Agenda and minutes
Venue: Conference Room 4B - Tŷ Hywel. View directions
Contact: Clerk: Kathryn Hughes Deputy Clerk: Buddug Saer
No. | Item |
---|---|
Introductions, apologies and declaration of interests Minutes: 1.0
Item
1 - Introductions, apologies and declarations of interest 1.1
The
Chair welcomed Victoria Paris to the meeting as an observer from the Governance
and Audit team. 1.2
He declared that he was a Non-Executive
Director on the Cabinet Office Modern Electoral Registration Programme and a
business representative for the Parliamentary Review of Health and Social Care.
1.3
No other interests were declared. |
|
Minutes of 11 July, actions and matters arising Minutes: 2.0
Item
2 - Minutes and
matters arising ACARAC (05-16) Paper 1 - Minutes of 11 July 2016 ACARAC (05-16) Paper 2 - Summary of actions 2.1
The minutes of the meeting on 11 July 2016 were agreed and the updates on
actions, captured in paper 2, were noted. 2.2
Suzy Davies thanked the Chair,
Assembly Commission staff and the Wales Audit Office (WAO) for taking the time
to meet with her since the previous meeting.
2.3
Gareth provided an update to the
Committee on changes to the Governance and Audit team (ref action at paragraph 3.4).
He stated that following a productive team away day in May, some changes
had been implemented to provide a more joined up governance advisory and
support service across the Commission. 2.4
He added that the Business
Continuity Manager and Information Governance Manager joining the team on a
permanent basis had increased resilience within the wider team. An example of this was the combined work
being done on reviewing our cyber security risks and resilience and raising
awareness of this across the Commission and with Assembly Members and their
support staff. 2.5
Gareth then described a number of
initiatives that had been continued or recently introduced by the team. They
included: ·
‘Governance Matters’ meetings which
had been conducted with all Heads of Service for the second year running. ·
The launch of a key governance
dates calendar which had been well received.
This was used to inform Heads of Service of key governance events that
they may have to prepare for or contribute to.
·
A partnership approach with a
member of the Governance and Audit team assigned to specific service areas to
act as an initial point of contact and to develop links and forge closer
relationships. 2.6
Victoria Paris described her work
on the key performance indicator (KPI) reports and on the policy review. This
review will create a formal policy register for the Commission, provide for
clear branding of policies, clarify ownership, and review responsibilities and
timescales. 2.7
Gareth informed the Committee that
a follow up session would be arranged in January to track the actions agreed in
May and he would present a further update to the Committee in February. Action -
Gareth to feedback to the Committee on the outcome
of the Governance and Audit team away day. |
|
Internal Audit Activity Report Minutes: Internal Audit 3.0
Item 3 – Internal Audit
Activity Report ACARAC (05-16) Paper 3 – IA progress report ACARAC (05-16)
Paper 4 – IA Monitoring Recommendations 3.1
Gareth introduced his usual progress update documents which described
the areas of focus during 2016-17. He also detailed his Continuous Professional
Development including attending an Intra Parliamentary Heads of Internal Audit
meeting and other networking opportunities such as meetings with Heads of
Internal Audit from other public sector organisations across Wales. 3.2
The Committee asked how Gareth would approach the re-tendering of
the Internal Audit contract, as the contract with TIAA was due to expire in
July 2017. Gareth proposed continuing
with a co-sourced arrangement, for which he would expect several tenders but
said he would also build resilience within the team with a view to carrying out
more in-house reviews. 3.3
The Chair thanked Gareth for his comprehensive
updates and reminded the Committee that Gareth relies on a co-sourced partner
to help him deliver the internal audit work. He also expressed his hope that
there would be strong competition for the procurement exercise. 3.4
Gareth then explained how he had scoped the audit of Assembly
Member expenses which would now be done in-house. He had discussed the audit with the WAO and
with Members’ Business Support, primarily to gain an understanding of their
work and the systems in place. His main
focus would be on the resettlement grant and the cost of office set up
following the election. The audit was on
track to report to the Committee in April. 3.5
In accordance with Public Sector Internal Audit Standards, on a
quinquennial basis the Head of Internal Audit is required to perform an
External Quality Assurance (EQA) Review.
At the recent Intra Parliamentary Forum meeting (17 November), Gareth
had mentioned the possibility of carrying out this review through reciprocal
arrangements with the other legislatures.
He had also taken advice on this from his counterpart in the Welsh
Government who was involved in setting the guidelines and standards for such
reviews. 3.6
The Committee questioned the impartiality and independence of such
an arrangement and Gareth explained it would be based on an initial
self-assessment with external validation by one of his counterparts. They
suggested that the standard review framework should be adapted to capture how
each of the legislatures work differently.
The reviewer should also be adequately qualified to perform the review. 3.7
Claire Clancy assured the Committee that assurance on the external
validation would be sought as appropriate.
3.8
The Committee questioned why the number of high priority
recommendations had fallen significantly over the past three years. Gareth suggested that it was dependent on the
subject matter and that in previous years there had been several audits with
numerous audit recommendations such as those on Recruitment, Security and the
HR-Payroll project. More recently subject areas audited had received more positive
audit opinions and hence fewer recommendations.
3.9 Dave Tosh added that work undertaken to embed governance and compliance within the organisation ... view the full minutes text for item 3. |
|
Latest Internal Audit Report Minutes: 4.0
Item 4 – Latest Internal
Audit Report ACARAC
(05-16) Paper 5 – Pensions Administration 4.1
The
Pensions Administration audit resulted in a ‘strong’ rating. It was reported that there were strong arrangements
in place for the administration of both the Principal Civil Service Pension
Scheme and the AMSS pension schemes.
Opportunities were identified to improve efficiency and reduce the need
for further manual intervention. 4.2
Gareth
confirmed that recommendations had been accepted and that implementation was in
progress. The need for manual
intervention would be removed by January when a validation exercise would be
carried out. |
|
Internal Audit reports circulated in October Minutes: 5.0
Item
5 – Internal Audit reports circulated in October ACARAC
(05-16) Paper 6 - Assurance review of VES ACARAC
(05-16) Paper 7 - Cyber Security Briefing note – (to be discussed under item 8) ACARAC
(05-16) Paper 8 - Procurement Audit – update report ACARAC
(05-16) Paper 9 - Risk Management IA report cover paper ACARAC
(05-16) Paper 9 - Annex A - Risk Management Audit Report 5.1
The Committee thanked Gareth for
circulating a number of papers out of committee and for sharing his responses
to the comments he had received. Gareth
agreed that he would re-introduce acceptance or rejection of Internal Audit
recommendations in his reports. 5.2
The Clerking team confirmed that
the papers contained within the pack were the same as those circulated in
October and they would consider referencing these papers differently in future.
Actions -
Re-introduce acceptance
or rejection of Internal Audit recommendations in reports. -
Clerking team to clarify referencing of papers that
have been circulated out of committee. |
|
Review HMT/other guidance for Audit and Risk Assurance Committees and share examples of best practice from IA and Committee Chair forums Minutes: 6.0
Item 6 – Review HMT/other
guidance for Audit and Risk Assurance Committees and share examples of best
practice from IA and Committee Chair forums Oral item 6.1
Gareth
briefly updated the Committee on his recent Intra Parliamentary Forum meeting.
A suggestion was made that Chairs of Audit and Risk Assurance Committees could meet
in the future to discuss common themes and share best practice. The Committee endorsed this idea and the
Chair was happy for members of the Committee to be involved. 6.2
Revised
and updated Public Sector Internal Audit Standards were scheduled for release
in 2017 and although it was not anticipated that these would deviate
significantly from existing standards, Gareth confirmed that he would update
the Committee on any changes. Following
a round table discussion on risk management and assurance frameworks, Gareth
had concluded that the Assembly Commission was mature in these areas relative
to others. 6.3
Cyber
security was one of the main topics of discussion and the group recognised the
importance of engaging with ICT specialists and agreed to share any future
developments in this area. 6.4
The
Chair had recently attended an all Wales Audit Committee Chairs’ workshop,
organised by the WAO where one of the main topics discussed was committee
effectiveness reviews. He had shared an example of the most recent ACARAC
survey with the group. The Chair will
circulate papers from the workshop once received from the WAO. 6.5
Ann-Marie
Harkin advised that the afternoon session had concentrated on critiquing
Governance Statements from across the public sector. The Chair said he would be interested to
receive feedback on the Assembly Commission’s Governance Statement. Actions -
Chair
to circulate papers from the WAO Chairs of Audit Forum. -
Ann-Marie
Harkin to circulate details of comparison and scoring of Annual Governance
Statements against other public sector organisations. |
|
Update from WAO Minutes: External
Audit 7.0
Item 7 – Updates from WAO ACARAC
(05-16) Paper 10 – External audit update ACARAC
(05-16) Paper 11 – 2017 Audit Plan 7.1
Ann-Marie
Harkin and Matthew Coe presented their update paper and audit plan for
2017. They summarised the review of the
2015-16 accounts and identified some low level process changes, but nothing of
significance. They also advised that
there were no outstanding actions from the 2015-16 ISA260. 7.2
As
the audit approach would remain unchanged, it was likely that the fee would
remain static, although it was yet to be agreed. The Committee was encouraged to hear that the
WAO were expecting a smooth audit process as the auditors were experienced and
had a good working relationship with the Commission’s Finance team. 7.3
The
Committee questioned the WAO on the omission from their papers of the impending
replacement finance system. The WAO
assured the Committee that discussions had taken place with Nia Morgan. They had identified some capacity issues if
the Finance team’s efforts were diverted to work on implementing the system,
for example during the transfer of the data.
The Committee would be kept informed of any delays to the audit
process. Action -
WAO
to circulate confirmation of the fee early in the New Year. |
|
Update from the SIRO on FWP and Cyber Security Minutes: Commission Governance 8.0
Item 8 - Update from the
SIRO on FWP and Cyber Security ACARAC
(05-16) Paper 12 – SIRO Annual Report 2015-16 8.1
Dave
Tosh presented the Senior Information Risk Owner (SIRO) annual report, which in
future would be timed to coincide with the Assembly Commission’s Annual
Report. He assured the Committee that
the report portrayed a continuing good picture of work on information
governance, particularly in terms of compliance and awareness raising. 8.2
Dave
highlighted that there were no incidents or personal data losses requiring
reporting to the Information Commissioner’s Office. He praised Alison Bond (Information
Governance Manager) and legal colleagues for their work with Assembly Members
(AMs) and their support staff pre-and post-election. They also commended the thorough preparation
of an action plan prior to the new General Data Protection Regulations (GDPR)
which the Information Commissioner’s Office had endorsed as best practice. 8.3
He
then described the penetration testing of internal facilities management
systems and the IT infrastructure in general.
He was assured by the safeguards in place, but increased vigilance was
required by Commission staff, AMs and support staff. 8.4
Along
with the cyber security awareness sessions that had been rolled out, the
Investment and Resourcing Board had recently agreed to appoint a cyber security
specialist. All Outlook mailboxes had been
successfully migrated to the cloud, with migration of the data planned for next
year, which would strengthen controls. 8.5
Dave
had discussed cyber security with a contact at the Ministry of Justice who
described similar awareness sessions and guidance that they had developed. 8.6
Dave also mentioned the roll out of Office 365
which had security benefits for sharing sensitive documents in a secure
manner. Dave would look into potential
options for sharing access to Office 365 with Committee members. 8.7
Dave confirmed that all but three employees had
now been security cleared to CTC or above. Action -
Dave to consider
strengthening the advice to AMs and AMSS on their responsibilities around cyber
security. |
|
Corporate Risks Report Minutes: 9.0
Item 9 - Corporate Risks
Report ACARAC
(05-16) Paper 13 - Corporate Risks ACARAC
(05-16) Paper 13 – Annex A - Corporate Risks Summary Report ACARAC
(05-16) Paper 13 – Annex B - Corporate Risks plotted 9.1
The
Committee felt that the management of risks in the organisation was strong. In
response to comments about the lack of movement on the risk ratings, Dave
advised that the risks were being continually monitored and that the Management
Board would review the corporate risk register in full in December. 9.2
Officials
responded as follows to a number of specific questions from Committee members: ·
Dave
assured the Committee that strict controlled access would be in place for
contractors working on the ground floor refurbishment. ·
Dave
and Adrian Crompton confirmed that the risk around corporate capacity was
regularly reviewed by the Management Board.
·
Adrian
provided assurance on the preparations being carried out to mitigate the risks
around leaving the EU as far as possible at this stage. Practical steps included the restructuring of
support for Assembly committees to accommodate the new External Affairs
and Additional Legislation Committee
and the establishment of a Constitutional Change Group, made up of senior
officials who were meeting on a monthly basis.
The risk would be continually monitored to take account of developments.
9.3
The
Committee endorsed the approach of documenting such risks to provide clarity
and transparency on their management. |
|
Assembly Commission's Strategy 2016-21 Minutes: 10.0
Item 10 - Assembly
Commission’s strategy 2016-21 ACARAC
(05-16) Paper 14 – Strategy document 2016-21 Item
11 - Critical examination of one identified risk – emerging risks associated
with new Commission Strategy Oral item 10.1 Claire presented an update
on the Commission’s strategy, as announced in a press release from the Llywydd,
which had been circulated in advance of this meeting to Committee members. 10.2 The focus of the discussion
was on: future requirements for the Assembly estate; the capacity of the Assembly
and potential for change if the Wales Bill is passed; and work to develop a
youth parliament and enhanced use of digital information. 10.3 In response to questions
from Committee members, Claire confirmed that options for funding the
additional work around reconfiguring space in Tŷ Hywel would be largely
funded from an expected under-spend in the Remuneration Board budget and
postponing other projects if necessary. 10.4 Costs were yet to be
clarified for the legislative aspects of the strategy, which would require the
creation of a specialist team. Adrian
explained that a group of experts would marshal the evidence that already
existed (the Richard Commission, the Silk Commission, Wales Governance Centre
reports etc.) on the number of new Assembly Members required, as well as
potential electoral arrangements to deliver the changes. Options, including secondment of specialist
staff from the Welsh Government, were being considered to keep costs to a
minimum. 10.5 Claire advised that the
Assembly Finance Committee had approved the 2017-18 budget strategy but noted
that this had not included the costs of any future reform work. She also advised that the Committee had not
yet reached a conclusion on the budgets beyond 2017-18. She emphasised that real pace was needed to
respond to and deliver the Commission’s strategy. 10.6 Adrian updated the Committee
on proposals to consult on the naming of the Assembly. The consultation documents would be launched
in the coming weeks. Committee members
urged officials to ensure that the consultation reached as wide an audience as
possible, beyond those who already engage with the Assembly. Adrian confirmed that the Commission’s
Outreach and Communications teams were actioning this. Action -
Adrian
to update ACARAC on consultation and engagement regarding the Commission’s
strategy |
|
Critical examination of one identified risk - Emerging risks associated with new Commission Strategy |
|
Finance Committee and Public Account Committee update Minutes: 11.0
Finance Committee (FC) and
Public Accounts Committee (PAC) update ACARAC (05-16) Paper 15 – FC
and PAC update ACARAC (05-16) Paper 15 –
Appendix 1 Letter to PAC ACARAC (05-16) Paper 15 –
Appendix 2 Letter to FC ACARAC (05-16) Paper 15 – Annex
to FC Budget 2017-18 ACARAC (05-16) Paper 15 –
Appendix 3 FC report ACARAC (05-16)
Paper 15 – Appendix 4 FC & PAC update 11.1 Nia Morgan thanked Suzy and
the Committee for their assistance in preparing for the Finance and Public
Account Committees. She advised that two
further responses were due to be sent to the Finance Committee. 11.2 The Committee welcomed the
feedback and were pleased that the preparation had paid dividends. |
|
2016-17 Budget update Minutes: 12.0
2016-17 Budget update ACARAC (05-16) Paper 16 –
Finance update 12.1 Nia informed the Committee
that the 1% target underspend was on track and she would work closely with the
WAO to fully determine whether there were any capital implications for the
works planned on the reconfiguration of Tŷ Hywel. |
|
Update on replacement Finance system project Minutes: 13.0
Update on replacement
Finance system project ACARAC (05-16) Paper 17 –
Finance system project update ACARAC (05-16) Paper 17 –
Annex A – Dashboard 13.1 Adrian introduced the update
paper and dashboard. Comprehensive
project planning and preparation had resulted in identification of a
capable supplier which was approved by the Investment and Resourcing Board in
April. The Finance team and the project
board were content with progress so far, with the project on track to complete
all three phases by the end of the financial year. 13.2 Dave agreed with Adrian’s
analysis of the capability of the supplier from an ICT perspective, especially
their history of working with other public sector organisations. 13.3 The Committee were pleased
to note that Keith would continue to act as a critical friend and officials
agreed to ensure that the necessary documentation was circulated to him for
comment. They also noted Gareth’s membership
of the project board, which provided additional independent assurance. The
Committee also noted that this demonstrated improvement in the project
management capability of the organisation. 13.4 In response to questions
from the Committee on the timescales for the project, especially considering
the thorough User Acceptance Testing (UAT) required, Adrian and Nia agreed to
revisit the ‘go live’ criteria, roll back and contingency plans with the
project manager and board. Actions -
Officials
to engage Keith Baldwin in discussions around implementation of the Finance
System Replacement Project and feed back to the Committee at the February
meeting. -
Adrian
and Nia to discuss the UAT, ‘go live’ criteria, roll back and contingency plans
with the project manager and board. |
|
Corporate performance report - mock KPI report Minutes: 14.0
Corporate performance report
– mock KPI report ACARAC (05-16) Paper 18 –
mock KPI report - cover paper as presented to the Commission ACARAC (05-16) Paper 18 –
Annex A - Mock KPI report 14.1 Committee members were
impressed with the new KPI report, the format for which had been approved by
the Commission in September. The format
and content would be subject to continual review to ensure it remained fit for
purpose and to take on board feedback from the Commission. 14.2 In response to questions
from Committee members around the setting of performance targets, Dave
confirmed that targets were set by Heads of Service, based on previous reports
or on statutory compliance. 14.3 The Committee urged
officials to be realistic about how achievable targets of 100% would be. They suggested that the report could include
some outcome-based KPIs rather than just targets, average performance
statistics of key systems and progress of key projects and programmes. 14.4 Dave agreed to consider the
Committee’s suggestions and thanked Victoria for her hard work in reviewing and
producing the new KPI report. Action -
KPI
report to be circulated when published. |
|
HR Payroll review Minutes: 15.0
HR Payroll review ACARAC (05-16) Paper 19 –
HRP project review 15.1 The Committee welcomed this
honest and useful review of the recent HR/Payroll project and urged officials
to ensure future reviews captured benefits realisation and post implementation
analysis. |
|
Revised Risk Management Policy Minutes: 16.0
Revised Risk Management
Policy ACARAC (05-16) Paper 20 –
Risk Management Documentation – Cover Paper ACARAC (05-16) Paper 20 –
Part 1 Risk Management Policy ACARAC (05-16) Paper 20 –
Part 2 Risk Management Process 16.1 The Committee was pleased
with the comprehensive Risk Management Policy and Process documents and that
arrangements for risks and issues were captured in one document. The Committee suggested that templates
included as annexes were populated with examples. |
|
Update on presentation of ACARAC Annual Report to Assembly Commission in July Minutes: Other
Business 17.0 Update
on presentation of ACARAC Annual Report to Assembly Commission in July Oral item 17.1 The Chair had attended the
Assembly Commission meeting in July to present the Committee’s Annual
Report. Suzy advised that, whilst the
Commissioners had only been appointed for a matter of weeks, they welcomed the
process. 17.2 The Clerking team would
prepare a summary of the November ACARAC for Suzy to brief the Commission. |
|
Forward Work Programme Minutes: 18.0
Forward Work Programme ACARAC
(05-16) Paper 21 – Forward Work Programme 18.1 The Clerking team would
update and circulate the Forward Work Programme. 19.0
Private session 19.1 Dave and Nia had attended a
private session with members of the
Committee prior to the meeting. No
minutes were taken. |