Audit and Risk Committee minutes 12 November 2025

Minutes of the Meeting of The Cardiff University Audit and Risk Committee held on Wednesday 12 November 2025 at 09:30 via Microsoft Teams

Present:  Dr Robert Weaver (Chair), Aneesa Ali, Pers Aswani, Suzanne Rankin, Craig Watkins.

In Attendance:  Jonathan Brown (KPMG), Rachel Clarke [1417], Rhodri Evans [1416], Eleanor Hetenyi (KPMG), Owen Hadall [1411-1412], Victoria Holbrook, Professor Wendy Larner, Sian Marshall, Laura Sheridan, Natalie Stewart and Darren Xiberras.

1404 Welcome and preliminaries

All were welcomed to the meeting.

1405 Apologies for absence

Apologies were received from Dr Paula Sanderson. The meeting was confirmed as quorate.

1406 Declarations of Interest

The Chair reminded Committee members of their duty to disclose any potential conflicts of interest.

Noted

1406.1 that Suzanne Rankin declared an interest in relation to any discussion of the Dental Hospital as part of the Strategic Risk Register item in the context of her role as Chief Executive of Cardiff and Vale University Health Board; that Suzanne Rankin would not be required to withdraw from the discussion of this item.

1407 Minutes of the previous meeting

The minutes of the meeting held on 24 September 2025 (25/110C) were confirmed as a true and accurate record.

1408 Matters arising from the minutes

Received and considered paper 25/115C ‘Matters Arising’. The Chair spoke to this item.

Noted

Minute 1286.6

1408.1 that the Risk Management Improvement Plan had been deferred to the March 2026 meeting to align with the next update on the Strategic Risk Register;

Minute 1332.7:

1408.2 that the update on the student support risk would be provided as part of a development session later in the year;

Minute 1382.6

1408.3 that the Committee would have an opportunity to undertake a deep dive of one or more of the entity level controls in more detail as part of the development session planned for March 2026;

1408.4 that an ongoing programme of work was underway to roll out the control framework; that there was not a final date for implementation as the framework formed part of the risk management arrangements and would be developed iteratively

Resolved

1408.5 for an update to be provided on the implementation of the internal control framework.

1409 Items from the Chair

The Chair spoke to this item.

Noted

1409.1 that there were no chair’s actions to report;

1409.2 that the Institute of Internal Audit guidance on culture and governance recommended that an audit of organisational behaviour be undertaken to consider how organisational behaviour is measured, any targets in place and progress against them;

1409.3 that the Director of People and Culture was taking forward work in this area as part of the development of the People and Culture Plan, with progress being overseen by the People, Cynefin and Governance Committee.

1410 Report on External Audit

Received and considered paper, 25/158C, ‘External Audit Report’. KPMG spoke to this item.

Noted

1410.1 that the audit was substantially complete with only a small number of matters currently outstanding; KPMG were confident the audit would be finalised to enable the University to submit the Annual Report and Financial Statements to Medr by the deadline of 30 November 2025;

1410.2 that three prior year control recommendations had been closed and one new control recommendation had been made; KPMG’s assessment of three further prior year control recommendations had not yet been completed; that despite the long list of recommendations, KPMG had seen evidence of progress in the control environment;

1410.3 [Part-Redacted]; that further adjustments could come from research income and annual leave accrual testing;

1410.4 that there were no material adjustments so far relating to research income; that £400k had been recognised where it had been identified that a funding milestone had not been reached;

1410.5 that there had been some delays in the provision of payroll data by HR to inform the annual leave accrual testing; that a control deficiency had been escalated to reflect the challenges in this area;

1410.6 that the HR Team had been challenged over the last 12-18 months with the scale of transformation activities; that it was a known issue that the HR function was not optimally configured and the Vice-Chancellor would follow up with the Director of People and Culture to reemphasise the importance of providing information in a timely manner;

1410.7 that a performance condition was not met in relation to capital expenditure unspent at year end;

1410.8 [Redacted]

1410.9 that no governance weakness had been identified through sample testing;

1410.10 that a new control recommendation had been raised in relation to related party disclosures; that KPMG had reviewed all related parties on the Companies House register and that this should properly be the role of Management; that there were no extra entities to consolidate.

Resolved

1410.11 for the internal control framework to map whether controls were automated or manual;

1410.12 for the Finance Team to work with HR to ensure that an appropriate audit trail is in place ahead of the next External Audit.

Owen Hadall, Director of IT, joined the meeting to speak to paper 25/145HC.

1411 Internal Audit– Data Security and Management

Received and considered paper, paper 25/145HC ‘Internal Audit – Data Security and Management’. The Director of IT joined the meeting to speak to this item.

Noted

1411.1 [Redacted]

1411.2 [Redacted]

1411.3 [Redacted]

1411.4 [Redacted]

1411.5 [Redacted]

Resolved

1411.6 for the Vice-Chancellor to facilitate Craig Watkins sharing good practice on embedding accountability with research staff;

1411.7 for the Head of Internal Audit to incorporate third parties within the audit actions,

1412 Cyber Security Update

Received and considered paper 25/114HC ‘Cyber Security Dashboard’.  The Director of IT spoke to this item.

Noted

1412.1 [Redacted]

1412.2 [Redacted]

1412.3 [Redacted]

1412.4 [Redacted]

1412.5 [Redacted]

Resolved

1412.6 for a deep dive to be undertaken to understand why data breaches were more common in certain areas of the University.

1412.7 for management put in place mechanisms for improving mandatory training completion rates; and that these mechanisms be brought back to the committee for a review of their adequacy.

Owen Hadall left the meeting at the conclusion of this item.

1413 Internal Audit Progress Report

Received and considered paper, 25/144HC, ‘IA Progress Report – November 2025’’. The Head of Internal Audit spoke to this item.

Noted

Business Continuity Planning

1413.1 [Redacted]

Student wellbeing

1413.2 [Redacted]

Estates Rationalisation

1413.3 [Redacted]

Procurement Act 2023

1413.4 [Redacted]

Student Recruitment

1413.5 [Redacted]

1414 Internal Audit Service Annual report 2024/25

Received and considered paper 25/146HC ‘Annual IA report and opinion’. The Head of Internal Audit spoke to this item.

Noted

1414.1 [Redacted]

1414.2 [Redacted]

1414.3  [Redacted]

Resolved

1414.4 to recommend the internal audit annual opinion and subsequent commentary on the University’s arrangements for risk management, governance, internal control and value for money to Council for approval.

1415 Audit and Risk Committee Annual Report 2024/25

Received and considered paper 25/116HC ‘Annual and Risk Committee Annual Report’. The Head of Internal Audit spoke to this item.

Noted

1415.1 [Redacted]

1415.2 [Redacted]

1415.3 [Redacted]

Resolved

1415.4 to approve the report and delegate to the Chair authority to finalise the remaining sections of the report following the meeting.

1416 Academic Assurance Framework

Received and considered paper 25/137 ‘Academic Assurance Framework 2024-25’.  The Head of Education Governance joined the meeting to speak to this item.

Noted

1416.1 the report provided assurance on the method and evidential base for the provision of annual assurance by the Senate to the Council on academic quality and standards;

1416.2 that the quality of education and student experience residual risk score had decreased primarily as a result of the improved NSS outcomes which provided evidence that the education and student experience programme enhancements and the actions taken by schools were having a positive impact; that the implementation of the Academic Moderation and Feedback Policy was anticipated to lead to further NSS improvements;

1416.3 that mitigations had been implemented to address the challenges experienced with the timetabling project and a lessons learnt exercise would be undertaken prior to the next academic year;

1416.4 that the risk score for academic standards was anticipated to be reduced once the Mark Processing Project is completed and has strengthened controls to reduce assessment mark errors;

1416.5 that the Committee commended the level of progress made.

Resolved

1416.6 to approve the Academic Assurance Framework 2024/25 as the basis for providing assurance to Council on academic quality and standards.

Rhodri Evans left the meeting at the conclusion of this item.

1417 Fee and Access Plan Monitoring report – 2024-25

Received and considered paper 25/113HC ‘Fee and Access Monitoring report 2024-25’. Rachel Clarke, Senior Planning Advisor, joined the meeting to speak to this item.

Noted

1417.1 [Redacted]

1417.2 [Redacted]

1417.3 [Redacted]

1417.4 [Redacted]

1417.5 [Redacted]

Resolved

1417.6   to confirm the statements relating to the Fee and Access Plan (FAP) in the Annual Assurance Statement (submitted to Medr by 31 December 2025):

i.   no regulated course fees have exceeded the applicable fee limit as set out in the Fee and Access Plan;

ii.   the institution has assurances in relation to the management of the provision of fee information across all recognised sources of the institution’s marketing;

iii.  the institution has taken all reasonable steps to comply with the general requirements of the Fee and Access Plan;

iv.  the institution has taken all reasonable steps to maintain previous levels of investment, including maintaining: the splits between investment to support equality of opportunity and promoting higher education, and investment to support the Reaching Wider partnership and student support investment;

1417.7 to recommend the report for submission to Council, to meet the requirements of a fifth assurance statement:

i.    the institution to provide documentation to support Fee and Access Plan sign off;

1417.8  for controls to be put in place to ensure the requirement to invest 15–20% of full-time Home Undergraduate tuition fee income in activities that widen participation and support student success is achieved in future.

Rachel Clarke left the meeting at the conclusion of this item

1418 Annual Complaints Report: Students, Staff and Third Parties

Received and considered paper 25/111HC ‘Annual Complaints Report: Students, Staff and Third Parties’.  The Director of Transforming Governance spoke to this item.

Noted

1418.1 [Redacted]

1418.2 [Redacted]

Resolved

1418.3 to approve that the report provides assurance over the degree to which adequate and effective complaint handling processes are in place.

1419 Any Other Business

No further business was discussed under this item.

1420 Major and Serious Incidents update

Received and considered paper 25/159HC ‘Major and Serious Incidents update’.  The Director of Transforming Governance spoke to this item.

Noted

1420.1 [Redacted]

Resolved

1420.2 to approve the report provides adequate assurance for risks in this area;

1420.3 for the Committee to receive an update on the management of the Dental School risk as a local incident, and for an update on all materialised risks to be reported back to the committee on a regular (e.g. annual) basis.

1421 Compliance Report: HEFCW Financial Management Code

Received and considered paper 25/112, ‘Compliance Report: HEFCW Financial Management Code and the HEFCW/Medr Terms and Conditions of Funding’.

Resolved

1421.1 to approve the report to support the inclusion of a statement of compliance within the Annual Report and Financial Statements.

1422  Litigation Report

Received and considered paper 25/147HC ‘Litigation Report’. The Director of Transforming Governance spoke to this item.

Noted

1422.1 [Redacted]

1423 Whistleblowing Reports

Noted

1423.1 that there had been no whistleblowing reports since the last meeting of the Committee.

All Officers apart from the Head of Internal Audit and the Secretary left the meeting for the reserved item.

1424 In-Camera Meeting

Following the meeting of the Audit and Risk Committee, an in-camerameetingwas held. The members of the Audit and Risk Committee, the external auditors, the Head of Internal Audit and the Secretary were present.  There were no points that the Committee wished to bring to the attention of the Council.

The minutes of the meeting held on 12 November 2025 were confirmed as a true and accurate record and were approved by the Committee on 25 March 2026.