
Audit and Risk Committee Minutes 25.02.2021

Minutes of the Meeting of the Cardiff University Audit and Risk Committee held on Thursday 25 February 2021 by Zoom, at 10:00.

Present: Michael Hampson (Chair), Dónall Curtin, Dr Janet Wademan and Agnes Xavier-Phillips.

In Attendance: Professor Colin Riordan (Vice-Chancellor), Katherine Brieger (ARUP, for minute 898.28), Jason Clarke (PwC), Clare Eveleigh (Senior Auditor), Laura Hallez (Senior Risk Advisor), Phil Hodgson (ARUP, for minute 898.28), Rashi Jain (General Counsel and University Secretary), Alison Jarvis (Director of Financial Operations), Vari Jenkins (Minute-taker), Karl Jones (IT Services, for minute 898.5), Faye Lloyd (Head of Internal Audit), Paul Merison (TIAA, for minute 898.5), Dr Jonathan Nicholls (external observer), Ruth Robertson (Head of Corporate Governance), Claire Sanders (Chief Operating Officer) and Robert Williams (Chief Financial Officer).

892 Preliminaries


892.1 that apologies had been received from Jason Clarke, PwC, and Paul Benjamin;

892.2 that the Chair welcomed Dr Jonathan Nicholls, who is conducting the Governance Effectiveness Review 2021, as an observer.  Dr Nicholls provided the Committee with an introduction to his professional experience.

893 Matters arising from the minutes

Received and considered for information paper 20/445, ‘Matters arising from the previous meeting’.


893.1 that in relation to minute 867.5, following the ARUP report, procedures had been amended to reflect that procurement regulations will be reviewed if there are any changes to a scope;

893.2 Redacted;

893.3 Redacted;

893.4 Redacted;

893.5 that the £100M bond tap was successfully issued last week;

893.6 Redacted;

893.7 that in relation to minute 878.6, the difference in the numbers reported in the Complaints Report and the Letter of Assurance is due to two different measures.  The finance paper states the number of student and staff claims and the value thereon which is subject to accrual at the end of the year, based on the probability that a payment to settle will ensue.  The complaints paper relates to the actual claims paid during those periods;

893.8 that in relation to minute 881.4, the Chief Operating Officer had held a full discussion around risk with the University’s Executive Board and Head of Internal Audit.  The Internal Audit team are currently recruiting for a Senior Auditor and work is underway to undertake work already agreed.  Once the capacity for work is known, there will be further discussions around additional areas of activity.  A high level assurance map will help identify where work is focussed going forward;

893.9 that the External Audit Annual Review will be circulated to the Committee and members of Finance early next week.


893.10 to share the Financial Position paper received by Council in February, with the Committee.

893.11 to share the mapping against the requirements of HEFCW’s Financial Management Code with the Committee (minute 876.3).

894 Declarations of interest

894.1 There were no declarations of interest received.

895 Risk register

Received and considered for discussion paper 20/446C, ‘Risk Register’. The Vice-Chancellor was invited to speak to this item.


895.1 Redacted;

895.2 that the Council had discussed the benefits realisation of capital projects once buildings are operational.  The Estates and Infrastructure Sub-Committee and Investment and Banking Sub-Committee will review risk to ensure investments are generating the anticipated benefits.  Any matters which posed a significant risk would be brought to the attention of the Audit and Risk Committee;

895.3 Redacted;

895.4 that it is important to accurately reflect the risks identified with balanced and considered language;


895.5 the Chief Financial Officer and Senior Risk Advisor to review benefits realisation in the risk register;

895.6 the Vice-Chancellor, General Counsel and University Secretary and Senior Risk Advisor to revisit reference to China in the Risk Register to review if risks are appropriately reflected;

895.7 Senior Risk Advisor to provide an update on the development of the risk register and timeline at the June meeting.
The Senior Risk Advisor left the meeting after this item.

896 Live incidents

Received and considered for discussion paper 20/447HC, ‘Live Incidents’.  The Vice-Chancellor was invited to speak to this item.


896.1 that the weekly Coronavirus Task Force may move to fortnightly meetings, depending on the volatility of the situation.

896.2 Redacted;

896.3 Redacted;

896.4 that there is currently no litigation report to the Audit and Risk Committee.  A report on litigation with potential for high financial impact could help highlight implications for reputation and could be received as part of the reports and accounts;


896.5 General Counsel and University Secretary to review the availability and responsibility of litigation reporting and return a recommendation to Audit and Risk Committee for consideration.

897 Progress report 2020-2021 Internal Audit Programme

Received and considered for discussion paper 20/448C, ‘Progress Report Against Internal Audit Programme’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.


897.1 that the Internal Audit team is currently recruiting to a vacancy so there may be a risk of not completing the internal audit plan to schedule;

897.2 that all internal audit reports had been delivered in line with the agreed KPIs, which included the management responses;

897.3 Redacted;


897.4 Redacted;

898 Discussion points for Internal Audit reports

Received and considered for discussion paper 20/449C, ‘Discussion Points for Internal Audit Reports’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.

UUK Code of Practice for the Management of Student Housing


898.1 that a key emphasis in the report was on fire safety assurance.

CTR Pharmacovigilance


898.2 that there will be an audit on information security for the clinical trials unit.


898.3 the report would be reviewed by Committee members to determine if any further clarification was required around the security of personal data.



898.4 that the report identifies improvements required in skills and management available within the University, which will be taken forward over the summer;

PCI-DSS compliance


898.5 Paul Merison, TIAA, and Karl Jones, Assistant Director, University IT, joined the meeting for this item.  Paul Merison provided a summary of the report and recommendations;

898.6 that further funding and a project will be required to facilitate improvements, however significant progress has been made;

898.7 that there is a good IT infrastructure for detecting issues.  Working groups have been created for those involved in processing PCI-DSS transactions and individuals are undertaking mandatory training;

Cyber Security Maturity


898.8 Paul Merison provided a summary of the report and recommendations, followed by a presentation by Karl Jones, Assistant Director, University IT;

898.9 that University IT is working to achieve a level 3 maturity assessment across the range of areas as a minimum, which will require actions against User Education Awareness, Removable Media Control, Secure Configuration, Incident Management and Monitoring and Homeworking;

898.10 that implementing stringent Removable Media Control is not necessarily appropriate in a University context, where students in addition to staff use the IT network. Measures such as regular network scanning are in place to mitigate the risks of unmanaged devices;

898.11 that the General Counsel and University Secretary will be notified of any issues which require escalation;

898.12 that the Committee queried the risk associated with individuals using the University email account for personal emails;

898.13 that the University Executive Board are reviewing information security training compliance and exploring opportunities for emphasis via Personal Development Reviews and enforcement;


898.14 Chief Operating Officer to review the IT Policy to determine to what extent the use of email accounts for personal use is discouraged;

898.15 Committee Member to share their documents and applied questioning around Cyber Security;

898.16 General Counsel and University Secretary to provide the Committee with an outline plan at the next meeting, to identify how progress and performance against the Cyber Security recommendations will be monitored and reported back to the Audit and Risk Committee;

Karl Jones and Paul Merison left the meeting at the end of this item.

Education Data Governance


898.17 that an audit on education governance is planned in due course, which will address academic risk and explore how available data is utilised;

898.18 that there is no follow up report planned for this report;

898.19 that there are data rich reports available and further consideration may be given to which Committees receive them;

898.20 that it would be helpful in future to determine how the data is helping to aid our competitive position;

898.21 that the Vice-Chancellor’s Report would include any pertinent points that should be shared with Senate.



898.22 that Katherine Brieger and Phil Hodgson from ARUP joined the meeting to present a follow up report on CIC;

898.23 that Katherine Brieger presented the key findings and further recommendations identified in the report;

898.24 that a timeline is required for the outstanding recommendations;

898.25 that the appointment of a new project manager is in progress;

898.26 that the measures required in response to Covid restrictions have created additional charges for contractors;

898.27 the importance of embedding the lessons learned and procedures in institutional knowledge for the future.  The Project Management Office will reflect the findings in a document for future application;

898.28 that some aspects of the five case model for business cases are currently being applied.  A review is currently underway to determine whether the full model could be applied;

898.29 that the ARUP follow-up report will be considered by the Estates and Infrastructure Sub-Committee.


898.30 to update the committee on progress against recommendations of the CIC report at the October meeting.

899 Follow-up of highly rated recommendations report

Received and considered for decision, paper 20/450, ‘Follow-up of highly rated recommendations report’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.


899.1 that substantial progress had been made and that the control environment is improving;

899.2 that a report on Estates maintenance is going to Council via the Health, Safety and Environment Committee, as statutory maintenance is a health and safety matter.  It will report that recommendations are in place and progress being made.

900 Finance Regulations review – update

Received and noted paper 20/457C, ‘Financial Regulations Review – Update’. Alison Jarvis, Director for Financial Operations, was invited to speak to this item.


900.1 that there has been consultation with stakeholders across the University to understand how finance policies are used across different areas of activity to ensure that policies are effective.  The authority and delegation of responsibility has been reviewed to ensure that financial policies are being considered at the correct level and practices are embedded and training needs identified.

901 External Audit contract update

Received and considered for recommendation paper 20/458C, ‘External Audit Contract’. Rob Williams, Chief Financial Officer, was invited to speak to this item.


901.1 that the open tender is due to commence in early March and complete by the end of the Summer 2021;

901.2 that the contract will be for an initial 5 year period.


901.3 that the Chair of the Audit and Risk Committee and one independent lay member would participate in the recruitment panel;

901.4 Chief Financial Officer to consider whether to include knowledge of intellectual property when preparing the requirements for the external audit tender.

902 Review of Constitution & Membership 2020/2021

Received and considered for recommendation paper 20/452, ‘Audit and Risk Committee Terms of Reference’. Rashi Jain, General Counsel and University Secretary, was invited to speak to this item.


902.1 that culture (item 1g of the Terms of Reference) would be discussed at a future meeting to determine how the Committee would best support this area of activity;

902.2 that item 3d be removed pending completion of work on the scheme of delegation for policy approvals;

902.3 that the University’s Crisis Communication Policy, which was reviewed last year, was integral to incident management, and managed in conjunction with the Communications Team.


902.4 to ensure that the terms of reference reflected the latest updates to the CUC HE Audit Code of Practice;

902.5 that subject to the above amendments, the Committee recommend the revised Terms of Reference for the Audit and Risk Committee for 2020/21, to Council for approval;

902.6 to confirm when the Crisis Communication Policy was last reviewed and circulate a copy to members of the Committee.

903 Any other business

Academic Assurance

903.1 that the Chair of the Committee had spoken with the Chair of Audit Committee at Southampton University to discuss the role of the Committee in academic assurance;

903.2 that the quality assurance system in England is now significantly different to that in Wales, where assurance remains with the QAA; Council draws its assurance from the QAA findings;

903.3 that there is a Council lay member on the Academic Standards and Quality Committee, who would raise any issues that needed to be drawn to the Audit and Risk Committee’s attention;

903.4 that the Pro Vice Chancellor for Education and Student Experience could be approached to update the Committee if more information on the University’s system of academic assurance was required.

Committee Coversheets


903.6 a proposal from the Committee Secretary that, in order to support the Committee in monitoring risk management, the committee paper cover sheet should include explicit reference to any risk implications in the paper;


903.7 that the committee paper coversheet would identify any risk management implications within the content of the paper being presented to the Committee.

Review of Risk Register


903.8 that there were no matters which required further consideration of the severity of the risk identified in the register.


903.9 that there would be a standing item under Any Other Business to ask the Committee if there is anything the Committee has heard during the meeting that has altered their views on the severity of the risks identified in the register.

904 Minutes from the previous Meeting

Received for information paper 20/289, ‘Minutes – Audit and Risk Committee 16 November 2020’ and paper 20/385C ‘Minutes – Audit and Risk Committee 18 January 2021’. The Chair spoke to this item.


904.1 the minutes of the meeting held on 16 November 2020 and 18 January 2021 were approved as a true and accurate record.

905 Agenda for the next meeting

Received for discussion paper 20/453, ‘Agenda for the Next Meeting’. The Chair spoke to this item.


905.1 that the Committee was satisfied with the provisional agenda.

906 Serious Incident Reporting Framework

Received for information paper 20/451, ‘Serious Incident Reporting Framework’.


906.1 that the paper provided an update on the progress of the framework.

907 Financial Irregularities Report

Alison Jarvis, Director of Financial Operations, was invited to speak to this item.


907.1 that there are no financial irregularities to report.

908 Receipt of Governance Committee Minutes


908.1 that the minutes of the Governance Committee on 9 November 2020 and 22 January 2021 had been received by the Committee;

908.2 that in future, minutes received for the Committee’s information would be circulated once they had been approved by the Chair, and not included within the meeting book.

909 CUC HE Audit Committee Code of Practice (May 2020)

Received for information paper 20/455 ‘CUC HE Audit Committee Code of Practice’.


909.1 that the Committee received the summary of changes from the previous HE CUC Audit Code.

910 In-camera

Following the meeting of the Audit and Risk Committee, an in-camera was held. Only the members of the Audit and Risk Committee and the Head of Internal Audit were present.