Audit and Risk Committee Minutes 9 October 2023

Minutes of the meeting of the Cardiff University Audit and Risk Committee held on Monday 9 October 2023 at 09:00 via Zoom.

Present:  Dr Robert Weaver (Chair), Pers Aswani, Dónall Curtin, and Agnes Xavier-Phillips.

In Attendance:  Jonathan Brown (KPMG), Ruth Davies [minute 1181-1183], Rob Davies [minute 1183], Anita Edson [minute 1182-1183], Clare Eveleigh, Rashi Jain, Julie-Anne Johnston, Sian Marshall, Carys Moreland, Sue Midha [minute 1185], Mark O’Connor [minute 1177], Melanie Rimmer [minute 1179], Claire Sanders, Laura Sheridan, Natalie Stewart, Vice-Chancellor, Darren Xiberras.

1166 Welcome and Preliminaries

1166.1 All were welcomed to the meeting, including Natalie Stewart, Group Financial Controller, and Laura Sheridan, Interim Head of Internal Audit, who were attending their first meetings of the Committee, and Julie-Anne Johnston, Apprentice Governor, who was observing the meeting.

1166.2 The Chair reminded members that the meeting was being recorded to assist with the production of the minutes.

1167 Apologies for Absence

Apologies were received from Suzanne Rankin.

1168 Declarations of Interest

The Chair reminded Committee members of their duty to disclose any potential conflicts of interest. No declarations of interest were received.

1169  Minutes of the Previous Meeting

The minutes of the meetings held on 15 June 2023 (22/842C), 19 July 2023 (22/851C) and 5 September 2023 (23/93C) were confirmed as a true and accurate record and were approved to be signed by the Chair.

1170  Matters Arising from the Minutes

Received and considered paper 23/94C ‘Matters Arising’. The Chair spoke to this item.

Noted

Minute 1151.1: Internal Audit Future Options

1170.1 That the scope of the external review of the internal audit function would be set in the context of the Committee’s decision in July 2023 to retain the current model of a partially outsourced, hybrid internal audit service; that the scope would include consideration of the service’s role, reporting line, budget, and assurance responsibilities.

1170.2  That the Committee would be asked to consider the scope via email circulation for expediency.

1171 Constitution and Membership

Received and considered paper 23/116 ‘Constitution and Membership’.  The University Secretary spoke to this item.

Noted

1171.1  That the paper proposed amendments to the Constitution to formalise the requirement to report any material errors (greater than £50k) in tax and other returns as agreed by the Committee in March 2022 and to remove the requirement for the Committee to scrutinise the process of review of the financial regulations as authority rested with the Council and Finance and Resources Committee under the Scheme of Delegation.

Resolved

1171.2  To recommend the changes to the Committee’s constitution to Council for approval.

Sustainability Reporting

Noted

1171.3  That the Committee had agreed in March 2023 to amend its Constitution to include a requirement to provide an annual opinion on the adequacy and effectiveness of the University’s arrangements for sustainability; that there was limited sector guidance on the definition of sustainability or the format of reporting and so the Committee needed to agree its own approach.

1171.4  That the proposed structure and content of the report appeared to be fit for purpose and further feedback would be provided following receipt of the first iteration of the report.

Resolved

1171.5  To approve the definition of sustainability as financial, environmental and strategic.

1171.6  To approve the proposed structure and content of the annual assurance report.

1172  Items from the Chair

Noted

That there were no items to report under this agenda item.

1173 Strategic Risk Register Report

Received and considered paper 23/125C ‘Strategic Risk Register Report’. The Vice-Chancellor spoke to this item.

Noted

1173.1 That Reinforced Autoclaved Aerated Concrete (RAAC) had been added as strategic risk following the establishment of a major incident group; that all University buildings had been surveyed; that RAAC had only been identified in the Students’ Union fourth floor, which had been closed with remedial work underway; that this swift action provided the Committee with assurance of the University’s effective management of emerging and serious incidents.

1173.2 That the Business Continuity – Major Incident risk was proposed for de-escalation as the residual risk score was within appetite; that the University had effective processes in place to manage major incidents, which had been robustly tested in live situations; that the new Vice-Chancellor had been impressed with the processes in place.

1173.3 That the DENTL risk likelihood had increased owing to the deteriorating condition of the School’s building structure and facilities; that the School was located within the Dental Hospital, a facility owned and managed by Cardiff and Vale University Health Board (CVUHB); that the School had escalated concerns that the seriousness of the challenges faced were not fully appreciated nor being addressed appropriately by CVUHB.

1173.4 That the data quality residual likelihood score had decreased to 3 (possible) owing to the adoption of a University Data Strategy, and the rollout of a framework which would improve data quality across the whole institution.

1173.5 That the risk score for the Student Recruitment and Internationalisation risk was considered to be appropriate given that postgraduate student numbers would not be known until 3 November 2023 and the ongoing volatility in the postgraduate market.

Resolved

1173.6 To recommend the risk register to Council for approval.

1174 Financial Position 2022/23

Received and considered paper 23/122C ‘Financial Position 2022/23’.  The Chief Financial Officer spoke to this item.

Noted

1174.1 [Redacted]

1174.2 That the crediting of capital grants to the balance sheet and the creation and writing off of the fixed asset over its lifetime was consistent with the HE SORP; that KPMG was able to confirm this approach was widely used by other universities.

1175 External Audit Progress Update

Received and considered paper 23/95C ‘External Audit Progress Update’.  Jon Brown from KPMG spoke to this item.

Noted

1175.1 That, since the last report in June, KPMG had finalised its planning and risk assessment procedures, completed testing on a number of areas and commenced testing on others; that the final audit was slightly behind schedule but KPMG were confident of its completion ahead of the deadline this year.

1175.2  That the Finance team had been strengthened and KPMG was receiving good engagement and buy-in; that responses from outside the Finance team were slower than desirable in some instances but outstanding requests were reviewed at least weekly and escalated to the Chief Financial Officer for action where required; that delays of this nature were not uncommon across other organisations with which KPMG were engaged.

1175.3  That data analytics were being successfully used for journal population testing at Cardiff University; that data analytics was in use more widely at some institutions, typically where investment in systems had been much greater or where systems were better configured; however, it was recognised that the benefits of investment in systems may not always justify the cost when prioritised against other investment needs.

1176 Update on External Audit Recommendations

Received and considered paper 23/123C ‘Update on External Audit Recommendations’.  The Chief Financial Officer spoke to this item.

Noted

1176.1 That work had been undertaken to implement manual and retrospective controls in response to the priority level 1 recommendation – Journals Authorisation Control; that investigation into the benefits and disadvantages of implementing controls in Oracle remained ongoing; that interim measures had been put in place for 2022-23 for the Chief Financial Officer to review and retrospectively authorise all journals above certain threshold values (£50,000); that KPMG had advised that this issue and associated recommendations were common amongst their clients.

1176.2  That the priority level 2 recommendation – Manual Work Arounds had been addressed via planned system upgrades and it was anticipated that improvements would be in place in time for the 2023-24 audit and in line with the timetable originally set out in the management response.

1176.3  That a proposal to restructure the Post Awards team had been accepted and would provide additional resource; that it would take time to recruit and train staff but this action would ultimately lead to improvements to address priority level 3 recommendation – Research Project Review Control.

1176.4 That reasonable progress had been made with the other recommendations and it was anticipated that this would be reflected in the 2023 ISA260 report; that KPMG concurred with the Chief Financial Officer’s summary of the progress made in addressing the recommendations; that the Committee recognised the hard work put in by the Chief Financial Officer and their team in addressing the recommendations.

Resolved

1176.5 To approve that the report provides an appropriate level of assurance in relation to the KPMG audit recommendations.

1177 Internal Control Framework

Received and considered paper 23/120C ‘Internal Control Framework’.  Mark O’Connor, Consultant in Finance joined the meeting for this item.

Internal Control Framework Progress Update

Noted

1177.1 That the work to date to create an Internal Control Framework (ICF) had concluded that the control environment operating across all reviewed processes was generally robust and there were no obvious key controls missing.

1177.2  That a number of “pain points” had been identified where controls were not operating as expected, which was attributed to over-reliance on manual processes and controls, a lack of clear process documentation and clearly defined roles and responsibilities, and a lack of resource in some key areas; that these “pain points” caused frustration with systems and processes and could result in non-compliance; that short, medium and long term actions would be put in place to address the issues identified as appropriate.

1177.3 That it would be helpful for the Committee to have visibility of the action plan and progress against the recommendations; that the work to map the ICF would be completed by the end of the calendar year and the development of the action plan and schedule would be taken forward in January 2024; that this work was closely aligned to the Target Operating Model (TOM), including the development of the future research service.

Resolved

1177.4 For the Committee to receive an update on the action plan to address the control recommendations and progress with their completion at a future meeting.

1177.5  For a review to be undertaken to identify any other key processes, including those which sit outside Finance, which would benefit from being mapped as part of the ICF project.

Fraud and Error in the Recognition of Research Revenue

Noted

1177.6  That the Committee had requested a paper to provide assurance on the robustness of the controls in place to prevent the risk of error or fraud in the recognition of research income; that this was a significant area of risk identified as part of the 2022 External Audit, however no control issues were identified in the ISA260 report.

1177.7  That research income was recognised in the accounts in accordance with the performance model; one of the two methods permitted under FRS 102; that where no performance conditions were specified income was recognised in line with project spend.

1177.8   That the review undertaken had identified no material errors and a number of immediate control improvements; that periodic assurance visits were undertaken by UKRI with an outcome of moderate assurance received at the last visit in March 2023; that given the regular reviews undertaken by KPMG and UKRI, there was little merit in commissioning deep dives on specific areas or projects until the current year’s audit was completed.

1177.9 That staff in the Schools and Colleges played a key role in this area of activity and the TOM work aimed to clearly define the roles and responsibilities of staff in Professional Services, Schools and Colleges; that this work would be important in ensuring that robust and effective controls were in place across all areas of the institution.

Resolved

1177.10 To approve that appropriate level of assurance in relation to risks arising from the recognition of Research revenue at the University.

1177.11  To approve the direction, scope of work and summary findings coming out from the work on development of an Internal Control Framework for the University.

1177.12 For the Committee to consider the need for further review or deep dives of individual areas or projects once the external audit was completed.

Mark O’Connor, Consultant in Finance, left the meeting at the conclusion of this item.

1178  Assurance Mapping Update

Received and considered paper 23/126C ‘Assurance Mapping Update’.  The University Secretary spoke to this item.

Noted

1178.1 That the development of the assurance mapping approach had been undertaken in response to a recommendation from the 2017 HEFCW Institutional Assurance Review visit; that HEFCW had been approached recently for their advice on further developing the process and had indicated that Cardiff University was the only institution in Wales to have such a process in development.

1178.2 That the implementation of risk management software would support the development of the assurance map, through alignment of the four lines of defence to each control and the allocation of an assurance rating and weighting to support residual risk scoring.

1178.3  That it was planned for the regulatory assurance risk to be deep dived once the risk management software was in place; that each element identified would be separately risk assessed and recorded individually on a risk register appropriate to that element.

1178.4 That the enhancements to the risk management processes were welcomed by the Committee.

1179 Major and Serious Incidents Update

Received and considered paper 23/121HC ‘Major and Serious Incidents Update’.  The University Secretary and the Chief Operating Officer spoke to this item.

Noted

1179.1 [Redacted]

1179.2 [Redacted]

1179.3  [Redacted]

Resolved

1179.4 To approve that the report provides adequate assurance for the risks in this area.

1180 Assurance of risk relating to data submitted externally

Received and considered paper 23/115C ‘Assurance of risk relating to data submitted externally’.  The Director of Strategic Planning joined the meeting for this item.

Noted

1179.1  That the three lines of defence model had been in place and operating effectively for external returns for a number of years; that oversight by the External Returns Oversight Group (EROG) of the Student Loans Company transactional returns and National Student Survey contact details had been introduced during 2022-23, which provided second and third line assurance for these returns; that EROG escalated any concerns to Data Governance Group under the new data governance framework.

1179.2  That compliance with the requirements of the HESA data futures project was an emerging risk for 2023-24 and would be reported on in the next iteration of the report to the Committee.

Resolved

1079.3  To approve that the report provides an appropriate level of assurance in relation to data submitted externally.

The Director of Strategic Planning left the meeting at the conclusion of this item.

1181 Annual Serious incident report

Received and considered paper 23/114HC ‘Annual Serious incident report’.  The Head of Corporate Governance joined the meeting for this item.

Noted

1181.1 [Redacted]

1181.2 [Redacted]

Resolved

1181.3 For the separate reporting on financial compliance issues to be retained in order to provide visibility of lower level financial threshold risks but to ensure cross-referencing with the serious incident report to ensure clear and accurately reporting.

1181.4 To approve that further work on documenting the new processes/groups for managing the threat of harm and their relationship to the serious incident reporting framework takes place in order to mitigate the risks that incidents of this nature are not fully documented or reported appropriately.

1181.5 To approve that the content of the Annual Report on Serious Incidents provides adequate assurance in this area of risk.

1182 Update on the key risks for the University estate and the actions and mitigations being taken

Received and considered paper 23/110C ‘Update on the key risks for the University estate and the actions and mitigations being taken’.  The Director of Estates joined the meeting for this item.

Noted

1182.1 That progress had been made in addressing the Estates risks over the previous 12 month period; key activities included the approval of an interim Estates Strategy; the completion of the condition survey of the residential estate with the survey of the remainder of the estate due for completion by March 2024; that new software would be introduced to hold the survey results and to support the development of a backlog maintenance programme.

1182.2 That a £5.4m budget for critical maintenance had been allocated and a programme manager was being recruited to oversee it; that an additional £2m had been allocated to the estates maintenance budget prioritised on a risk basis; that two business partners had been recruited to promote communication with Schools and understanding of the issues to enable the prioritisation process; that new posts of Building and Asset Manager and Fire Manager had been created; that a new, more agile contractor framework had been introduced.

1182.3  That the impact on staff welfare and wellbeing was taken into account in defining the maintenance programme where possible.

1182.4  That consideration of the use of space and the condition of the estate would be factors in the development of the new University Strategy; that improving the condition of the full estate would likely not be possible without some rationalisation; that alignment of the future Estates Strategy with the future shape of Cardiff University would be critical.

1182.5  That Finance and Resources Committee provided oversight of estates matters, including budget and the use of contingency funds where required.

Resolved

1182.6  To approve that the report provides an appropriate level of assurance of the management of Estates risks.

1182.7  For a further report to be provided in 12 months’ time on progress with/barriers to addressing the Estates key risks and the development of the Estates Strategy to support the new University Strategy.

1183 Discussion Points for Internal Audit Assurance Reports

Received and considered paper 23/117HC ‘Discussion Points for Internal Audit Assurance Reports’.  The Interim Head of Internal Audit spoke to this item.

Noted

1183.1 [Redacted]

Space Management Report

Noted

1183.2  [Redacted]

1183.3  [Redacted]

Governance Report

The Registrar, College of Biomedical and Life Sciences, joined the meeting for this item.

Noted

1183.4 [Redacted]

1183.5  [Redacted]

1183.6  [Redacted]

The Director of Estates, College Registrar for BLS and Head of Corporate Governance left the meeting at the conclusion of this item.

1184 Progress Report Against Internal Audit Programme

Received and considered paper 23/119HC ‘Progress Report Against Internal Audit Programme’.  The Interim Head of Internal Audit spoke to this item.

Noted

1184.1 [Redacted]

1184.2 [Redacted]

1185 Mandatory Training

The Director of HR joined the meeting for this item.

Noted

1185.1 [Redacted]

1185.2 [Redacted]

1185.3 [Redacted]

The Director of HR left the meeting at the conclusion of this item.

1186 Any Other Business

There was no further business discussed.

1187 Review of risks identified in the risk register

Noted

1187.1  That there was merit in reviewing the articulation of the Estates risk to ensure alignment with the separate report to the Committee; that a deep dive of all risks was already planned to be undertaken (as part of the ongoing risk management exercise) ahead of the next report to the Committee.

Resolved

1187.2 That the risk register accurately represented the information that had been received by the Committee.

1188 Fraud, Bribery and other Financial Compliance - Annual Report

Received and considered paper 23/113HC ‘Fraud, Bribery and other Financial Compliance - Annual Report’. The Chief Financial Officer spoke to this item.

1188.1 [Redacted]

1188.2 [Redacted]

1188.3 [Redacted]

1188.4 [Redacted]

Resolved

1188.5 For confirmation to be provided that staff were not employed via personal service companies.

1188.6  For confirmation to be provided of the process to ensure student fee payments were not made by sanctioned individuals.

1188.7  To approve that the content of the Annual Report provides adequate assurance in this area of risk.

1189 Whistleblowing reports

The University Secretary and Chief Operating Officer spoke to this item.

Noted

1189.1 That there had been no reports made under the Public Interest Disclosure (Whistleblowing) Policy since the last meeting of the Committee.

1189.2 That the absence of any reportable complaints did not indicate that the Policy was not operating effectively; that a number of issues had been raised under the Policy but these had been triaged and referred for action under other procedures.

Resolved

1089.3 For the Committee to receive an overview of the number of issues raised under the Policy that were referred for action under other procedures.

1190 Items received for approval

Resolved

1190.1 To approve the following papers:

• 23/96 Compliance Report - CUC HE Audit Code of Practice & CUC HE Code of Governance
• 23/127C Annual Risk Management Report
• 23/124C Value For Money

1191 Items Received for Information

Noted

1191.1  The following papers:

• 23/97 Constitution and Membership of the Joint Committee of Audit and Risk and Finance and Resources Committee
• 23/118C HEFCW Institutional Assurance Visit Action Plan Update

All Officers apart from the Chief Operating Officer, University Secretary and Interim Head of Internal Audit left the meeting for the reserved items.

1192 Assessment Panel Management Response

Received and considered paper 22/100HC ‘Assessment Panel Management Response’. The Chief Operating Officer spoke to this item.

Noted

1192.1 [Redacted]

1192.2  [Redacted]

1192.3  [Redacted]

1192.4 [Redacted]

Resolved

1192.5  To approve that an appropriate level of assurance has been provided that actions are being taken to address the recommendations made.

The Chief Operating Officer left the meeting at the conclusion of this item.

1193 Minutes of the meeting held on 22 September 2023

The minutes of the meeting held on 22 September 2023 (23/128C) were confirmed as a true and accurate record and were approved to be signed by the Chair subject to the amendments below:

1193.1 [Redacted]

1193.2 [Redacted]

1194 In-Camera Meeting

Following the meeting of the Audit and Risk Committee, an in-camera meeting was held. The members of the Audit and Risk Committee, the Head of Internal Audit, the external auditors and the University Secretary were present.