
Audit and Risk Committee Minutes 14 March 2023

Minutes of the Cardiff University Audit and Risk Committee held on Tuesday 14 March 2023 at 9:00 via Zoom.

Present: Michael Hampson (Chair), Pers Aswani, Dónall Curtin, Dr Robert Weaver.

Attendees: Neil Bickerstaff [minute 1103], Jonathan Brown (KPMG), Rhodri Evans [minute 1103], Clare Eveleigh, Rashi Jain, Faye Lloyd, Sian Marshall, Alexander Middleton (KPMG), Claire Morgan [minute 1103], Carys Moreland, Jo Regan, Pete Sheppard (TIAA) [minute 1103], Vice-Chancellor, Prof. Roger Whitaker [minute 1101], Simon Wright [minute 1102], Darren Xiberras.

1089 Welcome and preliminaries

All were welcomed to the meeting.

1090 Apologies for absence

Apologies were received from Ruth Davies, Suzanne Rankin, Claire Sanders and Agnes Xavier-Phillips.

1091 Declarations of Interest

The Chair reminded the Committee members of their duty to disclose any potential conflicts of interest. No declarations of interest were noted.

1092 Minutes of previous meeting

The minutes of the meeting held on 17 November 2022 (22/298C) were confirmed as a true and accurate record and were approved to be signed by the Chair.

1093 Matters Arising

Received and considered paper 22/436 ‘Matters Arising’. The Chair spoke to this item.


1093.1 That all open matters arising were either in progress or were planned for an update to a future meeting of the Committee.

1093.2  That it was a priority to schedule the date for the Committee’s next development session as soon as possible to ensure all members could attend.

1094 Constitution and Membership

Received and considered paper 22/448, ‘Constitution and Membership’. The University Secretary spoke to this item.


1094.1 That the Committee’s role had been revised to providing oversight of the Counter-Fraud and Anti-Bribery Policy, Anti-Money Laundering Policy and Whistle-blowing Code of Practice, to align with the new Scheme of Delegation which delegated approval of policies to the Vice-Chancellor unless they were specifically applicable to Council and/or lay members, or specifically required by external bodies to be approved by the governing body or a committee.

1094.2 That the terms of reference had been updated to ensure alignment with the CUC HE Audit Committees Code, including oversight of compliance with the legal and regulatory framework, and receiving assurance regarding the institution’s arrangements for sustainability.

1094.3 That provision had been included for approval of requests for non-audit services by the External Auditors. Council would be asked to give approval for this authority to be delegated to the Committee as part of the recommendation to approve the Policy on Non-audit Services.

1094.4 That it would be important to define the scope of the Committee’s role in relation to sustainability, which was not explicitly defined by the CUC HE Audit Committees Code, but broadly covered financial, environmental and strategic sustainability.


1094.5 To recommend the changes to the Committee’s constitution for approval by Council.

1094.6 For a paper to be brought back to the Committee’s next meeting on the scope of the Committee’s role in relation to sustainability and the mechanism for assurance. This would include feedback from how other institutions in the sector are taking forward this issue.

1095 Items from the Chair


1095.1 That the final version of the Annual Report & Financial Statements was approved by the Chairs of the Finance & Resources and Audit & Risk Committees. The Chair of Council approved the amendments by Chair’s Action on behalf of Council.

1095.2 That the Chair had met with Stephen Williamson, Financial Compliance Manager, to discuss the reporting to the Committee on financial compliance following a recommendation made in the counter-fraud and anti-bribery internal audit report.

1095.3 That it had been agreed to take forward the recommendation as follows:

1. To introduce a standing item on the agenda to provide a report on financial compliance issues, including any cases identified or prevented, where systems or controls have worked effectively, and areas of risk and the progress made in reducing/removing risk. This could be a nil report if there were no cases.

2. To continue to provide an annual report to the Committee, which would include resourcing but not include benchmarking data as we currently do not have a baseline to benchmark against. Instead, there would be a focus on the risk profile/number of risks and whether this is increasing or decreasing.

3. To develop a template for reporting on financial compliance issues.

1096 Risk Register

Received and considered paper 22/453HC, ‘Risk Register’. The Vice-Chancellor spoke to this item.


1096.1 [Redacted]

1096.2 [Redacted]

1096.3 [Redacted]

1096.4 [Redacted]

1096.5 [Redacted]

1096.6 [Redacted]

1096.7 [Redacted]


1096.8 To recommend to Council the Risk Register for approval.

1096.9 For details of the external company engaged to assess the threat of spear phishing to be provided.

1097 Action Plan to address External Audit recommendations

Received and considered paper 22/437C ‘Action Plan to address External Audit Recommendations’. The Chief Financial Officer spoke to this item.


1097.1 [Redacted]

1097.2 [Redacted]

1097.3 [Redacted]

1097.4 [Redacted]

1097.5 [Redacted]

1097.6 [Redacted]

1097.7 [Redacted]

1097.8  [Redacted]

1097.9  [Redacted]

1097.10 [Redacted]

1097.11 [Redacted]

1097.12 [Redacted]

1097.13 [Redacted]


1097.14  For the Chief Financial Officer and Head of Internal Audit to bring a report to the next meeting on the work being undertaken to strengthen financial internal controls and the evidence of assurance that could be provided to the Committee.

1097.15  For the position around financial internal controls to be reviewed again in October 2023 when the Committee would receive the draft Head of Internal Audit Opinion.

1098 Late submission of Annual Report and Financial Statements: Lessons Learnt

Received and considered paper 22/438C ‘Lessons Learned KPMG’. The Chief Financial Officer spoke to this item.


1098.1 That there were two primary reasons for the delay in finalising the audit; firstly, the University’s status as a Public Interest Entity required increased internal review and an expectation of a strong internal control and reporting environment. Secondly, due to a delay in the agreement of a contract, the audit had started much later than originally planned and it had not been possible to perform an interim visit to review systems and test key controls, as well as complete some of the substantive testing work.

1098.2 That there had been significant challenge received from the second line of defence team, which had taken longer than anticipated, in relation to the sampling errors identified, most notably within capital accounting and prior year adjustments, and whether KPMG should qualify their report in some way.

1098.3 That the interim audit would bring forward work from the year end audit to ensure a smoother final audit visit in September-November 2023. An update would be provided to the Committee on progress with the interim audit at the next meeting.

1098.4  That many of the actions being taken forward by the Finance Team would result in fewer errors and enable less deviation from the planned timetable.

1098.5  That it was acknowledged that the Committee could have been made aware of the likelihood of further delays at its meeting in November 2022.

1099 Summary of Cultural Findings and Behaviours

Received and considered paper 22/439HC ‘Summary of Cultural Findings and Behaviours’. The Head of Internal Audit spoke to this item.


1099.1 [Redacted]

1099.2  [Redacted]

1099.3 [Redacted]

1099.4 [Redacted]


1099.5 For the Chair to discuss the approach to onward reporting to Council with the Chair of Council.

1100 Policy on Non-Audit Services

Received and considered paper 22/449 ‘Policy on Non-Audit Services’. Darren Xiberras, Chief Financial Officer spoke to this item.


1100.1 That the Policy had been drafted to meet the requirements of the CUC HE Audit Committees Code of Practice, which required institutions to have a Policy in place.

1100.2 That it would be good practice to introduce a requirement to review any non-audit service after it had been provided to ensure that any activity had not exceeded the agreed scope. That this would be covered in the ISA 260 report.

1100.3 That guidance had been issued by the IESBA that prohibited advised against the delegation of authority to approve non-audit services from the Audit and Risk Committee to individuals, which would need to be reflected within the Policy.


1100.4 To recommend the Policy to Council for approval, subject to the Policy being updated to take account of the comments in 1100.2-1100.3.

1100.5 For the Chair to approve the revisions to the Policy to enable it to go forward immediately to Council for approval.

1101 Update on Internal Audit Advisory Report 2022_C03 Research Data Systems

Received and considered paper 22/440 ‘Update on the Future Research Service Programme [Internal Audit Advisory Report: 2022_C03 Research Data Systems]’.

Professor Roger Whitaker, Pro Vice-Chancellor Research, Innovation and Enterprise joined the meeting to present this item.


1101.1 That the Future Research Service Programme was established in April 2022 under Recast Transforming Services to address the audit findings, as well as seek to transform the wider research service. That the programme aimed to improve a range of research and innovation areas, including research grants creation and management, research contracts management, research ethics management, and impact and commercialisation.

1101.2 That a business case had been developed to implement a system for costing and pricing research grants and creation of contracts at the commencement of these grants. That the system was modular, which would enable further modules to be added over time as the use of the system matured. It was planned for the system to go live during the second quarter of 2024, which represented significant progress at pace.

1101.3 That the programme incorporated a significant people element with consideration being given to delivering services efficiently and better coordinating staff; this would be taken forward as part of the TOM.

1101.4 That the new system would bring the University in line with other institutions in the sector and would provide a reliable, well tested system. It would not be best in class but there was scope for further developments over time.

1102 Progress Report against Internal Audit programme

Received and considered paper 22/441HC ‘Progress Report, Internal Audit Programme 2022-23’. The Head of Internal Audit spoke to this item.


1102.1 [Redacted]

1102.2  [Redacted]

1102.3  [Redacted]

1102.4  [Redacted]


1102.5 To approve the proposed change to the audit programme.

1102.6 For the Committee to be kept informed of any further or ongoing issues impacting the delivery of the internal audit programme.

1103 Discussion points for Internal Audit Assurance Reports

Received and considered paper 22/443HC ‘Discussion Points for Internal Audit Assurance Reports’. The Head of Internal Audit spoke to this item.


Peter Sheppard (TIAA) and Neil Bickerstaff (Director of IT) joined the meeting

Core Cyber Security Review Advisory report

1103.1 [Redacted]

1103.2 [Redacted]

1103.3 [Redacted]

1103.4  [Redacted]

1103.5  [Redacted]

1103.6  [Redacted]

1103.7  [Redacted]

1103.8 [Redacted]

1103.9 [Redacted]

1103.10 [Redacted]

Virtual Desktop Interface Follow Up

1103.11 [Redacted]

1103.12 [Redacted]

PCI-DSS Compliance Follow Up

1103.13 [Redacted]

1103.14 [Redacted]

Peter Sheppard (TIAA) and Neil Bickerstaff (Director of IT) left the meeting

Results Notification Process: In-year resits

Claire Morgan (Pro Vice-Chancellor, Education and Student Experience), Simon Wright (Academic Registrar), Rhodri Evans (Head of Education Governance) joined the meeting

1103.15  [Redacted]

1103.16  [Redacted]

1103.17  [Redacted]

1103.18 [Redacted]

1103.19 [Redacted]

1103.20 [Redacted]


1103.21  For a follow up audit of in-year resits to be included in the 2023-24 plan.

Results Notification Process: Minimise risk of error

1103.22 [Redacted]

1103.23 [Redacted]

1103.24 [Redacted]

1103.25 [Redacted]

Claire Morgan (Pro Vice-Chancellor, Education and Student Experience), Simon Wright (Academic Registrar), Rhodri Evans (Head of Education Governance) left the meeting

Management of Legal Risk Activities

1103.25 [Redacted]

Due Diligence Activities (Risk Management)

1103.26 [Redacted]

1104 Follow-up of Highly Rated Recommendations

Received and considered paper 22/443HC ‘Follow-up of Highly Rated Recommendations’. The Head of Internal Audit spoke to this item.


1104.1 [Redacted]

1104.2  [Redacted]


1104.3 For an update to be provided to the Committee on the Service Level Agreement, to include a realistic and achievable timetable for completing the action.

1105 Review of External Quality Assessment Outcomes and actions

Received and considered paper 22/444HC ‘External Quality Assessment Outcome and Actions’. The Head of Internal Audit spoke to this item.


1105.1  [Redacted]

1105.2  [Redacted]

1105.3  [Redacted]

1105.4  [Redacted]

1105.5  [Redacted]

1106 Assurance Mapping Update

Received and considered an oral report from the University Secretary.


1106.1 That progress had been impacted as the Senior Risk Advisor had left and it had taken time to replace them. The new Senior Risk Advisor had been appointed and would be in post from mid-April 2023.

1106.2 That a regulatory compliance heat map had been developed to highlight the areas with a high degree of risk and low level of assurance.

1106.3 That a policy framework had been developed to ensure best practice in drafting, reviewing and maintaining policies. The next step would be to develop the policy repository.

1106.4 That the internal audit of due diligence had recommended the development of a policy and framework; all recommendations had been accepted.

1106.5 That an audit of conflicts of interests was in progress and the recommendations awaited.

1106.6  That meetings had been held with each of the 24 Schools to discuss regulatory compliance and a questionnaire had been used to assess the level of assurance for each School. This information would be collated into an action plan and the recommendations would be prioritised for further action.


1106.7 For the new Senior Risk Advisor to be invited to attend the Committee’s next meeting.

1106.8 For the updated regulatory compliance heat map to be brought to the Committee.

1107 International Agents review

Received and considered paper 22/445HC ‘International Education Agents Review’. The Chief Financial Officer spoke to this item.


1107.1 [Redacted]

1107.2 [Redacted]

1107.3  [Redacted]

1108 Major and Serious Incidents update

Received and considered paper 22/451HC ‘Major and Serious Incident Update Report’. The University Secretary spoke to this item.


1108.1 [Redacted]

1108.2 [Redacted]


1108.3 To approve that the report provides adequate assurance for the risks in this area.

1109 Anti-Money Laundering Policy

Received and considered paper 22/446 ‘Anti-Money Laundering Policy’. The Chief Financial Officer spoke to this item.


1109.1 That the Anti-Money Laundering Policy had been approved by UEB and published on the University intranet and via the staff newsletter.

1109.2 That the processes for staff to report suspected money laundering activity did not appear to be user friendly and this could deter staff from reporting their concerns.


1109.3 For the next iteration of the Policy to consider the Committee’s comments on the user-friendliness of the reporting process.

1110 Any Other Business

There was no further business discussed.

1111 Review of risks identified in the Risk Register


That the risk register accurately represented the information that had been received by the Committee.

1112 Items received for information


  • Paper 22/447  Academic Assurance Framework
  • Paper 22/450C HMRC Error Notification

1113 Whistleblowing Reports


That there had been no reports made under the Whistleblowing Policy since the Committee’s last meeting.

All Officers left the meeting for the Assessment Panel Outcome item apart from the Head of Internal Audit.

1114 Assessment Panel Outcome

Received and considered an oral report from the University Secretary.


1114.1 [Redacted]

1114.2 [Redacted]

Document control table

Document title: Audit and Risk Committee Minutes 14 March 2023
Effective date: 18 July 2023