Audit and Risk Committee Minutes 17 November 2022

Minutes of the meeting of the Cardiff University Audit and Risk Committee held on Monday 17 November 2022 at 10:00 in rooms 2.25/2.26, Centre for Student Life.

Present: Michael Hampson (Chair), Pers Aswani, Dónall Curtin, Suzanne Rankin, Robert Weaver, and Agnes Xavier-Phillips.

In Attendance: Jonathan Brown (KPMG), Ruth Davies, Millicent Ele, Clare Eveleigh, Ellie Hetenyi (KPMG), Rashi Jain, Faye Lloyd, Sian Marshall, Claire Morgan [minute 1079], Carys Moreland, Jo Regan, Melanie Rimmer [minute 1079], Claire Sanders, Vice-Chancellor [minutes 1064-1070], Darren Xiberras.

Apologies: None

1064 Welcome and preliminaries

1064.1  All were welcomed to the meeting, including Millicent Ele, Governor Apprentice for 2022-23.

1064.2 The Chair reminded members that the meeting was being recorded to assist with the production of the minutes.

1065 Apologies for absence

No apologies were received.

1066 Declarations of Interest

The Chair reminded Committee members of their duty to disclose any potential conflicts of interest. No declarations of interest were noted.

1067 Minutes of the previous meeting

The minutes of the meeting held on 10 October 2022 (22/208C) were confirmed as a true and accurate record and were approved to be signed by the Chair.

1068 Matters arising from the minutes

Received and considered paper 22/220 ‘Matters Arising’. The Chair spoke to this item.

Noted

Minute 1044.14: Cyber Security Deep Dive

1068.1 That the Chief Operating Officer was to discuss the approach to the deep dive with the Director of IT. Penetration and resilience testing was being undertaken, supported by JISC, to ensure appropriate security measures were in place.

1068.2  That the University had been able to achieve a further year’s Cyber Essentials Plus reaccreditation and an update paper was provided to the Governance Committee.

1068.3  That there may be merit in inviting an external expert to challenge our approach to cyber security. KPMG could not support this activity as it was prohibited under the provision of non-audit services.

Resolved

1068.4 For KPMG to recommend an external individual to support the University in undertaking a deep dive.

1069 Items from the Chair

Noted

1069.1 That contract negotiations had been undertaken with TIAA for the IT internal audit work and a limitation of liability of [Part-Redacted] aggregate had been agreed. This would be notified to the Council via the Chair’s report.

1069.2 That there had been no items approved via Chair’s action since the last meeting.

1070  Risk Register

Received and considered paper 22/237C ‘Risk Register’. The Vice-Chancellor spoke to this item.

Noted

1070.1 That three emerging risks had been identified within the report: energy crisis/power outages, cost of living crisis, and industrial action. Work was underway to understand the impact on the University, the mitigations already in place and any further work required.

1070.2 That the University had agreed a further exceptional payment of £500 to staff in recognition of the impact of the increased cost of living on the health and wellbeing of staff. It was known that at least one other University in the sector had also given a payment to students but this was not an approach agreed at Cardiff University.

1070.3 [Redacted]

1070.4 [Redacted]

1070.5 That a decline in the Chinese market had been anticipated with the maturing of the Chinese higher education system but the zero-covid policy in China had also impacted.

1070.6 That the University had adjusted its recruitment strategy to target countries other than China but this would not offset the drop entirely.

1070.7 That a sudden change in China’s status would pose a risk to the University with [Figure Redacted] of the University’s overseas tuition fee income from China. However, this would be an issue for the sector as a whole and it was anticipated that the UK Government would put in place contingency plans in this situation.

1070.8 That the handling of the safeguarding matter and subsequent reporting indicated that the serious incident process was working well, which provided assurance to the Committee.

Resolved

1070.9 To recommend to Council the Risk Register.

The Vice-Chancellor left the meeting after this item.

1071 Annual Internal Audit Opinion

Received and considered paper 22/209HC ‘Annual Internal Audit Opinion’.  The Head of Internal Audit spoke to this item.

Noted

1071.1 That the draft version was received at the meeting on 10 October 2022 and no substantial changes had been made to the report.

Resolved

1071.2 To recommend the report to Council for approval.

1072 Reconciliation of the Forecast Outturn vs Statements year end 31 July 2022

Received and considered paper 22/198C ‘Reconciliation of the Forecast Outturn vs Statements year-end 31 July 2022’. The Chief Financial Officer spoke to this item.

Noted

1072.1 [Redacted]

1072.2 That pension movements were based on market conditions, which were typically unpredictable, and the Council was advised to consider only the pre-pension figures when monitoring the financial position. However, it was acknowledged that there was a need to review accounting for pensions given the level of volatility.

1072.3  That there was little merit in requesting updated pensions figures on a more frequent basis as this would not provide greater certainty owing to the level of volatility in the markets.

1072.4 That notwithstanding pension liabilities, there were significant variances between the forecast and final result; the variances were primarily related to non-pay movements and higher than anticipated research costs. There was an ongoing issue with budgeting and forecasting particularly in the Colleges, where savings were not identified until year-end. It was difficult to incentivise Finance Managers to deliver financial performance with the current devolved structure. An objective of the proposed Target Operating Model was to ensure alignment with University objectives.

1072.5  That the University’s policy of not carrying forward budgets to the next academic year could be impacting the budgeting and forecasting processes in the Schools and Colleges and there may be merit in reviewing this approach.

1072.6  That it would be beneficial for the Committee, and particularly the new members, to have a better understanding of the University’s financial model, including the movement in cash/cash equivalents, investments, financial instruments, pension provisions and the bond repayment fund.

Resolved

1072.7  For the Chair and the Chief Financial Officer to consider if a further development session on the University’s financial model is required following the Committee development session on 18 November 2022.

1072.8 For the Chief Financial Officer to review the University’s policy on not carrying forward budgets.

1073 Judgements and Estimates for the Financial Statements for the year ending 31 July 2022

Received and considered paper 22/197C ‘Judgements and Estimates for the Financial Statements for the year ending 31 July 2022’.  The Chief Financial Officer spoke about this item.

Noted

1073.1  That the key judgements and estimates related to the provision for pension liabilities for USS, Cardiff University Pension Fund (CUPF) and the Local Government Pension Scheme. For USS the estimates were based on the finalised 2020 valuation available from 31 July 2021. For CUPF, the assumptions were provided annually by Deloitte as advisors and were reviewed by an independent actuary. All pension provisions were subject to extensive audits by the KPMG actuarial team.

1073.2  That dilapidations provision had been made for the first time to the value of £2.1m following a survey of leased properties by Knight Frank.

1073.3  That a detailed Going Concern paper had been provided including relevant assumptions and stress testing for scenarios that would impact the Going Concern assessment. The Finance and Resources Committee had requested that the paper be updated to take account of the Q1 forecast, which was behind the Budget owing to reduced tuition fee income. This was not anticipated to impact Going Concern as the cash position was expected to be higher than forecast.

1073.4  That the Going Concern assessment was based on projected cash flow to 2026, which was provided to the Council as part of the financial forecasts but not to the Committee.

1073.5  That fundraising was a priority area for the University as income compared to the sector was low and Council had agreed on a KPI in relation to fundraising activity. It was planned that the Council would receive a presentation on fundraising at the Development Day in February 2023.

Resolved

1073.6 To approve the contents of the paper, subject to the Going Concern Review being updated with the Q1 forecast.

1073.7  For the Committee to receive a copy of the cashflow forecasts underpinning the Going Concern assessment in future.

1073.8 For research income judgements to be included in the next iteration of the paper.

1074 Fixed Asset Accounting

Received and considered paper 22/221C ‘Fixed Asset Accounting’.  The Chief Financial Officer spoke about this item.

Noted

1074.1  That the approach taken to date with large new building projects was to charge a full year’s depreciation when the asset was transferred to the fixed asset register irrespective of the timing of assets coming into use. This approach had been challenged by KPMG in relation to the Translational Research Hub and Sparc which had come into use in March and July respectively and had been depreciated for a full year. A revised approach of charging six months’ depreciation had been agreed upon, which had resulted in [Part-Redacted] reduction in depreciation costs.

1074.2 [Redacted]

1074.3  That a series of process improvements were required for fixed asset accounting. A manual year-end process was currently undertaken to review capital/revenue expenditure, the disposal process for smaller assets was largely non-existent and at College-level all budgeting and forecasting was done on a cash-only basis.

1074.4  That fixed asset information was currently maintained on spreadsheets and the quality of information held was poor. The external audit had identified elevated risk associated with capital developments and fixed assets and additional testing had been undertaken as a result. KPMG had made a recommendation to improve the fixed asset register.

1075 Letter of Representation Assurance – Evidence of Compliance

Received and considered paper 22/210C ‘Letter of Representation Assurance – Evidence of Compliance’.  The Chief Financial Officer spoke about this item.

Noted

1075.1  That the paper provided evidence of the assurances required to be given to the External Auditors by the Council in relation to the Annual Report and Financial Statements for the year ending 31 July 2022.

Resolved

1075.2 To approve the contents of the paper.

1076 Report on External Audit Year End (including Management Letter)

Received and considered paper 22/239C ‘Report on External Audit Year End (including Management Letter)’.  KPMG spoke to this item.

Noted

1076.1  That the audit had commenced late due to the contract negotiations and additional testing had been undertaken where errors had been identified. The majority of testing had now been completed and many of the outstanding items had now been concluded. It was anticipated that the audit would be completed prior to the meeting of the Council scheduled for the following week.

1076.2 That KPMG had received excellent support from the Finance team.

1076.3  That KPMG had identified a number of incorrect disclosures from the previous year. The most significant area related to Overseas Agents’ fees which had been netted against tuition fee income, whereas both the income and expenditure should have been disclosed as gross. The prior year period comparative would need to be restated to reflect this adjustment. PWC would also need to be notified as the increase in revenue could affect the materiality level for the previous audit.

1076.4 That KPMG had concluded that the overall assumptions adopted by the University in relation to the CUPF pension liability and USS pension provision were slightly optimistic but within the acceptable range.

1076.5 That KPMG had made a series of recommendations to improve the internal control environment. This included one priority recommendation to maintain an accurate fixed asset register, a further six priority two recommendations and two priority three recommendations.

1076.6 That deadlines within the year had been given for the majority of actions but it was acknowledged that some of the recommendations could only be addressed in full over a much longer time period. It was feasible to review the fixed asset register, put in place a coherent register in Excel and formalise the disposals process by April 2023. The Budget was in place to recruit a new post to undertake this work.

1076.7 That investment in systems, staff and training would be required to address the recommendations raised by KPMG.

1076.8  That it would be important to put in place a permanent central Finance team structure prior to making significant investments in systems or structures and any requests for investment would need to be made in the context of other investment requests across the University. It was planned to bring a systems business case for consideration either at the end of the academic year or the beginning of the next academic year, which would allow time to put in place other changes first.

1076.9 That workshops would be held with Finance staff, particularly staff based in the Colleges, to provide training and to ensure staff were following the correct procedures.

1076.10 That the devolved structure and academic culture presented a challenge to addressing the issues identified, with most Finance staff being based in the Colleges without a reporting line to the Chief Financial Officer. There was strong opposition to greater centralisation of Professional Services functions but this would likely be required to address the issues. The appropriateness of reporting lines was being considered as part of the development of the Target Operating Model proposal, and Council would receive a presentation on this in February 2023. The Chief Financial Officer would be working with the Chief Operating Officer to consider the interface with Schools and Colleges.

1076.11 That the Committee had requested that the previous Chief Financial Officer put in place a finance strategy but this had not been taken forward. It would be important going forward for the Committee and Council to be assured that the right systems and resources were being put in place to ensure a coherent Finance function.

Resolved

1076.12  For the Chief Financial Officer to set out a more detailed action plan to address the recommendations raised by the next meeting of the Committee in March 2023 and the progress made, in order to provide assurance to the Committee that the financial control issues were being addressed.

1076.13 For the final report and management letter to be circulated to the Committee once the audit was completed.

1077 Annual Report and Financial Statements

Received and considered paper 22/199C ‘Annual Report and Financial Statements.  The Chief Financial Officer spoke to this item.

Noted

1077.1 That the principal risks detailed in the Annual Report did not align with the current iteration of the risk register with no reference to cyber security, Estates or regulatory compliance, which were identified as high-risk areas.

1077.2 That some organisations successfully used infographics to present positive messages in a more approachable way to non-specialists within their Annual Reports, which could be considered for future years.

1077.3 That the University paid around £8m in Overseas Agents fees with overseas tuition fee income at around £112m. There was perceived to be a risk of bribery and corruption and the forthcoming audit of due diligence processes would not review in detail processes around Overseas Agents. This would be an important area for the new Financial Compliance Manager to investigate and document.

1077.4 That there was considered to be a greater level of risk relating to overseas direct entry students from certain countries and UEB would be considering a paper on this issue.

1077.5 That there had been an increase to the Vice-Chancellor’s pension costs and the rationale for this was not clear.

Resolved

1077.6  For the principal risks to be updated to reflect the latest iteration of the risk register.

1077.7  For the reporting of the Vice-Chancellor’s pension costs to be checked and confirmed as accurate.

1077.8  To recommend the report to Council, subject to the points 1077.6 and 1077.7 above.

1077.9   For best practice examples of the use of infographics to be shared with the Finance team to consider a revised approach for future years.

1077.10  For a paper to be provided to the next meeting on Overseas Agents to provide a summary for each Agent of fees paid, number of students recruited, confirmation of due diligence checks and bribery and corruption clauses, taxation and payment arrangements (not to offshore accounts/connected person/company) and off-contract expenses.

1078 Audit and Risk Committee Annual Report 2021-22

Received and considered paper 22/224C ‘Audit and Risk Committee Annual Report 2021-22’.  The Chair spoke to this item.

Noted

1078.1 That there were a number of areas covered by the report that were being considered by the Committee at this meeting and would need to be revised following the meeting.

Resolved

1078.2 That the final version of the report should be approved by the Chair following the meeting and circulated to the Committee.

1078.3 To approve the Audit and Risk Committee Annual Report, subject to the addition of paragraphs on culture and consideration of the External Audit Report.

1079 Fee and Access Plan (FAP) Monitoring 2021/22

Received and considered paper 22/222C ‘Fee and Access Plan (FAP) Monitoring 2021/22’.  The Pro Vice-Chancellor of Education & Student Experience and the Director of Strategic Planning was invited to the meeting to speak on this item.

Noted

1079.1 That the paper provided a monitoring report on performance against the Plan for 2021-22 and assurance in relation to the statements that must be confirmed to HEFCW as part of the Annual Assurance Return submitted by 31 December 2022.

1079.2 That there was an underspend against the 2021-22 Budget. The University had committed to spending 15-20% of the full-time, undergraduate fee income on the FAP but the final spend was only 13.5%, which was below the 15% threshold set by HEFCW. This was a result of lower-than-anticipated numbers of students taking up the Cardiff University bursary, higher than forecast income from additional student numbers and the decision by UEB to fund additional staff to support the larger student intake. The underspend was not considered a matter of concern as expenditure had been impacted by the ongoing post-pandemic impacts but it was possible that HEFCW may query the level of expenditure achieved.

1079.3 That it was difficult to understand the reasons for the lower take-up of student bursaries compared to the previous year. It was planned to review recruitment data over a longer period in future, which would help to identify any trends.

1079.4 That further enhancement were planned to the FAP and its monitoring, including greater alignment with the Widening Participation Strategy and its evaluation, greater review of the data underpinning the national measures, and quarterly reporting on spend against the budget to ensure mitigating action could be taken sooner in future.

1079.5  That the Welsh national measures did not provide useful benchmarks nor did they compare the University with comparable institutions, however, HESA data showed the University was performing in line with similar institutions.

Resolved

1079.6 To recommend the paper to Council for approval.

1079.7 To confirm the statements for the Annual Assurance Return to HEFCW.

1080 Annual Complaints Report: Students, Staff and Third Parties

Received and considered paper 22/226HC ‘Annual Complaints Report: Students, Staff and Third Parties'.  The Chief Operating Officer spoke about this item.

Noted

1080.1 [Redacted]

1080.2  [Redacted]

1080.3  [Redacted]

1080.4  [Redacted]

1080.5  [Redacted]

Resolved

1080.6 To bring a short report to the Committee later in the year on the operation of the Whistleblowing Policy.

1080.7 To approve that the report provides assurance over the degree to which adequate and effective complaint-handling processes are in place.

1080.8  For the Committee to be informed where the outcome of a complaints process indicated a serious internal control weakness.

1081 Compliance Report: HEFCW Financial Management Code and Terms and Conditions of Funding 2022

Received and considered paper 22/223 ‘Compliance Report: HEFCW Financial Management Code and T&Cs 2022’.  The University Secretary spoke about this item.

Noted

1081.1  That a review of compliance with the HEFCW Financial Management Code and HEFCW’s Terms & Conditions of Funding 2021-22 had been undertaken by the University Secretary’s Office with input from the Finance department.

1081.2  That the report provided assurance of compliance, with a number of areas where better evidence of compliance was required. This would be put in place over the coming year.

Resolved

1081.3 To approve the report to support the inclusion of a statement of compliance within the Annual Report and Financial Statements 2021-22, together with an explanation provided as to areas for enhancement.

1082 Any Other Business

There was no further business discussed.

1083 Review of risks identified in the risk register

Resolved

1083.1 That the risk register accurately represented the information that had been received by the Committee.

1084 Items received for approval

Resolved

1084.1 To approve the following papers:

22/227HC Major and Serious Incidents Update

1085 Items received for information

Noted

1085.1 The following paper:

22/228C HEFCW Institutional Assurance Visit – Final Report

1085.2  That there had been no reports made under the Public Interest Disclosure (Whistleblowing) Policy since the last meeting of the Committee.

The Head of Corporate Governance left the meeting.

1086 Report of Live Litigation

Received and considered paper 22/225HC ‘Report of Live Litigation’.  The University Secretary and General Counsel spoke to this item.

Noted

1086.1 [Redacted]

1086.2 [Redacted]

Resolved

1086.3  For the Committee to be kept updated on any developments with the potential claim.

1086.4  For a contingent liability note to be included in the accounts in relation to the potential failure to educate claim.

All Officers left the meeting for the Senior Salary Recommendation item apart from the Chief Operating Officer.

1087 Senior Salary Recommendation

Received and considered paper 22/211HC ‘Senior Salary Recommendation’.  The Chief Operating Officer spoke about this item.

Resolved

1087.1 To approve the recommendation in the paper.

1088 In-Camera

Following the meeting of the Audit and Risk Committee, an in-camera meeting was held. The members of the Audit and Risk Committee, the Head of Internal Audit, the external auditors and the University Secretary were present.