Venue: Conference Room 4B - Tŷ Hywel. View directions
Contact: Clerk: Kathryn Hughes Deputy Clerk: Buddug Saer
Introductions, apologies and declaration of interests
1.0 Item 1 - Introductions, apologies and declarations of interest
1.1 The Chair welcomed Victoria Paris to the meeting as an observer from the Governance and Audit team.
1.2 He declared that he was a Non-Executive Director on the Cabinet Office Modern Electoral Registration Programme and a business representative for the Parliamentary Review of Health and Social Care.
1.3 No other interests were declared.
Minutes of 11 July, actions and matters arising
2.0 Item 2 - Minutes and matters arising
ACARAC (05-16) Paper 1 - Minutes of 11 July 2016
ACARAC (05-16) Paper 2 - Summary of actions
2.1 The minutes of the meeting on 11 July 2016 were agreed and the updates on actions, captured in paper 2, were noted.
2.2 Suzy Davies thanked the Chair, Assembly Commission staff and the Wales Audit Office (WAO) for taking the time to meet with her since the previous meeting.
2.3 Gareth provided an update to the Committee on changes to the Governance and Audit team (ref action at paragraph 3.4). He stated that following a productive team away day in May, some changes had been implemented to provide a more joined up governance advisory and support service across the Commission.
2.4 He added that the Business Continuity Manager and Information Governance Manager joining the team on a permanent basis had increased resilience within the wider team. An example of this was the combined work being done on reviewing our cyber security risks and resilience and raising awareness of this across the Commission and with Assembly Members and their support staff.
2.5 Gareth then described a number of initiatives that had been continued or recently introduced by the team. They included:
· ‘Governance Matters’ meetings which had been conducted with all Heads of Service for the second year running.
· The launch of a key governance dates calendar which had been well received. This was used to inform Heads of Service of key governance events that they may have to prepare for or contribute to.
· A partnership approach with a member of the Governance and Audit team assigned to specific service areas to act as an initial point of contact and to develop links and forge closer relationships.
2.6 Victoria Paris described her work on the key performance indicator (KPI) reports and on the policy review. This review will create a formal policy register for the Commission, provide for clear branding of policies, clarify ownership, and review responsibilities and timescales.
2.7 Gareth informed the Committee that a follow up session would be arranged in January to track the actions agreed in May and he would present a further update to the Committee in February.
- Gareth to feedback to the Committee on the outcome of the Governance and Audit team away day.
Internal Audit Activity Report
3.0 Item 3 – Internal Audit Activity Report
ACARAC (05-16) Paper 3 – IA progress report
ACARAC (05-16) Paper 4 – IA Monitoring Recommendations
3.1 Gareth introduced his usual progress update documents which described the areas of focus during 2016-17. He also detailed his Continuous Professional Development including attending an Intra Parliamentary Heads of Internal Audit meeting and other networking opportunities such as meetings with Heads of Internal Audit from other public sector organisations across Wales.
3.2 The Committee asked how Gareth would approach the re-tendering of the Internal Audit contract, as the contract with TIAA was due to expire in July 2017. Gareth proposed continuing with a co-sourced arrangement, for which he would expect several tenders but said he would also build resilience within the team with a view to carrying out more in-house reviews.
3.3 The Chair thanked Gareth for his comprehensive updates and reminded the Committee that Gareth relies on a co-sourced partner to help him deliver the internal audit work. He also expressed his hope that there would be strong competition for the procurement exercise.
3.4 Gareth then explained how he had scoped the audit of Assembly Member expenses which would now be done in-house. He had discussed the audit with the WAO and with Members’ Business Support, primarily to gain an understanding of their work and the systems in place. His main focus would be on the resettlement grant and the cost of office set up following the election. The audit was on track to report to the Committee in April.
3.5 In accordance with Public Sector Internal Audit Standards, on a quinquennial basis the Head of Internal Audit is required to perform an External Quality Assurance (EQA) Review. At the recent Intra Parliamentary Forum meeting (17 November), Gareth had mentioned the possibility of carrying out this review through reciprocal arrangements with the other legislatures. He had also taken advice on this from his counterpart in the Welsh Government who was involved in setting the guidelines and standards for such reviews.
3.6 The Committee questioned the impartiality and independence of such an arrangement and Gareth explained it would be based on an initial self-assessment with external validation by one of his counterparts. They suggested that the standard review framework should be adapted to capture how each of the legislatures work differently. The reviewer should also be adequately qualified to perform the review.
3.7 Claire Clancy assured the Committee that assurance on the external validation would be sought as appropriate.
3.8 The Committee questioned why the number of high priority recommendations had fallen significantly over the past three years. Gareth suggested that it was dependent on the subject matter and that in previous years there had been several audits with numerous audit recommendations such as those on Recruitment, Security and the HR-Payroll project. More recently subject areas audited had received more positive audit opinions and hence fewer recommendations.
3.9 Dave Tosh added that work undertaken to embed governance and compliance within the organisation ... view the full minutes text for item 3.
Latest Internal Audit Report
4.0 Item 4 – Latest Internal Audit Report
ACARAC (05-16) Paper 5 – Pensions Administration
4.1 The Pensions Administration audit resulted in a ‘strong’ rating. It was reported that there were strong arrangements in place for the administration of both the Principal Civil Service Pension Scheme and the AMSS pension schemes. Opportunities were identified to improve efficiency and reduce the need for further manual intervention.
4.2 Gareth confirmed that recommendations had been accepted and that implementation was in progress. The need for manual intervention would be removed by January when a validation exercise would be carried out.
Internal Audit reports circulated in October
5.0 Item 5 – Internal Audit reports circulated in October
ACARAC (05-16) Paper 6 - Assurance review of VES
ACARAC (05-16) Paper 7 - Cyber Security Briefing note – (to be discussed under item 8)
ACARAC (05-16) Paper 8 - Procurement Audit – update report
ACARAC (05-16) Paper 9 - Risk Management IA report cover paper
ACARAC (05-16) Paper 9 - Annex A - Risk Management Audit Report
5.1 The Committee thanked Gareth for circulating a number of papers out of committee and for sharing his responses to the comments he had received. Gareth agreed that he would re-introduce acceptance or rejection of Internal Audit recommendations in his reports.
5.2 The Clerking team confirmed that the papers contained within the pack were the same as those circulated in October and they would consider referencing these papers differently in future.
- Re-introduce acceptance or rejection of Internal Audit recommendations in reports.
- Clerking team to clarify referencing of papers that have been circulated out of committee.
Review HMT/other guidance for Audit and Risk Assurance Committees and share examples of best practice from IA and Committee Chair forums
6.0 Item 6 – Review HMT/other guidance for Audit and Risk Assurance Committees and share examples of best practice from IA and Committee Chair forums
6.1 Gareth briefly updated the Committee on his recent Intra Parliamentary Forum meeting. A suggestion was made that Chairs of Audit and Risk Assurance Committees could meet in the future to discuss common themes and share best practice. The Committee endorsed this idea and the Chair was happy for members of the Committee to be involved.
6.2 Revised and updated Public Sector Internal Audit Standards were scheduled for release in 2017 and although it was not anticipated that these would deviate significantly from existing standards, Gareth confirmed that he would update the Committee on any changes. Following a round table discussion on risk management and assurance frameworks, Gareth had concluded that the Assembly Commission was mature in these areas relative to others.
6.3 Cyber security was one of the main topics of discussion and the group recognised the importance of engaging with ICT specialists and agreed to share any future developments in this area.
Chair had recently attended an all Wales Audit Committee Chairs’ workshop,
organised by the WAO where one of the main topics discussed was committee
effectiveness reviews. He had shared an example of the most recent ACARAC
survey with the group. The Chair will
circulate papers from the workshop once received from the WAO.
6.5 Ann-Marie Harkin advised that the afternoon session had concentrated on critiquing Governance Statements from across the public sector. The Chair said he would be interested to receive feedback on the Assembly Commission’s Governance Statement.
- Chair to circulate papers from the WAO Chairs of Audit Forum.
- Ann-Marie Harkin to circulate details of comparison and scoring of Annual Governance Statements against other public sector organisations.
Update from WAO
7.0 Item 7 – Updates from WAO
ACARAC (05-16) Paper 10 – External audit update
ACARAC (05-16) Paper 11 – 2017 Audit Plan
7.1 Ann-Marie Harkin and Matthew Coe presented their update paper and audit plan for 2017. They summarised the review of the 2015-16 accounts and identified some low level process changes, but nothing of significance. They also advised that there were no outstanding actions from the 2015-16 ISA260.
7.2 As the audit approach would remain unchanged, it was likely that the fee would remain static, although it was yet to be agreed. The Committee was encouraged to hear that the WAO were expecting a smooth audit process as the auditors were experienced and had a good working relationship with the Commission’s Finance team.
7.3 The Committee questioned the WAO on the omission from their papers of the impending replacement finance system. The WAO assured the Committee that discussions had taken place with Nia Morgan. They had identified some capacity issues if the Finance team’s efforts were diverted to work on implementing the system, for example during the transfer of the data. The Committee would be kept informed of any delays to the audit process.
- WAO to circulate confirmation of the fee early in the New Year.
Update from the SIRO on FWP and Cyber Security
8.0 Item 8 - Update from the SIRO on FWP and Cyber Security
ACARAC (05-16) Paper 12 – SIRO Annual Report 2015-16
8.1 Dave Tosh presented the Senior Information Risk Owner (SIRO) annual report, which in future would be timed to coincide with the Assembly Commission’s Annual Report. He assured the Committee that the report portrayed a continuing good picture of work on information governance, particularly in terms of compliance and awareness raising.
8.2 Dave highlighted that there were no incidents or personal data losses requiring reporting to the Information Commissioner’s Office. He praised Alison Bond (Information Governance Manager) and legal colleagues for their work with Assembly Members (AMs) and their support staff pre-and post-election. They also commended the thorough preparation of an action plan prior to the new General Data Protection Regulations (GDPR) which the Information Commissioner’s Office had endorsed as best practice.
8.3 He then described the penetration testing of internal facilities management systems and the IT infrastructure in general. He was assured by the safeguards in place, but increased vigilance was required by Commission staff, AMs and support staff.
8.4 Along with the cyber security awareness sessions that had been rolled out, the Investment and Resourcing Board had recently agreed to appoint a cyber security specialist. All Outlook mailboxes had been successfully migrated to the cloud, with migration of the data planned for next year, which would strengthen controls.
8.5 Dave had discussed cyber security with a contact at the Ministry of Justice who described similar awareness sessions and guidance that they had developed.
8.6 Dave also mentioned the roll out of Office 365 which had security benefits for sharing sensitive documents in a secure manner. Dave would look into potential options for sharing access to Office 365 with Committee members.
Dave confirmed that all but three employees had
now been security cleared to CTC or above.
- Dave to consider strengthening the advice to AMs and AMSS on their responsibilities around cyber security.
Corporate Risks Report
9.0 Item 9 - Corporate Risks Report
ACARAC (05-16) Paper 13 - Corporate Risks
ACARAC (05-16) Paper 13 – Annex A - Corporate Risks Summary Report
ACARAC (05-16) Paper 13 – Annex B - Corporate Risks plotted
9.1 The Committee felt that the management of risks in the organisation was strong. In response to comments about the lack of movement on the risk ratings, Dave advised that the risks were being continually monitored and that the Management Board would review the corporate risk register in full in December.
9.2 Officials responded as follows to a number of specific questions from Committee members:
· Dave assured the Committee that strict controlled access would be in place for contractors working on the ground floor refurbishment.
· Dave and Adrian Crompton confirmed that the risk around corporate capacity was regularly reviewed by the Management Board.
· Adrian provided assurance on the preparations being carried out to mitigate the risks around leaving the EU as far as possible at this stage. Practical steps included the restructuring of support for Assembly committees to accommodate the new External Affairs and Additional Legislation Committee and the establishment of a Constitutional Change Group, made up of senior officials who were meeting on a monthly basis. The risk would be continually monitored to take account of developments.
9.3 The Committee endorsed the approach of documenting such risks to provide clarity and transparency on their management.
Assembly Commission's Strategy 2016-21
10.0 Item 10 - Assembly Commission’s strategy 2016-21
ACARAC (05-16) Paper 14 – Strategy document 2016-21
Item 11 - Critical examination of one identified risk – emerging risks associated with new Commission Strategy
10.1 Claire presented an update on the Commission’s strategy, as announced in a press release from the Llywydd, which had been circulated in advance of this meeting to Committee members.
10.2 The focus of the discussion was on: future requirements for the Assembly estate; the capacity of the Assembly and potential for change if the Wales Bill is passed; and work to develop a youth parliament and enhanced use of digital information.
10.3 In response to questions from Committee members, Claire confirmed that options for funding the additional work around reconfiguring space in Tŷ Hywel would be largely funded from an expected under-spend in the Remuneration Board budget and postponing other projects if necessary.
10.4 Costs were yet to be clarified for the legislative aspects of the strategy, which would require the creation of a specialist team. Adrian explained that a group of experts would marshal the evidence that already existed (the Richard Commission, the Silk Commission, Wales Governance Centre reports etc.) on the number of new Assembly Members required, as well as potential electoral arrangements to deliver the changes. Options, including secondment of specialist staff from the Welsh Government, were being considered to keep costs to a minimum.
10.5 Claire advised that the Assembly Finance Committee had approved the 2017-18 budget strategy but noted that this had not included the costs of any future reform work. She also advised that the Committee had not yet reached a conclusion on the budgets beyond 2017-18. She emphasised that real pace was needed to respond to and deliver the Commission’s strategy.
10.6 Adrian updated the Committee on proposals to consult on the naming of the Assembly. The consultation documents would be launched in the coming weeks. Committee members urged officials to ensure that the consultation reached as wide an audience as possible, beyond those who already engage with the Assembly. Adrian confirmed that the Commission’s Outreach and Communications teams were actioning this.
- Adrian to update ACARAC on consultation and engagement regarding the Commission’s strategy
Critical examination of one identified risk - Emerging risks associated with new Commission Strategy
Finance Committee and Public Account Committee update
11.0 Finance Committee (FC) and Public Accounts Committee (PAC) update
ACARAC (05-16) Paper 15 – FC and PAC update
ACARAC (05-16) Paper 15 – Appendix 1 Letter to PAC
ACARAC (05-16) Paper 15 – Appendix 2 Letter to FC
ACARAC (05-16) Paper 15 – Annex to FC Budget 2017-18
ACARAC (05-16) Paper 15 – Appendix 3 FC report
ACARAC (05-16) Paper 15 – Appendix 4 FC & PAC update
11.1 Nia Morgan thanked Suzy and the Committee for their assistance in preparing for the Finance and Public Account Committees. She advised that two further responses were due to be sent to the Finance Committee.
11.2 The Committee welcomed the feedback and were pleased that the preparation had paid dividends.
2016-17 Budget update
12.0 2016-17 Budget update
ACARAC (05-16) Paper 16 – Finance update
12.1 Nia informed the Committee that the 1% target underspend was on track and she would work closely with the WAO to fully determine whether there were any capital implications for the works planned on the reconfiguration of Tŷ Hywel.
Update on replacement Finance system project
13.0 Update on replacement Finance system project
ACARAC (05-16) Paper 17 – Finance system project update
ACARAC (05-16) Paper 17 – Annex A – Dashboard
13.1 Adrian introduced the update paper and dashboard. Comprehensive project planning and preparation had resulted in identification of a capable supplier which was approved by the Investment and Resourcing Board in April. The Finance team and the project board were content with progress so far, with the project on track to complete all three phases by the end of the financial year.
13.2 Dave agreed with Adrian’s analysis of the capability of the supplier from an ICT perspective, especially their history of working with other public sector organisations.
13.3 The Committee were pleased to note that Keith would continue to act as a critical friend and officials agreed to ensure that the necessary documentation was circulated to him for comment. They also noted Gareth’s membership of the project board, which provided additional independent assurance. The Committee also noted that this demonstrated improvement in the project management capability of the organisation.
13.4 In response to questions from the Committee on the timescales for the project, especially considering the thorough User Acceptance Testing (UAT) required, Adrian and Nia agreed to revisit the ‘go live’ criteria, roll back and contingency plans with the project manager and board.
- Officials to engage Keith Baldwin in discussions around implementation of the Finance System Replacement Project and feed back to the Committee at the February meeting.
- Adrian and Nia to discuss the UAT, ‘go live’ criteria, roll back and contingency plans with the project manager and board.
Corporate performance report - mock KPI report
14.0 Corporate performance report – mock KPI report
ACARAC (05-16) Paper 18 – mock KPI report - cover paper as presented to the Commission
ACARAC (05-16) Paper 18 – Annex A - Mock KPI report
14.1 Committee members were impressed with the new KPI report, the format for which had been approved by the Commission in September. The format and content would be subject to continual review to ensure it remained fit for purpose and to take on board feedback from the Commission.
14.2 In response to questions from Committee members around the setting of performance targets, Dave confirmed that targets were set by Heads of Service, based on previous reports or on statutory compliance.
14.3 The Committee urged officials to be realistic about how achievable targets of 100% would be. They suggested that the report could include some outcome-based KPIs rather than just targets, average performance statistics of key systems and progress of key projects and programmes.
14.4 Dave agreed to consider the Committee’s suggestions and thanked Victoria for her hard work in reviewing and producing the new KPI report.
- KPI report to be circulated when published.
HR Payroll review
15.0 HR Payroll review
ACARAC (05-16) Paper 19 – HRP project review
15.1 The Committee welcomed this honest and useful review of the recent HR/Payroll project and urged officials to ensure future reviews captured benefits realisation and post implementation analysis.
Revised Risk Management Policy
16.0 Revised Risk Management Policy
ACARAC (05-16) Paper 20 – Risk Management Documentation – Cover Paper
ACARAC (05-16) Paper 20 – Part 1 Risk Management Policy
ACARAC (05-16) Paper 20 – Part 2 Risk Management Process
16.1 The Committee was pleased with the comprehensive Risk Management Policy and Process documents and that arrangements for risks and issues were captured in one document. The Committee suggested that templates included as annexes were populated with examples.
Update on presentation of ACARAC Annual Report to Assembly Commission in July
17.0 Update on presentation of ACARAC Annual Report to Assembly Commission in July
17.1 The Chair had attended the Assembly Commission meeting in July to present the Committee’s Annual Report. Suzy advised that, whilst the Commissioners had only been appointed for a matter of weeks, they welcomed the process.
17.2 The Clerking team would prepare a summary of the November ACARAC for Suzy to brief the Commission.
Forward Work Programme
18.0 Forward Work Programme
ACARAC (05-16) Paper 21 – Forward Work Programme
18.1 The Clerking team would update and circulate the Forward Work Programme.
19.0 Private session
19.1 Dave and Nia had attended a private session with members of the Committee prior to the meeting. No minutes were taken.