Audit and Risk Committee Minutes 08.10.2020

Minutes of the meeting of the Cardiff University Audit and Risk Committee held on Thursday 8 October 2020 by Zoom, at 10:00

Present: Michael Hampson (Chair), Dónall Curtin, Dr Janet Wademan and Agnes Xavier-Phillips.

In Attendance: Professor Colin Riordan [up to Minute 836], Jason Clarke, Ian Davies, David Edwards [Minute 838], Clare Eveleigh, Rashi Jain, Alison Jarvis, Vari Jenkins (Minute-taker), Karl Jones [Minute 838] Faye Lloyd, Paul Merison [Minute 838], Ruth Robertson, Claire Sanders, Robert Williams, and Wendy Wright.

831  Preliminaries

Noted

830.1 that apologies were received from Paul Benjamin;

830.2 that Jason Clarke and Ian Davies, representatives from PricewaterhouseCoopers were welcomed to the meeting;

830.3 that Ruth Robertson, Head of Corporate Governance, and Vari Jenkins, Governance Advisor, were welcomed to their first meeting of the Committee;

830.4 that members of the Internal Audit team were welcomed to the meeting.

831 Matters arising from the minutes

Received and considered for information paper 20/60, ‘Matters Arising from the previous meeting’.

Noted

831.1 that the Committee terms of reference, 7 lenses framework and key performance indicators would be reviewed at the Review of Risk session in January 2021;

831.2 that the question posed to the lawyers in relation to the CIC project and the response, had been discussed with the University’s solicitors who were supporting the University through the process.

Resolved

831.3 University Secretary to follow up in response to CIC internal audit report.

832  Declarations of interest

832.1 There were no declarations of interest received.

833 Risk Register

Received and considered for debate paper 20/67C, ‘Risk Register’. The Vice-Chancellor was invited to speak to this item.

Noted

833.1 that the Coronavirus testing centre is completing 440 tests a day at the Hadyn Ellis Building, which is close to capacity and demonstrates that communications with students are effective;

833.2 that the University had taken legal advice on the University Coronavirus Testing Service with respect to the risks associated with establishing a new service. Provided that the University complied with provision for trained staff, safe working environments, working regulations for procurement, and that the supply of equipment and training underwent regular checks, this would mitigate the risks;

833.3 that there was concern that students could receive a negative result and go on to contract the virus.  It is outlined in the consent form that the result is indicative of that day, and therefore the level of risk of successful complaints as a result of this scenario is low;

833.4 [Redacted]

833.5 that there were 2 periods of industrial action during 2019/20 which had also impacted on students in addition to COVID-19.  The Pro Vice-Chancellor for Education and Students was reviewing the consistency of treatment for students;

833.6 that the Senior Risk Advisor attends each meeting of IOG (silver) to ensure that information is regularly reflected in the risk register;

833.7 that an Estates Workshop was held at the end of September to discuss the various portfolios of risks for capital programmes.  The emerging themes will be presented to the Estates and Infrastructure Committee;

833.8 [Redacted]

833.9 that a Brexit Insight paper will be presented to UEB;

833.10 that a package has been developed by the UK government Department of Business, Innovation and Skills to offer loans and grants to cover UK research activity, and recognising loss of student income, which has cross subsidised deficits.  It is hoped that applications can be made from November and that the UK Government are looking to confirm decisions and commitments by March 2021;

833.11 [Redacted]

833.12 that there will be a Review of Risk meeting for members of the Committee in January 2021, to include the tracking of changes in risk levels and action being taken to prevent risks reappearing in the future.

Resolved

833.13 University Secretary to share the Brexit Insight paper with Audit and Risk Committee once it has been considered by UEB;

833.14 Programme for Review of Risk to be circulated to the Committee for their suggestions for agenda items;

833.15 The Review of Risk in January 2021 will consider how risk is embedded in the work of the University.

834 Live incidents

Received and considered for debate paper 20/76HC, ‘Live Incidents’.

835 COVID-19 & HEFCW regulatory reporting

Noted

835.1 that the University is awaiting information from HEFCW regarding any further changes to the regulatory requirements.

836 Annual Risk Management Report 2019/20

Received and considered for debate paper 20/68C, ‘Annual Risk Management Report 2019/20.’ Rashi Jain, University Secretary, was invited to speak to this item.

Noted

836.1 that the Committee welcomed the inclusion of subsidiaries and third party arrangements in the revised Risk Management framework;

836.2 [Redacted]

836.3 The Vice Chancellor left the meeting at end of this item.

Resolved

836.4 The risk appetite for the coming year is to be reviewed at the Review of Risk in January 2021 in light of COVID-19;

836.5 The Annual Risk Management Report 2019/20 presented to Council, should remind members that ownership of risk is their responsibility;

836.6 The Committee supported the report, subject to the inclusion of the information in minute 836.5 above;

837 Progress report 2019-2020 audit programme

Received and considered for decision paper 20/62, ‘Progress Report 2019-2020 Audit Programme’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.

Noted

837.1 that the full audit programme of 422 days, revised in response to COVID-19 and the need to reallocate resources, had been delivered.

837.2  that the KPIs are largely on target, but that there are some challenges with management responses being returned in the agreed timeframe;

837.3 that a form of assurance mapping is required to clearly articulate lines of defence in critical areas.

Resolved

837.4 the Review of Risk in January is to consider assurance mapping;

837.5 the University Secretary and Head of Internal Audit are to consider priority areas for progression of recommendations, to be considered by the Committee.

837.6 that the key performance indicator for the completion of management responses to internal audit reports would remain at 10 days.

837.7 that internal audit reports with limited or no assurance should be communicated to the Committee at the earliest opportunity and given priority for discussion.

838 Discussion points for internal audit reports

Received and considered for debate paper 20/61, ‘Discussion Points for Internal Audit Reports’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.

IT - Leveraging Technology Post COVID-19

Noted

838.1 David Edwards, Karl Jones and Paul Merison joined the meeting for this item only;

838.2 that the report highlighted the importance of IT and how it underpins the whole operation across the University.  Learning for a digital strategy, must consider how we need to invest in technology, as well as how we operate in future, and identify legacy applications that do not lend themselves to remote working;

838.3 that there are opportunities for how the University can manage space, and realise income, as working ways change;

838.4 that there are risks and opportunities around recruitment.  Retention is a consideration now that staff can access other opportunities that wouldn’t have been available prior to remote working;

838.5 that the IT Services teams had managed the quick transition to home working very well;

838.6 [Redacted]

838.7 [Redacted]

Resolved

838.8 The Committee would like to hear about the developments within the People Strategy to consider IT recruitment challenges and opportunities;

838.9 the Committee would like to have an open discussion to understand the areas of operational risk associated with cyber security and how mature the University’s system of mitigation is to be able to respond;

838.10 the Committee wish to review the internal controls and risk register to identify the strategy around key areas of IT related risk;

838.11 that a group, lead by the Chief Operating Officer, and with input from the Data Information Management Oversight Group, give consideration to an update to the Audit and Risk Committee to address issues around Cyber Security and how we can inform the Committee of related issues.  The proposal should consider the current position, weaknesses, exposures and current activity in progress, along with planned responses to a cyber attack and prevention.

838.12 David Edwards, Karl Jones and Paul Merison left the meeting.

CIC

Noted

838.13 that all actions are progressing at various stages and delivery of the project is going well in the current climate;

838.14 that the University’s culture remains an issue which should be reviewed in due course.

Risk Management

Noted

838.15 that UEB have formally taken on responsibility for overseeing risk management;

838.16 that the University Secretary is the University’s Chief Risk Officer;

838.17 that the University has one full time member of staff supporting risk reporting, which posed a risk if they were unavailable;

838.18 that work has started on identifying University policies and a schedule for review. This work links with work on the Scheme of Delegation and the Policy Framework;

Resolved

838.19 A list of all University policies would be shared with the Committee.

CSC

838.20 that lessons learnt and areas for improvement had been identified;

838.21 that the Report highlights the need to review projects before they get to the approval stage.  There needs to be visibility of activities so that risks are identified and mitigated early on;

838.22 that the Committee needs to be confident that a policy is appropriate and applied to identify risk and mitigation;

838.23 that the Camm Review and subsequent Governance Charter Commitment to Action highlights the need for adequate strategic oversight at board level.  This piece of work will look at where decisions are made, how these are reported and where, and monitoring going forward.

Resolved

838.24 that consideration be given to including an audit on Policy Framework as part of the 2021/22 Internal Audit Programme.

839 Revised Internal Audit Annual Plan 2020/21

Received and considered for debate paper 20/64, ‘Revised Internal Audit Annual Plan 2020/21’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.

Resolved

839.1 The Committee recommended the revised Internal Audit Annual Plan 2020/21 to Council.

840 Tracker

Received and considered for decision, paper 20/63, ‘Tracker’. Wendy Wright, Senior Internal Auditor, was invited to speak to this item.

841 Finance Development Strategy & Financial Regulations Review – Update

Received and considered for debate paper 20/145C, ‘Finance Development Strategy & Financial Regulations Review – Update’. Alison Jarvis, Director for Financial Operations, was invited to speak to this item.

842 Internal Audit Annual Report 2019/20

Received for information paper 20/66, ‘Internal Audit Annual Report 2019/20’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.

Resolved

842.1 The Committee agreed to recommend the report to Council.

843 HEFCW Accounts Direction to HEIS/Presentation of Accounts

Received for information paper 20/70C, ‘HEFCW Accounts Direction to HEIs/Presentation of Accounts’. Alison Jarvis, Director of Financial Operations, was available to speak to this item.

844 2019/20 External Audit Progress

Received for information paper 20/71C, ‘2019/20 External Audit Progress’. Jason Clarke, PricewaterhouseCoopers, was available to speak to this item.

Noted

844.1 that work is needed to finalise pensions, going concern and some areas on balance sheet;

844.2 that there weren’t any areas which would be problematic or cause adjustments;

845 Financial Health Report

Received for information paper 20/72C, ‘Financial Health Report’. Alison Jarvis, Director of Financial Operations, was available to speak to this item.

Noted

845.1 that the focus of the paper is on the 2019/20 results.  A going concern paper will be presented at the extraordinary meeting on 28 October 2020;

845.2 that the surplus for 2019/20 that had been forecast to be £3.1m was now currently forecast to be £15.4m.

845.3 that £1.7m of additional costs were incurred as a result of COVID-19. These included: spend to support the move to remote learning, teaching and assessment; equipment to support remote working; hardship funds; repatriation travel costs; and the cost of cancelled field trips and study visits;

845.4 that the share of the forecast draft Operating Deficit in the year for CSC joint venture created a £2.9m deficit.

846 Judgement paper

Received for information paper 20/73C, ‘Judgement Paper’. Alison Jarvis, Director of Financial Operations, was available to speak to this item.

Noted

846.1 that Transforming Cardiff will need to deliver if we are to be able to return to balance;

846.2 that the Committee would like to receive further information on the progress of Transforming Cardiff (Academic Review) as it is key to the financial performance.

Resolved

846.3 that Council will receive an update on the progress of Transforming Cardiff (Academic Review) in November 2020.

847 Financial Irregularities Report

Received for information paper 20/74C, ‘Financial Irregularities Report’. Alison Jarvis, Director of Financial Operations, was available to speak to this item.

Noted

847.1 that there are none to report.

848 Any Other Business

Noted

848.1 that there were no items to be considered under any other business.

849  Discussion on External Audit Questionnaire

Noted

849.1 that the representatives from PricewaterhouseCoopers were not present for this item.

849.2 that members of the Committee had received the survey results of the July 2020 External Audit questionnaire.

Resolved

849.3 that representatives from PricewaterhouseCoopers will be sent a summary of the feedback for their comments.

850 Review of Business for the year 2020/2021

Received and considered for debate papers 20/75, ‘Review of Business for the Year 2020/2021’

Resolved

850.1 that the committee approved the proposed schedule of business for the year 2020/21.

851 Minutes from the previous meeting

Received and considered for debate papers 19/824B, ‘2020-06-20 Minutes of the Audit Committee’. The Chair spoke to this item.

Resolved

851.1 the minutes of the meeting held on 20 June 2020 were approved as a true and accurate record.

852 Internal Audit Service Charter

Received and considered for debate papers 20/65, ‘Internal Audit Service Charter’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.

Resolved

852.1 that the Charter is recommended to Council for approval and publication on the external facing website.

853 Internal Audit Quality Assurance & Improvement Programme

Received and considered for debate paper 20/69, ‘Quality Assurance & Improvement Programme’. Faye Lloyd, Head of Internal Audit, was invited to speak to this item.

Resolved

853.1 that the annual appraisal required as part of the Audit and Risk Committee Terms of Reference will be considered at the Review of Risk session in January;

853.2 the Governance Committee should consider the remit of the audit review for 2021/22 as part of the planned effectiveness review of Council and its Committees;

853.3 The Chair of Audit and Risk Committee is to be involved in the questionnaire for review of the Audit and Risk Committee.

854 Receipt of Governance Committee Minutes (19/5/20) and PRC Minutes (30/6/20)

854.1 that the minutes of the Governance Committee on 19 May 2020 had been received by the Committee;

854.2 that the minutes of the Policy and Resources Committee on 30 June 2020 had been received by the Committee.

855 CUC HE Audit Committee Code of Practice (May 2020)

855.1 The Code of Practice has been circulated to the Committee for information.

856 2019/20 Annual Report – Fraud Bribery and other Financial Compliance

Received and considered for debate papers 20/121C, ‘2019/20 Annual Report – Fraud Bribery and other Financial Compliance’. Rashi Jain, University Secretary, was invited to speak to this item.

Noted

856.1 that the University’s highest risk regarding the Criminal Finances Act 2017 surrounds the IR35 payroll as there is high consultancy spend but very low IR35 payroll staff.  There are very stringent controls and checks in place, which are completed by University procurement and HR, before appointments are made;

856.2 that work is underway to ensure that policies map onto regulations correctly.

Resolved

856.3 Finance and the Senior Risk Advisor to amend wording under risks to reflect that mapping of policies to regulations is in train;

856.4 the Committee endorsed the paper for submission to Council for approval.

857 Effectiveness of the University’s Public Interest Disclosure Policy

Received and considered for debate papers 20/77, ‘Effectiveness of the University’s Public Interest Disclosure Policy. Rashi Jain, University Secretary, was invited to speak to this item.

Noted

857.1 that future reports should include themes of disclosures.

Resolved

857.2 the Committee wish to receive clarification of the two reported themes in 2019/20.

858 Information Security Training – Content and Statistics

Received and considered for debate papers 20/78C, ‘Information Security Training – Content and Statistics.

Noted

858.1 that the statistics for training completion rates are disappointing;

858.2 that there is a higher take up for Professional Services staff and that the Chief Operating Officer is working with College Registrars to encourage uptake from academics;

858.3 that it would be helpful to review best practice and identify opportunities to increase completion.  There is currently no clear sanction for staff who have not completed the training.

858.4 that the University Secretary has every support of the committee to ensure training is completed.

Resolved

858.5 the University Secretary and Chief Operating Officer to raise non-compliance with information security training with UEB, to consider what sanction could be imposed;

858.6 to confirm the implications for the University if compliance with information security training is not achieved;

858.7 an update on information security training compliance would be provided at the next meeting.

859 In-Camera

Following the meeting of the Audit and Risk Committee, an in-camera was held. Only the members of the Audit and Risk Committee, Head of Internal Audit and the External Auditors were present.