Audit and Risk Committee minutes 28 March 2025

Minutes of the Meeting of the Cardiff University Audit and Risk Committee held on Friday 28 March 2025 at 09:00 in Rooms 2.25/2.26, 2nd floor, Centre for Student Life and via Teams

Present: Dr Robert Weaver (Chair), Aneesa Ali, Pers Aswani, Dr Nick Starkey, and Suzanne Rankin.

In Attendance: Rhodri Evans [minute 1333], Clare Eveleigh, Matthew Fulford [minute 1337],  Owen Hadall [minute 1338], Victoria Holbrook, Professor Wendy Larner, Sian Marshall, Alexander Middleton (KPMG), Carys Moreland, Catrin Morgan [minute 1328-1332], Tukiya Mutupa, Helen Shaw [minute 1337], Laura Sheridan, Natalie Stewart, Julie Walkling [minute 1332], and Darren Xiberras.

1321 Welcome and preliminaries

1321.1 All were welcomed to the meeting, including Victoria Holbrook, Director of Transforming Governance, who was attending her first meeting following her appointment as Secretary to the Committee, and Tukiya Mutupa, Apprentice Governor, who was observing the meeting.

1321.2 The Chair reminded members that the meeting was being recorded to assist with the production of the minutes.

1322 Apologies for absence

Apologies were received from Jonathan Brown (KPMG), Eleanor Hetenyi (KPMG), Dr Paula Sanderson, and Agnes Xavier-Phillips. The meeting was confirmed as quorate.

1323 Declarations of Interest

1323.1 The Chair reminded Committee members of their duty to disclose any potential conflicts of interest. Suzanne Rankin declared an interest in relation to item 15i. Update on Risk of Service Level Agreement with Cardiff and Vale University Health Board.

1323.2 A slide from a KPMG sector briefing had been included in paper ‘24/432C’ Consultation on the new Higher Education SORP; it was confirmed that KPMG had not been contracted to provide any services in relation to the new SORP nor did this impact the independence of the External Auditors.

1324 Minutes of the previous meeting

The minutes of the meeting held on 15 November 2024 (24/266C) was confirmed as a true and accurate record subject to amendment of a typographical error in minute 1302.1.

1325 Matters arising from the minutes

Received and considered paper 24/417C ‘Matters Arising’. The Chair spoke to this item.

Noted

Minute 1249.5

1325.1 that the update on artificial intelligence had been postponed by the Chair owing to a busy agenda;

Minute 1260.5

1325.2 that the next iteration of the litigation report would include detail of any provision made in the accounts for the potential financial impact of any cases;

Minute 1262.5

1325.3 that the Committee’s next effectiveness review had been postponed in light of the ongoing review of the committee structure;

Minute 1290.5

1325.4 that UEB had given feedback on the draft Value for Money Policy that needed further consideration before the final version could be brought to the Committee.

Resolved

1325.5 for more time to be set aside in future meetings for reviewing any actions that had been delayed.

1326 Action Plan from the Audit and Risk Committee Development Session on 10 October 2024

Received and considered paper 24/434 ‘Action Plan from the Audit and Risk Committee Development Session on 10 October 2024’.

1327 Items from the Chair

The Chair spoke to this item.

Noted

1327.1 that there were no reports of chair’s action since the last meeting;

1327.2 that the Chair had discussed with members during a pre-meeting the key decisions taken by Council since the Committee’s last meeting;

1327.3 that there was much disinformation in the media about some of the University’s initiatives at the current time.

1328 Risk Management Report

Received and considered paper 24/418HC ‘Risk Management Report’. The Head of Compliance and Risk joined the meeting for this item.

Noted

1328.1 [Redacted]

1328.2 [Redacted]

1328.3 [Redacted]

1328.4 [Redacted]

1328.5 [Redacted]

1328.6 [Redacted]

1328.7 [Redacted]

1328.8 [Redacted]

1328.9 [Redacted]

1328.10 [Redacted]

Resolved

1328.11 to recommend the Risk Management Report and Risk Register update to Council for approval;

1328.12 for the receipt of the revised strategic risk register to be delayed until October 2025 to enable a paper to be drafted setting out how each risk had been reviewed against the University’s risk appetite;

1328.13 for a deep dive of TNE risks to be included on the agenda for a future meeting.

1329 Business Continuity Planning

Received and considered paper 24/419HC ‘Business Continuity Planning’. The Head of Compliance and Risk spoke to this item.

Noted

1329.1  [Redacted]

1329.2  [Redacted]

1330 Whistleblowing reports

Received and considered paper 24/435HC ‘Whistleblowing reports’. The Head of Compliance and Risk spoke to this item.

Noted

1330.1 [Redacted]

1330.2 [Redacted]

Resolved

1330.3 for a dashboard of all complaints to be developed.

1331 Development of Internal Controls Framework

Received and considered paper 24/420HC ‘Development of Internal Controls Framework’. The Director of Transforming Governance spoke to this item.

Noted

1331.1 [Redacted]

1331.2 [Redacted]

1331.3 [Redacted]

1331.4 [Redacted]

1331.5 [Redacted]

Professor Wendy Larner left the meeting.

1332 Student Welfare and Wellbeing Risk Deep Dive

Received and considered paper 24/421C ‘Student Welfare and Wellbeing Risk Deep Dive’, The Interim Director of Student Life joined the meeting for this item.

Noted

1332.1 that it was an ongoing challenge to support students experiencing mental health and wellbeing issues, to support students to be resilient, achieve their best and to feel supported; there had been a rise in the number of students seeking wellbeing support, particularly post-Covid-19, arising from a wider range of concerns including the digital shift, climate change, world conflict and the cost of living crisis;

1332.2 that a range of actions were in progress including projects around student transitions and personalised support; as part of the transformation programme further plans were being developed, which were not yet articulated in the risk register, this included developing a wellbeing hub to provide a standardised approach to support;

1332.3 that waiting lists had recently risen sharply to 20 weeks and were an issue across the sector; improvements were being made but had been impacted by staff absence and recruitment challenges; a plan was being developed to provide a rapid triage service followed by an appointment within 24-48 hours and it was anticipated that this would be in place for the start of the new academic year;

1332.4 that there was no written plan in place setting out the challenges, actions and KPIs, which could be monitored by UEB; actions were being captured in the risk register and would move to controls once implemented; the risk tolerance was articulated in the risk register with mitigations in progress to reduce the risk to within appetite;

1332.5 that financial support was currently being provided to students; the budget for financial support in 2025-26 would need to be reviewed according to the level of risk and against other University priorities, but there was an expectation that financial support would continue;

1332.6 the Committee’s view that it had not received the level of assurance required that the risk was being effectively managed to ensure that the University was meeting its obligations in relation to student support; there was a need for greater clarity around the position that the University was aiming to reach and whether plans were in place to achieve it.

Resolved

1332.7 for an update to be provided to the Committee in six months’ time on the student support risk appetite from a statutory perspective, including RAG-rated information about the delivery action plans and key strategies in place.

Julie Walkling and Catrin Morgan left the meeting at the conclusion of this item.

1333 Academic Standards and Quality Assurances

Received and considered paper 24/422HC ‘Academic Standards and Quality Assurances’. The Head of Education Governance joined the meeting for this item.

Noted

1333.1 [Redacted]

1333.2 [Redacted]

1333.3 [Redacted]

1333.4 [Redacted]

1333.5 [Redacted]

1333.6 [Redacted]

Resolved

1333.7 to approve that an appropriate level of assurance has been provided in relation to academic standards and quality.

Rhodri Evans left the meeting at the conclusion of this item. Professor Wendy Larner rejoined the meeting.

1334 Financial Compliance Annual Report

Received and Considered Paper 24/423HC ‘Financial Compliance Annual Report’. The Group Financial Controller spoke to this item.

Noted

1334.1 [Redacted]

1334.2 [Redacted]

1334.3 [Redacted]

1334.4 [Redacted]

1334.5 [Redacted]

1334.6 [Redacted]

1334.7 [Redacted]

1334.8 [Redacted]

1334.9 [Redacted]

1334.10 [Redacted]

1335 Retrospective Purchase Orders

Received and considered paper 24/424HC ‘Retrospective Purchase Orders’. The Chief Financial Officer spoke to this item.

Noted

1335.1 [Redacted]

1335.2 [Redacted]

1335.3 [Redacted]

1335.4 [Redacted]

1336 Internal Audit Progress Report

Received and considered paper 24/425HC ‘Internal Audit progress report’.  The Head of Internal Audit spoke to this item.

Noted

1336.1 [Redacted]

1336.2 [Redacted]

1336.3 [Redacted]

1336.4 [Redacted]

1336.5 [Redacted]

1336.6 [Redacted]

1336.7 [Redacted]

1336.8 [Redacted]

Resolved

1336.9 to approve the proposed changes to the Internal Audit Plan including:

(i)   postponement of the audits on AI Readiness and Civic Mission;

(ii)   inclusion of an audit of Business Continuity

(iii)  an increase in days for the HE Data Audit;

1336.10 to approve a further amendment to the Internal Audit Plan to replace the audit of Financial Controls (Tuition Fees) with an audit of the Procurement Act 2023.

1337 Estate Commercialisation Report

Received and considered paper 24/426HC ‘Estate Commercialisation Report’. The Deputy Director of Estates and the Head of Space and Asset Management joined the meeting for this item.

Noted

1337.1 [Redacted]

1337.2 [Redacted]

1337.3 [Redacted]

1337.4 [Redacted]

Resolved

1337.5 for confirmation to be provided that insurance coverage is in place for all activities undertaken on University premises.

Helen Shaw and Matthew Fullford left the meeting at the conclusion of this item.

1338 IT Identity Access Management Report

Received and considered paper 24/427HC ‘IT Identity Access Management Report’.  The Head of Internal Audit spoke to this item. Owen Hadall, Assistant IT Director, joined the meeting for this item.

Noted

1338.1 [Redacted]

1338.2 [Redacted]

1338.3 [Redacted]

1338.4 [Redacted]

Resolved

1338.5 for a progress update to be provided on the SIMS risk assessment recommendation once the planned completion date is reached in light of the significant, potential financial and reputational risks associated.

Owen Hadall left the meeting at the conclusion of this item.

1339 Internal Audit Recommendations Tracker

Received and considered paper 24/82HC ‘Internal Audit Recommendations Tracker’.  The Head of Internal Audit spoke to this item.

Noted

1339.1 [Redacted]

1339.2 [Redacted]

1339.3 [Redacted]

Resolved

1339.4 for time to be set aside at the next meeting for action owners to attend where progress was not being made with high priority, overdue actions.

1340 Update on Risk of Service Level Agreement with Cardiff and Vale University Health Board

Received and considered paper 24/429C ‘Update on Risk of Service Level Agreement with Cardiff and Vale University Health Board’.

Noted

1340.1 that that Director of Estates and Campus Facilities had been unable to join the meeting owing to a personal matter;

1340.2 that Suzanne Rankin intended to discuss the issues raised in the paper with colleagues to seek an update on progress.

1341 New Internal Audit Standards Briefing

Received and considered paper 24/430HC ‘New Internal Audit Standards Briefing’.

Resolved

1341.1 to schedule a briefing session for members outside of the formal meetings for the Head of Internal Audit to brief members on the new Global Internal Audit Standards.

1342 External Audit Report

Alexander Middleton from KPMG spoke to this item.

Noted

1342.1 that work on the group and subsidiary accounts had been completed on time;

1342.2 that a debrief meeting had been held to identify lessons learnt and actions to improve the audit process for 2024-25; this had identified two key actions:

(i)      for KPMG to work directly with staff outside of the core financial accounting team; a workshop had been held with staff on audit evidence and secure sharing, which would be repeated later in the year;

(ii)    for journals work to be brought forward as this was an area that had been incomplete at the time of the Committee’s meeting in November during the past two years;

1342.3 that prior to the Committee’s meeting in June, the audit plan would be finalised and progress with the open control recommendations reviewed.

1343 Any Other Business

Noted

1343.1 the Committee’s thanks and best wishes to Carys Moreland who would soon be commencing maternity leave.

1344 Review of Risks identified in the risk register

Resolved

1344.1 for the risk register to be updated to reflect the significant data protection and cyber security risk arising from the lack of effective SIMS access controls identified as part of the Internal Audit Report into IT Identity and Access Management.

1345 Major and Serious Incidents Update

Received and considered paper 24/431HC ‘Major and Serious Incident Update Report’.

Resolved

1345.1 to approve that the report provides adequate assurance for the risks in this area.

1346 Action plan from SUMS review: progress update

Received and considered paper ‘24/433HC’ Action plan from SUMS review: progress update

Noted

1346.1 the view of the Vice-Chancellor that the Head of Internal Audit and the team had worked hard to make significant improvements to the service with the support of the Committee.

1347 Items Received for Information

Noted

1347.1 The papers:

24/432C Consultation on the new Higher Education SORP

All Officers apart from the Head of Internal Audit and the Secretary left the meeting for the reserved item.

1348 In-Camera Meeting

Following the meeting of the Audit and Risk Committee, an in-camera meeting was held. The members of the Audit and Risk Committee, the external auditors, the Head of Internal Audit and the Secretary were present.  There were no points that the Committee wished to bring to the attention of the Council.

The minutes of the meeting held on 28 March 2025 were confirmed as a true and accurate record and were approved by the Committee on 19 June 2025.