Audit and Risk Committee Minutes 29 June 2021
- Last updated:
- Download this document (PDF, 145.2 KB)
Minutes of the meeting of the Cardiff University Audit and Risk Committee held on Tuesday 29 June 2021 by Zoom, at 14:00.
Present: Michael Hampson (Chair), Paul Benjamin, Dónall Curtin, Dr Janet Wademan and Agnes Xavier-Phillips.
In Attendance: Professor Colin Riordan (Vice-Chancellor), Jason Clarke (PwC), Clare Eveleigh (Senior Auditor), Owen Hadall (Assistant Director, IT Service and Operations, for minute 915, Laura Hallez (Senior Risk Advisor), Rashi Jain (General Counsel and University Secretary), Alison Jarvis (Director of Financial Operations), Vari Jenkins (Minute-taker), Faye Lloyd (Head of Internal Audit), Carys Moreland (Senior Internal Auditor), Catrin Morgan, Head of Compliance and Risk for minute 914), Ruth Robertson (Head of Corporate Governance), Claire Sanders (Chief Operating Officer) and Robert Williams (Chief Financial Officer).
911 Preliminaries
Noted
911.1 that apologies had been received from Ian Davies, PwC;
911.2 that the Chair welcomed Carys Morland, Senior Internal Auditor, to her first meeting of the Audit and Risk Committee.
912 Matters arising from the minutes
Received and considered paper 20/720 ‘Matters arising from the previous meeting’. The Chair spoke to this item.
Noted
912.1 that all items have either been completed or are covered under the agenda
912.2 that an update on Benefits Realisation will be reported at the next meeting;
912.3 Redacted
912.4 that the committee wished to receive a response to a set of cyber security questions provided to the Chair of the committee by a lay member;
912.5 that the Crisis Communication plan is due to be updated at the start of the next academic session;
912.6 that the use of emails for personal use is limited as set out in the Acceptable Use Policy of the IT Regulations and communicated via university training.
913 Declarations of Interest
Noted
913.1 that there were no declarations of interest received.
914 Revised Whistleblowing Policy
Received paper 20/721 ‘Revised Whistleblowing Policy’. Catrin Morgan, Head of Compliance and Risk spoke to this item.
Noted
914.1 that there is a requirement for an annual report;
914.2 that it would be helpful to report a nil return to the committee if there aren’t any incidents to report;
914.3 that harassment cases would fall within the Dignity at Work and Study Policy.
Resolved
914.4 to recommend the revised Whistleblowing Policy to Council for approval.
915 Cyber Security Dashboard template
Received paper 20/722 ‘Cyber Security Dashboard Template’. Owen Hadall, Assistant Director, IT Service and Operations, spoke to this item.
Noted
915.1 that it would be helpful to limit the number of metrics presented to those which will assist Council in terms of monitoring trends, and to include predictive metrics to help identify changes and action required;
915.2 The Committee would welcome oversight of the resilience testing;
915.3 that consideration could be given to the use of existing templates within the sector. It was noted that Gartner Consulting will help to identify possible templates;
915.4 that disaster recovery and business continuity are being considered holistically and ‘walk through’ scenarios are being conducted to determine how specific types of information security incidents would be managed (e.g. the University response to ransomware attacks);
915.5 that Better Ways of Working is looking at potential cyber security implications as a result of home working. It was noted that over 3,500 laptops have been issued to staff, with the laptop build being certified to Cyber Security Standards (NCSC). Two factor authentication has also recently been rolled out to all staff with the roll out to students in the planning stages to consider the timing and mechanisms;
Resolved
915.7 the Assistant Director, IT Service and Operations, to consider the inclusion of predictive metrics in the dashboard;
915.8 the Assistant Director, IT Service and Operations, to feedback to the Committee on the outcome of the discussions regarding Disaster Recovery and Business Continuity;
915.9 the Assistant Director, IT Service and Operations, and the University Secretary to review the policy for emails for personal use;
915.10 the Assistant Director, IT Service and Operations, to consult TIAA on the proposed dashboard given their involvement in the internal audit of our systems;
915.11 the Cyber Security Dashboard is to be presented to next meeting of the Audit and Risk Committee.
The Assistant Director, IT Service and Operations, left at the end of this item.
916 Minutes from the previous meeting
Received for discussion paper 20/459, ‘Minutes – Audit and Risk Committee 25 February 2021’. The Chair spoke to this item.
Noted
916.1 that Minute 910 should be amended to reflect that the University Secretary was in attendance at the in-camera session, along with Dr Jonathan Nicholls, as an observer for the Governance Effectiveness Review, and Jason Clarke, PwC, for part of the session.
Resolved
916.2 the minutes of the meeting held on 25 February were approved as a true and accurate record, with the amendment to point 910.
917 Live Incidents
Received and considered for discussion paper 20/723HC, ‘Live Incidents’. The Vice-Chancellor was invited to speak to this item.
Noted
917.1 Redacted
917.2 Redacted
The Head of Compliance and Risk left at the end of this item.
918 Risk Register
Received and considered for discussion paper 20/724C, ‘Risk Register’. The Vice-Chancellor was invited to speak to this item.
Noted
918.1 that risks have changed in the past month since the register was considered by UEB;
918.2 that an announcement from the Welsh Government is imminent to confirm the teaching of up to 30 students in a class without social distancing, which will increase the capacity in lecture rooms. However, some teaching may continue to be delivered remotely;
918.3 Redacted
918.4 Redacted
918.5 Redacted
918.6 Redacted
918.7 that there is proactive planning to maintain teaching and research space and University Residences;
918.8 that the Equality, Diversity and Inclusion (EDI) Sub-Committee oversees EDI activity with three strands of work feeding into the sub-committee which reports to the Governance Committee. The annual Strategic Equality Plan sets out the objectives of the University and the progress against it;
918.9 that the REF results are expected at end of March 2021. UEB recently reviewed the equality impact assessments to analyse outcomes and identify areas for improvements across research equality;
918.10 that the carbon net zero board currently advises UEB of any significant resource requirements, as well advising on the technical and specialist related activities;
918.11 that Appendix A of the risk register did not need to be presented to Council, following scrutiny by the Audit and Risk Committee.
Resolved
918.12 Redacted
919 Development of the Risk Register – update
Laura Hallez, Senior Risk Advisor, presented this item.
Noted
919.1 Redacted
919.2 Redacted
919.3 Redacted
Resolved
919.4 Revised register template and risk appetite to be presented to the Audit and Risk Committee for consideration;
919.5 to include a standard item on developing risks in future risk registers.
920 Internal Audit strategy and plan 2021/22
Received and considered for discussion paper 20/725, ‘Internal Audit Strategy and Plan 2021/22’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.
Noted
920.1 Redacted
920.2 Redacted
920.3 Redacted
920.4 that an audit on workload planning and resource allocation may be helpful;
920.5 that benchmarking against the audit work of other institutions of a similar size may be helpful to consider whether more audits and resource are required;
920.6 that the University is comparable with benchmarking provided by the Council of Higher Education Internal Auditors (CHIER) and British Universities Finance Directors Group (BUFDG) surveys;
920.7 that environmental sustainability will be built in to the internal audit schedule for early 2022/23 plan. Plans to schedule work later than this could impact on the ability for work across environmental sustainability to mature.
Resolved
920.8 the in-camera session should consider the benefits of inviting an external view to the Audit and Risk Committee to give challenge and an alternative perspective to the planned approach for internal audits;
920.9 to invite the Director of HR and Chief Financial Officer to talk to the Committee regarding arrangements for workload planning and resource, to determine the associated risk;
920.10 to approve the Internal Audit Strategy and Plan 2021/22.
921 Progress report 2020-2021 Internal Audit Programme
Received and considered for discussion paper 20/726C, ‘Progress Report Against Internal Audit Programme. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.
Noted
921.1 that key performance indicators are being met and there has been a noticeable improvement over the past year;
921.2 that there was some disruption during the year, following staff changes. Contingency, advice and support provided by the internal audit team was reviewed to redistribute resource, and completion of the scheduled audit plan was prioritised;
921.3 Redacted
Resolved
921.4 Chief Operating Officer and Chief Financial Officer to review suggestions made by the Head of Internal Audit to provide assurance of value for money, and update the Committee at its meeting in October;
921.5 to circulate the agreed assurance plan to the committee for consideration, prior to the next meeting.
922 Discussion points for Internal Audit reports
Received and considered for discussion paper 20/727C, ‘Discussion Points for Internal Audit Reports’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.
Treasury Management
Noted
922.1 that work is ongoing to update policies alongside the financial regulations, and evidence of value for money;
922.2 progress against the agreed recommendations are already underway, delivering helpful changes to the treasury function and across the team.
Counter-fraud and anti-bribery arrangements
Noted
922.3 Redacted
922.4 Redacted
Resolved
922.5 an update on ownership of counter-fraud and anti-bribery arrangements to be confirmed at the next meeting;
922.6 to bring the Risk Assurance Mapping Support internal audit report back to the committee for discussion as a separate item at the October meeting.
PCI-DSS Compliance Support
Noted
922.7 that TIAA had supported the development of these actions;
922.8 Redacted
922.9 Redacted
Research Income Forecasting
Noted
922.10 that there has been improved budgeting and forecasting in schools, and improvements made to the University’s finance systems, along with a review of roles and responsibilities within schools;
922.11 that a review of the strategic direction of research has identified the types of awards the University wishes to pursue and benefits these would delivered.
923 Follow-up of highly rated recommendations report
Received and considered for decision, paper 20/728C, ‘Follow-up of highly rated recommendations report’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.
Noted
923.1 that improvements continue to be made against the recommendations, noting that some actions are due for review in July 2021 which may add to the outstanding recommendations;
923.2 Redacted
923.3 that service level agreements between the University and Cardiff and Vale Health Board are being reviewed;
923.4 that staff mandatory training is on going and continues to be addressed via annual personal development reviews. Individual alerts will be set up, along with a communications campaign to remind staff of the importance and requirement to complete it. It was noted that the completion rates within the College of Arts, Humanities and Social Sciences were lower and that discussions were in train with the College Registrar
924 External Audit plan for the financial year end activities 31.07.21
Received and considered for decision, paper 20/729C, ‘External Audit Plan for the Financial Year End Activities 31.07.21’. Jason Clarke, PwC, was invited to speak to this item.
Noted
924.1 that senior officers should not seek or receive personal financial or tax advice from PwC. Non-executives who receive such advice from PwC (e.g. in connection with employment by a client of the firm) or who also act as director for another audit or advisory client of the firm should notify PwC so that appropriate conflict management arrangements can be put in place;
924.2 that PwC confirmed that their internal checks should identify such individuals, but it would also be helpful if members of Council identified themselves if this was the case;
924.3 that there were two changes proposed to the year end activities. These related to going concern given the work involved in 2020/21; and a full exercise undertaken on any estimates within balances on the financial statements to determine where on the scale these sit;
924.4 that the external fee proposal had been discussed with Chief Financial Officer. The fee remains in lower quartile, but is an increase in previous years;
924.5 that student debt recoverability, recovery of assets, research income and USS pensions will remain considerations for this year’s external audit;
924.6 that the Government’s Department for Business, Energy and Industrial Strategy (BEIS) consultation is considering increased transparency around risk management and disclosures, and increased responsibility for non executive directors for overseeing the publication of financial accounts (which would include Audit Committees). Changes are likely to impact in 2022/23 onwards. The Chief Financial Officer will send a response to the BEIS consultation and continue to brief the Committee on the consultation.
Resolved
924.7 to draw to the attention of Council members the provisions in Minute 924.1 above;
924.8 Chief Financial Officer to present a paper to outline action taken to prevent fraudulent activities;
924.9 to approve the agreed the External Audit Plan for the Financial Year End Activities 31 June 2021.
925 External Audit contract update
Received and considered an oral report from Rob Williams, Chief Financial Officer.
Noted
925.1 the initial tender was unsuccessful in that it generated only one response. A second tender exercise has to be carried out in order to ensure that the regulatory requirement for consideration of at least two competitive bids is met. The requirements of the new tender will be revised to remove the requirement to have higher education experience. This approach has been successful in other higher education institutions who faced similar challenges;
925.2 that all members of the Audit and Risk Committee will be required to consider the appointment of the external auditors.
926 Annual review of External Audit
Received and considered for decision, paper 20/730C, ‘Annual Review of External Audit’. The Chair spoke to this item.
926.1 that the Committee would welcome regular communication and updates from PwC regarding issues in the sector;
Resolved
926.2 Chair of Audit and Risk Committee to discuss communication with PwC at an in-camera session.
927 Post meeting Risk Register review
Noted
927.1 that the Committee agreed that the information received at the Committee is accurately reflected by the risk register, and they did not have any further matters to raise.
928 Any other business
Resolved
928.1 to arrange a one hour session towards the end of July, with the Pro Vice-Chancellor Education and Student Experience, the Head of Internal Audit and Audit and Risk Committee members, to discuss how the Committee can discharge its responsibilities for assurance of academic quality and standards;
928.2 the Vice-Chancellor and University Secretary are to discuss the academic assurance session with the Pro Vice-Chancellor Education and Student Experience.
929 Schedule of committee business for 2021/22
Received and considered, paper 20/738 ‘Schedule of Committee Business for 2021/22’. The Chair spoke to this item.
Resolved
929.1 that the schedule should include the annual effectiveness review of the Audit and Risk Committee. The methodology for the review is to be determined;
929.2 to approve the 2021/22 schedule of committee business for the year, subject to the amendment above;
929.3 to recommend to Council that approval powers be delegated in respect of the reports/statements highlighted in bold.
930 Items received for information
Financial Regulations Review Update
Received and considered an oral report from Alison Jarvis, Director of Financial Operations.
Noted
930.1 that work on the review of all policies had commenced and a number of policies had been produced and updated. Finance have also been working with the Corporate Governance Team to review the levels of authority for approval.
The Committee NOTED the following papers:
Paper 20/732C Assessment Panel report under the University’s Whistleblowing Policy
Paper 20/735 Framework for the reporting of serious incidents or failures
Paper 20/736HC Serious Incident Report
Paper 20/733C Information Security Training Compliance Update
Paper 20/737C Mapping against the requirements of HEFCW’s Financial Management Code for 2019/20
Paper 20/739 Annual Report and Financial Statements Template – new format
Paper 20/740 Queen’s Speech 2021 – implications for higher education
Resolved
930.2 to ensure that the Assessment Panel reflected those set out in the Terms of Reference (paper 20/732C);
930.3 for the Chief Operating Officer to provide the Committee with an update on how the university will achieve compliance with the mandatory Information Security Training and the planned trajectory of travel;
930.4 to review the format in which the Committee will receive assurance of compliance with the HEFCW’s Financial Management Code, rather than the full mapping exercise.
931 In-camera
Following the meeting of the Audit and Risk Committee, an in-camera was held. Only the members of the Audit and Risk Committee, the Head of Internal Audit, the external auditors and the University Secretary were present.