
Meetings

Internal Audit reports

This page gives details of any meetings held which will, or did, discuss the matter, and includes links to the relevant Papers, Agendas and Minutes.

Note: Meeting agendas can change at short notice, particularly where future meeting dates are indicated more than a week in advance. Please check before planning to attend a Committee Meeting that the item you are interested in has not been moved.

Meeting: 20/01/2020 - Assembly Commission Audit and Risk Assurance Committee (Item 4.)

Consider the proposed Internal Audit strategy

Supporting documents:

  • Restricted enclosure 2

Meeting: 21/10/2019 - Assembly Commission Audit and Risk Assurance Committee (Item 5.)

Consider latest Internal Audit reports

Supporting documents:

  • Restricted enclosure 4

Meeting: 21/10/2019 - Assembly Commission Audit and Risk Assurance Committee (Item 6.)

Review HMT/other guidance for Audit and Risk Assurance Committees (Chair and Head of Internal Audit)


Meeting: 17/06/2019 - Assembly Commission Audit and Risk Assurance Committee (Item 6)

Latest Internal Audit Report/Previously circulated Internal Audit Report

Supporting documents:

  • Restricted enclosure 7
  • Restricted enclosure 8

Minutes:

ACARAC (03-19) Paper 6 – Cyber-security 2019
ACARAC (03-19) Paper 7 – Assembly Members’ Expenses 2019

6.1        The Committee agreed to consider the cyber-security audit report under item 9 together with the corporate risk.

6.2        Gareth introduced the report on Assembly Members’ Expenses and invited comments from Committee members. All previous recommendations had been implemented and there was one minor recommendation in this year’s report. Gareth assured the Committee that his findings showed further evidence of improved communication between Assembly Members and Members’ Business Support in relation to their allowances.

6.3        Suzy asked whether, during the course of the audit, any issues had come to Gareth’s attention around the recent Remuneration Board recommendation relating to Assembly Members buying their own equipment. Gareth indicated that there was currently good guidance in place in terms of asset management but would provide further assurance on this issue for next year’s audit.

6.4        The Chair was pleased with the findings of the reports and had been reassured to note that no major issues were identified.


Meeting: 17/06/2019 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Internal Audit Annual Report 2018-19

Supporting documents:

  • Restricted enclosure 11

Minutes:

ACARAC (03-19) Paper 4 – Internal Audit Annual Opinions and Report 2019

4.1        The Committee considered and noted the Internal Audit Opinion and Report presented by Gareth. They were pleased to be updated on Victoria Paris’ progress towards her Certified Internal Auditor (CIA) qualification which would help provide further audit resilience within the Commission.

4.2        Gareth confirmed that the level of assurance had not changed since the previous year but was now described as “Moderate” to bring it into line with the Government Internal Audit Agency (GIAA) model of assurance.


Meeting: 17/06/2019 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Governance & Assurance Update Report

Supporting documents:

  • Restricted enclosure 14

Minutes:

ACARAC (03-19) Paper 3 – Governance & Assurance Update Report June 2019

3.1        Gareth Watts presented his report which provided the Committee with an update on internal audit and other activities undertaken by him and his team. He advised that the 2018-19 audit plan had been completed, highlighted the positive responses from management and that any outstanding recommendations would be followed up throughout the year. The Committee asked to return to the implications for Assembly Commission governance arising from proposals relating to the Electoral Commission at a future meeting.

3.2        In response to questions from Committee members, Gareth advised that there were no unmanageable risks posed by delaying production of data processing agreements between the Assembly Commission and Members until after the 2021 Election. This would also provide the best opportunity to capture the new cohort of Members. Gareth assured Committee members that this was in line with other UK parliaments.

Actions

·         Implications for the Commission arising from proposals relating to the Electoral Commission to be added to the forward work programme.


Meeting: 17/06/2019 - Assembly Commission Audit and Risk Assurance Committee (Item 5)

Annual Report on Fraud

Supporting documents:

  • Restricted enclosure 17

Minutes:

ACARAC (03-19) Paper 5 – Annual Report on Fraud 2019

5.1        Gareth presented the Annual Report on Fraud. Committee members were content with the assurance provided by the report. They were pleased that Gareth and Nia had continued to be in regular contact with officials from the Wales Audit Office and the Government’s Internal Audit Agency, receiving the latest information on current scams and fraudulent activity across the UK.

5.2        Suzy noted that in relation to the internal audit on Assembly Member expenses, Members were being challenged consistently on their expenditure by Members’ Business Support. The Committee noted that controls were tight and that rules and procedures appeared well understood.

5.3        The Chair acknowledged the difficulty some public sector organisations have in managing fraud as a risk but had been pleased to see the assurance provided by the report.


Meeting: 25/03/2019 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Update Report

Supporting documents:

  • Restricted enclosure 20

Minutes:

ACARAC (02-19) Paper 3 – update report

3.1        Gareth Watts presented his update report which provided the Committee with a flavour of his activities above and beyond internal audit work. 


Meeting: 25/03/2019 - Assembly Commission Audit and Risk Assurance Committee (Item 5)

Internal Audit Charter and Internal Audit's Compliance with Public Sector Internal Audit Standard (PSIAS)

Supporting documents:

  • Restricted enclosure 23
  • Restricted enclosure 24

Minutes:

ACARAC (02-19) Paper 5 – Internal Audit Charter

3.10     Gareth advised that there had been no updates to the Internal Audit Charter or the Public Sector Internal Audit Standards (PSIAS).  He also confirmed continued compliance with PSIAS and that the next External Quality Assessment (EQA) was due by April 2022.  

 


Meeting: 25/03/2019 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Internal Audit Plan 2019-20

Supporting documents:

  • Restricted enclosure 27

Minutes:

ACARAC (02-19) Paper 4 – Internal Audit Plan 2019-20

3.1        Due to this meeting being so soon after the February meeting, there were no internal audit reports to present.  Any reports approved before the June meeting would be shared with the Committee in advance.

3.2        Gareth confirmed that he was covering the role of designated Data Protection Officer for the Commission and explained the arrangement that had been put in place with the office of the Public Services Ombudsman for Wales to provide cover for the data protection and GDPR function during a period of maternity leave.

3.3        Gareth had also been involved in discussions with the Electoral Commission around proposed changes to governance arrangements contained in the Senedd and Elections (Wales) Bill.  He agreed to provide a note of potential implications for the Assembly Commission when more information was available.

3.4        In relation to the review of procurement, Committee members discussed how the Commission could better engage with small Welsh suppliers.  One member of the Committee advised of attendance at a meeting with the local Chambers of Commerce where this issue had been discussed.  Dave Tosh agreed to discuss with Ann Beynon and Jan Koziel (Head of Procurement) options to engage with relevant organisations to inform the Commission’s procurement strategy to better understand supply chain barriers to engaging with the public sector.

3.5        The Committee questioned the focus of audit work on the Business Directorate.  Gareth and Siwan Davies had discussed the timing of future audits and the scope of that work, but Siwan was in the process of appointing a Head of Committee Service, who would be responsible for leading this work. 

3.6        The Chair welcomed the opportunity to be involved in discussions with Gareth and Siwan on the terms of reference for the end to end Committee review. 

3.7        Gareth thanked the Committee for their comments and was happy to receive further suggestions about his audit plan by email.  He agreed to share the review of the Leadership Team and Executive Board with the Chair and was happy to re-schedule the sickness absence review to ensure a report was approved in time for the autumn Public Accounts Committee (PAC) scrutiny session.

3.8        Gareth confirmed that his annual report, to be presented in June, would capture any outstanding recommendations.

Actions

      (3.4) Gareth to provide a note of potential implications for Assembly Commission governance arrangements arising from proposals relating to the Electoral Commission contained in the Senedd and Elections (Wales) Bill.  

      (3.5) Dave to discuss with Ann Beynon and Jan Koziel options to engage with relevant organisations to inform the Commission’s procurement strategy to better understand supply chain barriers.

      (3.6) Gareth and Siwan to engage in discussions with Bob on plans for assurance reviews within the Assembly Business Directorate.

      (3.8) Committee members to provide comments to Gareth on the 2019-20 Internal Audit Plan.

      (3.8) Gareth to share his report on the review of Leadership Team and Executive Board with Chair when available.



Meeting: 11/02/2019 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Update Report

Supporting documents:

  • Restricted enclosure 30

Minutes:

ACARAC (01-19) Paper 3 – update report

3.1     Gareth and Dave Tosh had met with the WAO to ensure accurate reflection of the Assembly’s work in their forthcoming report on Welsh public sector’s preparedness for Brexit. Dave briefly described the work in terms of legislation and scenario planning. The Committee asked for an update following a further planning session due to be held later that week.

3.2     Gareth had met with the Head of Procurement to discuss timings of the audit into the Commission’s procurement approach in terms of opportunities for Welsh suppliers to win contracts. It was agreed to delay the audit until the Autumn of 2019 when there would be more evidence on which to evaluate the effectiveness of the approach. In the meantime, a paper was due to be presented to the Commission outlining the approach to engaging Welsh suppliers. Given the potential political and reputational risks, and recent scrutiny of the Welsh Government’s procurement procedures, Gareth agreed to consider and discuss the timings further.

3.3     There were no concerns around implementation of outstanding recommendations and an update would be provided at the next meeting.

3.4     Gareth would be discussing the timing of the audit into integrated committee support with Siwan Davies.

Actions

      (3.1) Siwan Davies to share the update report on follow-up Brexit meetings with the Committee.

      (3.2) Gareth to consider and further discuss the timing of the procurement audit.

      (3.3) Gareth to present a report on implementation of recommendations to the March meeting.

 


Meeting: 11/02/2019 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

TIAA internal audit partner and latest Internal Audit reports

Supporting documents:

  • Restricted enclosure 33
  • Restricted enclosure 34
  • Restricted enclosure 35

Minutes:

Oral item - TIAA internal audit partner

4.1     The Committee welcomed Clive Fitzgerald from TIAA, the Commission’s co-sourced internal audit partner, to the meeting. For the benefit of the new Committee members, Clive provided some background to the company, which was the largest independent provider of internal audit, business assurance and counter-fraud in the country, covering a wide range of public sector organisations. Gareth described how the co-sourced arrangement works in practice, bringing in specific expertise and knowledge and protecting the independence of the internal audit function. 

ACARAC (01-19) Paper 4 - Scheme of Delegation

4.2     The Committee commented that the substantial assurance was a positive reflection on the work of the Finance Team’s engagement with budget holders and the maturity of the scheme of delegation. In response to questions around the levels of delegation, Nia Morgan described the increased sense of ownership and interest in budget management, partly as a result of allowing budget holders to set appropriate delegations in their areas.

ACARAC (01-19) Paper 5 - GDPR Compliance Follow Up

4.3     The Committee welcomed this follow-up review of assurances around GDPR compliance. Dave advised that a revised Data Protection Policy had been approved by Executive Board, and that an electronic staff training package would be ready for delivery in the coming weeks. This had been developed in-house as there was nothing commercially available which was suitable. The Commission agreed to consider how best to evidence receipt of this training.

4.4     The Commission were considering options for appointing a temporary Data Protection Officer to cover for maternity leave.  Team resilience would be increased by training another member of staff.

4.5     The practical issues around data protection agreements for elected members were being discussed further at an inter-parliamentary forum at the end of February and this could inform decisions around the Commission’s approach.

4.6     The Committee discussed testing the security of sensitive personal information held by the Commission and the role and importance of the Information Asset Registers and Registers of Personal Data. It was noted that the move to SharePoint as a document management system would provide further mitigation for information-related risks and that the forthcoming review of cyber-security would help to test the controls. It was agreed that Dave and Bob should consider this further.

4.7     Committee members asked for GDPR compliance to be reviewed at a future meeting.

4.8     The Committee asked for the issue of the data protection agreement with the HR/Payroll system provider to be re-visited, and suggested keeping the ICO informed.

ACARAC (01-19) Paper 6 – Payroll

4.9     The Committee asked for assurance that the recommendations from the previous audit had been implemented effectively. Gareth explained that the focus for this review was around the systems in place whereas the previous review had focused on data analytics for which assurance is provided from the routine and thorough reviews by the WAO when auditing the accounts. The effectiveness of data analytics was also discussed regularly at inter-parliamentary meetings. He also reported that inefficiencies around manual ...


Meeting: 26/11/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 6)

Review HMT/other guidance for Audit and Risk Assurance Committees (Chair and Head of Internal Audit)

Minutes:

Oral item

7.1        The HM Treasury audit and risk assurance committee handbook published in March 2016 remained the most up to date version.  The Clerking team confirmed that the terms of reference and forward work programme were based on the latest version of the handbook.  The Chair remained a member of the WAO Committee Chairs forum and encouraged the future Committee chair to become involved next year. He would share the latest WAO ARAC Chairs Forum papers with Committee members and officials.  He also highlighted NAO guidance for digital transformation programmes, challenging costs in major projects and excellence in reporting.            

7.2     Gareth Watts had previously shared National Audit Office, CIPFA and TIAA updates with Committee members and welcomed questions on the information circulated.     

7.3     Committee members asked if the WAO had any examples of good practice to share with the Committee.  Gareth Lucey described a Good Practice hub on the WAO website for public sector organisations and charities.  The Clerking team would ensure a link was circulated.    

Action

      Eric Gregory to circulate latest WAO ARAC Chairs Forum papers to Committee members and officials (complete). 

 


Meeting: 26/11/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 5)

Consider latest Internal Audit reports and Previously circulated IA Report(s)

Supporting documents:

  • Restricted enclosure 40
  • Restricted enclosure 41
  • Restricted enclosure 42

Minutes:

ACARAC (05-18) Paper 4 – Events review (Moderate Assurance)

5.1        The Committee welcomed this report.  The review was initiated by changes to the booking system and to the structure of the team. 

5.2     Manon Antoniazzi described the booking system that had been in place for over a year and the on-going need to communicate and engage with Assembly Members.

Action

      Gareth to circulate the action plan for communications and benefits realisation. 

ACARAC (05-18) Paper 5 – Risk Management (Substantial Assurance)

5.3     The Committee were encouraged by the result of this audit and paid tribute to Kathryn Hughes and Jane Legge for their work in developing the system. 

5.4     The Chair confirmed that the Commission had demonstrated increasing risk management maturity during his tenure, and that he was encouraged by the risk management forums and networks in place and the involvement of staff at all levels. 

5.5     Members questioned the roll-out of the new risk management system, the training involved and how effective the risk forum was in terms of engagement, especially if risk champions were absent from the meeting.  Gareth and Kathryn described the training involved which included a full refresh of risk management for all heads of service and risk champions.  They agreed that risk champions should be encouraged to attend, but felt that the forum was established and robust enough to cope with a fluctuating membership.  Forum minutes were circulated to Heads of Service and published internally which Kathryn felt kept those involved updated.      

5.6     The Committee queried the absence of issue management reporting.  This was in development and would be presented by Dave at the February meeting.   

Action

      Dave Tosh to present the Committee with an issue management log. 

ACARAC (05-18) Paper 6 – Assurance Framework (Advisory Review, no assurance opinion)

6.1     The Committee welcomed the positive review.  They suggested that a process flowchart would have helped clarify the report, and that third line assurance should include the Independent Adviser review of directorate governance statements.

 


Meeting: 26/11/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Internal Audit Update Report

Supporting documents:

  • Restricted enclosure 45

Minutes:

ACARAC (05-18) Paper 3 – update report

4.1        Gareth Watts presented his latest summary of the Governance and Assurance team’s work.  He referenced a GDPR training course attended by the Data Protection Officer, the CIPFA Better Governance Forum conference attended by the Governance Manager and further professional development of the trainee internal auditor.

4.2     Gareth had discussed those elements within his plan which were of most interest to the WAO, in particular regarding the financial statements. He would continue to liaise with the WAO to ensure mutual support in accordance with their joint working protocol.    

4.3     When questioned by the Committee on the use of TIAA, Gareth explained that as Head of Governance and Assurance, when areas within his responsibility were audited, a provision in the Internal Audit Charter stated that these audits had to be outsourced to ensure neutrality.  He would update the new Committee members regarding TIAA and invite a representative to the February meeting.     

4.4     He confirmed that there were no outstanding recommendations from 2016-17.

Action

     Gareth to provide the new Committee members with further information about TIAA and to invite a representative to the February meeting.

 


Meeting: 18/06/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 8)

Latest Internal Audit Reports - Assembly Members' Allowances Audit Report

Supporting documents:

  • Restricted enclosure 48

Meeting: 18/06/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 7)

Internal Audit Fraud Report

Supporting documents:

  • Restricted enclosure 51

Meeting: 18/06/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 6)

Internal Audit Annual Report 2017-18

Supporting documents:

  • Restricted enclosure 54

Meeting: 18/06/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 5)

Internal Audit Update Report

Supporting documents:

  • Restricted enclosure 57

Minutes:

ACARAC (03-18) Paper 3 – IA update report

Item 4 - Internal Audit Annual Report 2017-18

ACARAC (03-18) Paper 4 – Internal Audit Annual Report and Opinion 2017-18

Item 5 - Internal Audit Fraud Report

ACARAC (03-18) Paper 5 – Internal Audit Fraud Report

Item 6 - Latest Internal Audit Report

ACARAC (03-18) Paper 6 – Assembly Members’ Allowances Audit Report

5.1        Gareth Watts presented these four items to the Committee. His update report was noted and he outlined that his Annual Report provided an overall opinion for 2017-18 that ‘…the framework of governance, risk management and control is adequate and effective’ which was in line with the Public Sector Internal Audit Standards (PSIAS) descriptions. 

5.2     Gareth highlighted areas where his work had added value to the organisation, for example: establishing prioritisation criteria; review of the Investment and Resourcing Board which had resulted in changes to the governance structure; and the Capacity Review. He added that there was good general recognition of Internal Audit’s advisory role.

5.3     Gareth also informed the Committee of a trainee auditor within the Governance and Assurance team who should be qualified by the end of the year. This was welcomed by the Committee as necessary support for Gareth alongside the TIAA contract. In response to questions about approval of the work produced by TIAA, Gareth explained that, as the contract manager, he carried out quality assurance of all reports produced by TIAA. He added that Dave would sign off audits of areas within his remit, such as risk management and information governance.

5.4     The Committee commended the completion of all the recommendations by management, including the recommendations in relation to the audit on Key Financial Controls, which had been implemented before the report was presented to the Committee.

5.5     The Committee encouraged Gareth to place additional focus on the Business Directorate in future years and continue to ensure that his audit programme and independence was not compromised. 

5.6     Both Gareth and Dave provided assurance to the Committee by describing how, as outlined in the Internal Audit Charter update previously presented, independence was safeguarded. Dave added that during their weekly catch-ups Gareth’s work was discussed at length to ensure that there was no conflict of interest and that his independence was protected.     

5.7     Regarding the Annual Report on Fraud, Gareth confirmed that the report covered third party contractors and online card systems. During 2017-18 there were no reported cases of fraudulent activity brought to Gareth’s attention.

5.8     Subsequent to the implementation of the procurement card online system, and following the Key Financial Controls audit, Nia continued to ensure that Heads of Service approved purchases made using the cards to minimise any delays.  

5.9     Gareth’s final item was the Assembly Members’ Allowances audit report. His assurance rating was moderate, with all four recommendations being agreed. He was assured that the Members’ Business Support (MBS) team were following the correct processes and procedures, and the identified duplicate payments (made by human error) were ...


Meeting: 23/04/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 15)

Update from attendance at TIAA Audit Chairs Conference

Supporting documents:

  • Restricted enclosure 60
  • Restricted enclosure 61

Minutes:

Oral Item

15.1     This item was deferred until the July meeting.

Action

Update on the role of Audit and Risk Assurance Committees and Internal Audit, including feedback from the TIAA Chairs Conference, to be added to the July agenda.

 


Meeting: 23/04/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 14)

Review the Internal Audit Charter and Internal Audit's compliance with Public Sector Internal Audit Standard (PSIAS)

Supporting documents:

  • Restricted enclosure 64
  • Restricted enclosure 65

Minutes:

ACARAC (02-18) Paper 15 – Internal Audit Charter cover paper

ACARAC (02-18) Paper 15 – Internal Audit Charter

14.1    The Committee noted the minor changes to the Internal Audit Charter which had been updated in accordance with PSIAS, and approved the Charter for 2018-19.    


Meeting: 23/04/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 12)

Consider Internal Audit's outline audit plan for 2018-19

Supporting documents:

  • Restricted enclosure 68

Minutes:

ACARAC (02-18) Paper 10 – Internal Audit Plan 2018-19

12.1     The Committee approved the audit plan for 2018-19.

 


Meeting: 23/04/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 13)

Latest Internal Audit Report and previously circulated reports

Supporting documents:

  • Restricted enclosure 71
  • Restricted enclosure 72
  • Restricted enclosure 73

Minutes:

ACARAC (02-18) Paper 11 – Cyber Security

Previously circulated IA Reports

ACARAC (02-18) Paper 12 – AMs’ Pension Scheme

ACARAC (02-18) Paper 13 – GDPR

ACARAC (02-18) Paper 14 – Security Assurance Review

13.1     The Committee had discussed ACARAC (02-18) Paper 11 – Cyber Security under agenda item 3. The Committee noted the papers that had been previously circulated and agreed to discuss feedback with Gareth in the private session which followed this meeting.   

 


Meeting: 23/04/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 11)

Internal Audit External Quality Assurance (EQA)

Supporting documents:

  • Restricted enclosure 76
  • Restricted enclosure 77

Minutes:

ACARAC (02-18) Paper 9 – EQA cover paper

ACARAC (02-18) Paper – progress of EQA action plan

11.1     The Committee noted the good progress made against the recommendations raised in the 2017 report.

 


Meeting: 23/04/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 10)

Internal Audit Update Report

Supporting documents:

  • Restricted enclosure 80

Minutes:

ACARAC (02-18) Paper 8 – IA update report

10.1     Gareth introduced his update report. He highlighted the progress made since the February meeting, which included the completion of four internal audit reports. His additional commitments during 2017-18 meant that some internal audit work remained outstanding. He congratulated Victoria Paris, who had recently passed Part 1 of the Certified Internal Audit qualification.

10.2     The Committee was content with the report and recognised the additional work Gareth has been involved in over the past year. They questioned whether, given Gareth’s additional workload, the Commission could make more use of TIAA. Gareth acknowledged that there remains flexibility in the contract for this, and highlighted the increase in resilience and in-house capacity for internal audit which was also being introduced by training Victoria. He confirmed that he was still in a position to present an annual opinion at the June 2018 meeting. He committed to keep the capacity and resourcing of internal audit activity under review.

 


Meeting: 05/02/2018 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Activity Report

Supporting documents:

  • Restricted enclosure 83

Minutes:

ACARAC (01-18) Paper 3 – IA progress report and monitoring recommendations

3.1        The Committee questioned Gareth’s capacity to meet the commitments outlined in his audit plan. He confirmed that the revised plan takes account of his work on the Capacity Review and remained on target.  His time had been spent almost exclusively on the Capacity Review since the November meeting and a number of reports would, however, be circulated before the April meeting.

3.2        The Committee questioned the Commission’s preparedness for the General Data Protection Regulation (GDPR) in May 2018. Dave and Gareth believed that the level of engagement and the amount of guidance produced by the Information Governance Manager, as well as the sharing of documentation and practice with other organisations, demonstrated that the Assembly Commission was well prepared.

3.3        The Committee were impressed with, and re-assured by, the Commission’s pro-active approach, particularly the production of guidance for Assembly Members in the absence of guidance for elected representatives from the Information Commissioner’s Office (ICO). They suggested this guidance could be shared with the ICO. They welcomed the forthcoming GDPR - Preparedness Review which was due to take place in February.

3.4        Gareth highlighted that, as well as GDPR, the discussions at the Intra Parliamentary Forum covered Brexit and the related devolution of powers. Committee members agreed that the Commission’s ability to navigate significant risk and related assurances within a political environment was commendable.

3.5        Gareth’s External Quality Assurance (EQA) review of the Northern Ireland Assembly was yet to be arranged. He would present progress against his own EQA action plan at the next meeting.      

Actions

-         Gareth to present progress against his External Quality Assurance action plan at the April meeting.    

 


Meeting: 27/11/2017 - Assembly Commission Audit and Risk Assurance Committee (Item 6)

Review HMT/other guidance for Audit and Risk Assurance Committees

Supporting documents:

  • Restricted enclosure 86

Minutes:

Oral update

ACARAC (05-17) Paper 9 – NAO Guidance – Cyber and Information Security

6.1        Dave provided an update on cyber and information security activity and future plans.  There was currently a focus on raising awareness with Assembly Member Support Staff (AMSS) at Constituency Offices.  Mock phishing exercises on Assembly Commission staff had proved positive in highlighting vulnerabilities and the sharing of information between external organisations that Dave and his colleagues were in contact with was also proving useful.  Further information on testing and recovery procedures was also discussed but due to the nature of the discussion, detailed minutes were not taken.

Actions

-         Dave to share details of existing vulnerabilities and resolution plan with Committee members.

 


Meeting: 27/11/2017 - Assembly Commission Audit and Risk Assurance Committee (Item 5)

Latest Internal Audit Report

Supporting documents:

  • Restricted enclosure 89
  • Restricted enclosure 90
  • Restricted enclosure 91
  • Restricted enclosure 92

Minutes:

ACARAC (05-17) Paper 5 – New Finance System Controls

Reports/updates circulated out of committee

ACARAC (05-17) Paper 6 – Review of Committee Integrated Teams

ACARAC (05-17) Paper 7 – Internal Audit Recommendations – MBS Follow up report

ACARAC (05-17) Paper 8 – Fraud Prevention and Detection

5.1        All four audit reports were noted and Gareth had responded to the points raised by the Committee on the pre-circulated reports. The Committee were very impressed with the turnaround of the recommendations in the report on the Finance System Controls.

5.2        Nia was bitterly disappointed with the Limited Assurance rating, especially when compared to the Strong rating given last time. She assured the Committee that this was not a reflection of her team or the new system in place and there had been no deterioration in services.  Recommendations concerning the documenting of tasks had been tightened, as had the process of monitoring the time taken to approve credit card purchases.  Nia would now see a list of outstanding actions on a monthly basis to ensure the level never rose to that identified by the audit.  An exercise to review the usage and number of credit cards was scheduled for December. 

5.3        The Committee also noted and discussed the responses to recommendations in the Review of Committee Integrated Teams, in particular the acceptance and timeliness of their implementation.

 


Meeting: 27/11/2017 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Internal Audit Activity Report

Supporting documents:

  • Restricted enclosure 95

Minutes:

ACARAC (05-17) Paper 4 – IA progress report and monitoring recommendations

4.1        Gareth presented his activity report and update on recommendations.  The Capacity Review was consuming much of Gareth’s time and changes to his 2017-18 audit plan may be necessary as a result.  The Committee noted the plan to defer the audit on change management.  

 


Meeting: 19/06/2017 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Latest Internal Audit Reports

Supporting documents:

  • Restricted enclosure 98
  • Restricted enclosure 99

Minutes:

ACARAC (03-17) Paper 5 – Assembly Members’ Allowances Audit Report

ACARAC (03-17) Paper 6 – Advisory Internal Audit Report on GDPR (TIAA)

4.1        Gareth presented two audit reports, both of which were welcomed by the Committee.

4.2        In relation to the audit of Assembly Members’ Allowances, Gareth reported that strong control procedures were in place for AMs’ expenses claims.  He also advised that the introduction of formal delegations of authority to office managers to submit claims on behalf of AMs had improved efficiency.  Suzy Davies confirmed that, despite this delegated authority, AMs fully understood their accountability for expenses claimed.

4.3        As well as testing resettlement grants paid to outgoing AMs and redundancy payments to outgoing AM support staff following the 2016 election, Gareth also tested staff recruitment processes.  Management had accepted all three of his recommendations.

4.4        In relation to the General Data Protection Regulation advisory audit, Gareth advised that assurance could be taken from the minor nature of the recommendations, which demonstrated the significant amount of preparatory work carried out by the Commission.  He also referred to a working group which had been established and a high level action plan which was being closely monitored by Alison Bond, the Commission’s Information Governance Manager.  Committee members commended the comprehensive action plan which had been circulated.

4.5        Dave mentioned that, like other legislatures and organisations, they were awaiting further detailed guidance from the Information Commissioner’s Office, which was due in the autumn. Once this guidance was produced, the action plan would be reviewed and would include a focus on advising Assembly Members as data controllers.     

4.6        The Committee were impressed and encouraged by the amount of preparation and the outcome of the advisory report, but urged officials not to be complacent.  It was agreed that AMs and their staff should be reminded of their obligations under the current data protection legislation as well as any future changes.          

Action

-         Gareth to provide an update on recommendations of Assembly Members’ Allowances Audit report at the autumn meeting.

 


Meeting: 19/06/2017 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Update Report

Supporting documents:

  • Restricted enclosure 102
  • Restricted enclosure 103

Minutes:

ACARAC (03-17) Paper 3 – IA update report 

ACARAC (03-17) Paper 4 – PSIAS report 

3.1     Gareth Watts introduced his update report. Fieldwork had begun on the Integrated Committees audit which cut across six different service areas.  Due to the scale of this audit, Gareth advised the Committee that this work was not likely to be completed until the autumn.

3.2     The Committee welcomed Gareth’s Public Sector Internal Audit Standards (PSIAS) report, which was presented to apprise the Committee of the most recent changes to the standards. Gareth assured the Committee that no changes were required to the Commission’s processes.

3.3     Gareth advised that he would shortly be able to share the outcome of the tender exercise which had recently been completed for the Internal Audit contract.           

3.4     The Committee noted the final External Quality Assessment report, which had been circulated out of committee. When questioned, Dave Tosh, as Director of Resources, confirmed he was satisfied with the assurances. Gareth confirmed that this assessment was based on the previous version of the PSIAS and that future assessments would be based on the revised version.

3.5     The Committee congratulated Nia Morgan and her team on the successful migration of data to the new finance system.  Nia expressed her thanks to her team for their hard work during the implementation of this project, especially considering the year-end obligations and reduced resources.       

Action

-         Gareth Watts to share conclusion of Internal Audit tender exercise with ACARAC members by email. 

 


Meeting: 19/06/2017 - Assembly Commission Audit and Risk Assurance Committee (Item 6)

Internal Audit Annual Report

Supporting documents:

  • Restricted enclosure 106

Minutes:

ACARAC (03-17) Paper 10 – Internal Audit Annual Report and Opinion 2016-17

6.1     The Committee approved Gareth’s annual report, which recognised that ‘…generally adequate and effective risk management, control and governance processes were in place…’, and congratulated him on his work and the continued contribution internal audit had made to providing assurance.  They particularly welcomed the focus on the impact and outcomes of the audit work and encouraged further focus on this in future reports. They were also encouraged to hear that a team member was due to commence internal audit training to further support his work.

 


Meeting: 19/06/2017 - Assembly Commission Audit and Risk Assurance Committee (Item 5)

Consider any comments following report circulated out of committee

Supporting documents:

  • Restricted enclosure 109
  • Restricted enclosure 110
  • Restricted enclosure 111

Minutes:

ACARAC (03-17) Paper 7 – Report on IRB Review

ACARAC (03-17) Paper 8 – Update on IRB Review

ACARAC (03-17) Paper 9 – Review of Closing Balances (data migration from CODA to NAV)

5.1     The Committee welcomed all three reports, on which they had shared comments with Gareth outside of the meeting. 

5.2     Discussion focused on the functions and responsibilities of the Commission’s Management Board and Investment and Resources Board (IRB).  Manon advised that she and the Directors were about to review the membership and roles of each board to ensure that they remained fit for purpose and to provide clarity on decision-making responsibilities and processes.

5.3     In response to questions about the level of challenge for IRB decisions, Dave referred to the amount of challenge that took place before proposals were presented to the board which the Committee thought could be clarified.  Manon agreed to consider alternative methods of communicating IRB decisions more widely, including with Commissioners, and would share the results of the review of governance structures after an away day.   

5.4     The Committee welcomed this positive review and the agreed actions and welcomed the proactive way in which external scrutiny was invited.  

Actions

-         Manon to consider methods of communicating IRB decisions more widely.

-         Manon to share results of review of governance structures post IRB away-day.

 


Meeting: 20/03/2017 - Assembly Commission Audit and Risk Assurance Committee (Item 6)

Review the Internal Audit Charter and Internal Audit's compliance with Public Sector Internal Audit Standard (PSIAS)

Supporting documents:

  • Restricted enclosure 114
  • Restricted enclosure 115
  • Restricted enclosure 116

Minutes:

ACARAC (02-17) Paper 7 – Internal Audit Charter cover paper

ACARAC (02-17) Paper 7 – Internal Audit Charter

ACARAC (02-17) Paper 8 – EQA Interim Report

6.1     The Committee noted the revised Internal Audit Charter for 2017-18 and welcomed the interim External Quality Assessment Report, produced by Andrew Munro, Head of Internal Audit at the Scottish Parliament. The report concluded that the internal audit service generally conforms to internal auditing standards as set out by, and in accordance with, HM Treasury’s Internal Audit Quality Assessment Framework. The Committee congratulated Gareth on such a positive result and requested the final report be circulated out of committee.

Action

-         Gareth to circulate the EQA Final Report to Committee members.

 


Meeting: 20/03/2017 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Latest Internal Audit Report

Supporting documents:

  • Restricted enclosure 119
  • Restricted enclosure 120

Minutes:

ACARAC (02-17) Paper 4 – Data Analytics (Payroll) review

ACARAC (02-17) Paper 5 – Project Management

4.1        Gareth presented two audit reports, both of which were welcomed by the Committee.

4.2     The Data Analytics review demonstrated the integrity and robustness of the payroll data and had indicated no evidence of any fraudulent behaviour. The Committee questioned the validation necessary to prove the integrity of the data within the HR/Payroll system. Gareth assured the Committee that data was thoroughly checked and exception reporting took place where necessary. He then described some of the reporting functions of the new finance system which included contract spend analytics.     

4.3     Gareth introduced his second report on the review of the Commission’s approach to project management where four recommendations had been identified and agreed by management.

4.4     Given the challenges that lay ahead for the Commission to deliver an ambitious set of objectives, the Committee encouraged officials to develop clear criteria for prioritising projects, and to focus on benefits realisation.

4.5     The Committee again questioned the lack of project progress reporting within the Corporate Performance (KPI) Report. Dave agreed to consider including the Directors’ updates on progress of projects, which were provided quarterly to IRB, as annexes to future KPI Reports. 

4.6     Dave was pleased to see real progress since Gareth’s previous review in 2015. He described the process in place at the fortnightly IRB meetings to assess resource and budget implications of projects, as well as how they contributed to achieving the Commission’s strategic goals and priorities. He would take on board the Committee’s suggestion of detailing prioritisation criteria in a more formal manner.

4.7     The Committee questioned the scrutiny of business cases and officials recognised improvements were needed to capture lessons learned and to monitor benefit realisation. It was agreed that further guidance was needed, including around the development and iterations of business cases. Gareth also agreed to circulate a useful report he had recently found on agile project management methodology to Committee members.

4.8     Officials welcomed the discussion on programme and project management and the Committee welcomed a review of change management principles and processes which was scheduled for September 2017. The current project guidance would be updated and developed collaboratively by members of the Community of Practice and other key stakeholders.   

Actions

Data Analytics (Payroll) audit

-         Gareth to provide the Committee with further information regarding the sample sizes used for data analytics.

Project Management audit

-         Gareth to circulate outcome of IRB review discussion in advance of the June meeting.

-         Dave to consider prioritisation criteria for projects.

-         Dave to consider inclusion of IRB ‘Directors updates’ as annexes to the KPI Report. 

-         Gareth to circulate report on agile project management methodology.

 


Meeting: 20/03/2017 - Assembly Commission Audit and Risk Assurance Committee (Item 5)

Consider Internal Audit's outline audit plan for 2017-18

Supporting documents:

  • Restricted enclosure 123

Minutes:

ACARAC (02-17) Paper 6 – Internal Audit Plan 2017-18

5.1        The Committee approved Gareth’s audit plan for 2017-18.  Gareth assured the Committee that his key areas of focus were in line with the Commission’s corporate risks. The Committee questioned whether there was enough focus on the Assembly Business function as this was where the forthcoming changes would be concentrated. The Committee were satisfied with Gareth’s response around covering the change management elements in the review planned for September 2017, and for flexing his plan to accommodate specific areas of concern during the year.    

5.2        Gareth would be using internal resource to assist him with his review of integrated support for Committees.  He had also added indicative days to the audit plan to ensure the Committee understood his commitments. 

 


Meeting: 20/03/2017 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Update Report

Supporting documents:

  • Restricted enclosure 126

Minutes:

ACARAC (02-17) Paper 3 – IA update report 

3.1     Gareth Watts introduced his update report. He outlined the work being carried out on the audit of Assembly Members’ expenses, the final report on which would be circulated in advance of the June meeting.

3.2     He had also worked with officials to scope the forthcoming audit of integrated support for Assembly Committees and completed a review of the migration of data from the legacy CODA finance system to the new Microsoft Dynamics NAV system. 

3.3     The review he had carried out of the Commission’s Investment and Resourcing Board (IRB) was due to be discussed by the Board on 21 March. Gareth agreed to circulate the report, along with details of the actions agreed by the Board, to the Committee in advance of the June meeting.

3.4     The Internal Audit contract with TIAA would expire in 2017 and Gareth and the procurement team had finalised the specification document to start the tender process. The panel for reviewing tenders consisted of the Head of Internal Audit, the Director of Finance and a Senior Procurement Officer.    

 


Meeting: 06/02/2017 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Activity Report

Supporting documents:

  • Restricted enclosure 129
  • Restricted enclosure 130

Minutes:

Internal Audit 

3.0     Item 3 – Internal Audit Activity Report 

ACARAC (01-17) Paper 3 – IA progress report 

ACARAC (01-17) Paper 4 – IA Monitoring Recommendations  

3.1        The Committee welcomed Gareth’s progress report and monitoring documents.  A Payroll audit had commenced and the final report would be circulated out of committee, as would the IRB review.

3.2        Gareth was scheduled to audit the payments made to Assembly Members (AMs) in terms of resettlement grants, redundancy payments to AM Support Staff, and setting up regional and constituency offices of new AMs following the Fifth Assembly elections.

3.3        Gareth advised that the contract for the co-sourced Internal Audit arrangements would be awarded in June 2017.     

3.4        After some discussion on the scope and sample sizes of the specific audits that Gareth was about to undertake, the Committee suggested that he consider how best to report the outcomes and benefits to the Commission of his audit reports, as well as recommendations that had been rejected by Management.     

Actions 

-         Gareth to circulate recommendations and actions from the review of IRB after consideration by IRB.

-         Gareth to capture the outcomes of recommendations made by audit reviews in future reports.

-         Gareth to include in IA reports recommendations that are not accepted by Management, and the reasons for this.

 


Meeting: 06/02/2017 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Latest Internal Audit reports

Supporting documents:

  • Restricted enclosure 133

Minutes:

4.0       Item 4 – Latest Internal Audit Report  

ACARAC (01-17) Paper 5 – Cyber Security 

4.1           The Cyber Security audit resulted in a ‘needs improvement’ rating.  This was due to the amount of work which was still in progress to improve the Assembly Commission’s arrangements for cyber security.  12 recommendations had been raised to enhance the current arrangement but none of these were High/Critical priority. 

4.2           The Chair felt that this was a thorough report and that the Commission was well-sighted on quickly delivering the recommendations.  He agreed with the Commission’s rejection of one of the recommendations.

4.3           Dave described the work that was taking place on a UK-wide level and confirmed all 12 recommendations would be complete by the end of the 2016-17 financial year.  The appointment of a cyber security network specialist within the ICT team would further strengthen this area, although he recognised the challenges facing the organisation and the importance of raising awareness with Commission staff, AMs and support staff.  Gareth would follow up on the ISO27001:2013 review and continue to meet on a regular basis with the Head of ICT before performing a follow up audit and updating the Committee when appropriate.

4.4           Dave confirmed that cyber security was about to be added to the Commission’s Corporate Risk Register and the Committee questioned whether bringing the ICT function in-house had highlighted historic failings in the security of the network.  Dave confirmed that the transition to in-house ICT services had exposed some vulnerabilities with the outsourced arrangement but the control gained by bringing the services in-house had improved the situation.   


Meeting: 21/11/2016 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Activity Report

Supporting documents:

  • Restricted enclosure 136
  • Restricted enclosure 137

Minutes:

Internal Audit

3.0        Item 3 – Internal Audit Activity Report

ACARAC (05-16) Paper 3 – IA progress report

ACARAC (05-16) Paper 4 – IA Monitoring Recommendations

3.1        Gareth introduced his usual progress update documents which described the areas of focus during 2016-17. He also detailed his Continuous Professional Development including attending an Intra Parliamentary Heads of Internal Audit meeting and other networking opportunities such as meetings with Heads of Internal Audit from other public sector organisations across Wales. 

3.2        The Committee asked how Gareth would approach the re-tendering of the Internal Audit contract, as the contract with TIAA was due to expire in July 2017.  Gareth proposed continuing with a co-sourced arrangement, for which he would expect several tenders but said he would also build resilience within the team with a view to carrying out more in-house reviews. 

3.3        The Chair thanked Gareth for his comprehensive updates and reminded the Committee that Gareth relies on a co-sourced partner to help him deliver the internal audit work. He also expressed his hope that there would be strong competition for the procurement exercise.

3.4        Gareth then explained how he had scoped the audit of Assembly Member expenses which would now be done in-house.  He had discussed the audit with the WAO and with Members’ Business Support, primarily to gain an understanding of their work and the systems in place.  His main focus would be on the resettlement grant and the cost of office set up following the election.  The audit was on track to report to the Committee in April.

3.5        In accordance with Public Sector Internal Audit Standards, on a quinquennial basis the Head of Internal Audit is required to perform an External Quality Assurance (EQA) Review.  At the recent Intra Parliamentary Forum meeting (17 November), Gareth had mentioned the possibility of carrying out this review through reciprocal arrangements with the other legislatures.  He had also taken advice on this from his counterpart in the Welsh Government who was involved in setting the guidelines and standards for such reviews.

3.6        The Committee questioned the impartiality and independence of such an arrangement and Gareth explained it would be based on an initial self-assessment with external validation by one of his counterparts. They suggested that the standard review framework should be adapted to capture how each of the legislatures work differently.  The reviewer should also be adequately qualified to perform the review.

3.7        Claire Clancy assured the Committee that assurance on the external validation would be sought as appropriate. 

3.8        The Committee questioned why the number of high priority recommendations had fallen significantly over the past three years.  Gareth suggested that it was dependent on the subject matter and that in previous years there had been several audits with numerous audit recommendations such as those on Recruitment, Security and the HR-Payroll project. More recently subject areas audited had received more positive audit opinions and hence fewer recommendations. 

3.9        Dave Tosh added that work undertaken to embed governance and compliance within the organisation  ...


Meeting: 21/11/2016 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Latest Internal Audit Report

Supporting documents:

  • Restricted enclosure 140

Minutes:

4.0        Item 4 – Latest Internal Audit Report

ACARAC (05-16) Paper 5 – Pensions Administration

4.1        The Pensions Administration audit resulted in a ‘strong’ rating.  It was reported that there were strong arrangements in place for the administration of both the Principal Civil Service Pension Scheme and the AMSS pension schemes.  Opportunities were identified to improve efficiency and reduce the need for further manual intervention.     

4.2        Gareth confirmed that recommendations had been accepted and that implementation was in progress.  The need for manual intervention would be removed by January when a validation exercise would be carried out.

 


Meeting: 21/11/2016 - Assembly Commission Audit and Risk Assurance Committee (Item 5)

Internal Audit reports circulated in October

Supporting documents:

  • Restricted enclosure 143
  • Restricted enclosure 144
  • Restricted enclosure 145
  • Restricted enclosure 146
  • Restricted enclosure 147

Minutes:

5.0        Item 5 – Internal Audit reports circulated in October

ACARAC (05-16) Paper 6 - Assurance review of VES

ACARAC (05-16) Paper 7 - Cyber Security Briefing note – (to be discussed under item 8)

ACARAC (05-16) Paper 8 - Procurement Audit – update report

ACARAC (05-16) Paper 9 - Risk Management IA report cover paper

ACARAC (05-16) Paper 9 - Annex A - Risk Management Audit Report

5.1        The Committee thanked Gareth for circulating a number of papers out of committee and for sharing his responses to the comments he had received.  Gareth agreed that he would re-introduce acceptance or rejection of Internal Audit recommendations in his reports.   

5.2        The Clerking team confirmed that the papers contained within the pack were the same as those circulated in October and they would consider referencing these papers differently in future.  

Actions

-        Re-introduce acceptance or rejection of Internal Audit recommendations in reports.  

-        Clerking team to clarify referencing of papers that have been circulated out of committee.

 


Meeting: 13/06/2016 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Internal Audit Annual Report

Minutes:

ACARAC (03-16) Paper 4 – IA Annual Report

4.1     Gareth presented his 2015-16 Internal Audit Annual Opinion and Report.  This report provided an overview of the work undertaken by the Internal Audit service during the year and provided an opinion based on that work and other wider observations. 

4.2     In response to questions from Committee members about outstanding recommendations, Gareth explained that these related to the documentation of processes for key performance indicators (KPIs) for which a review was on-going by members of his team.  The review, which was considering the process of collating and reporting on the KPIs as well as how meaningful they were, would address these recommendations.  He confirmed that engagement with Heads of Service had so far been positive.  

4.3     Gareth’s opinion stated, ‘the Assembly Commission has adequate and effective risk management, control and governance processes to manage the achievement of its objectives.’  

4.4     Gareth had shared his report with Ann-Marie Harkin and Matthew Coe prior to this meeting.  They both praised the report for its detail and informed the Committee that they had used the key financial controls audit to aid them when auditing the accounts.   

4.5     The Committee welcomed this comprehensive report and Gareth’s audit opinion. They encouraged Gareth to share reports and updates with them through the year which he was more than happy to do. 

4.6     In relation to the review of the Commission’s Fraud, Bribery and Corruption policy, the Committee suggested checking the relevance of recent Ministry of Justice guidance on fraud and bribery.

Actions

-        Gareth to check Ministry of Justice guidance on fraud and bribery risk assessments and report findings to the Committee.

 


Meeting: 13/06/2016 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Activity Report

Minutes:

ACARAC (03-16) Paper 3 - IA Update Report 2015-16

3.1     Gareth Watts updated the Committee on recent audit work.  He had finalised all 2015-16 audits and had completed his Annual Report and the Annual Report on Fraud.  He had also completed a self-assessment against the Public Sector Internal Audit Standards (PSIAS).

3.2     Gareth had discussed his 2016-17 audit plan with the TIAA, the Commission’s outsourced internal audit service provider, and an audit of risk management had commenced on Monday 13 June. 

3.3     Although the focus would be on future audits, which could be subject to change depending on the new Assembly Commission’s priorities, Gareth assured the Committee that he would continue to follow up on recommendations from prior years’ audits.  The Committee welcomed this, particularly in relation to the procurement follow-up audit.  Gareth would also continue to provide assurance on the Voluntary Exit Scheme, be an active member of the project board for the new finance system, and carry out a review of the Investment and Resourcing Board (IRB).

3.4     In relation to HM Treasury’s revised Audit and Risk Assurance Committee Handbook, the Committee suggested further consideration should be given to the relevance of guidance in the new appendices on cyber security and whistleblowing.

3.5     The Committee asked for clarification on the timing of the External Quality Assurance (EQA) of internal audit services and the outcome of a review of the Governance and Audit team.  Gareth explained that whilst PSIAS required the EQA be completed by 2018, he was aiming to complete it sooner.  He also described how an away day had generated clear proposals on how to take the team forward.  He agreed to keep the Committee informed of any changes. 

Action

-        Gareth to review appendices of HMT’s revised Audit and Risk Assurance Committee Handbook regarding cyber security and whistleblowing and report findings to the Committee.

-        Gareth to update the Committee in November of changes to the Governance and Audit team. 

 


Meeting: 25/04/2016 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Activity Report

Supporting documents:

  • Restricted enclosure 154

Minutes:

ACARAC (32) Paper 3 - IA Update Report 2015-16

3.1        Gareth Watts updated the Committee on recent audit work.   In February, he had attended an Inter-Parliamentary Internal Audit Forum where they had discussed approaches to planning, cyber security and Members’ expenses.

3.2        Gareth had provided details of the discussions around cyber security at the forum to the Commission’s Head of ICT and Broadcasting who would consider how to take this on board. 

3.3        It had also been agreed that Gareth would be taking over future audits of Members’ expenses from the WAO, as this was more cost-effective. 

3.4        At a recent Investment and Resourcing Board (IRB) meeting, the business case for replacing the finance system was approved and Gareth confirmed that he would attend meetings of the project board.

3.5        Gareth advised that, as well as a planned effectiveness review of the IRB, he had been considering options for the governance team to provide additional support for programmes and projects. The Chair encouraged him to consider agile techniques as part of this review.

3.6        As a recently appointed member of the Coleg Gwent Audit Committee, Gareth described the contributions he had made and the networking opportunities this had brought.  As Coleg Gwent had recently implemented a new finance system he would share contact information with Nia Morgan.

 


Meeting: 25/04/2016 - Assembly Commission Audit and Risk Assurance Committee (Item 5)

Consider Internal Audit's outline audit plan for 2016-17

Supporting documents:

  • Restricted enclosure 157

Minutes:

ACARAC (31) Paper 8 – IA outline plan 2016-17

5.1        The Committee had approved Gareth’s strategy at the February meeting and welcomed his outline plan for 2016-17. 

5.2        When questioned whether his plan should include the new finance system, Gareth agreed to discuss this with Nia to determine the level of assurance required by the project board.

5.3        Gareth also provided the Committee with some further information on the planned security review.  Following a period of restructuring within the team, Gareth wanted to ensure that the changes were well embedded within the service area before carrying out his review. 

5.4        A wider discussion centred on security provided by South Wales Police.  Claire assured the Committee that the financial implications of increasing the police presence had been considered carefully to ensure they were necessary and cost effective.   

5.5        Dave also provided an update on work to assess the Commission’s exposure to cyber security risks, including the engagement of an inspector from North Wales to help identify and manage risks of attacks to our Building Management System.

 


Meeting: 25/04/2016 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Latest Internal Audit Report & Previously circulated IA reports

Supporting documents:

  • Restricted enclosure 160
  • Restricted enclosure 161
  • Restricted enclosure 162
  • Restricted enclosure 163

Minutes:

ACARAC (32) Paper 4 – Making the most of the Assembly Estate

4.1        Gareth presented this review which detailed the progress made against one of the Commission’s corporate priorities.  He informed the Committee that a new Visitor Experience and Venue Manager had recently been appointed who would take the recommendations forward.  

4.2        In response to questions from Committee members on refurbishing Members’ accommodation, Gareth and Dave explained the work had been undertaken as part of the planned maintenance programme.     

4.3        A further discussion centred on the long-term value for money on the use of the Assembly estate, including the potential to purchase Tŷ Hywel.  Dave agreed to revisit this.  It was agreed that wider considerations about accessibility to the Cardiff Bay area were important, but largely outside the Commission’s control.

4.4        The Committee welcomed this comprehensive report especially in addressing the objectives set by the Commission, and encouraged the continued use of visitor experience feedback. 

Action

-        Dave to investigate options for the purchase of Tŷ Hywel.    

Previously Circulated IA reports

ACARAC (32) Paper 5 – Bilingual Services

ACARAC (32) Paper 6 – Data Analytics

ACARAC (32) Paper 7 – Budgetary Control

4.5        Three internal audit reports were circulated out of committee on 30 March and Gareth summarised the comments/queries he had received.  One point highlighted was that the support to individuals and the use of technology identified in the Enhanced Bilingual Services audit should be applauded.  

4.6        The Data Analytics audit, undertaken by TIAA, confirmed that there was no indication of fraudulent behaviour during the financial year in question. Committee members suggested that the objective of future audits should explicitly state that its purpose is to identify any evidence of fraudulent behaviour.

4.7        The audit on Budgetary Control had identified some areas that could be improved with a new finance system but Nia confirmed that the manual workarounds, although resource intensive, were effective.   


Meeting: 08/02/2016 - Assembly Commission Audit and Risk Assurance Committee (Item 5)

Internal Audit Strategy for 2016-17

Supporting documents:

  • Restricted enclosure 166

Minutes:

ACARAC (31) Paper 7 – Internal Audit Strategy 2016-17

5.1        Gareth presented his strategy document for 2016-17 which would be subject to change on appointment of the new Assembly Commission.  As always, he would continue to share instances of good practice and amend his way of working if he felt it would benefit internal audit.   

5.2        Pending a change to include a link to the working protocol between Internal Audit and External Audit, the committee approved the strategy. 

Action

-        Gareth to include reference in the Internal Audit Charter section of the strategy to the working protocol between Internal Audit and External Audit.

 


Meeting: 08/02/2016 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Latest Internal Audit Report

Supporting documents:

  • Restricted enclosure 169

Minutes:

ACARAC (31) Paper 6 – Key Financial Controls

4.1        The audit of the Key Financial Controls was carried out by TIAA and a strong rating given.  Gareth commented that a full complement of staff in the Finance team had significantly increased the robustness and strength of the controls in place.  Committee members commended the Finance team on the robustness of controls.

 

4.2        The WAO were pleased with the assessment and would hopefully be able to place some reliance on this during the audit of the accounts.     

4.3        Committee members were assured that despite the limitations already identified in the current finance system, the necessary controls were in place.         

4.4        Committee members then questioned the dissemination of information to those outside of the finance team.  Officials informed the committee that Finance Co-ordinators exist within each service area and monthly meetings were used to share information, as well as regular meetings with budget holders to discuss forecasting and staffing matters.

4.5        Finally, the committee suggested that officials should check the process in place for recovery of overpayments. 

 


Meeting: 08/02/2016 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit update

Supporting documents:

  • Restricted enclosure 172
  • Restricted enclosure 173
  • Restricted enclosure 174

Minutes:

ACARAC (31) Paper 3 - IA Update Report 2015-16

ACARAC (31) Papers 4 & 5 – IA Recommendations Monitoring

3.1        Gareth Watts updated the committee on recent audit work undertaken.  Audits on Enhanced Bilingual Services and Financial Management and Budgetary Control were complete and would be circulated outside of the meeting, once management responses had been received.  Work on Data Analytics was scheduled for the end of February and again, Gareth planned to circulate this report out of committee. 

3.2    Claire Clancy and Dave Tosh had recently approved a paper outlining a revised Governance and Audit team structure.  Although not circulated to the committee, Gareth would discuss his proposal during the private session between committee members and the Head of Internal Audit.   

3.3        Gareth then updated the committee on work that he and Kathryn Hughes had undertaken on the Governance and Assurance Frameworks.  They had met with Directors and Heads of Service and were in the process of analysing the completed Assurance Mapping tables, progress on which would be presented to the committee in April. 

3.4        With specific reference to the recent public engagement audit, the committee urged officials to share good practice and lessons learnt with future Assembly Committees and Commissioners.

3.5        When questioned on the number of recommendations made during his time at the Commission, Gareth believed that the variation in numbers year on year reflected the different topics investigated and the number of issues identified in the different subject areas.  For example, the high number of recommendations in 2014-15 could largely be attributed to the audits of Recruitment and Security.  2012-13, due to the changes in Internal Audit arrangements, had been a year of transition and there had been more focus on follow-up of prior years’ recommendations.

3.6        The Chair noted that Internal Audit’s processes for monitoring and reporting recommendations were now more streamlined and proactive, and Claire indicated she was happy with the current approach to Internal Audit work focussing on areas of highest risk and concern which would sometimes result in high numbers of recommendations.     

3.7        Committee members were very encouraged that there were no concerns about any of the management responses to, and progress on, audit recommendations.

Action

-        Gareth to circulate audit reports on Bilingual Services, Financial Management and Budgetary Control and Data Analytics out of committee.


Meeting: 16/11/2015 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Latest Internal Audit Reports

Supporting documents:

  • Restricted enclosure 177
  • Restricted enclosure 178

Minutes:

ACARAC (30) Paper 5 – Audit Report - Public Engagement

ACARAC (30) Paper 6 – Quality Assurance and CPD Updates

4.1        The Committee welcomed the Public Engagement audit report, noting that the Assembly is fully focussed on public engagement. That said, the Committee felt that participation methods needed to be reviewed, the organisation needed to be more resilient to negative press and should strive for more positive coverage of its activities. 

4.2        Claire Clancy informed the Committee that, following negative feedback from several sources, the website needed substantial improvement.  Funds had been allocated by the Investment and Resourcing Board to make the website more accessible and navigable.  The Committee welcomed this commitment and emphasised that improvements should be enduring. 

4.3        Officials confirmed that the Engagement Strategy would be a high priority and developed by the Fifth Assembly.  The strategy should consider what indicators would be used to measure performance.  The Committee suggested that engagement in general should be considered when discussing the risks around future constitutional change.       

4.4        As agreed by the Chair, Gareth issued the Procurement audit and ICT Futures Review reports in October. 

4.5        Since the Procurement audit, training sessions had been arranged with a positive take up.  Extracting management information from CODA (the finance system) was problematic but the National Procurement Service had provided spend analysis information on commodity buying which would enhance the quality of management information available to the Procurement Team for monitoring purposes.  Gareth assured the Committee that non-compliance with procurement rules was taken very seriously by management and he was comfortable with the progress being made and the actions management were taking to address the issues.

4.6        The Committee questioned the lack of a benefits realisation report for the ICT Futures Review.  Officials confirmed that a full review of the benefits was not carried out at project closure and this had been agreed at various checkpoints throughout the life of the project.  Wider project management guidance and a benefits framework were now in place to ensure that benefits realisation had appropriate focus in the future.

4.7        The Chair congratulated Gareth on his recent appointment to Coleg Gwent’s Audit Committee. 

Action

-        Gareth to follow up Public Engagement recommendations.

 


Meeting: 16/11/2015 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit update

Supporting documents:

  • Restricted enclosure 181
  • Restricted enclosure 182

Minutes:

ACARAC (30) Paper 3 - Internal Audit Update Report 2015-16

ACARAC (30) Paper 4 – Internal Audit Recommendations – Monitoring

3.1        Gareth Watts updated the Committee on progress against his 2015-16 audit plan.  He assured the Committee that his planned schedule of work was on course and that he would continue to monitor the outstanding recommendations.  Good progress was being made in implementing the recommendations from previous audits, including Value for Money and Expert Advisors.  Gareth agreed to present an itemised report of outstanding actions in February 2016. 

3.2        The Committee welcomed Gareth’s update on a series of meetings that he had attended with Kathryn Hughes (Risk Manager) and Heads of Service.  The ‘Governance Matters’ meetings were part of the Assurance Framework, building on the Assurance and Governance statement and raising the profile of the Governance and Audit team.  Once approved, Gareth agreed to share an updated Governance and Audit team structure with the Committee.      

3.3        Over the coming months, he would focus on providing assurance of the Commission’s enhanced bilingual services and key financial controls.  In addition to the approved plan, he had agreed an additional piece of work with the Director of Finance on controls over pension disclosures.

Actions

-        Gareth to provide an itemised report of outstanding recommendations of the last four years.

-        Gareth to present updated Governance Framework.

-        Gareth to update ACARAC on revised Governance and Audit team structure.           

 


Meeting: 08/06/2015 - Assembly Commission Audit and Risk Assurance Committee (Item 5)

Internal Audit Quality Assessment Framework

Supporting documents:

  • Restricted enclosure 185
  • Restricted enclosure 186

Minutes:

ACARAC (28) Paper 5 – Quality Assessment Framework – cover paper

ACARAC (28) Paper 6 – Quality Assessment Framework

5.1        Gareth provided the Committee with a summary of the results of a self-assessment against the Internal Audit Quality Assurance and Improvement Programme, carried out in line with requirements of the Public Sector Internal Audit Standards.    

5.2        He commented on his work to raise the profile of Internal Audit within the organisation and felt that engagement had improved since he was appointed.   A scoping exercise needed to take place, before exploring potential procurement routes and suppliers to carry out an external review.  

5.3        The Committee thanked Gareth for his update and welcomed the suggestion from him to update the Committee on progress against actions in the future.  Committee members also welcomed his self-critical approach.         

Actions

-        Gareth Watts to provide regular updates on progress against actions contained in the Internal Audit Quality Assessment Framework.

 


Meeting: 08/06/2015 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Internal Audit Annual Report

Supporting documents:

  • Restricted enclosure 189

Minutes:

ACARAC (28) Paper 4 – IA Annual Report

4.1        The Committee considered the report to be a good assessment of work undertaken by Gareth during the year.  Committee members were encouraged by the forums and events that he had attended recently and his pro-active approach in seeking contacts and examples of good practice.  Gareth agreed to share these best practice methods with the Committee.

Actions

-        Gareth Watts to share experiences of public sector internal audit best practice

 


Meeting: 08/06/2015 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit update

Supporting documents:

  • Restricted enclosure 192

Minutes:

ACARAC (28) Paper 3 - IA Progress Report

3.1        Gareth updated the Committee on activity since the April meeting.  The scope for the procurement audit had been finalised and a report would be produced over the summer.    

3.2        The Committee asked about activity planned for January 2016 – ‘Value for Money Study into making use of the Assembly Estate’, in light of proposals to review business efficiency more widely.  Gareth explained that this was linked to one of the Assembly Commission’s key priorities.  Dave Tosh and Mike Snook would lead on this work, which would feed into the wider business efficiency review.  The Committee also asked about the results of the benchmarking of the Governance Statement against WAO guidance. Gareth explained that this showed that all guidance had been taken into account.

3.3        Nicola Callow informed the Committee that the business case for the replacement finance system project had been scrutinised by the Investment and Resourcing Board (IRB) and Keith Baldwin.  A revised business case would be presented to the IRB before the procurement exercise.         

 


Meeting: 20/04/2015 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Latest Internal Audit Reports

Supporting documents:

  • Restricted enclosure 195
  • Restricted enclosure 196
  • Restricted enclosure 197

Minutes:

ACARAC (27) Paper 6 - Review of the appointment of Expert Advisers to Committees

4.1        The Committee welcomed this report and the robust recommendations to strengthen the process, which they hoped to see implemented so that expert advisors are used more widely and effectively in the future.  As part of this, they suggested that officials should examine the need for training for Committee Chairs or Clerks and Deputy Clerks in the use of expert advisors.  They reflected on the potential conflicts of interest but recognised the small pool of experts available to some Committees.  The evaluation of the effectiveness of advisers was also encouraged.  Members noted that the Commission should consider the NAO Report from November 2014 and take account of this and any additional guidance the Wales Audit Office may provide on managing conflicts in the future.

Actions

-        Appointment of Expert Advisors to Committees – ensure the agreed recommendations are implemented and that there are no obstacles to using expert advisors in the future.

-        Examine the need for, and if appropriate make available, training for Committee Chairs or Clerks and Deputy Clerks in the use of Expert Advisors.

ACARAC (27) Paper 7 – Value for Money report

4.2        Gareth was pleased to report that there was a strong Value for Money (VfM) culture across the organisation, although efficiencies could be more widely captured. 

4.3        The Committee queried whether recruitment delays should be reflected as VfM savings.  Claire confirmed that delays in appointing staff were sometimes inevitable and that recruitment had sometimes been purposely delayed in order to deliver savings.

4.4        Nicola’s team had discussed savings with Heads of Service across the organisation and VfM savings would be captured in the Annual Accounts.   

4.5        The Chair welcomed the inclusion of this information in the accounts and encouraged officials to concentrate on capturing efficiency/process streamlining and procurement savings. 

ACARAC (27) Paper 8 - Review of the Assembly Commission’s Project Management Arrangements (also item 12)

4.6        Gareth’s audit confirmed that there were no surprises in this area.  Many of the historical issues that had been identified would continue to be addressed.  Business cases could be sharper, as could post implementation reviews and benefits realisation analysis.        

4.7        Dave informed the Committee of the increased involvement of Business Analysts in projects and the on-going work on benefits management.  He highlighted the culture already embedded in some areas of the Assembly where formal project management processes were in place. 

4.8        Committee Members urged officials to ensure that there was a sufficient focus on delivery, that clear objectives were set and that post project reviews captured and shared lessons learned. 

4.9        The Chair welcomed both papers, was satisfied with progress to date and noted that the papers were complementary.      

 


Meeting: 20/04/2015 - Assembly Commission Audit and Risk Assurance Committee (Item 5)

Review of the Internal Audit Charter

Supporting documents:

  • Restricted enclosure 200

Minutes:

ACARAC (27) Paper 9 – Internal Audit Charter

5.1        Gareth highlighted the sole change to the charter which was that his reporting line was directly to Claire Clancy.

5.2        The Committee were content with the charter.

 


Meeting: 20/04/2015 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Activity Report

Supporting documents:

  • Restricted enclosure 203
  • Restricted enclosure 204
  • Restricted enclosure 205

Minutes:

ACARAC (27) Paper 3 – Progress report 2014-15 IA Programme

ACARAC (27) Paper 4 – IA Recommendations – Monitoring

ACARAC (27) Paper 5 – Internal Audit Strategy 2013-16

3.1        Gareth Watts had completed his 2014-15 programme of work and focussed on the good progress made in relation to 2014-15 recommendations.    

3.2        The Committee questioned the Data Analytics - accounts payable audit which did not have a conclusion rating.  Gareth confirmed that he had no concerns regarding the integrity of the data or the risk of fraud. 

3.3        They also asked for details of Gareth’s plans to audit the Finance Accounting System.  Nicola Callow and Gareth confirmed that when a project was established, he would schedule it into his work programme.  Nicola had shared the business case with TIAA and received some valuable feedback.  She would also review the initiative with Keith Baldwin.

3.4        Gareth confirmed that he would be including his vision for the role of Internal Audit in the Assembly as part of his forward programme of work.  He would also discuss with the Head of Communications whether the Better Engagement audit could be brought forward.    

3.5        The Chair thanked Gareth for his revised strategy and welcomed his flexible approach, especially the increased focus on Assembly Business areas.

3.6        The Committee then received an update from Mike Snook on the Security Vetting audit.  His team had identified those employees who required Security Clearance (SC) and had been working to ensure they were all vetted by the start of summer recess in July 2015.

3.7        For the lower level clearance (CTC), discussions were on-going with the trade unions and the vetting process should be completed by May 2016.  Mike and Dave Tosh had also spoken with the Welsh Government about their approach.

3.8        Committee members were assured that there are close links with South Wales Police (SWP), but questioned whether all intelligence was being shared with Assembly Officials at appropriate times.  

3.9        Dave confirmed that SWP had been heavily involved in discussions recently and were providing the Assembly Commission with updates and intelligence.  The Assembly Commission would be discussing security in the round at their meeting on 23 April.

3.10     Overall, Committee members and Internal Audit were satisfied with progress. 

Actions

-        Discuss with SWP whether there is further intelligence on local threats that they are able to share and how this can be disseminated more widely.

-        IA Strategy 2013-16 - Ensure the IA strategy document captures the vision for the future role of Internal Audit in the Assembly. 

-        Ensure information contained in tables presented in the IA Strategy and the IA Charter is aligned.

-        Better Engagement - assess whether the date of the final report can be brought forward from January 2016 to autumn 2015.

 


Meeting: 09/02/2015 - Assembly Commission Audit and Risk Assurance Committee (Item 17)

Promoting cooperation between auditors and other review bodies

Minutes:

17.1    Gareth would be presenting the working protocol with WAO at the April meeting, which reflected some updates.  The Chair also asked Gareth to consider and summarise sources, or potential sources of external assurance, to complement those identified in the Assurance Framework.

Action

-       Gareth to summarise sources, or potential sources of external assurance.

 


Meeting: 09/02/2015 - Assembly Commission Audit and Risk Assurance Committee (Item 5)

Proposed Internal Audit Strategy and Periodic Work Plan

Supporting documents:

  • Restricted enclosure 210

Minutes:

5.1     Eric welcomed the update from Gareth and congratulated him on raising the profile of Internal Audit across the Commission.  He would like reassurance that the strategy could be flexed depending on priorities.  He also requested a summary of the feedback received from Heads of Service involved in audits. 

5.2     Committee members requested clarification on how the audit on Better Engagement with the People of Wales would add value as the measurement of success was not as tangible as in other areas.  They also re-emphasised the importance of focussing on the Assembly Business Directorate and asked Gareth to describe the Governance and Audit Service audit.    

5.3     Gareth thanked the Committee for their comments and agreed to provide further detail in April, along with a summary of the comments received from Heads of Service.  His audit of the services provided by Governance and Audit would involve benchmarking against other organisations and potentially identifying different ways of delivering services.

Actions

-       Take on board the Committee’s comments on the Internal Audit Strategy 2013-16 and present a final version to the Committee in April, including:

o   Flexibility and how plan may be refreshed,

o   balanced focus on business areas,

o   detailed timetable for 2014-15.

-       Incorporate feedback from audit sponsors in the Internal Audit Annual Report.

 


Meeting: 09/02/2015 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Activity Report

Supporting documents:

  • Restricted enclosure 213
  • Restricted enclosure 214

Minutes:

3.1        Gareth Watts provided an update on progress against the 2014-15 audit programme.  The Committee agreed that progress was positive but suggested that Gareth should ensure appropriate focus on the Assembly Business Directorate in the 2015-16 audit plan. 

 


Meeting: 09/02/2015 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Latest Internal Audit Reports

Supporting documents:

  • Restricted enclosure 217
  • Restricted enclosure 218
  • Restricted enclosure 219

Minutes:

4.1        Gareth introduced the three reports and assured the Committee that he was satisfied with the Management Board responses.

4.2        The Payroll audit highlighted that controls were in place and working effectively, although policies and procedures could be improved.  Gareth would update the Committee at future meetings as part of his recommendations monitoring reports. 

4.3        The Legislative Work Bench audit highlighted some historical issues around project management practices but the audit focused on the user experience rather than implementation of the system.  Officials at the Commission made good use of the system.  The joint contract with Welsh Government was due to expire in 2017 and the decision on whether to retain or replace the system would ultimately rest with them. 

4.4        The Committee were content with the report and welcomed the proposed timescales for implementation of recommendations and the potential influence officials may have with the user group.            

4.5        They also made reference to officials being intelligent customers and exploring every option, including outsourcing non-core functions.  Dave explained that the Business Analysts were involved early in the project process but not involved in specific solution specification.  Use of internal knowledge and expertise would be supplemented with market research where appropriate.  The Procurement team would advise on the appropriate framework before a business case was prepared.                     

4.6        A substantial discussion took place with regards to the Security Vetting audit.  Gareth confirmed that management had engaged positively with the audit and had accepted the recommendations in the report. 

Actions

-       Dave to accelerate the implementation of recommendations on the Security vetting audit.

-       Gareth to update the Committee at April meeting on implementation of all recommendations, as part of Internal Audit recommendations monitoring.

-       Dave to review the Welsh Government’s approach to bolstering vetting procedures.

 


Meeting: 10/11/2014 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Activity Report

Supporting documents:

  • Restricted enclosure 222
  • Restricted enclosure 223

Minutes:

3.1        Gareth Watts provided an update on progress against the 2014-15 programme of work which was on course for delivery. He also updated the Committee on other activity such as attendance at project board meetings.

3.2        He reported that good progress had been made on the implementation of recommendations which would be followed up in due course.

3.3        Dave Tosh provided an update on progress against recommendations from the review of information governance, where the focus had been on resolving practical issues such as security of mobile assets and storage of information. The Committee requested a presentation of the Information Governance Framework at the next meeting.

3.4        Gareth confirmed that the review of physical security was due to be completed in the coming weeks and agreed to circulate the report to Committee members when it had been approved.

3.5        The Chair congratulated Kathryn Hughes, the Commission’s Risk Manager, on the “strong” opinion on controls around risk management.

Actions

-        Gareth Watts to formally document the feedback received from Committee members on reports circulated over the summer, and his responses to this.  Feedback and responses to be captured as a matter of course in future for reports circulated out of committee.

-        Dave Tosh to present the Information Governance Framework to the February meeting.

-        Gareth Watts to circulate the report on the review of physical security when complete.

 


Meeting: 10/11/2014 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Latest Internal Audit Reports

Supporting documents:

  • Restricted enclosure 226
  • Restricted enclosure 227
  • Restricted enclosure 228
  • Restricted enclosure 229
  • Restricted enclosure 230
  • Restricted enclosure 231

Minutes:

4.1        Gareth introduced the report on the review of fixed asset management, for which all recommendations had been accepted and the follow-up report on the review of facilities contract management.

4.2        In response to questions from Committee members in relation to fixed assets, Nicola Callow assured the committee that:

a.    the Commission’s accountant would be working with ICT to identify assets which needed to be capitalised;

b.   assets over £5,000 would be picked up as part of the interim review of the accounts;

c.    serial numbers for all assets would be recorded before the year-end; and

d.   an assessment of exposure on leases had been carried out to prepare for any impact.

4.3        Gareth presented the report on the review of recruitment which had been carried out in response to a request from the Chief Executive.

4.4        Claire assured the Committee that the results of the audit were being used to inform a series of improvements. This would include:

a.     the development, by the Management Board, of a set of principles around decision-making for recruitment;

b.     ensuring that the policies, processes and guidance were coherent, accessible, regularly reviewed and properly understood by staff;

c.     ensuring that the adoption of the principles and policies, and the reasons for decisions around recruitment exercises were transparent;

d.     ensuring that thorough reviews were carried out for each recruitment exercise which would include checks that records had been captured and retained in accordance with records management rules and data protection legislation; and

e.     encouraging better ownership of issues by Heads of Service around recruitment, development and performance.

4.5        The Committee endorsed this approach and emphasised the importance of transparency, fairness, and effective record-keeping.

4.6        The Chair also offered to work with the Head of HR to develop the recruitment principles and review the underpinning policies and processes.  The recruitment business case template would be shared with Committee members.

4.7        Gareth introduced the HR Payroll report via a presentation.  The review was carried out by Gareth and Gwyn Thomas, an independent expert. 

4.8        This review concentrated on the governance of the project, rather than the core functionality of the system.  Gareth concluded that the scope was ambitious, the resources were limited and that the timescales were fixed.  These factors contributed to delays in delivering phase 1 of the HR Payroll project. 

4.9        His report did not single out individuals, but highlighted recommendations around questions that could have been raised by the Investment Board and Management Board. 

4.10     Committee members were surprised that individuals with little or no project management experience were allocated to this important and complex project and that such contradictory answers were given to some of the questions asked of the project team. 

4.11     Claire was disappointed and frustrated that this project was not executed to the normal standard of other high profile, complex projects within the Commission.  She assured the Committee that for future projects of this scale, SROs and PMs would be selected at the Investment and Resourcing Board.  Claire also confirmed  ...


Meeting: 07/07/2014 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Activity Report

Minutes:

3.1        Gareth Watts provided an oral update to the Committee.  Since June, the Risk Management and Information Governance Management audit reports had been completed but were awaiting clearance.  The Committee agreed for these and other reports to be circulated over the summer recess, along with the Recruitment audit, which had generated a lot of interest throughout the organisation.  The Equalities audit had also been scoped and work would start shortly.

3.2        He had attended the Assembly Commission meeting on 18 June, and presented his report on their effectiveness.  All recommendations were accepted, and over the coming weeks he would meet with the Secretariat to discuss an action plan.  He then went on to highlight some key findings in his report, including their effective challenge of the ICT Futures programme and Machine Translation project, but identified that their communication within the organisation could be improved.  

3.3        On 18 July, Gareth would be hosting a Head of Internal Audit inter-Parliamentary forum with his counterparts from across the UK.  He would report on this at the November meeting.   

 


Meeting: 09/06/2014 - Assembly Commission Audit and Risk Assurance Committee (Item 4)

Latest Internal Audit Reports

Supporting documents:

  • Restricted enclosure 236

Minutes:

4.1        Vicky Davies introduced this item which was a report on the migration of payroll data following the HR and Payroll project.  This was a limited scope review, with a sample of 30 staff records checked.

4.2        TIAA assessed the controls surrounding Payroll – Data Migration as ‘Reasonable’.  The assessment related only to Payroll Data Migration and excluded the wider new Payroll and HR system project.  9 recommendations were made and accepted.

4.3        Dave Tosh, as a member of the HR Payroll project board, mentioned some issues regarding the Commission’s relationship with the supplier and that the additional resource seconded from Monmouthshire County Council was working well in resolving outstanding issues.  Actions and resources were being re-planned and the Investment Board would be reviewing the revised plans.

4.4        The Chair asked for a follow up report to be provided in the autumn outlining the project’s progress.   

Actions

- Mike Snook (SRO, HR Payroll project) to provide an update for the Committee at the November meeting.

 


Meeting: 09/06/2014 - Assembly Commission Audit and Risk Assurance Committee (Item 3)

Internal Audit Activity Report

Supporting documents:

  • Restricted enclosure 239
  • Restricted enclosure 240
  • Restricted enclosure 241
  • Restricted enclosure 242
  • Restricted enclosure 243

Minutes:

3.1        Gareth Watts provided an update in relation to the 2014-15 programme of work.  2013-14 work was detailed in his annual report.   

3.2        Since April 2014, he explained that he had continued to work with Dave Tosh and Alison Rutherford on the Information Governance review.  In response to a recent staff survey, he was performing a Recruitment Procedures audit and aimed to produce a report before the summer recess.  TIAA were currently scoping the Risk Management Framework audit. 

3.3        He also informed the Committee that he had completed follow up work on the Scheme of Financial Delegation and the National Assembly for Wales shop. He would be reporting to the Assembly Commission on 18 June following a review of their effectiveness. 

3.4        Following a brief discussion on Business Continuity, the Committee urged officials to accelerate this area of work and provide an update by November 2014. 

3.5        Dave Tosh explained that a mock plenary was held over the Easter recess which specifically tested the manual voting procedures.  Service areas had drafted plans, but they were yet to be tested and refined.  Work may also be delayed over the summer recess with many of the service areas taking their annual leave during this period.

3.6        Gareth Watts introduced his annual report of work during the 2013-14 financial year.  The programme of work was successfully delivered, despite the changes to internal audit in year, which included both a new Head of Internal Audit and a new external contractor. 

3.7        Committee members questioned the definition of the opinion ‘Reasonable’.  Gareth explained that this was a moderate rating and that, given the scope of the audits, it was the highest achievable score.

3.8        He confirmed that he intended to carry out more full scope audits this year which, potentially, could give a higher level of assurance.         

3.9        Dave Tosh mentioned the Information Governance area as an example of vast improvement in the last 2-3 years.  From the 12 original recommendations, 4 remain outstanding in 2013-14.  Tighter controls, clear policies and structures were now in place.  He was hopeful that this improved position would be reflected in the update in November. 

3.10     Committee members also questioned how the specific internal audit reviews were selected.  Officials confirmed that by their very nature, internal audit chose areas of weakness in order for improvements to be identified.  Gareth’s work would continue to focus on these areas. 

3.11     The Chair agreed that this was a constructive approach and that the Management Board was taking the recommendations seriously and was acting in a positive way to improve the functions within the organisation. 

3.12     The Annual report on Fraud was finalised mid-May and at the time of writing provided a fair reflection of the position. 

3.13     Lots of positive work had taken place since this area was audited in November 2011, especially access to policies and training by the Head of Procurement and from the Chartered Institute of Purchasing and Supply. 

3.14     Gareth was considering Fraud Response plans across the public sector  ...