Audit and Risk Committee minutes 15 November 2024

Minutes of the meeting of the Cardiff University Audit and Risk Committee held on Friday 15 November 2024 at 14:00 via Zoom

Present: Dr Robert Weaver (Chair), Aneesa Ali, Pers Aswani, Dr Nick Starkey, Suzanne Rankin, and Agnes Xavier-Phillips.

In Attendance: Roger Adams [minute 1309], Jonathan Brown (KPMG), Ruth Davies, Anita Edson [minute 1315-1316], Clare Eveleigh, Owen Hadall [minutes 1305-1306], Ellie Hetenyi (KPMG), Professor Wendy Larner, Sian Marshall, Alexander Middleton (KPMG), Carys Moreland, Dr Paula Sanderson, Peter Sheppard (TIAA) [minute 1305-1306], Laura Sheridan, Natalie Stewart, Darren Xiberras.

1297 Welcome and preliminaries

1297.1 All were welcomed to the meeting.

1297.2  The Chair reminded members that the meeting was being recorded to assist with the production of the minutes.

1298 Apologies for absence

Apologies were received from Daisy Gandy. The meeting was confirmed as quorate.

1299 Declarations of Interest

1299.1 The Chair reminded Committee members of their duty to disclose any potential conflicts of interest.

1300 Minutes of the previous meeting

The minutes of the meetings held on 10 October 2024 (24/217C) were confirmed as a true and accurate record.

1301 Matters arising from the minutes

Received and considered paper 24/218C ‘Matters Arising’. The Chair spoke to this item.

Noted

Minute 1279.8: Key Controls Framework

1301.1 That a first iteration of the controls framework would be submitted to the March 2025 meeting; a number of different models were being considered.

1301.2  That not having a framework in place did not mean that controls were not in place or taken seriously; the annual internal audit report provided assurance on the effectiveness of controls.

Resolved

1301.3  For the work undertaken by the Financial Controls Consultant to be shared with the Chief Operating Officer and University Secretary.

Minute 1237.3: Committee Secretary

Noted

1301.4  That the deadline for this action had been pushed back to March 2025; the Governance Advisor would be Acting Secretary to the Committee in the interim period.

1301.5  That an appointment of a Director of Corporate and Legal Services had not been made; Victoria Holbrook had instead been appointed to a one year fixed term role with a specific focus on transforming governance; objectives for the role would include the development of dashboards as a mechanism for Committee reporting on assurance.

1301.6  That the Chief Operating Officer and University Secretary intended to propose that Victoria Holbrook take on the role of Committee Secretary.

Minute 1260.5: Litigation Report

Noted

1301.7  That the deadline for this action had been pushed back to June 2025; information about provisions made in the accounts would be included in the next iteration of the report.

1301.8 [Redacted]

1301.9 [Redacted]

Resolved

1301.10 For a more detailed update on the US potential litigation case reported in paper 24/227HC to be provided to the Chair and Agnes Xavier-Phillips.

1302 Items from the Chair

The Chair spoke to this item.

Noted

1302.1 That there were no reports of chair’s action since the last meeting.

1302.2  That the Senior Risk Advisor would be leaving the University on 6 December 2024; the Committee recorded its thanks to Daisy Gandy for her contributions.

1302.3 That the job description for the role had been updated ahead of a competitive recruitment process; another member of the team was to take on partial responsibility for risk management in the intervening period, including horizon scanning and updating risk registers in response, and the quarterly risk review meetings.

1303 Summary of decisions from the Joint Meeting with F&RC

Noted

1303.1 That members of the Committee confirmed there were no further matters to discuss in relation to the items considered by the Joint Committee Meeting.

1304 External Audit Report

Received and considered paper 24/219C ‘External Audit Report’.  Representatives from KPMG spoke to this item.

Noted

1304.1 That the ISA260 report was in draft as there were a number of audit matters outstanding at the time the report was issued; the majority of matters had now been concluded and KPMG expected to be in a position to sign the report by the end of November.

1304.2 That progress with the audit had been impacted by system limitations and legacy work-arounds, which had caused some delays; early testing during the interim audit had been undertaken during the previous year, which had not been possible this year owing to the general ledger transfer and the unavailability of staff; KPMG would discuss with the Finance Team whether early/interim testing could be planned for 2024-25.

1304.3 That KPMG had made 14 control findings, including one priority one, seven priority two and six priority three findings; this was an increase on the previous two years and appeared to indicate that the control environment had worsened rather than improved.

1304.4 That KPMG had noted progress in the control environment despite the additional recommendations made this year, the positive impact of increased stability in the finance team and the changes in progress regarding systems and processes, which would take time to embed.

1304.5 [Redacted]

1304.6 That KPMG was able to confirm that no indication of fraud had been identified as part of the audit; a number of journals had been found to have been incorrectly posted and this had been reviewed in detail.

1304.7 That three control findings had been raised in relation to research income; no material errors had been identified; the Pro Vice-Chancellor (Research, Innovation and Enterprise) and the Director of Research Services were leading on the future research service project and the automation of the research environment into Worktribe that would be important in resolving the control findings raised.

Resolved

1304.8  For KPMG to discuss with the Finance Team whether early testing could be incorporated in an interim audit during 2024-25.

1304.9  For the Finance transformation plan to be circulated to the Committee and members to be invited to attend a briefing session with the Chief Financial Officer.

1305 Internal Audit Progress Report

Received and considered paper 24/220HC ‘Internal Audit Progress Report’.  The Head of Internal Audit spoke to this item. Peter Sheppard from TIAA and Owen Hadall, Assistant IT Director, joined the meeting for this item.

Noted

Cyber Security Review

1305.1 [Redacted]

1306  Internal audit report: IT Asset Management

Received and considered paper 24/231HC ‘Internal audit report: IT Asset Management’.  The Head of Internal Audit spoke to this item.

Noted

1306.1 [Redacted]

1306.2  [Redacted]

1306.3  [Redacted]

1306.4 [Redacted]

1306.5 [Redacted]

1306.6 [Redacted]

Peter Sheppard and Owen Hadall left the meeting at the conclusion of this item.

1307 Encampment lessons learnt report

Received and considered paper 24/224HC ‘Encampment lessons learnt report’.  The Head of Internal Audit spoke to this item.

Noted

1307.1 [Redacted]

1307.2 [Redacted]

1307.3 [Redacted]

1307.4 [Redacted]

1307.5 [Redacted]

Resolved

1307.6 For the Chair and Chief Operating Officer and University Secretary to meet to discuss scenario planning for “black swan” events.

1308 Internal Audit Annual Report and Opinion 23-24

Received and considered paper 24/221HC ‘Internal Audit Annual Report and Opinion 23-24’.  The Head of Internal Audit spoke to this item.

Noted

1308.1 [Redacted]

1308.2 [Redacted]

1308.3 [Redacted]

Resolved

1308.4 To recommend to Council the internal audit annual opinion for approval and subsequent commentary on the University’s arrangements for risk management, governance, internal control and value for money.

1309 Fee and Access Plan Monitoring 2023/24

Received and considered paper 24/203C ‘Fee and Access Plan Monitoring 2023/24’.  The Chief Operating Officer and University Secretary spoke to this item. The Head of Planning & Policy joined the meeting for this item.

Noted

1309.1 That the Fee and Access Plan was a statutory document and the means by which a provider could become a ‘regulated institution’; this meant that a provider could charge fees up to the maximum level and full-time, home undergraduate students could automatically access financial and maintenance support.

1309.2 That Medr required governing bodies to confirm four statements in the Annual Assurance Return to enable oversight of the Fee and Access Plan; the internal monitoring report was also shared with Medr.

1309.3 That the current Fee and Access Plan was in place until 2027; Medr was in the process of developing its approach to regulation; it was expected that Medr would introduce a condition of registration relating to equality of opportunity from 2027 onwards.

1309.4  That the University strategy confirmed the University’s commitment to widening participation and this included a specific KPI; the regulatory framework in Wales required institutions to invest 15-20% of full-time, home undergraduate tuition fee income in activities to widen participation in, and support student success; this was more than the equivalent approach in England where institutions were required to invest 10%.

Resolved

1309.5 To confirm the statements relating to the Fee and Access Plan in the Annual Assurance Return:

1. No regulated course fees have exceeded the applicable fee limit as set out in the Fee and Access Plan;
2. The institution has assurances in relation to the management of the provision of fee information across all recognised sources of the institution’s marketing;
3. The institution has taken all reasonable steps to comply with the general requirements of the Fee and Access Plan; and
4. The institution has taken all reasonable steps to maintain previous levels of investment, including maintaining: the splits between investment to support equality of opportunity and promoting higher education, and investment to support the Reaching Wider partnership and student support investment.

1309.6  To recommend the document for submission to Council.

Roger Adams left the meeting at the conclusion of this item.

1310 Annual Complaints Report: Students, Staff and Third Parties

Received and considered paper 24/222HC ‘Annual Complaints Report: Students, Staff and Third Parties’.  The Chief Operating Officer and University Secretary spoke to this item.

Noted

1310.1 [Redacted]

1310.2 [Redacted]

1310.3 [Redacted]

1310.4 [Redacted]

1310.5 [Redacted]

Resolved

1310.6 To approve that the report provides assurance over the degree to which adequate and effective complaint handling processes are in place.

1311 Major and Serious Incidents Update

Received and considered paper 24/223HC ‘Major and Serious Incident Update Report’.  The Chief Operating Officer and University Secretary spoke to this item.

Noted

1311.1 [Redacted]

Resolved

1311.2 To approve that the report provides adequate assurance for the risks in this area.

1312 Financial Compliance Report

The Group Financial Controller spoke to this item.

Noted

1312.1 That Helen Bennett had been appointed as the new Head of Financial Compliance and would commence in post during week commencing 18 November 2024; Helen would bring considerable experience, including from financial services.

1312.2 That two suspicious activity reports had been received and were in the early stages of being reviewed.

1312.3  That a review of all financial compliance matters would be undertaken by the new Head of Financial Compliance and an annual report of 2023-24 would be provided to the Committee summarising the status of all issues, the findings and any lessons learned.

1313 Annual Report on Serious Incidents 2023-24

Received and considered paper 24/225C ‘Assurance of risk relating to data submitted externally’.  The Head of Corporate Governance spoke to this item.

Noted

1313.1 That the number of incidents reported during 2023-24 was in line with previous years; the potential gaps in financial compliance external reporting would be addressed with the appointment of the Head of Financial Compliance.

1313.2 That the incidents carried forward from prior years tended to be staff disciplinary matters; these cases were often complex in nature and could take a long time to resolve, particularly when external agencies were involved; plans were in place to modernise and streamline these processes.

1313.3  That the data indicated a potential trend in cases being more serious in nature; it would be useful to consider whether this trend was continued in 2024-25.

Resolved

1313.4 To approve that the Annual Report on Serious Incidents provides adequate assurance in this area of risk.

1313.5  For the 2024-25 report to consider whether there was evidence of a trend in cases becoming more serious in nature.

1314 Audit and Risk Committee Annual Report

Received and considered paper 24/226C ‘Audit and Risk Committee Annual Report’.  The Chair spoke to this item.

Noted

1314.1 That the paper presented the Audit and Risk Committee’s annual report to the Council and the Vice-Chancellor as the accountable officer for the University; the sections in yellow referred to papers considered at the meeting today and would be finalised after the meeting.

1314.2 That the Committee had seen improvements in control and governance over the past 12 months; this reflected a positive trajectory towards a more stable position of good governance and control despite the period of transformation and change.

1314.3 That it would be useful to develop a mechanism to document the governance gaps and progress highlighted in the report, which could be RAG rated and presented in graphical form; this would enable oversight of progress (or otherwise) by the Committee.

1314.4 That the Executive Team acknowledged the hard work support, and advice provided by the Chair and Committee members in achieving the improvements in governance.

1314.5 That there had been improvements in trust, cooperation and support between the Committee and the Executive Team; this had had a positive impact on culture and behaviours; the efforts of the Executive Team and other stakeholders in achieving this were acknowledged.

Resolved

1314.6 To approve the Audit and Risk Committee Annual Report 2023-24.

1314.7 For the Chair to finalise the sections highlighted in yellow on behalf of the Committee following the meeting.

1314.8  For a mechanism of documenting governance gaps and progress made to be developed, which might take the form of a RAG-rated dashboard in graphical form.

1315 Strategic Deep Dive: Estates Repairs and Maintenance

The Director of Estates and Campus Facilities joined the meeting to speak to this item.

Noted

1315.1 That Suzanne Rankin declared an interest in this item in the context of her role as Chief Executive Officer for Cardiff and Vale Health Board.

1315.2 That the risk impact and likelihood were currently both high owing to the poor repair of the estate; the risk was not currently within tolerance owing to the high cost of improving the estate.

1315.3 That a range of controls had already been implemented; and further controls had been identified and were in progress; progress was reviewed on a monthly basis within the Estates and Campus Facilities Team and as part of the quarterly risk review meetings to enable any barriers to the implementation of controls to be identified.

1315.4 That the format of the report and presentation was welcomed by the Committee.

1316 Estates Repairs and Maintenance Internal Audit Report

Received and considered paper 24/230HC ‘Estates Repairs and Maintenance Internal Audit Report’.  The Head of Internal Audit spoke to this item.

Noted

1316.1 [Redacted]

1316.2 [Redacted]

1316.3 [Redacted]

1316.4 [Redacted]

1316.5 [Redacted]

1316.6 [Redacted]

Anita Edson left the meeting at the conclusion of this item.

1317 Any Other Business

No further items of business were discussed.

1318 Items Received for Information

Noted

1318.1 The paper: 24/227HC ‘Litigation Report’.

1319 Whistleblowing reports

Noted

That one report had been made under the Whistleblowing Policy since the last meeting of the Committee on 10 October 2024 and would be investigated under the Anti-Fraud/Bribery Procedure due to the nature of the allegation.

All Officers apart from the Head of Internal Audit and the Governance Advisor left the meeting for the reserved item.

1320 In-Camera Meeting

Following the meeting of the Audit and Risk Committee, an in-camera meeting was held. The members of the Audit and Risk Committee, the external auditors, the Head of Internal Audit and the Governance Advisor were present. There were no points that the Committee wished to bring to the attention of the Council.

The minutes of the meeting held on 15 November 2024 were confirmed as a true and accurate record and were approved by the Committee on 28 March 2025.