Audit and Risk Committee Minutes 6 June 2022

Minutes of the meeting of the Cardiff University Audit and Risk Committee held on Monday 6 June 2022 at 13:00 via Zoom.

Present: Michael Hampson (Chair), Dónall Curtin, Dr Janet Wademan and Agnes Xavier-Phillips.

In Attendance: Dev Biddlecombe [minute 1028], Jonathan Brown (KPMG), Ruth Davies [until minute 1032], Clare Eveleigh [until minute 1032], Laura Hallez [until minute 1022], Eleanor Hetenyi (KPMG), Rashi Jain, Alison Jarvis [until minute 1022], Faye Lloyd, Sian Marshall [until minute 1032], Carys Moreland [until minute 1032], Claire Sanders [until minute 1022], Deputy Vice-Chancellor [until minute 1019], Darren Xiberras [until minute 1032].

1008   Welcome and preliminaries

1008.1  All were welcomed to the meeting, including the Deputy Vice-Chancellor who was attending on behalf of the Vice-Chancellor.

1008.2 The Chair reminded members that the meeting was being recorded to assist with the production of the minutes and would also be shared with the individuals undertaking the external review of the Internal Audit Service.

1008.3 The Chair reported that Paul Benjamin had stepped down from the Committee with effect from 16 April 2022.

1008.4 The Chair noted that Dev Biddlecombe, Director of Estates would be attending for item 21: Update on Cardiff and Vale Health Board SLA.

1009  Apologies for absence

Apologies were received from the Vice-Chancellor.

1010  Declarations of interest

The Chair reminded the Committee members of their duty to disclose any potential conflicts of interest. No declarations of interest were noted.

1011  Minutes of the previous meeting

The minutes of the meetings held on 16 March 2022 (21/798C) were confirmed as a true and accurate record and were approved to be signed by the Chair.

1012  Matters arising from the minutes

Received and considered paper 21/813 ‘Matters Arising’.  The Chair spoke to this item.

Minute 1004: For next steps of the audit of culture to be discussed at the next meeting

Noted

1012.1 That it was planned that a separate meeting would be convened for the Audit and Risk Committee to consider and agree the approach that would be taken to auditing culture.

1012.2 That a report on the actions and next steps arising from the Council away day on culture was to be prepared and discussed by Council. Once the action plan was developed, it may be possible to identify particular areas or metrics that could be considered for audit or monitoring.

1012.3 That the responsibility of the Committee was to consider the internal controls and level of assurance relating to culture, which was separate to the discussions being had by the Council.

Resolved

1012.4 For an outline agenda for the meeting to be shared with members to comment on the proposed scope and format of the session.

Minute 938: sustainability and the University’s plans to achieve carbon zero

Noted

1012.5 That the item had now been deferred to the October 2022 meeting of the Committee as the University Executive Board (UEB) required further time to consider a paper on the plans and the resource requirements and which would enable a more comprehensive update to the Committee.

1013  Items from the Chair

Noted

1013.1 That this was Dr Janet Wademan’s last meeting and the Committee thanked her for her considerable contribution to the Committee and the University.

1013.2 That Dev Biddlecombe, Director of Estates was leaving the University to take up the role of Director of Estates at the University of Bath and that Alison Jarvis, Director of Financial Operations, was leaving the University to take up the role of Chief Financial Officer at the University of Plymouth. The Committee acknowledged their considerable contribution to the University.

1013.3  The feedback from the KPMG’s ESG Assurance in UK Higher Education benchmarking exercise indicated that the University was performing well in the sector.

Resolved

1013.4  To circulate the KPMG feedback to members and officers.

1014  Risk Register

Received and considered paper 21/805C ‘Risk Register’.  The Deputy Vice-Chancellor spoke to this item.

Noted

1014.1 That three risks had been closed and removed from the risk register, as follows:

(i)    Coronavirus Screening Service;

(ii)    Research Excellence Framework, following the University’s strong performance in REF2021;

(iii)  Business Continuity (Further Outbreaks), which related to the risk of further COVID-19 lockdowns being imposed for which the risk had decreased significantly. A new Major Incident risk was being developed to cover any future pandemics or impositions of a lockdown.

1014.2 That subsequent to the issuing of the paper and following discussions with UCU and the issuing of a joint statement, all industrial action, including action short of strike, had been withdrawn for the remainder of the academic year. The risk score would remain as detailed in the paper as UCU still had a mandate for industrial action and discussions regarding the 2021-22 pay award remained ongoing.

1014.3 That the Student Experience (Teaching and Assessment) risk had increased owing to the potential impact of Industrial Action.

1014.4  That the Carbon Net Zero risk had increased owing to financial constraints hindering investment in environmental sustainability and a lack of Estates expertise to properly map the action required to achieve Scope 1. UEB had now agreed the resource to establish a core team located across Estates and Health, Safety & Wellbeing to focus on activities to achieve carbon net zero.

1014.5 That the Student Experience (Student Life) risk had reduced to reflect the removal of COVID-19 restrictions.

1014.6  That the financial sustainability risk remained high owing to the significantly higher inflationary pressures on the University especially with respect to utilities costs and the consequent impacts on pay inflation which had heightened the risk to achieving medium to long term financial sustainability of the University. The new integrated planning process (IPP), which incorporated academic and financial planning, including the estate, was being reviewed and refined in order to mitigate this risk.

1014.7  That it was intended that short-term, interim cover would be put in place whilst recruitment to the Director of Financial Operations’ post took place and it was planned to review the post and structure of the Finance Team to ensure sufficient resilience going forward.

1014.8  That the cyber security risk remained high owing to the prevalence of incidents and attacks across the sector. Testing was being undertaken to ensure the resilience of the controls in place, including the ransomware incident response plan. A paper was to be presented to UEB regarding the roadmap and resourcing required to achieve Cyber Essentials recertification following a change in the standard that had significantly increased the scope of required controls beyond those in place.

1014.9 That the Estates Repairs and Maintenance risk remained static. A refreshed estate condition survey was to be undertaken, which would enable a better understanding the backlog maintenance. A workshop was being held the next day to start the process of refreshing the estates strategy.

Resolved

1014. 10  That the financial risk from the resignation of the Director of Financial Operations and the appointment of new External Auditors should be reflected within the risk register.

1014.11  For the Committee to consider in June 2023 whether the proposed internal audit programme for 2023/24 has sufficient coverage of estates risks once the estate condition survey had been undertaken and the revised estates strategy was in place.

1014.12  To recommend to Council that, subject to the action in 1014.10 above, the current risks, scores and mitigating actions reflected the risk profile of the University.

1015 External Audit Letter of Engagement

The University Secretary spoke to this item.

1015.1 Noted that the letter of engagement had now been agreed and items 113 – 175 from the Audit Code of Practice section of the HEFCW Financial Management Code had been incorporated.

Resolved

1015.2  To circulate the letter of engagement to members of the Committee.

1016 External progress report and technical update

Received and considered paper 21/810C ‘External Progress Report and Technical Update’.  Jonathan Brown from KPMG spoke to this item.

Noted

1016.1 That work had begun on the planning and risk assessment process but this had been delayed whilst the contract negotiations were concluded.

1016.2 That there was some risk to the audit programme owing to the resignation of the Director of Financial Operations but a plan had been agreed with Finance and KPMG were confident that the audit would be completed on time.

1016.3 That KPMG had reviewed the quorum and membership of seven Russell Group Audit and Risk Committees and had concluded that the University was not out of line with the sector.

1016.4 That KPMG had confirmed that the University’s reporting on longer term viability/sustainability was in line with the sector and met the HEFCW and SORP requirements.

1016.5 That the risk management benchmarking exercise identified the top strategic risk categories across the 11 Russell Group University Assurance Frameworks. Technology/Digital was one of the most commonly included risks not included in the University’s risk register.

Resolved

1016.6  To maintain the current quorum of two members for the Committee as the benchmarking exercise had indicated that the Committee’s membership and quorum were in line with other Audit and Risk Committees in the sector.

1016.7  For KPMG to raise any concerns about potential delays to the completion of the audit immediately with the Chair.

1016.8  For KPMG to share more detailed information on the risk management benchmarking exercise for the Senior Risk Advisor to consider whether there was any relevant information relating to the Technology/Digital risks that should be considered by the University in relation to its risk profile.

1017 Draft External Audit Plan

Received and considered paper 21/809C ‘Draft External Audit Plan’.  KPMG spoke to this item.

Noted

1017.1  That the plan was in draft owing to the delay in agreeing the letter of engagement.

1017.2  That the significant risks to be considered as part of the audit were in line with previous years and included:

(i)      Valuation of Pension Liabilities in relation to the Cardiff University Pension Funding and the Universities Superannuation Scheme. Work would also be undertaken on the Local Government Pension Scheme liabilities but this was not to be considered to be as significant a risk.

(ii)    Fraud risk from revenue recognition in relation to research grants owing to the level of judgement applied in the apportionment of costs.

(iii)  Management override of controls, which would focus on manual journal testing and the identification of any bias in the estimates or judgements made by management.

1017.3  That other audit risks to be reviewed included:

(i)      The capital development programme, including accounting judgements, relevant contracts and purchase agreements.

(ii)    Going concern

(iii)  The use of funds, including ensuring spending was in line with the HEFCW Code of Practice and that the necessary disclosures were made to the regulators.

1017.4  That the Group materiality level was set at £6m based on the 1% benchmark of prior year Group income.

Resolved

1017.5  The Chair and the University Secretary & General Counsel to consider whether a further meeting of the Committee would be required to consider the letter of engagement and the final version of the External Audit Plan.

1018 Membership and succession planning

Received and considered paper 21/814C ‘Membership and Succession Planning’.  The University Secretary spoke to this item.

Noted

1018.1  That a search firm, Veredus, has been engaged to recruit a new member with skills and experience in accounting to succeed Paul Benjamin, and this would be undertaken at the same time as the recruitment of lay members of the Council.

1018.2  That the Governance Committee had agreed to recommend to Council the appointment of Suzanne Rankin to succeed Dr Janet Wademan with effect from 01/08/2022.

1018.3  That Dónall Curtin’s reappointment for a further term of three years was approved by Council on 28 April 2022.

1018.4  That an updated skills matrix had been introduced with a number of new areas, on which the current members had yet to be surveyed. The skills matrix was based on the membership at 1 August 2022 and would be updated in summer 2022.

1018.5  That the proposed induction pack contained a wealth of documentation and there was a benefit to providing it as a reference point to complement meetings and discussions rather than requiring all documentation to be read immediately.

1018.6  That a key attribute of a ‘good’ induction programme was ensuring it took place in a timely way after a member’s appointment.

Resolved

1018.7  To add to the skills matrix template prior Audit & Risk Committee experience as this was considered to be an important area for the Committee.

1018.8  For the Chair and the University Secretary to discuss offering a dedicated session for all Committee members as part of the induction process, which would serve as a refresher for existing members on their role and the responsibilities of the Committee.

1018.9  For the Corporate Governance Team to review the list of induction materials provided by a member of the Committee to consider whether to include any further documentation within the induction pack.

1019 HEFCW Institutional Risk Review

The University Secretary spoke to this item.

1019.1 That the desktop Institutional Risk Review exercise had been undertaken by HEFCW in October 2021, the draft letter received on 23 February 2022 and a management response provided on 21 March 2022. The final letter was received on 1 June 2022 and confirmed that the University was “at low risk of non-compliance with the Financial Management Code”.

1019.2  That the letter indicated that the University had made good progress with the recommendations from the Camm Review and that progress had been made with developing the serious incident framework, though further work was required to embed this, and the implementation of internal audit recommendations.

1019.3  That the letter highlighted a number of actions that remained outstanding from the 2018 HEFCW Institutional Assurance Review which were close to completion, including development and approval of Financial Regulations and the Assurance Map.

1019.4  That a response and action plan would be considered by UEB and circulated to the Committee prior to consideration by Council in July 2022 to enable the Committee to provide a view to Council on matters that fall within its remit.

Resolved

1019.5  The Chair and University Secretary to consider whether a further meeting of the Committee would be required to review the letter prior to the Council meeting in July.

The Deputy Vice-Chancellor left the meeting after this item.

1020 Value for money – Draft annual report format

The Chief Financial Officer spoke to this item.

Noted

1020.1 That the Committee was required to report to Council on the effectiveness of the University’s arrangements for delivering value for money.

1020.2  That the previous year’s report on value for money predominantly detailed the work undertaken around procurement.

1020.3  That other areas to be included in the report included benchmarking data from KPMG, TRAC and HESA; the outputs from the Tribal review which was planned to report in December 2022; wider value for money information such as from NSS, and information from the internal audit programme.

1020.4  That an economic value report was last undertaken in 2017 and there was scope to consider whether this report should be refreshed to provide further evidence to the Committee.

1020.5  That there was merit in considering holding a joint meeting of the Audit and Risk Committee and the Finance and Resources Committee to consider matters that fell within the remit of both Committees, which might include estates and financial sustainability in addition to value for money.

1020.6  That Cardiff Business School had been commissioned previously to prepare a report on value for money, which had included a series of case studies. The Committee had asked for this work to be continued incrementally each year.

1020.7  That reporting on value for money was broader than economy, efficiency and effectiveness but also covered environmental sustainability and value for society.

Resolved

1020.8  For the Chief Financial Officer to prepare a draft report for circulation to the Committee in line with the requirements of the HEFCW Financial Management Code.

1021 Major Incidents and Serious Incidents update

Received and considered Paper 21/808HC ‘Major Incidents and Serious Incidents Update’.  The Chief Operating Officer spoke to this item.

Noted

1021.1 [Redacted]

1021.2 [Redacted]

1021.3 [Redacted]

1022 Progress update on enhancements to the Serious Incident Reporting Framework

Received and considered paper 21/811C ‘Progress Update on Enhancements to the Serious Incident Reporting Framework’. The Head of Corporate Governance spoke to this item.

Noted

1022.1  That it was the responsibility of the Committee to ensure that the process of responding to serious incidents was being managed effectively, to receive assurance that lessons learnt had been identified and new processes or policies had been put in place to reduce the risk of reoccurrence of similar incidents.

1022.2  The Serious Incident Reporting Framework had been launched originally in 2021 to ensure incidents were reported to HEFCW and the Charity Commission. In operating the framework and following the inquest into the death of one of our students [part-redacted], it had become apparent that the Student Death protocol needed to be updated and a further, more detailed process for managing serious incidents involving harm was required.

1022.3  That the new management process for serious incidents involving harm included the establishment of an incident response team. That team is responsible for looking at the lessons learnt and any actions required to address the issues identified or to prevent reoccurrence of the incident, including reporting back to relevant committees and staff once the incident is closed.

1022.4 That the Committee currently received a regular report on major and serious incidents and the closure of incidents was reported as part of this. The report also notes where incidents have been reported to HEFCW and the Charity Commission.

1022.5   That the Serious Incidents Framework was to be audited this year and this would provide assurance to the Committee as to whether the processes in place were appropriate and were operating effectively.

Resolved

1022.6  For the Major and Serious Incidents Report to continue to note where incidents had been closed, and to also include actions taken to address the lessons learnt.

The Chief Operating Officer, Senior Risk Advisor and the Director of Financial Operations left the meeting after this item.

1023 Financial Irregularities

The Chief Financial Officer spoke to this item.

1023.1  Noted that there were no financial irregularities to report.

1024 Internal Audit Strategy and Annual Programme

Received and considered paper 21/800C ‘Internal Audit Strategy and Annual Programme’. The Head of Internal Audit spoke to this item.

Noted

1024.1 That early and extensive engagement was undertaken with key stakeholders from March to May 2022 in developing the programme of work proposed for 2022/23. This was designed to make a positive difference to the audit planning activity and ensure that audit activity added value.

1024.2  [Redacted]

1024.3 That a tender process for the co-sourced provision was proposed for Summer 2022 following the satisfactory conclusion of the external audit tender process. This would likely result in an increase in the budget as the costs for audit days had gone up across the sector.

1024.4  That the planned audit of mandatory training would have a particular focus on culture and behaviour.

1024.5  That consideration of value for money was built into all the audits in the programme and the legal advice audit would have a specific focus on value for money.

1024.6  That the use of advisory work had increased owing to and in support of the University during the COVID-19 pandemic in addition to its application for specific areas that were subject to change and under development. The Strategy included a 40% cap on the level of advisory, contingency and consultancy work undertaken each year and the Committee was invited to discuss whether this cap remained appropriate.

1024.7  That the use of advisory work had provided a real benefit to the University and had had a positive impact in terms of culture and behaviour. The level of advisory work also reflected the level of maturity of the internal control environment.

1024.8   That excessive use of advisory work could impact the independence of the Internal Audit Service and so it was desirable to consider reducing the level of work undertaken over time.

1024.9  That there would always be some work that would need to be advisory as it enabled Internal Audit to support management to progress challenging areas.

1024.10 That the allocation of a single year budget meant that it was not possible to plan the Strategy and Programme over a longer time period.

1024.11  That the Committee would need to consider further the budget for the programme if there were concerns that resources were not sufficient to deliver the programme effectively.

Resolved

1024.12   To approve:

1. the risk-based internal audit plan for 2022/23;
2. the internal audit service budget and resource plan for 2022/23 including that ‘the resources are sufficient bearing in mind the University’s risk profile’;
3. the approach to tendering for the co-sourced provision outlined in section 3;
4. the proposed areas of internal audit coverage for the year.

1024.13 To maintain the 40% cap on the level of advisory, contingency and consultancy work undertaken in 2022/23.

1024.14  To discuss the cap on advisory work later in the year prior to the Committee’s consideration of the Internal Audit Strategy and Programme for 2023/24. This discussion would include consideration of the planned programme with an upper and lower cap on advisory work.

1025 Progress report against Internal Audit programme

Received and considered Paper 21/801C ‘Progress Report Against Internal Audit Programme’. The Head of Internal Audit spoke to this item.

Noted

1025.1  That the audit programme was currently on track for delivery.

1025.2   That the follow-up on the space management audit would be undertaken in 2022/23 as the space management policy and underpinning frameworks were not yet completed. An update would instead be provided to the Committee outlining the significant work that had been completed in its place.

1025.3  That the audit of the soft-landing delivery process (the transition between capital construction to operation of assets) was no longer considered a priority and a number of options for its replacement in the programme were being considered with the Chief Financial Officer.

Resolved

1025.4  To approve the minor amendments to the 2021/22 programme.

1026 Discussion points for Internal Audit Assurance reports

Received and considered paper 21/802C ‘Discussion Points for Internal Audit Assurance Reports’. The Senior Internal Auditors spoke to this item.

Student Admissions Processes – fraud and bribery control aspects [Limited Assurance]

Noted

1026.1 That the absence of detailed operating procedures meant that there were multiple control environments with a lack of clear oversight where admissions decisions were devolved to Schools and processed locally.

1026.2  That a task and finish group had been established to ensure the issues of training, consistency and oversight are addressed across the University.

Equality Act Compliance [Adequate Assurance]

Noted

1026.3   That the review had concluded that there was adequate coverage of compliance with equality legislation, which was considered to be a positive outcome. The findings focused on the deficiencies in the coordination, prioritisation, monitoring and oversight of relevant policies and procedures for EDI activities.

1026.4    That an appointment had been made to the new Head of EDI role, which would play a pivotal part in providing operational leadership for the management of EDI activities.

Insurance [Follow-up of a limited assurance report]

Noted

1026.5  That the University insurance cover contract was out to tender and in support of this a review of insurance requirements had been completed. A review of the insurance control environment and mapping insurance across institutional risks would be addressed after the conclusion of the tender.

Resolved

1026.6  The Chief Financial Officer to report back to the Committee on whether there was sufficient capacity within the Finance Team to manage the insurance tender.

1027 Follow-up of highly rated recommendations

Received and considered paper 21/803C ‘Follow-up of Highly Rated Recommendations’. The Head of Internal Audit spoke to this item.

1027.1 That three recommendations had been completed and removed from the tracker since the last meeting.

1027.2  That the completion of the Register of Processing Activities recommendation for GDPR compliance was a positive achievement and reflected a significant amount of work.

1027.3 That with the maturing of the internal control environment staff were better able to assess the level of work involved in the completion of the recommendations.

1028 Update on Cardiff and Vale Health Board SLA

Received and considered Paper 21/817C ‘Update on Cardiff and Vale Health Board SLA’. The Director of Estates joined the meeting to speak to this item.

1028.1 That a Service Level Agreement (SLA) had been in place with the Cardiff and Vale Health Board since 2001 for maintenance services but was not explicit on the responsibilities for certain areas of maintenance or the method for escalating issues. The SLA had been reviewed a number of times, including in 2004 and 2014, with a view to specifying definitive requirements but the 2014 version remained unsigned.

1028.2 That a meeting had been held with the Health Board Director of Estates and Director of Finance to develop an outline specification. The Health Board would be undertaking an asset survey of the estate over the coming months with a view to creating a revised SLA by the end of the calendar year.

1028.3  That there was no risk of additional retrospective costs for maintenance services but there was a risk of additional costs being sought in future if maintenance services over and above what had been provided in the past were requested or agreed.

1029 Any other business

Noted

1029.1  That there was a long-standing culture of papers being circulated late and that this resulted in insufficient time for members to read and digest the papers prior to the meetings.

1029.2  That the first circulation of papers for this meeting was one week prior to the meeting with one additional paper circulated late. With the Jubilee bank holidays this meant that the papers were received outside of the normal timetable.

Resolved

1029.3  That steps should be taken to ensure papers were circulated a minimum of one week in advance of the meeting in future and that paper authors should be reminded of the need to submit papers in a timely way.

1030 Review of risks identified in the risk register

Noted

1031.1  That there was a business continuity/corporate memory risk arising from the departure of senior staff and that this could impact the delivery of the strategic plan.

1031.2  That Council would be considering progress against the strategy and the critical success factors at the meeting in July.

Resolved

1030.3  For the University Secretary to discuss with the Senior Risk Advisor whether the business continuity/corporate memory risk arising from the departure of senior staff should be reflected at an institutional or local level and to provide an update via the coversheet for the next report on the risk register.

1031 Items received for information

Noted

Whistleblowing

1031.1  That there were no Whistleblowing complaints to report to the Committee;

1031.2  That the Committee noted the following papers:

• Paper 21/804C IT Patching Policy
• Paper 21/812C CIC Update on recommendations of the ARUP Report
• Paper 21/815 Schedule of Committee Business for the Year Ahead

All officers left the meeting for the reserved item.

1032 Annual summary of litigation

Noted

1029.1 That the Committee noted Paper 21/816HC Annual Summary of Litigation.

1033 In-Camera

Following the meeting of the Audit and Risk Committee, an in-camera meeting was held. The members of the Audit and Risk Committee, the Head of Internal Audit, the external auditors and the University Secretary were present.