Audit and Risk Committee Minutes 10 October 2022

Minutes of the Meeting of the Cardiff University Audit and Risk Committee held on Monday 10 October 2022 at 13:00 via Zoom.

Present: Michael Hampson (Chair), Pers Aswani, Dónall Curtin, Suzanne Rankin, and Dr. Robert Weaver

In Attendance: Jonathan Brown (KPMG), Ruth Davies, Anita Edson [minute 1043], Clare Eveleigh, Laura Hallez, Rashi Jain, Faye Lloyd, Sian Marshall, Alexander Middleton (KPMG), Carys Moreland, TJ Rawlinson [minute 1042], Jo Regan, Melanie Rimmer [minute 1047], Claire Sanders, Vice-Chancellor, Deputy Vice-Chancellor [minutes 1042-1043], Darren Xiberras.

Apologies: Agnes Xavier-Phillips

1034 Welcome and preliminaries

1034.1         All were welcomed to the meeting, including Suzanne Rankin, Pers Aswani and Dr. Robert Weaver who had joined the Committee with effect from 1 August 2022.

1034.2         The Chair reminded members that the meeting was being recorded to assist with the production of the minutes.

1034.3         The Chair noted that item 31 – Financial Irregularities had been covered under item 8 – Major and Serious Incidents Update.

1035 Apologies for absence

Apologies were received from Agnes Xavier-Phillips.

1036 Declarations of interest

The Chair reminded the Committee members of their duty to disclose any potential conflicts of interest. No declarations of interest were noted.

1037 Minutes of the previous meeting

The minutes of the meeting held on 6 June 2022 (21/958C) were confirmed as a true and accurate record and were approved to be signed by the Chair.

1038 Matters arising from the minutes

Received and considered paper 22/86C ‘Matters Arising’. The Chair spoke to this item.

Noted

Minute 1016 External Progress Report and Technical Update

1038.1 That KPMG had not yet shared any further information on the risk management benchmarking exercise.

1038.2 That all other agenda items had either been completed or had been added to the Committee’s

1039 Constitution and membership

Received and considered paper 22/87 ‘Constitution and Membership’.  The Chair spoke to this item.

Noted

1039.1  That the terms of reference had been reviewed to ensure accurate representation of the Committee’s responsibilities. A number of minor changes were proposed to ensure alignment with the CUC Audit Code of Practice and the HEFCW Financial Management Code.

Resolved

1039.2  To recommend the changes to the Committee’s constitution to Council for approval.

1040 Items from the Chair

Noted

1040.1  That a number of papers had been approved via circulation since the June meeting of the Committee, as follows:

• University Response June 2022 to HEFCW Institutional Risk Review 2021 – approved by Council 7 July
• Contract for External Audit Services – approved by Council 7 July
• Updated Serious Incident Reporting Framework
• Final External Audit Plan

1040.2  That Laura Hallez, Senior Risk Advisor, was attending her last meeting as she is leaving the University to take up a role at Hargreaves Lansdown. The Committee thanked Laura for her contribution to the University, particularly in developing the risk assurance framework.

1040.3  That sessions on culture and development had been scheduled for 17 and 18 November to coincide with the Committee’s next meeting on 17 November.

1041 Major and serious incidents update

Received and considered paper 22/88HC ‘Major and Serious Incidents Update’. The Chief Operating Officer spoke to this item.

Noted

1041.1  [Redacted]

1041.2  [Redacted]

1041.3  [Redacted]

1041.4  [Redacted]

1041.5 [Redacted]

Resolved

1041.6  To approve that the report provides adequate assurance for the risks in this area.

1042 Sustainability and the University’s confidence to achieve net zero, and how this will be achieved

Received and considered a presentation on  ‘Sustainability and the University’s confidence to achieve net zero, and how this will be achieved’ from the Deputy Vice-Chancellor and the Director of Development and Alumni Relations.

Noted

1042.1 That the Way Forward Recast included an Environmental Sustainability sub-strategy, which set out the timescales for achieving net zero scopes 1 and 2 by 2030 and scope 3 by 2050 with reference to the Welsh Government Wellbeing and Future Generations Act and the UN sustainable development goals. The University was committed to embedding its net zero commitments throughout all its activities.

1042.2  That the University’s pre-pandemic carbon emissions were estimated to be around 140k tonnes per year, 20k of which was considered to be within scopes 1 and 2.

1042.3  That a clear governance structure had been put in place to monitor and support the achievement of the net zero targets and the wider sustainability strategy.

1042.4  That UEB had approved additional resource in Summer 2022 to establish and recruit a professional staff team to support net zero. This included a Communications Officer to support both internal messaging.

1042.5  That calculating accurately the University’s carbon emissions was challenging owing to the lack of staff capacity and patchy and unreliable metering across the estate.

1042.6  That the introduction of the mandatory Welsh Government reporting standard from 2023 would provide greater structure and guidance to how the University should be recording and reporting its targets and progress.

1042.7 That a Carbon Management Plan was in place and staff were being recruited to support it. The University was on track to reach the 15% reduction target by 2023 primarily owing to decarbonisation of the electricity grid.

1042.8 That a review of the University’s most intensive carbon-use buildings had been undertaken by an external consultant and the draft report had been received. This had enabled a rapid action plan to be developed by the Interim Director of Estates in addition to developing longer-term actions to integrate carbon reduction within the full Estates and Facilities function.

1042.9  That the University was consulting on the approach to carbon offset, including the principles and timescales for its adoption, with a view to approving a policy in early 2023.

1042.10  That there was merit in reviewing and implementing green procurement policies as this could have a significant impact on the achievement of targets. It was anticipated that this would be undertaken as part of the scope 3 strategy.

1042.11 That it was difficult to provide an indication of the costs required to achieve the scope 1 and 2 targets. A range of funding opportunities were available, which would be explored as the University developed its understanding of the work required.

1042.12 That ensuring behavioural change would be key to the University’s success in achieving its targets in the absence of reliable monitoring. It was anticipated that both staff and students would be prepared to change their behaviour in order to support the University’s ambitions.

1042.13  That the University was required by HEFCW to report in greater detail on environmental and sustainability issues in the Annual Report and Financial Statements this year. KPMG would review sector reporting and provide an overview as part of its annual ESG benchmarking exercise.

Resolved

1042.14  That the report provided a good level of assurance to the Committee on the University arrangements to achieve its net zero commitments.

1042.15 That further information should be provided to the Committee on the indicators that would be used to monitor staff and student behavioural change.

1043  Update on the key risks for the University estate and the actions and mitigations being taken

Received and considered paper 22/89C ‘Update on the key risks for the University estate and the actions and mitigations being taken’.  The Deputy Vice-Chancellor and the Interim Director of Estates spoke to this item.

Noted

1043.1  That the University estate was large and diverse with a number of important historical buildings. Owing to underinvestment in the maintenance programme, some areas of the estate had degraded and significant maintenance was required. Other risks included the escalating costs of estates projects, the fuel shortage, net zero and accessibility.

1043.2  That a condition survey was being undertaken to enable a longer-term maintenance plan to be developed as the information currently held was outdated and largely based on the survey undertaken in 2014. The survey would take over a year to complete and a further six months would be required to review the results and agree plans.

1043.3  That no new health and safety or compliance issues had been identified as a result of the condition survey activity undertaken thus far.

1043.4  That the use of space was actively management across the University; the Better Ways of Working initiative had resulted in a reduction in leased buildings. A new Space Management Policy had been introduced and the Space Management Group were responsible for reviewing requests and challenging the use of space, with regularly reporting to the Estates and Infrastructure Group.

1043.5  That oversight of estates matters was the responsibility of the Finance and Resources Committee and the Audit and Risk Committee would receive updates on the risk profile relating to estates via the risk register.

Resolved

1043.6  To request an update on the key risks for the University estate in 12-months’ time.

1044  Risk Register

Received and considered paper 22/90C ‘Risk Register’.  The Vice-Chancellor spoke to this item.

Noted

1044.1 That three new risks had been proposed for inclusion in the risk register: Business Continuity – Major incidents, Future Research Quality and Data Quality.

1044.2   That the four student related risks had been reviewed in light of the new Education Governance structure being implemented and had been replaced with three revised risks: Student Welfare and Wellbeing, Quality of Education and Learning Environment

1044.3  That the risk of industrial action was a concern for the University Executive owing to the increasing likelihood of strike action being called.

1044.4  That cyber security was a key area of risk for the University despite the preventative measures being taken given the reports from other institutions of cyber-attacks.

1044.5  That further work was required to improve completion rates of Information Security training. An internal audit of mandatory training had been requested to identify opportunities for improvement and to address the Committee and UEB’s concerns.

1044.6  That there had been a further decline in postgraduate student recruitment from China. It was anticipated that any collapse in the Chinese market would occur over a sufficiently long period of time to enable the University to take mitigating action.

1044.7  That the University had improved its position in the 2023 Times Good University Guide league table by 10 places.

1044.8  That there was considerable uncertainty around future research funding opportunities, which was largely outside the University’s control. The new Pro Vice-Chancellor for Research, Innovation and Enterprise would be reviewing the strategy for research over the coming year in order to identify opportunities and further mitigating actions.

1044.9  That Regulatory Compliance was one of the top risks on the UEB risk register. The report included details of the key steps being taken to reduce the risk to a more acceptable level. An update on progress would be provided to each of the Committee’s meetings.

1044.10  That the impact of the cost of living crisis was identified within the Student Welfare and Wellbeing risk. It was acknowledged that this was also an area of concern for staff.

Resolved

1044.11 That the potential impact of the cost of living crisis on staff should be represented within the risk register.

1044.12  That the report provided assurance that the approach to risk management was embedded within the University.

1044.13  To agree the current risks, scores and the mitigating actions for recommendation to Council.

1044.14  To receive a deep dive on cyber security at the Committee’s meeting in March 2023.

1045 Financial position 2021/22

Received and considered paper 22/91C ‘Financial Position 2021/22’.  The Chief Financial Officer spoke to this item.

Noted

1045.1  [Redacted]

1045.2  [Redacted]

1045.3  Redacted]

1046 External audit update / progress report

Received and considered paper 22/92C ‘External Audit Update / Progress Report’.  KPMG spoke to this item.

Noted

1046.1  That KPMG had completed the planning and interim work with its specialist planning and IT team, and had reviewed the prior year accounts. No issues had been identified as part of this work.

1046.2  That the final audit was underway and good progress had been made thus far. The audit was currently behind schedule but this was not considered to be a concern at present. A good relationship and regular contact points had been developed with the Finance team.

1046.3 That KPMG had identified opportunities for improvement in relation to the fixed asset and equipment registers and would make recommendations in these areas within their report.

1046.4  That these issues were known to the Chief Financial Officer and would likely require investment to improve the Finance and HR systems.

1047 Assurance of risk relating to data submitted externally

Received and considered paper 22/93C ‘Assurance of risk relating to data submitted externally’.  The Director of Strategic Planning spoke to this item.

Noted

1047.1   That the External Returns Oversight Group (EROG) was a key mechanism for managing and quality assuring data returns and had in place a planned programme of work to ensure assurance could be provided. EROG’s remit also included identifying systems issues, such as data collection and transfer, and working with IT to resolve them.

1047.2    That the processes involved in data quality assurance were predominantly manual and labour intensive. There was software available that could automate processes which the University may consider in future. The current priority was to address systems issues.

Resolved

1047.3  To approve the report.

1047.4  For KPMG to share any information regarding suitable data quality software that the University might consider.

1048 Annual Risk Management report

Received and considered paper 22/94C ‘Annual Risk Management Report’.  The University Secretary spoke to this item.

Noted

1048.1   That the development of the risk assurance map for regulatory compliance represented significant progress during the year in terms of how the University manages risk. This work had enabled second and third lines of defence to be mapped and gaps to be identified and remedied.

1048.2  That gaps had been identified in relation to emerging internationalisation requirements, which was an area under greater scrutiny from Government.

1048.3  That risk management processes had not yet been fully embedded within University functions and local areas, which placed a greater burden on the central staff resource. This was part of a wider issue of ensuring sufficient staff resources for compliance and assurance functions and the University Secretary was discussing this matter with UEB.

1048.4  That UEB had to make difficult decisions regarding the prioritisation of resources and was aware of the concerns regarding the adequacy of resources.

Resolved

1048.5  To recommend the paper to Council for approval.

1049 Fraud, bribery and other financial compliance - annual report

Received and considered paper 22/95HC ‘Fraud, Bribery and other Financial Compliance - Annual Report’.  The University Secretary spoke to this item.

Noted

1049.1  That the report provided an update on the steps taken to develop and implement policies relating to these areas of compliance and informed the Committee’s review of the University’s arrangements for the prevention and detection of fraud.

1049.2  That the appointment of a new Financial Compliance Manager from 7 November 2022 would enable the actions detailed in the paper to be progressed.

1049.3  That the report identified some instances of fraud and other financial compliance and the need for controls to be further developed. These instances were significantly below the materiality level used by the External Auditors’ in order to obtain reasonable assurance that the financial statements were free from material misstatement, whether due to fraud or error.

Resolved

1049.4  To recommend the paper to Council for approval.

1050  Value for money

Received and considered paper 22/96C ‘Value for Money’.  The Chief Financial Officer spoke to this item.

Noted

1050.1  That the role of the Committee was to provide assurance that the University has in place effective arrangements to deliver value for money. Council’s role was to consider whether the University has achieved value for money.

1050.2  That the report identified the key mechanisms for providing assurance in relation to the expectations set out within the HEFCW Financial Management Code and the guidance from the Committee of University Chairs.

1050.3  That a number of areas for potential improvement had been identified, including the development of a value for money policy, a review of the procurement strategy and consideration of benchmarking information.

1050.4  That no business process or systems development reviews had been documented in the report and the Chief Financial Officer would work with the Chief Operating Officer to document this information in future.

1050.5  That the impact of value for money activity could be measured by a range of indicators, for example, through improvements in the National Student Survey results.

Resolved

1050.6  To recommend to Council that the institution’s current arrangements give adequate assurance that value for money is being delivered.

1050.7  That there was little merit in establishing a dedicated value for money working group as value for money consideration were effectively embedded within a range of areas and groups across the University already.

1051 Draft Judgement paper (including going concern: financial budget and financial projections)

Received and considered paper 22/97C ‘Draft Judgement Paper (including Going Concern: Financial Budget and Financial Projections)’.  The Chief Financial Officer spoke to this item.

Noted

1051.1  That the paper provided a preliminary review of the judgements that had been made and estimates used in the preparation of the financial statements and a final version of the paper would be submitted to the Committee once the audit was complete.

1051.2   That the estimated pension liabilities had been sourced from USS, Deloitte for CUPF and AON for LGPS. The assumptions would be reviewed by KPMG.

1051.3  That a detailed going concern review had been undertaken and would be subject to further testing using scenarios provided by KPMG. The Chief Financial Officer was confident that the University could adjust its financial plans to mitigate any significant shocks arising from the uncertain external environment. A more significant review of the University’s financial position would be required in the event of any longer-term impacts.

1052   HEFCW 2021 Institutional Assurance Review draft report and action plan

Received and considered paper 22/105C ‘HEFCW 2021 Institutional Assurance Review draft Report and Action Plan’. The University Secretary spoke to this item.

Noted

1052.1  That the draft report of the review undertaken in December 2021 had been provided and the final version of the report was awaited from HEFCW.

1052.2  That an internal action plan had been developed and ownership of the actions and the timeline for their completion had been agreed by UEB.

1052.3  That the actions had been added to the Outstanding Action Tracker overseen by the Governance Committee and completion of the actions would be monitored by the Audit and Risk Committee.

Resolved

1052.4  That updates on progress with the action plan should be added to the Committee’s schedule of business to be reported on via matters arising.

1052.5  That it may be beneficial for the Committee to consider including a member with an academic background in future and it would be helpful for the skills matrix to include academic experience for this to be considered.

1053  Progress report against Internal Audit Programme

Received and considered Paper 22/99HC ‘Progress Report Against Internal Audit Programme’. The Head of Internal Audit spoke to this item.

Noted

1053.1  That the 2021-22 programme of work had been completed with one report on PC I-DSS still to be provided to the Committee.

1053.2  That performance against the KPIs had been achieved within the targets set.

1054 Discussion points for Internal Audit Assurance reports

Received and considered paper 22/99HC ‘Discussion Points for Internal Audit Assurance Reports’. The Head of Internal Audit and the Senior Internal Auditor spoke to this item.

Procurement

Noted

1054.1  [Redacted]

1054.2  [Redacted]

1054.3  [Redacted]

1054.4  [Redacted]

1054.5  [Redacted]

Resolved

1054.6  To provide an update to the Committee later in the year on the new policy and other developments in this area.

Integrated Planning Process

Noted

1054.7 [Redacted]

1054.8  [Redacted]

1054.9  [Redacted]

IT Asset Management

Noted

1054.10 [Redacted]

1054.11  [Redacted]

1054.12  [Redacted]

1055  Follow-up of highly rated recommendations

Received and considered paper 22/100HC ‘Follow-up of Highly Rated Recommendations’. The Head of Internal Audit spoke to this item.

1055.1 [Redacted]

1055.2 [Redacted]

1055.3 [Redacted]

1055.4 [Redacted]

1056 Internal Audit Service annual report 2021/22 - draft

Received and considered paper 22/101C ‘Internal Audit Service Annual Report 2021/22 - Draft’.  The Head of Internal Audit spoke to this item.

Noted

1056.1 That the report had been prepared in line with the HEFCW Financial Management Code and feedback had been received from HEFCW and incorporated into the report. The final version of the report would be submitted to the Committee in November.

1056.2  That a number of limited assurance ratings had been given during 2021-22 but the frequency of priority 1 recommendations was reducing.

1056.3  That 26% of the programme of work was advisory, which was well below the 40% cap.

1056.4  That the level of assurance provided by the report was enhanced by the range of annual reports submitted to the Committee each year and the work undertaken on assurance mapping. This reflected the maturity of the Committee’s work.

1057 External review of the Internal Audit provision

Received and considered paper 22/107C ‘External Review of the Internal Audit provision’.  The Chief Operating Officer spoke to this item.

Noted

1057.1  That the Public Sector Internal Audit Standards required that an external assessment of the service is conducted every five years as a minimum.

1057.2 That the review had concluded: “that Cardiff University’s internal audit team is generally conforming with the International Professional Practice Framework (IPPF) ... It is our view that internal audit activity conforms to 59 of the 61 relevant principles, with partial conformance on 2 principles. Only minor changes are needed to achieve full conformance”.

1057.3  That “generally conforming” was the highest rating of compliance and this outcome provided significant assurance to the Committee on the effectiveness of the internal audit service.

Resolved

1057.4  That the Committee should review the findings of the SWOT analysis at a future date.

1058  HEFCW accounts direction 2021-22

Received and considered paper 22/104 ‘HEFCW Accounts Direction 2021-22’.  The Chief Financial Officer spoke to this item.

Noted

1058.1 That compliance with the Accounts Direction was reviewed by the Finance Team and KPMG as part of the process for producing and finalising the accounts.

1058.2 That the inclusion of a Statement of Internal Control was required within the Annual Report. The Internal and External Auditors provided assurance on the system of internal control as part of their programmes of work.

1059 Any other business

There was no further business discussed.

1060 Review of risks identified in the Risk Register

Noted

1060.1  That the Risk Register accurately represented the information that had been received by the Committee.

1061 Items received for approval

Resolved

1061.1  To approve the following papers:

• 22/106 Compliance with governance code provisions relating to audit and the remit of the Audit & Risk Committee
• 22/102C Annual Serious Incident Report

1062 Items received for information

Noted

1062.1 The following paper:

• 22/103C KPMG Benchmarking report for Financial Statements (2020-21)

1062.2  That there had been no reports made under the Public Interest Disclosure (Whistleblowing) Policy since the last meeting of the Committee.

1063 In-Camera

Following the meeting of the Audit and Risk Committee, an in-camera meeting was held. The members of the Audit and Risk Committee, the Head of Internal Audit, the external auditors and the University Secretary were present.