Audit and Risk Committee Minutes 29 June 2021

Minutes of the meeting of the Cardiff University Audit and Risk Committee held on Tuesday 29 June 2021 by Zoom, at 14:00.

Present: Michael Hampson (Chair), Paul Benjamin, Dónall Curtin, Dr Janet Wademan and Agnes Xavier-Phillips.

In Attendance: Professor Colin Riordan (Vice-Chancellor), Jason Clarke (PwC), Clare Eveleigh (Senior Auditor), Owen Hadall (Assistant Director, IT Service and Operations, for minute 915, Laura Hallez (Senior Risk Advisor), Rashi Jain (General Counsel and University Secretary), Alison Jarvis (Director of Financial Operations), Vari Jenkins (Minute-taker), Faye Lloyd (Head of Internal Audit), Carys Moreland (Senior Internal Auditor), Catrin Morgan, Head of Compliance and Risk for minute 914), Ruth Robertson (Head of Corporate Governance), Claire Sanders (Chief Operating Officer) and Robert Williams (Chief Financial Officer).

911 Preliminaries

Noted

911.1 that apologies had been received from Ian Davies, PwC;

911.2 that the Chair welcomed Carys Morland, Senior Internal Auditor, to her first meeting of the Audit and Risk Committee.

912 Matters arising from the minutes

Received and considered paper 20/720 ‘Matters arising from the previous meeting’. The Chair spoke to this item.

Noted

912.1 that all items have either been completed or are covered under the agenda

912.2 that an update on Benefits Realisation will be reported at the next meeting;

912.3 Redacted

912.4 that the committee wished to receive a response to a set of cyber security questions provided to the Chair of the committee by a lay member;

912.5 that the Crisis Communication plan is due to be updated at the start of the next academic session;

912.6 that the use of emails for personal use is limited as set out in the Acceptable Use Policy of the IT Regulations and communicated via university training.

913 Declarations of Interest

Noted

913.1 that there were no declarations of interest received.

914 Revised Whistleblowing Policy

Received paper 20/721 ‘Revised Whistleblowing Policy’. Catrin Morgan, Head of Compliance and Risk spoke to this item.

Noted

914.1 that there is a requirement for an annual report;

914.2 that it would be helpful to report a nil return to the committee if there aren’t any incidents to report;

914.3 that harassment cases would fall within the Dignity at Work and Study Policy.

Resolved

914.4 to recommend the revised Whistleblowing Policy to Council for approval.

915 Cyber Security Dashboard template

Received paper 20/722 ‘Cyber Security Dashboard Template’. Owen Hadall, Assistant Director, IT Service and Operations, spoke to this item.

Noted

915.1 that it would be helpful to limit the number of metrics presented to those which will assist Council in terms of monitoring trends, and to include predictive metrics to help identify changes and action required;

915.2 The Committee would welcome oversight of the resilience testing;

915.3 that consideration could be given to the use of existing templates within the sector.  It was noted that Gartner Consulting will help to identify possible templates;

915.4 that disaster recovery and business continuity are being considered holistically and ‘walk through’ scenarios are being conducted to determine how specific types of information security incidents would be managed (e.g. the University response to ransomware attacks);

915.5  that Better Ways of Working is looking at potential cyber security implications as a result of home working.  It was noted that over 3,500 laptops have been issued to staff, with the laptop build being certified to Cyber Security Standards (NCSC).  Two factor authentication has also recently been rolled out to all staff with the roll out to students in the planning stages to consider the timing and mechanisms;

Resolved

915.7 the Assistant Director, IT Service and Operations, to consider the inclusion of predictive metrics in the dashboard;

915.8  the Assistant Director, IT Service and Operations, to feedback to the Committee on the outcome of the discussions regarding Disaster Recovery and Business Continuity;

915.9 the Assistant Director, IT Service and Operations, and the University Secretary to review the policy for emails for personal use;

915.10 the Assistant Director, IT Service and Operations, to consult TIAA on the proposed dashboard given their involvement in the internal audit of our systems;

915.11 the Cyber Security Dashboard is to be presented to next meeting of the Audit and Risk Committee.

The Assistant Director, IT Service and Operations, left at the end of this item.

916 Minutes from the previous meeting

Received for discussion paper 20/459, ‘Minutes – Audit and Risk Committee 25 February 2021’. The Chair spoke to this item.

Noted

916.1 that Minute 910 should be amended to reflect that the University Secretary was in attendance at the in-camera session, along with Dr Jonathan Nicholls, as an observer for the Governance Effectiveness Review, and Jason Clarke, PwC, for part of the session.

Resolved

916.2 the minutes of the meeting held on 25 February were approved as a true and accurate record, with the amendment to point 910.

917 Live Incidents

Received and considered for discussion paper 20/723HC, ‘Live Incidents’.  The Vice-Chancellor was invited to speak to this item.

Noted

917.1 Redacted

917.2 Redacted

The Head of Compliance and Risk left at the end of this item.

918 Risk Register

Received and considered for discussion paper 20/724C, ‘Risk Register’. The Vice-Chancellor was invited to speak to this item.

Noted

918.1 that risks have changed in the past month since the register was considered by UEB;

918.2 that an announcement from the Welsh Government is imminent to confirm the teaching of up to 30 students in a class without social distancing, which will increase the capacity in lecture rooms.  However, some teaching may continue to be delivered remotely;

918.3 Redacted

918.4 Redacted

918.5 Redacted

918.6 Redacted

918.7 that there is proactive planning to maintain teaching and research space and University Residences;

918.8 that the Equality, Diversity and Inclusion (EDI) Sub-Committee oversees EDI activity with three strands of work feeding into the sub-committee which reports to the Governance Committee.  The annual Strategic Equality Plan sets out the objectives of the University and the progress against it;

918.9 that the REF results are expected at end of March 2021.  UEB recently reviewed the equality impact assessments to analyse outcomes and identify areas for improvements across research equality;

918.10 that the carbon net zero board currently advises UEB of any significant resource requirements, as well advising on the technical and specialist related activities;

918.11 that Appendix A of the risk register did not need to be presented to Council, following scrutiny by the Audit and Risk Committee.

Resolved

918.12 Redacted

919 Development of the Risk Register – update

Laura Hallez, Senior Risk Advisor, presented this item.

Noted

919.1 Redacted

919.2 Redacted

919.3 Redacted

Resolved

919.4 Revised register template and risk appetite to be presented to the Audit and Risk Committee for consideration;

919.5 to include a standard item on developing risks in future risk registers.

920 Internal Audit strategy and plan 2021/22

Received and considered for discussion paper 20/725, ‘Internal Audit Strategy and Plan 2021/22’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.

Noted

920.1 Redacted

920.2 Redacted

920.3 Redacted

920.4 that an audit on workload planning and resource allocation may be helpful;

920.5 that benchmarking against the audit work of other institutions of a similar size may be helpful to consider whether more audits and resource are required;

920.6 that the University is comparable with benchmarking provided by the Council of Higher Education Internal Auditors (CHIER) and British Universities Finance Directors Group  (BUFDG) surveys;

920.7 that environmental sustainability will be built in to the internal audit schedule for early 2022/23 plan. Plans to schedule work later than this could impact on the ability for work across environmental sustainability to mature.

Resolved

920.8 the in-camera session should consider the benefits of inviting an external view to the Audit and Risk Committee to give challenge and an alternative perspective to the planned approach for internal audits;

920.9 to invite the Director of HR and Chief Financial Officer to talk to the Committee regarding arrangements for workload planning and resource, to determine the associated risk;

920.10 to approve the Internal Audit Strategy and Plan 2021/22.

921 Progress report 2020-2021 Internal Audit Programme

Received and considered for discussion paper 20/726C, ‘Progress Report Against Internal Audit Programme. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.

Noted

921.1 that key performance indicators are being met and there has been a noticeable improvement over the past year;

921.2 that there was some disruption during the year, following staff changes.  Contingency, advice and support provided by the internal audit team was reviewed to redistribute resource, and completion of the scheduled audit plan was prioritised;

921.3 Redacted

Resolved

921.4 Chief Operating Officer and Chief Financial Officer to review suggestions made by the Head of Internal Audit to provide assurance of value for money, and update the Committee at its meeting in October;

921.5 to circulate the agreed assurance plan to the committee for consideration, prior to the next meeting.

922 Discussion points for Internal Audit reports

Received and considered for discussion paper 20/727C, ‘Discussion Points for Internal Audit Reports’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.

Treasury Management

Noted

922.1 that work is ongoing to update policies alongside the financial regulations, and evidence of value for money;

922.2 progress against the agreed recommendations are already underway, delivering helpful changes to the treasury function and across the team.

Counter-fraud and anti-bribery arrangements

Noted

922.3 Redacted

922.4 Redacted

Resolved

922.5 an update on ownership of counter-fraud and anti-bribery arrangements to be confirmed at the next meeting;

922.6 to bring the Risk Assurance Mapping Support internal audit report back to the committee for discussion as a separate item at the October meeting.

PCI-DSS Compliance Support

Noted

922.7 that TIAA had supported the development of these actions;

922.8 Redacted

922.9 Redacted

Research Income Forecasting

Noted

922.10 that there has been improved budgeting and forecasting in schools, and improvements made to the University’s finance systems, along with a review of roles and responsibilities within schools;

922.11 that a review of the strategic direction of research has identified the types of awards the University wishes to pursue and benefits these would delivered.

923 Follow-up of highly rated recommendations report

Received and considered for decision, paper 20/728C, ‘Follow-up of highly rated recommendations report’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.

Noted

923.1 that improvements continue to be made against the recommendations, noting that some actions are due for review in July 2021 which may add to the outstanding recommendations;

923.2 Redacted

923.3 that service level agreements between the University and Cardiff and Vale Health Board are being reviewed;

923.4 that staff mandatory training is on going and continues to be addressed via annual personal development reviews.  Individual alerts will be set up, along with a communications campaign to remind staff of the importance and requirement to complete it.  It was noted that the completion rates within the College of Arts, Humanities and Social Sciences were lower and that discussions were in train with the College Registrar

924 External Audit plan for the financial year end activities 31.07.21

Received and considered for decision, paper 20/729C, ‘External Audit Plan for the Financial Year End Activities 31.07.21’. Jason Clarke, PwC, was invited to speak to this item.

Noted

924.1 that senior officers should not seek or receive personal financial or tax advice from PwC.  Non-executives who receive such advice from PwC (e.g. in connection with employment by a client of the firm) or who also act as director for another audit or advisory client of the firm should notify PwC so that appropriate conflict management arrangements can be put in place;
924.2 that PwC confirmed that their internal checks should identify such individuals, but it would also be helpful if members of Council identified themselves if this was the case;

924.3 that there were two changes proposed to the year end activities.  These related to going concern given the work involved in 2020/21; and a full exercise undertaken on any estimates within balances on the financial statements to determine where on the scale these sit;

924.4 that the external fee proposal had been discussed with Chief Financial Officer.  The fee remains in lower quartile, but is an increase in previous years;

924.5 that student debt recoverability, recovery of assets, research income and USS pensions will remain considerations for this year’s external audit;

924.6 that the Government’s Department for Business, Energy and Industrial Strategy (BEIS) consultation is considering increased transparency around risk management and disclosures, and increased responsibility for non executive directors for overseeing the publication of financial accounts (which would include Audit Committees).  Changes are likely to impact in 2022/23 onwards.  The Chief Financial Officer will send a response to the BEIS consultation and continue to brief the Committee on the consultation.

Resolved

924.7 to draw to the attention of Council members the provisions in Minute 924.1 above;

924.8 Chief Financial Officer to present a paper to outline action taken to prevent fraudulent activities;

924.9 to approve the agreed the External Audit Plan for the Financial Year End Activities 31 June 2021.

925 External Audit contract update

Received and considered an oral report from Rob Williams, Chief Financial Officer.

Noted

925.1 the initial tender was unsuccessful in that it generated only one response.  A second tender exercise has to be carried out in order to ensure that the regulatory requirement for consideration of at least two competitive bids is met.  The requirements of the new tender will be revised to remove the requirement to have higher education experience.  This approach has been successful in other higher education institutions who faced similar challenges;

925.2 that all members of the Audit and Risk Committee will be required to consider the appointment of the external auditors.

926 Annual review of External Audit

Received and considered for decision, paper 20/730C, ‘Annual Review of External Audit’. The Chair spoke to this item.

926.1 that the Committee would welcome regular communication and updates from PwC regarding issues in the sector;

Resolved

926.2 Chair of Audit and Risk Committee to discuss communication with PwC at an in-camera session.

927  Post meeting Risk Register review

Noted

927.1 that the Committee agreed that the information received at the Committee is accurately reflected by the risk register, and they did not have any further matters to raise.

928 Any other business

Resolved

928.1 to arrange a one hour session towards the end of July, with the Pro Vice-Chancellor Education and Student Experience, the Head of Internal Audit and Audit and Risk Committee members, to discuss how the Committee can discharge its responsibilities for assurance of academic quality and standards;

928.2 the Vice-Chancellor and University Secretary are to discuss the academic assurance session with the Pro Vice-Chancellor Education and Student Experience.

929 Schedule of committee business for 2021/22

Received and considered, paper 20/738 ‘Schedule of Committee Business for 2021/22’. The Chair spoke to this item.

Resolved

929.1 that the schedule should include the annual effectiveness review of the Audit and Risk Committee.  The methodology for the review is to be determined;

929.2 to approve the 2021/22 schedule of committee business for the year, subject to the amendment above;

929.3 to recommend to Council that approval powers be delegated in respect of the reports/statements highlighted in bold.

930 Items received for information

Financial Regulations Review Update

Received and considered an oral report from Alison Jarvis, Director of Financial Operations.

Noted

930.1 that work on the review of all policies had commenced and a number of policies had been produced and updated.  Finance have also been working with the Corporate Governance Team to review the levels of authority for approval.

The Committee NOTED the following papers:

Paper 20/732C Assessment Panel report under the University’s Whistleblowing Policy

Paper 20/735  Framework for the reporting of serious incidents or failures

Paper 20/736HC Serious Incident Report

Paper 20/733C Information Security Training Compliance Update

Paper 20/737C  Mapping against the requirements of HEFCW’s Financial Management Code for 2019/20

Paper 20/739 Annual Report and Financial Statements Template – new format

Paper 20/740 Queen’s Speech 2021 – implications for higher education

Resolved

930.2 to ensure that the Assessment Panel reflected those set out in the Terms of Reference (paper 20/732C);

930.3 for the Chief Operating Officer to provide the Committee with an update on how the university will achieve compliance with the mandatory Information Security Training and the planned trajectory of travel;

930.4 to review the format in which the Committee will receive assurance of compliance with the HEFCW’s Financial Management Code, rather than the full mapping exercise.

931 In-camera

Following the meeting of the Audit and Risk Committee, an in-camera was held. Only the members of the Audit and Risk Committee, the Head of Internal Audit, the external auditors and the University Secretary were present.