2020 (for the 2021 Senedd elections) to further launch or raise awareness of the name change.
2.5 Committee members acknowledged the change in approach and discussed the potential for raising awareness through social media channels, including those of Assembly Members, along with the use of focus groups. In response, Arwyn outlined plans to increase expertise within the Commission on the use of social media. It was noted that the messages should be kept as simple as possible to help the public understand the role of the Senedd as a legislature and holding the Welsh Government to account.
2.6 The Committee noted there had been early engagement with key stakeholders and that there would be a written statement from the Llywydd on 6 May.
2.7 The Chair thanked Arwyn for the update and asked him to keep the Committee informed of communication plans. It was agreed that the Committee would return to this at the June meeting.
· (2.2) The Chair and Dave to discuss with the Chair of the Remuneration, Engagement and Workforce Advisory Committee, the timing of a meeting of Executive Board with Independent Advisers to discuss the strategy for the sixth Senedd.
· (2.2) The Chair and Gareth to discuss the best approach to providing the briefing to ACARAC on the work of Members’ Business Support (MBS) and the monitoring of Assembly Members’ expenses
· (2.3) Gareth to discuss with Suzy timeframes for implementing recommendations from review of cyber-security
· (2.3) Gareth to advise on timing of the review of compliance culture
· (2.7) Arwyn to share details of revised communications strategy on name change with ACARAC members – and provide feedback to ACARAC at ... view the full minutes text for item 2.
Governance and Assurance Update Report
ACARAC (01-20) Paper 3 – G&A update report
3.1 Gareth Watts introduced the report, which provided the Committee with an update on recent Governance and Assurance work, including heavy involvement with the Commission’s business continuity planning arrangements relating to the recent Covid-19 pandemic. He highlighted the following areas of progress:
· preparation of the first draft of the Annual Report and Accounts for 2019-20, which was being presented to the Committee at this meeting;
· completion of the internal audit review on cyber security, which was circulated out of committee, and recorded a moderate assurance rating;
· completion of the audit on project governance, which would be shared with the Committee shortly and had also recorded a moderate assurance rating;
· work on a review of compliance with the Official Languages Scheme in which, due to the Covid-19 outbreak he had taken a different approach to that planned. This had involved discussions with colleagues in the Translation and Reporting Service whereby he was able to obtain assurance and good evidence of compliance, including through a Memorandum of Understanding between the Commission and the Welsh Language Commissioner. A paper covering the findings of the review would be shared with the Committee in due course: and
· Victoria Paris’ successful completion of the Certified Internal Audit examinations.
3.2 Gareth explained that, due to difficulties presented by remote working, the planned audit on the Research Service would be delayed and that further consideration was being given to the viability of carrying out the audit on Members’ Expenses for 2019-20.
3.3 Committee members enquired about the recent Audit Wales report on Counter-Fraud Arrangements in the Welsh Public Sector and officials agreed to circulate this.
3.4 The Chair thanked Gareth for the update and Committee members welcomed his pragmatic approach to the prioritisation of work, given the circumstances.
3.5 In response to questions from Ann about the impact of delaying the audit of Members’ expenses and whether there were technological solutions in place to mitigate this, Gareth informed the Committee this was not possible at this time due to the processed involved. He added that discussions with Audit Wales and colleagues in Members’ Business Support were taking place to be in a position to provide minimal assurance for 2019-20. The Chair highlighted that the planned briefing on Members’ expenses would help to provide Committee members with a greater understanding of the processes in place.
3.6 In relation to questions about use of technology, Aled asked for clarification on rationale for the prominent use of Zoom video conferencing software over other technologies available on the market. In response Dave and Manon explained that Zoom had been chosen as it was able to facilitate the legal obligation to provide simultaneous translation for official Assembly business. It also had other useful features, including the ability to display a higher number participants on the screen than other platforms.
3.7 Responding to requests for an update on the theft of camera equipment during 2018-19, Gareth explained that this would be covered by the planned ... view the full minutes text for item 3.
Internal Audit Annual Report and Opinion for 2019-20
ACARAC (02-20) Paper 4 - Internal Audit Annual Report and Opinion for 2019-20
4.1 Gareth outlined the Internal Audit Annual Report and Opinion for 2019-20 noting that, although he had been unable to complete parts of the agreed internal audit plan for the year, he was still able to issue a moderate opinion on the adequacy and effectiveness of the Assembly Commission’s framework of governance, risk management and internal control.
4.2 Gareth added that this was, in part, due to the continued healthy culture of engagement with internal audit by service areas, with management responding positively to recommendations made and their implementation.
4.3 The Committee noted the report and thanked Gareth for his work over the year.
Internal Audit Fraud Report
ACARAC (02-20) Paper 5 - Internal Audit Fraud Report
5.1 Gareth presented the Internal Audit Fraud Report to the committee and invited comments. Responding to questions about why there were no apparent attempts of fraud reported, Gareth acknowledged that the Commission had robust controls in place which had taken account of lessons learned from a previous experience. He added that further assurances were provided by the ongoing sharing of intelligence on fraud occurrences by external partners including Audit Wales.
5.2 In response to questions around possible additional exposure to fraud risks as a result of the Covid-19 pandemic, Gareth provided assurance that the Commission was alert to these risks and offered to share a recent CIPFA report on fraud in local government for further information.
5.3 Committee members were reassured that assets taken from the office by staff to facilitate working at home during the Covid-19 pandemic had been logged and that an annual audit of all assets was carried out.
5.4 The Committee noted the report and thanked Gareth for the additional assurances provided.
(5.2) Gareth to share CIPFA report on fraud in local government with ACARAC members.
Internal Audit Charter and Internal Audit's compliance with Public Sector Internal Audit Standard (PSIAS)
6.1 The Committee noted and thanked Gareth for his paper which outlined compliance with the Public Sector Internal Audit Standard (PSIAS) and contained the Internal Audit Charter.
6.2 In relation to the Internal Audit Charter, the Chair noted that he would discuss development opportunities with Gareth, as part of his ongoing Continuing Professional Development (CPD) as Head of Internal Audit.
(6.2) Chair to discuss continuing professional development for Head of Internal Audit with Gareth.
Emerging findings and advice to Accounting Officer regarding submission of the draft Annual Report and Accounts to the Commission
ACARAC (02-20) Paper 7 – Audit Wales update
7.1 The Chair welcomed Gareth Lucey to the meeting. Gareth highlighted the following to the Committee:
· that the Wales Audit Office had recently undergone a re-branding and re-naming exercise and should now be referred to as Audit Wales;
· that work on the 2019-20 audit had been progressing well, and on that basis, the estimate fee was anticipated to be the same as in previous years, barring any unexpected changes;
· that whilst every effort would be made to honour agreed timeframes for the audit through built-in contingency elements, due to uncertainties around the COVID-19 pandemic this would be under constant review through discussions with Gareth Watts and Nia Morgan; and
· that the Auditor General would be writing to all audited bodies outlining the changes in the audit process due to the disruption caused by the COVID-19 pandemic.
7.2 In response to a query from the Chair, Gareth Lucey provided assurance to the Committee that effective audit trails would be maintained by Audit Wales when conducting live online sampling of the NAV system as part their audit.
7.3 The Chair thanked Gareth for the update.
Review of Joint Working Protocol
ACARAC (02-20) Paper 8 – Joint Working Protocol
8.1 The Committee noted and were content with the Joint Working Protocol.
ACARAC (02-20) Paper 9 – Update on financial position
9.1 Nia introduced the item, asking Committee members to note the latest financial position for 2019-20 and the anticipated financial position for 2020-21 and 2021-22. Nia explained that due to the timing of the meeting, it was not possible to provide an accurate 2019-20 year end position, but that these figures would be provided in due course.
9.2 Nia asked the Committee to note that a supplementary budget was being considered by the Commission, in relation to the delay in the implementation of changes to IFRS16 - Leases, which was due to come into force on 1 April 2020. This has been deferred to 1 April 2021. In response to questions from the Chair, Nia added that this change had a significant impact on the 2020-21 outturn, therefore a supplementary budget was required.
9.3 In response to questions about the calculation of the Commission staff annual leave provision, Nia provided assurance that this was not a significant issue but that accounting standards required this provision to be included in the resource accounts.
9.4 The Committee thanked Nia for the update.
Commission's draft Annual Report and Accounts and Governance Statement for 2019-20
ACARAC (02-20) Paper 10 – Draft Annual Report and Accounts
ACARAC (02-20) Paper 10 Annex A – Annual Report narrative (including KPI report)
ACARAC (02-20) Paper 10 Annex B – draft Statement of Accounts
ACARAC (02-20) Paper 10 Annex C – draft Governance Statement
10.1 Nia outlined the overall approach taken for the 2019-20 draft Annual Report and Accounts. In terms of the Accounts section (Annex B), Nia reported that, despite the current circumstances, the Commission anticipated meeting its underspend targets.
10.2 The Chair thanked Nia for the update on the accounts and invited Arwyn to outline the narrative document (Annex A), suggesting that detailed comments on which should be sent to him after the meeting. Arwyn explained the process for compiling the narrative, thanking colleagues, and in particular Victoria Paris for their considerable efforts to date and noted that contributions from some service areas were to follow.
10.3 Comments from Committee members would be captured separately by the clerking team and would be considered for incorporation into the narrative. A deadline for any further comments would be set due to the tight timescales for production of the final report.
10.4 Suzy referenced Laura McAllister’s report on Assembly Reform and the Committee discussed whether the Annual Report should include reference to the recommendations which had not been taken forward and the steps taken by the Commission to mitigate this. It was agreed that further discussions on this would be held out of committee.
10.5 Committee members and officials discussed the presentation of the KPI around international engagement, specifically whether Committee visits should also be incorporated.
10.6 The Chair thanked officials for the work that had gone into preparing the draft report, noting the high standard throughout.
10.7 The Committee considered the draft Governance Statement and noted that, as this was an early draft, there were gaps where contributions from relevant officials were to follow. The Chair commented on the importance of the document in a governance context and commended officials for work done on it to date.
10.8 Suzy suggested officials consider inserting a footnote within the draft Governance Statement, to provide clarity on references to the Commission’s heads of service.
· (10.3) Kathryn to capture and share comments provided on the narrative of the Annual Report and the Governance Statement
· (10.3) Bob to advise on timings for further comments to be provided by Committee members on the narrative of the Annual Report and the Governance Statement
· (10.4) Arwyn to consider how to capture ways in which we have mitigated against not taking forward some recommendations in Laura McAllister’s report
Senior Information Risk Owner (SIRO) Annual Report
ACARAC (02-20) Paper 11 – SIRO Annual Report
11.1 Dave introduced the paper, outlining the challenges faced over the year, mainly relating to continuity of staffing in the area of data protection over the period.
11.2 Dave advised that, despite the challenges, progress had been made in areas such as revising the Data Protection policy. He also praised the work of Nisha Jadva, the temporary Data Protection Officer in engaging well with service areas across the organisation and with Assembly Members’ support staff to further enhance awareness. He added that the need for ongoing, additional resilience in this area had been recognised.
11.3 In response to questions from Chair about the management of Subject Access Requests (SARs), Dave explained the challenges faced by the Commission in dealing effectively with the increasing volume and complicated nature of the requests. He added that, whilst there were clear processes for handling SARs these would be kept under review.
11.4 In the context of data risk management, Ann highlighted the need to consider how external forces could impact on the organisation and not to be driven just by process. Dave advised that this was already being taken into account as part of Executive Board horizon scanning discussions in this area.
11.5 Dave also highlighted several organisation-wide software changes which had taken place, including migrating to Sharepoint and Office 365, as well as the introduction of Microsoft Teams, each bringing challenges from an information governance perspective.
11.6 Sharepoint was due for rollout to Assembly Members and Suzy asked for an update on plans for migrating information and the protective marking scheme. Dave informed the Committee of the ongoing work to ensure the platforms used worked for both the Commission and Assembly Members and acknowledged the balance to be struck between protection of information and supporting the ability of Assembly Members to engage effectively with the public.
11.7 In response to a question from Aled around archiving and specifically on collaborating with the National Library of Wales, Dave agreed to provide an update.
11.8 Committee members were content with the paper and thanked Dave for the update.
· (11.2) Dave to share revised Data Protection Policy with Committee members
· (11.5) Dave to discuss with Aled the Commission’s approach to archiving, in particular any future plans to work with National Library of Wales
Assembly Reform - Name Change
ACARAC (02-20) Paper 12 – Name Change External Engagement - as previously circulated out of committee
12.1 This was considered under Item 2.
Items circulated out of committee before meeting
12.1 The Chair invited comments on papers circulated out of committee:
· Corporate Risks Report (CRR);
· Departure Summary; and
· Forward Work Programme
12.2 No comments were received.
Next meeting is scheduled for 15 June 2020.