
Audit and Risk Committee minutes 5 October 2021

Minutes of the meeting of the Cardiff University Audit and Risk Committee held on Tuesday 5 October 2021 by Zoom, at 09:00.

Present: Michael Hampson (Chair), Paul Benjamin, Dónall Curtin, Dr Janet Wademan and Agnes Xavier-Phillips.

In attendance: Professor Colin Riordan (Vice-Chancellor), Jason Clarke (PwC), Clare Eveleigh (Senior Auditor), Bruna Gil (Governor Apprentice), Owen Hadall (Assistant Director, IT Service and Operations) for minute 943, Laura Hallez (Senior Risk Advisor), Rashi Jain (General Counsel and University Secretary), Alison Jarvis (Director of Financial Operations), Vari Jenkins (Minute-taker), Faye Lloyd (Head of Internal Audit), Sue Midha (Director of HR) up to minute 938, Carys Moreland (Senior Internal Auditor), Ruth Robertson (Head of Corporate Governance), Claire Sanders (Chief Operating Officer) and Robert Williams (Chief Financial Officer).

932 Preliminaries


932.1 that no apologies had been received;

932.2 that Bruna Gill, Governor Apprentice, was welcomed to the meeting as an observer;

932.3 that Sue Midha, Director of HR, was welcomed to the meeting for the Risk Register item.

933 Minutes from the previous meeting

Received paper 20/783, ‘Minutes – Audit and Risk Committee 29 June 2021’. The Chair spoke to this item.


933.1 that minute 918.9 incorrectly referred to March 2021 and should have referred to March 2022;

933.2 that the minutes of the meeting held on 29 June 2021 were approved as a true and accurate record, subject to the amendment of minute 918.9.

934 Matters arising from the minutes

Received paper 21/88 ‘Matters arising from the previous meeting’. The Chair spoke to this item.


934.1 that an update on item 915.8 regarding Disaster Recovery and Business Continuity will be provided under the Security Dashboard item;


934.2 that the Committee would find it helpful to include a timeframe in the matters arising to track the completion of tasks and to ensure that incomplete actions remain on the matters arising list until they are closed;

934.3 that the Committee wished to receive a response to the cyber security questions, as noted in minute 912.4 of 25 June 2021;

934.4 that the Value For Money paper being considered by the Finance and Resources Committee will be added to the November Audit and Risk Committee agenda, to determine if there is a robust process. Value For Money is also referenced within the Head of Internal Audit’s Annual Opinion and within internal audit reports;

934.5 that a case is being proposed for a Finance Compliance Officer to provide resource to this activity, and assist in the prevention of fraudulent activities. An update is to be provided at the next meeting.

935 Declarations of interest


935.1 that there were no declarations of interest received.

936 Constitution and membership

Received paper 21/89 ‘Audit and Risk Composition and Membership’. The Chair spoke to this item.


936.1 that membership is being discussed between the Chair and Secretary to ensure there are succession plans in place;

936.2 that seeking assurance on value for money is an important part of the Terms of Reference and that the committee needed to understand how it was provided with assurance on this topic;

936.3 that value for money can include activities such as the COVID-19 screening service and the secure and clean environments provided to staff and students and it would be helpful to identify criteria and scoring to be used in assessing value for money, so that it can reflect the wider remit, not just the financial aspect.


936.4 to request that the Chief Financial Officer brings an item back to the committee on how to measure value for money including reference to any relevant existing frameworks.

936.5 to recommend the Audit and Risk Composition and Membership to Council for approval.

937 Live incidents

The Vice-Chancellor was invited to speak to this item.


937.1 [Redacted]

937.2 that a contingency planning group has been established to look at resources and supply chain issues which may impact the institution;

937.3 that UEB will be considering a paper from the Chief Financial Officer this week on utilities and energy supplies;

937.4 that identifying and formalising lessons learnt from contingency groups is part of the review process.

938 Risk register

Received paper 21/90C, ‘Risk Register’. The Vice-Chancellor was invited to speak to this item.


938.1 that risk scores have changed in the past month since the register was considered by UEB, but that there are no new risks;

938.2 that the risk to student welfare and wellbeing has increased due to the anticipated increased student intake;

938.3 that there had been a degradation of NSS scores over the years resulting in HEFCW intervention;

938.4 that it would be beneficial to conduct an internal audit of teaching quality to review if the agreed plans in response to the NSS were implemented, what worked well and what didn’t, and what lessons have been learnt;

938.5 that the internal audit team were in discussions with the PVC for Education and Student Experience to deliver a piece around teaching quality and how best to deliver this, with plans to revisit in January 2022;

938.6 that as part of the University’s commitment to the Data Futures project conducted by HESA, a group has been established to review data collection as part of data strategy, to ensure the correct data is collected for its intended purpose. There are reputational risks associated with this activity;

938.7 that the regulatory compliance risk net score was 20 to recognise the potential impact if HEFCW removed support to charge the full tuition fee level;

938.8 [Redacted]

938.9 that the University has accreditation for ISO45001, which provides an international health and safety management standard covering the breadth of health, safety and environment requirements;

938.10 that the University is working towards a submission for ISO45003 accreditation in May 2022, which addresses psycho-social risks as well as poor well-being;

938.11 that progress is being made across the five strands of the Staff Well-Being strategy which was launched in September 2020, and runs up to 2023;

938.12 that the HR risk register sits under the overall University risk register and is heat mapped to identify areas which require mitigation, along with weekly one-to-ones amongst the senior management team which are used to review and identify any action required;

938.13 that in a recent pulse survey, 80% of staff agreed or strongly agreed that the University had supported wellbeing.


938.14 that given the urgency to understand more about the decrease in NSS scores, the Head of Internal Audit will review capacity to determine whether it is possible to undertake an audit sooner than currently scheduled;

938.15 that an internal presenter would be invited to speak to the Committee in the new year to discuss sustainability and the University’s confidence to achieve carbon zero, and how this will be achieved;

938.16 that it would be helpful to indicate on the risk register if the net risk score is within the University’s agreed level of risk appetite;

938.17 that HR would seek to highlight its staff well-being activities in its recruitment materials.

Sue Midha, Director of HR, left the meeting after this item.

939 Risk appetite

Received Paper 21/91C Risk Appetite.  Laura Hallez, Senior Risk Advisor, presented this item.


939.1 that it is recommended that the University adopts an approach similar to the Durham model in the first instance, summarising these opinions in a similar format to Edinburgh;

939.2 that the Durham methodology received the most positive feedback at the Audit & Risk Away Day as it articulates the areas in which more or less risk is accepted.


939.3 to recommend to Council the application of a risk appetite statement for 2021/22 based on the Durham Model.

940 2020/21 Financial position paper

Received paper 21/92C ‘2020/21 Financial Position paper’. The Director of Financial Operations spoke to this item.


940.1 [Redacted]

940.2 [Redacted]

940.3 [Redacted]

940.4 [Redacted]

940.5 [Redacted]

940.6 [Redacted]

941 External Audit update/progress

Jason Clarke, PricewaterhouseCoopers, provided an oral update.


941.1 that the external audit for the year ended 31 July 2021 is progressing well.

Jason Clarke and Ian Davies, PricewaterhouseCoopers, left the meeting for minute 942.

942 External Audit tender


942.1 that the University had identified 2 potential auditors and were confident that a successful appointment would be made.

943 Cyber Security Dashboard template

Received paper 21/95C ‘Cyber Security Dashboard’. Owen Hadall, Assistant Director, IT Service and Operations, spoke to this item.


943.1 that the Committee welcomed the format and content of the cyber security dashboard;

943.2 that the Governance Committee has oversight of regulatory requirements and therefore cyber security will be included in the annual information management report presented to them;

943.3 that there will be an implementation plan which will be owned by ISOG and the Assurance and Risk Group;

943.4 that cyber insurance will be explored to support the University’s costs.  There are an increasing number of universities claiming against this form of insurance;

943.5 that new risks are identified as they emerge and are mitigated with technical controls, communication and training.


943.6 that the Governance Committee should consider how Council will receive regular updates regarding the quarterly cyber security dashboard;

The Assistant Director, IT Service and Operations, left at the end of this item.

944 Annual Risk Management report

Received paper 21/93C Annual Risk Management Report. Rashi Jain, University Secretary, spoke to this item.


944.1 that the Annual Risk Management Report summarises the work undertaken in 2020/21 to improve the risk management process, including updating risk appetite, risk workshops and dedicated training.


944.2 to approve the Annual Risk Management Report.

The Vice-Chancellor left the meeting at the end of this item.

945 Risk assurance mapping Internal Audit report

Received paper 21/94 Risk Assurance Mapping Support. Faye Lloyd, Head of Internal Audit, and Laura Hallez, Senior Risk Advisor, spoke to this item.


945.1 that the risk assurance map will help to determine if the correct level of risk is being applied and assist with mapping risk within the risk appetite.


945.2 to discuss progress on the risk assurance map at the Audit and Risk Committee in March 2022.

946 Fraud, Bribery and other Financial Compliance annual report

Paper 21/96C Fraud, Bribery and other Financial Compliance – Annual Report. Rashi Jain, University Secretary, spoke to this item.


946.1 [Redacted]


946.2 to approve the Fraud, Bribery and other Financial Compliance – Annual Report.

947 Audit and Risk Committee self-evaluation of effectiveness

The Chair of the Committee spoke to this item.


947.1 that members were asked to complete the self-evaluation where they had not already done so;

947.2 that the results of the Audit and Risk Committee Self-Evaluation of Effectiveness would be reviewed at the next meeting.

948 Progress report 2020-2021 Internal Audit Programme

Received paper 21/97 ‘Progress Report Against Internal Audit Programme’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.


948.1 that the 2020/21 internal audit programme was now complete;

948.2 that there had been improvements in the key performance indicators, as a result of increased engagement and discussion with management, and constructive dialogue during the year.

949 Discussion points for Internal Audit reports

Received paper 21/101, ‘Discussion Points for Internal Audit Reports’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.



949.1 that the Procurement strategy is supported by an action plan which looks at the maturity of the organisation. Significant improvements have been made and it is anticipated that it will require two to three years to develop this further;

949.2 that there is currently a recruitment exercise for a Director of Procurement. The new team and structure will help drive future change;

949.3 that there will be an internal audit in 2022 to look at how effectively procurement is operating within Schools;

949.4 the need for consistency across Schools and to share best practice and solutions.

950 Follow-up of highly rated recommendations report

Received paper 21/98C, ‘Follow-up of highly rated recommendations report’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.


950.1 that negotiations are due to start in the next couple of weeks to review service level agreements with the NHS.


950.2 to rebase four ITS recommendations to 31 July 2022 and to rebase four finance recommendations all to be completed by 31 March 2022.

951 Internal Audit annual report

Received Paper 21/99C Internal Audit Annual Report 2020/21.  Faye Lloyd, Head of Internal Audit, was invited to speak to this item.


951.1 that there had been considerable improvement during 2020/21 as a result of audit recommendations being addressed;

951.2 that the full internal audit programme had been delivered remotely during 2020/21;

951.3 that if unusual activity is detected, the University’s Counter-Fraud and Anti-Bribery policy requires legal checks to be undertaken;

951.4 that the Committee supported the internal audit annual opinion, which would be submitted to the November meeting for approval.

952 Internal Audit Quality Assurance and Improvement programme

Paper 21/100 Internal Audit Quality Assurance and Improvement Programme. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.


952.1 that an external quality assurance exercise has been undertaken annually, facilitated by the Council of Higher Education Internal Auditors (CHEIA). The process used adopts a peer-review of an evidence-based self-assessment that has been completed by the Head of Internal Audit;

952.2 that every five years the institution is required to consider how internal audit services are provided at the institution, to comply with the Financial Management Code. This action is due to be completed in the current financial year.


952.3 that the University Secretary will discuss the manner in which the external evaluation could be conducted with the Chief Operating Officer;

952.4 to recommend to UEB that it considers a tender process to identify an external assessor, to include submissions from a commercial external provider and another HEI, by the end of the 2021/22 academic year, and brings back a recommendation to the committee on how to proceed;

953 Post meeting Risk Register review


953.1 that the Committee agreed that the information received at the Committee is accurately reflected by the risk register, and they did not have any further matters to raise.

954 Items received for information

Serious incidents reports


954.1 that there were currently no serious incidents to report to the Committee (other than that already reported under minute 937.1 Live incidents).

Financial irregularities

954.2 that there were no Financial Irregularities to report to the Committee.

954.3 that the Committee noted the following papers:

  • Paper 21/102 HEFCW Accounts Direction Summary
  • Paper 21/103 Preliminary Judgement Paper (to include going concern)
  • Paper 21/104 CUC HE Audit Committee Code of Practice (May 2020)

955 In-camera

Following the meeting of the Audit and Risk Committee, an in-camera session was held. The members of the Audit and Risk Committee, the Head of Internal Audit, the external auditors and the University Secretary were present. Bruna Gill, Governor Apprentice, attended as an observer.

Document control table

Document title: Audit and Risk Committee minutes 5 October 2021
Effective date: 30 March 2022