Agenda item
G&A update report (inc. progress on IA activity)
- Meeting of Senedd Commission Audit and Risk Assurance Committee, Monday, 13 February 2023 10.00 (Item 3.)
Minutes:
ARAC (23-01) Paper 3 – G&A update report
3.1 Gareth Watts provided an update on audit and wider
governance activity. He thanked Kathryn Hughes for her work on managing the
process for gathering assurances from across the Commission to feed into the
2022-23 Governance Statement. This had involved adapting the approach to
assurance mapping in line with emerging best practice. Directors had reviewed
the service-level assurance statements and Directorate statements had been
submitted to Manon for review. Aled and Bob would be providing independent
challenge on the Directors’ Assurance Statements at an Executive Board meeting
scheduled for 13 March.
3.2 Gareth had presented his findings from the Effectiveness
Review of the Independent Remuneration Board to the Board at a meeting on 2
February. The report was due to be published by the Board in April. He was also
working on a review of Executive Board (EB) Effectiveness. An initial desktop
analysis had been carried out by Kathryn Hughes and Victoria Paris and Gareth
would be engaging with EB members and relevant stakeholders.
3.3 The audit of Key Financial Controls had been completed
in advance of the departure of the outgoing Director of Finance and Head of
Finance. The report had been shared with the Chair and would be shared with
Committee members. Gareth was also finalising a follow-up report on lessons
learned from Covid-19.
3.4 Victoria and Gareth had met with Haines Watts to scope
out audits on business continuity and cyber security which would commence in
March. Work had commenced on the 2023-24
internal audit plan with discussions held with colleagues and Haines Watts.
Gareth was pleased to report that he had been approached about a potential
audit in the Business Directorate which he would discuss with relevant EB
members.
3.5 Finally, Gareth informed the Committee that he had been supporting the Finance team to ensure the year-end audit was as smooth as possible. He would provide audit challenge and a review of the process following a dry run audit at month 10.
3.6 Officials responded to a number of observations and questions raised by Committee members, as follows:
i. Gareth agreed to share a link to the report on the Effectiveness Review of the Independent Remuneration Board when published and the Committee would discuss the recommendations at a future date.
ii. Gareth confirmed that Haines Watts, the co-sourced internal audit partner, had carried out the audit on key financial controls and would be carrying out the forthcoming audits on business continuity and cyber-security.
iii. Gareth would circulate his follow-up report on lessons learned from Covid-19 to Committee members as a matter of course. It would also be shared with the Remuneration Committee for information.
iv. Gareth explained the reason for delaying the review of the People Strategy. This was to ensure it was properly aligned with the work relating to the people element of the Ways of Working programme and to eliminate duplication. Ed Williams confirmed that the new strategy should be in place by the end of the calendar year, noting this was a significant piece of work linked to the Resourcing Framework and the Ways of Working programme.
v. Gareth and Arwyn provided assurance that the management of cyber-security risks remained in sharp focus and outlined the current mitigation in place. This included constant horizon scanning, membership of national and local networks, links with the National Cyber Security Centre (NCSC), investment in a Security Operations Centre and the ongoing recruitment of an additional team member. An internal audit review of cyber-security was also conducted annually, focusing on specific elements each year. Gareth agreed to share details of past audit reviews with the new Committee members, along with recent Cyber Security Assurance Reports.
3.7 Ken Skates also suggested that, following a recent
cyber-attack on a Member of Parliament, a reminder should be sent to Members of
the Senedd on the importance of remaining vigilant to the threat of such
attacks. Arwyn agreed to take this forward with the ICT team.
Actions
· Share a link to the report on the Effectiveness Review of the Independent Remuneration Board when published.
· Share report on the audit of Key Financial Controls with ARAC members.
· Provide a note for Members of the Senedd reminding them of the need for vigilance following the recent cyber-attack on a Member of Parliament.