Agenda item

ARAC (23-01) Paper 3 – G&A update report 

3.1 Gareth Watts provided an update on audit and wider governance activity. He thanked Kathryn Hughes for her work on managing the process for gathering assurances from across the Commission to feed into the 2022-23 Governance Statement. This had involved adapting the approach to assurance mapping in line with emerging best practice. Directors had reviewed the service-level assurance statements and Directorate statements had been submitted to Manon for review. Aled and Bob would be providing independent challenge on the Directors’ Assurance Statements at an Executive Board meeting scheduled for 13 March.

3.2 Gareth had presented his findings from the Effectiveness Review of the Independent Remuneration Board to the Board at a meeting on 2 February. The report was due to be published by the Board in April. He was also working on a review of Executive Board (EB) Effectiveness. An initial desktop analysis had been carried out by Kathryn Hughes and Victoria Paris and Gareth would be engaging with EB members and relevant stakeholders. 
 

3.3 The audit of Key Financial Controls had been completed in advance of the departure of the outgoing Director of Finance and Head of Finance. The report had been shared with the Chair and would be shared with Committee members. Gareth was also finalising a follow-up report on lessons learned from Covid-19.
      

3.4 Victoria and Gareth had met with Haines Watts to scope out audits on business continuity and cyber security which would commence in March.  Work had commenced on the 2023-24 internal audit plan with discussions held with colleagues and Haines Watts. Gareth was pleased to report that he had been approached about a potential audit in the Business Directorate which he would discuss with relevant EB members.
  

3.5 Finally, Gareth informed the Committee that he had been supporting the Finance team to ensure the year-end audit was as smooth as possible. He would provide audit challenge and a review of the process following a dry run audit at month 10.

3.6 Officials responded to a number of observations and questions raised by Committee members, as follows:

i.             Gareth agreed to share a link to the report on the Effectiveness Review of the Independent Remuneration Board report when published and the Committee would discuss the recommendations at a future date.

ii.            Gareth confirmed that Haines Watts, the co-sourced internal audit partner, had carried out the audit on key financial controls and would be carrying out the forthcoming audits on business continuity and cyber-security.

iii.          Gareth would circulate his follow-up report on lessons learned from Covid-19 to Committee members as a matter of course. It would also be shared with the Remuneration Committee for information.

iv.          Gareth explained the reason for delaying the review of the People Strategy. This was to ensure it was properly aligned with the work relating to the people element of the Ways of Working programme and to eliminate duplication. Ed Williams confirmed that the new strategy should be in place by the end of the calendar year, noting this was a significant piece of work linked to the Resourcing Framework and the Ways of Working programme. 

v.            Gareth and Arwyn provided assurance that the management of cyber-security risks remained in sharp focus and outlined the current mitigation in place. This included constant horizon scanning, membership of national and local networks, links with the National Cyber Security Centre (NCSC), investment in a Security Operations Centre and the ongoing recruitment of an additional team member. An internal audit review of cyber-security was also conducted annually, focusing on specific elements each year. Gareth agreed to share details of past audit reviews with the new Committee members, along with recent Cyber Security Assurance Reports.

3.7 Ken Skates also suggested that, following a recent cyber-attack on a Member of Parliament, a reminder should be sent to Members of the Senedd on the importance of remaining vigilant to the threat of such attacks. Arwyn agreed to take this forward with the ICT team.  

Actions

·         Share a link to the report on the Effectiveness Review of the Independent Remuneration Board when published.

·         Share report on the audit of Key Financial Controls with ARAC members.

·         Provide a note for Members of the Senedd reminding them of the need for vigilance following the recent cyber-attack on a Member of Parliament.