
Audit and Risk Committee Minutes 16 March 2022

Minutes of the Meeting of the Cardiff University Audit and Risk Committee held on Wednesday 16 March 2022 at 9:30 via Zoom.

Present: Michael Hampson (Chair), Dónall Curtin, Dr Janet Wademan and Agnes Xavier-Phillips.

In Attendance: Vice-Chancellor, Eileen Brandreth [Minute 999], Jonathan Brown (KPMG), Moeen Essa (KPMG), Rhodri Evans [minute 996-67], Clare Eveleigh, Professor Kim Graham [minute 992], Laura Hallez, Rashi Jain, Alison Jarvis, Faye Lloyd, Carys Moreland, Claire Morgan [minute 996-67], Ruth Robertson, Claire Sanders, Peter Sheppard (TIAA) [Minute 999], and Dr Huw Williams [minute 993].

986 Welcome and Preliminaries

All were welcomed to the meeting, especially Jonathon Brown & Moeen Essa from KPMG who were attending their first meeting.

987 Apologies for Absence

Apologies were received from Paul Benjamin.

988 Declarations of Interest

The Chair reminded the Committee members of their duty to disclose any potential conflicts of interest. No declarations of interest were noted.

989 Minutes of the Previous Meeting

The minutes of the meetings held on 15 November 2021 (21/267C) and 17 December 2021 (21/511C) were confirmed as a true and accurate record and were approved to be signed by the Chair.

990 Matters Arising from the Minutes

Received and considered paper 21/522 ‘Matters Arising’.  The Chair spoke to this item.

Noted

990.1 [Minute 967.5] that clarification on the roles of the Committee and the Finance & Resources Committee in relation to Going Concern assessments would be concluded via the on-going work on the Scheme of Delegation;

990.2 [Minute 969.14] that it had been proposed that material errors in VAT returns greater than £50k would be reported to the Committee and any penalties levied also reported to the Committee;

990.3 [Minute 973.2-4] that a report would be provided to the next meeting on succession planning and skills required for the Committee;

990.4 [Minute 979.2] that the University had no Non-Disclosure Agreements (NDAs) and the default position was not to enter into NDAs;

990.5 [Minute 938.15] that an update would be presented in relation to net carbon zero at the next meeting.

Resolved

990.6 for any material errors in VAT returns greater than £50k to be reported to the Committee;

990.7 for KPMG to present their views on viability at the next meeting.

991 Items from the Chair

Noted

991.1 that it was proposed to increase quoracy for meetings of the Committee from two members to three members; it was queried whether the membership of the Committee should be increased as well and it was proposed to review this following completion of the succession planning review for the Committee; it was also queried whether there was best practice among Audit & Risk Committees in other institutions.

Resolved

991.2 for KPMG to review the size and quoracy of Audit & Risk Committees elsewhere and provide detail;

991.3 for the Chair and University Secretary to review the succession plan for membership of the Committee and a paper be brought to the next meeting; the paper should be shared with Committee members in advance for comment;

991.4 [Redacted]

Dónall Curtin left the meeting

991.5 that Dónall Curtin’s first term of office was ending on 31 July 2022 and that he would be willing to continue for a second term.

Resolved

991.6 to support a proposal to Council to re-appoint Dónall Curtin to the Committee for a second term.

Dónall Curtin re-joined the meeting.

Noted

991.7 that the University had received a draft Institutional Risk Review (IRR) letter from HEFCW and a draft response was being compiled;

991.8 it was confirmed that the final IRR letter and the University’s response would be received by this Committee prior to approval by Council.

Resolved

991.9 to ensure that a review of the HEFCW IRR Letter is covered in the Terms of Reference for the Committee.

992 Internal Audit Advisory Report: 2022_C03 Research Data Systems

The Pro Vice-Chancellor Research Innovation & Enterprise joined the meeting to speak to this item.

Noted

992.1 that there had been ongoing issues with research data systems and reporting which had impacted on the ability for rapid and intelligent decision-making and monitoring of strategy;

992.2 that a detailed systems map was produced as part of the audit;

992.3 that the report highlighted the current system did not ensure data was being shared, analysed, verified and used in the same way across the institution, relying on manual data which was not efficient; following the report, a stream of work had been authorised to review possible options and solutions, looking at systems, structures and training across the institution and looking to produce a new data framework aligned to dashboard reporting;

992.4 that a Data Governance Framework had been established with data owners in place and work in this area was being taken forward as part of Recast Transforming Services;

992.5 that actions from the report would not be included in the Audit Tracker as the work had been undertaken on a consultancy basis;

992.6 that thanks were extended from the Pro Vice-Chancellor to the Committee and Internal Audit team for their support; the Committee congratulated the Pro Vice-Chancellor on their new role;

992.7 that there was a concern in relation to ensuring key papers submitted to REF were open access and a paper would be submitted to UEB on this to ensure key papers were tracked;

992.8 that there were discussions ongoing around ensuring resilience was maintained in relation to REF and the efforts put in to the submission delivery; papers had been submitted to UEB to identify the risks and propose strategic and operational recommendations, whose implementation was being overseen by the REF Oversight Group and REF Operational Group.

Resolved

992.9 for an update on the report to be shared with the Committee in twelve months’ time.

Professor Kim Graham (Pro Vice-Chancellor Research Innovation & Enterprise) left the meeting.

993 Update on Welsh Language Cultural Commitments and Action

The Dean for Welsh Language joined the meeting to present this item.

Noted

993.1 the University had implemented a University-wide strategy in relation to Welsh Language which had 5 key commitments: education, civic mission, staff and student experience, marketing, and research; it was hoped Welsh Language provision would become integrated into business as usual practices;

993.2 that targets were set by HEFCW for enrolment for Welsh Medium provision and this was tied to the University’s Fee & Access Plan; the University reviewed the number of students enrolled on 40-credits of Welsh Language medium annually (which equated to around a third of their studies) and also enrolled on 5-credits annually;

993.3 the University was falling short in achieving these targets and was looking to address this initially through a “Cardiff Citizen” 5-credit module as part of first-year student induction, which looked to encourage Welsh-speaking students to undertake some of their studies through this provision and link them to the wider network;

993.4 the University had established Yr Academi Gymraeg as a hub for Welsh Language activity and to progress the aims of the Welsh Language Strategy; a survey had been created for staff and students and it was hoped to use this and future surveys to track progress and cultural change in this area;

993.5 that the Welsh Language Strategy was embedded within the wider strategic aims of the University and work was being undertaken to embed this into specific areas and streams of work;

993.6 that the HEFCW targets would be a good indicator of whether the actions taken were proving effective;

993.7 that the Vice-Chancellor noted it was of key importance to celebrate and promote the Welsh Language and Welsh culture and the role of the University in promoting this within the whole of Wales was noted;

993.8 that thanks were extended to Dr Williams for his presentation and work in this area.

Resolved

993.9 for the Committee to review whether there should be a requirement for a Welsh Language speaker to be a member of the Committee.

Dr Huw Williams (Dean for Welsh Language) left the meeting.

994 University Risk Register

Received and considered paper 21/523C ‘Risk Register’.  The Vice-Chancellor spoke to this item.

Noted

994.1 that the risk in relation to Internationalisation had been heightened due to the pandemic and associated travel restrictions and the University was monitoring this closely;

994.2 that the Student Welfare and Wellbeing risk had been increased due to anticipated impacts of the Omicron variant but this had now settled;

994.3 the risk relating to Industrial Action had increased due to the announcement of further ballots;

994.4 that the University had cut ties with any Russian government agencies or funding and the University had limited formal international collaborations with Russia; the University was now reviewing links with any satellite states or organisations and was focussing on ensuring support was provided for all students and staff who needed it in relation to the conflict;

994.5 that there was no indication around the results of REF or any associated impact on funding;

994.6 [Redacted]

994.7 that the risk in relation to partnerships and collaborations had been added to highlight the University was aware of this and the risk would continue to be monitored; there was a planned audit in relation to Taith.

995 Live Incidents

Received and considered paper 21/513HC ‘Live Incidents’.  The Vice-Chancellor spoke to this item.

Noted

995.1 [Redacted]

996 Academic Assurance Framework

Received and considered paper 21/515HC ‘Academic Assurance Framework’.  The Pro Vice-Chancellor Education & Student Experience and Head of Registry joined the meeting to speak to this item.

Noted

996.1 [Redacted]

996.2 [Redacted]

996.3 [Redacted]

996.4 [Redacted]

997 Internal Audit Assurance Report: 2022_C04 HEFCW Intervention and NSS Risk

The Pro Vice-Chancellor Education & Student Experience spoke to this item.

997.1 that the limited assurance result was disappointing but realistic and the findings and recommendations were fully accepted;

997.2 the timing of the report was useful, following on from previous NSS results;

997.3 that this year further layers had been added to how this area was monitored which may have contributed to a lack of co-ordination; a framework was being drafted in relation to NSS to address this and was hoped to be in place for the next cycle of NSS results; this would include Professional Services actions as well;

997.4 work was also being undertaken to promote the actions and work completed in relation to the Student Voice recommendations;

997.5 that thanks were extended by the Committee for the work undertaken in this area.

Claire Morgan (Pro Vice-Chancellor Education & Student Experience) and Rhodri Evans (Head of Registry) left the meeting.

998 Progress Update on the Risk Assurance Map

Received and considered paper 21/516HC ‘Risk Assurance Map Update’.  The University Secretary spoke to this item.

Noted

998.1 [Redacted]

998.2 [Redacted]

998.3 [Redacted]

998.4 [Redacted]

998.5 [Redacted]

998.6 [Redacted]

Resolved

998.7 for the Committee to receive an update at a future meeting in relation to the key risks for the University estate and the actions and mitigations being taken.

999 Discussion Points for Internal Audit Reports

Received and considered paper 21/510C, ‘Discussion Points for Internal Audit Reports’. The Head of Internal Audit spoke to this item.

Peter Sheppard (TIAA) and Eileen Brandreth (Chief Information Officer) joined the meeting.

IT: Virtual Desktop Interface (VDI) implementation and remote access solutions

999.1 that Peter Sheppard (TIAA) and Eileen Brandreth (Chief Information Officer) joined the meeting to speak to this item;

999.2 that this system was required to enable a safe and secure remote working environment for teaching and support staff;

999.3 that the IT team were congratulated for their ability to deliver this at short notice during the pandemic and focus had now shifted to ensuring a mature and robust infrastructure;

999.4 that TIAA had worked with University staff to identify gaps in the current provision and also identify future needs;

999.5 the key recommendations were for multi-factor authentication (MFA) to be used on all devices, for external penetration testing to be undertaken and for a centralised record of patching status and compliance; it had been reported that a number of the recommendations had already been completed;

999.6 that the audit was welcomed by University IT and recommendations were accepted; the University would not be continuing with the RAS service from June 2022 and so would not be implementing recommendations in relation to the ‘service wrapper’ for that element; budget had been included for penetration testing and MFA was being rolled out;

999.7 that there had been support from the COO in relation to resource and strengthening of the cyber security element but it was felt that recruitment and retention of IT staff would be an issue for the coming year;

COBIT (Control Objectives for Information and Related Technologies) framework assessment

999.8 that the report reflected the risk associated with the new hybrid way of working and heightened security concerns;

999.9 that the framework was internationally recognised;

999.10 that there had been positive progress since the last report;

999.11 that the COBIT self-assessment also provided an opportunity for management to reflect on the current controls in place and consider areas to focus on for improvement;

999.12 that the decline in indicators for managed service agreements was largely due to the pandemic as a number of perception measurements had been halted;

999.13 that the managed risk element focussed on enterprise management of risk (as opposed to IT management of risk) and it was hoped this would open up discussions with other areas of the institution;

Resolved

999.14 for the Committee to be provided with a paper at its next meeting on the patching policy and how it is implemented;

999.16 for an update to be provided to the Committee on whether simulation testing for IT business continuity is carried out or planned to be carried out and any procedures in relation to this.

Peter Sheppard (TIAA) and Eileen Brandreth (Chief Information Officer) left the meeting.

Noted

999.17 that the Internationalisation and Regulatory Compliance reports involved a risk assurance mapping process, the outputs of which had been very useful, with the Internal Audit reports perhaps seen as a secondary output;

999.18 that overall responsibility for regulatory compliance sat with the University Secretary but the risk register had identified this was unclear in some areas; the work undertaken to review regulatory compliance in relation to the risk assurance map would help to address this.

1000 Progress Report Against Internal Audit Programme

Received and considered paper 21/508C, ‘Progress Report against Internal Audit Programme’. The Head of Internal Audit spoke to this item.

1000.1 there were no issues around delivery for the 21/22 programme;

1000.2 that there were a number of similar issues and themes being identified and root cause analysis was being undertaken;

1000.3 that the Committee had sight of the planning principles for the 22/23 programme and that an audit of culture had been captured as part of the plan;

1000.4 that there remained a high number of advisory assignments and these continued to deliver value for money; this would be discussed with UEB to confirm they remained of benefit for the recipients and considered at the next meeting.

1001 CIC progress update against ARUP recommendations

The Director of the CIC Programme joined the meeting to provide an oral report.

1001.1 that a key recommendation from the report had been to appoint a programme Director which was now complete; an initial observation had been the team were working well and to look at work outside of the construction phase;

1001.2 other observations from the Programme Director noted that the executive were well engaged and supportive, with a good reporting structure; it was also noted the change control process was well managed with a robust risk process;

1001.3 there had been a need to increase focus on post-completion works and transition, and to complete the clean-room design;

1001.4 a full project team had been created and more regular team meetings held to ensure communication remained strong;

1001.5 a detailed project execution plan had been created, to cover the entire project up to business as usual;

1001.6 a dedicated team had been allocated to the clean room tools project and a specific risk register created for the clean room element; similarly, a dedicated team had been established for the hook-up part of the project;

1001.7 that now the sparc building had been handed over, this team were focussing on the TRH building and clean room; the handover of sparc had provided a boost to the team;

1001.8 that generally it was felt the risks had been mitigated and were being well managed;

1001.9 that some of the ARUP recommendations did not fit with the University’s structures or operations; the team had identified those which were felt to be most relevant and important to take forward.

Resolved

1001.10 for a summary report to be presented to the Committee which responded to the ARUP report recommendations and noted which were actioned (in relation to minute 1001.9).

The Director of the CIC Programme (Jan Ponsford) left the meeting.

1002 Follow-up of Highly Rated Recommendations

Received and considered paper 21/509C, ‘Follow-up of Highly Rated Recommendations Report’. The Head of Internal Audit spoke to this item.

1002.1 that good progress continued to be made on the tracker with a fairly small number of overdue recommendations remaining compared to previous years; there remained a small number that were proving tricky to progress; the Committee noted the significant progress in closing down outstanding recommendations;

1002.2 a number of recommendations had been removed where they related to the update of the Financial Regulations; this work had been pushed back and so a number of recommendations would be added back into the tracker;

1002.3 the Assurance & Risk Group and UEB continued to review outstanding actions which would help ensure overdue recommendations were progressed;

1002.4 that a meeting had been arranged with the Chief Financial Officer and the NHS to review the recommendation outstanding since 2019 in relation to the service level agreement with the University Health Board.

Resolved

1002.5 for an update on the overdue outstanding actions from September 2019 and October 2020 to be presented to the next meeting.

1003 Update on the External Quality Review of the Internal Auditor Provision

Clare Everleigh, Faye Lloyd and Carys Moreland left the meeting.

Received and considered an oral report from the Chief Operating Officer.

Noted

1003.1 that work had been undertaken to obtain three quotes for an external provider to undertake a quality review of the internal audit provision; the Chartered Institute of Internal Auditors (IIA) had provided a comprehensive quote which appeared to meet the needs of the University and they were recommended for appointment;

1003.2 the IIA would provide in-house personnel for this review;

1003.3 that work would commence after Easter and it was hoped to report in September 2022;

1003.4 the Committee supported the appointment of IIA for this work.

Clare Everleigh, Faye Lloyd and Carys Moreland re-joined the meeting.

1004 Any Other Business

Noted

1004.1 that the reduction in the number of pages within the meeting book was welcomed;

1004.2 that the Chair had attended a seminar led by KPMG which had covered value for money (VFM); it was noted it would be useful for the Committee to see how the report on VFM would be structured and what items it would cover;

1004.3 that an audit of culture had been discussed and it was confirmed that the Council Away Day in May would focus on culture; it was noted there may be an event of interest to the internal audit team on how to audit culture.

Resolved

1004.4 for KPMG to share details of the seminar and other possible information or training tools on how VFM is covered by other committees;

1004.5 for the Committee to see a draft format for the VFM annual report for comment;

1004.6 for details of the seminar to be shared with the internal audit team;

1004.7 for next steps of the audit of culture to be discussed at the next meeting;

1005 Review of risks identified in the risk register

Noted

1005.1 that no further updates were required to the Risk Register as a result of the business of the meeting.

Resolved

1005.2 to recommend to Council approval of the University Risk Register.

1006 Items Received for Information

Noted

Financial Irregularities

1006.1 that there were no Financial Irregularities to report to the Committee;

1006.2 that the Committee noted the following papers:

  • Paper 21/514HC Serious Incidents Report
  • Paper 21/524C Whistleblowing Report

1007 In-Camera

Following the meeting of the Audit and Risk Committee, an in-camera was held. The members of the Audit and Risk Committee, the Head of Internal Audit, the external auditors and the University Secretary were present.

Document control table

Document title: Audit and Risk Committee Minutes 16 March 2022
Effective date: 06 October 2022