Audit and Risk Committee minutes 21 March 2024

Minutes of the meeting of the Cardiff University Audit and Risk Committee held on Thursday 21 March 2024 at 10:00 via Zoom.

Present: Dr Robert Weaver (Chair), Aneesa Ali, Pers Aswani, Suzanne Rankin, Dr Nick Starkey and Agnes Xavier-Phillips.

In attendance:  Jonathan Brown (KPMG), Rhodri Evans [minute 1236], Clare Eveleigh, Ellie Hetenyi (KPMG), Professor Wendy Larner, Sian Marshall, Alice Milanese [minute 1225], Carys Moreland, Gemma Pezzack [minute 1233], TJ Rawlinson [minute 1225], Claire Sanders, Laura Sheridan, Natalie Stewart, Professor Damian Walford Davies [minute 1225], Professor Roger Whitaker [minute 1225], Darren Xiberras.

1218 Welcome and preliminaries

1218.1 All were welcomed to the meeting, including Aneesa Ali and Dr Nick Starkey who were attending their first meeting of the Committee following their appointment in January 2024.

1218.2 The Chair reminded members that the meeting was being recorded to assist with the production of the minutes.

1219 Apologies for absence

No apologies were received.

1219 Declarations of interest

The Chair reminded Committee members of their duty to disclose any potential conflicts of interest. No declarations of interest were received.

1220 Minutes of the previous meeting

The minutes of the meetings held on 14 November 2023 (23/488C) were confirmed as a true and accurate record and were approved to be signed by the Chair.

1221 Matters Arising from the Minutes

Received and considered paper 23/484C ‘Matters Arising’. The Chair spoke to this item.


Minute 1109.3 Anti-Money Laundering Policy

1221.1 That the policy had been reviewed and was due to be considered at UEB on 30 April 2024.

Minute 1177: Internal Control Framework

1221.2 That the deadline for the three internal control framework actions had been revised to June 2024 as an internal audit was planned to test the effectiveness of the operating controls identified; that a single report would be presented to the Committee in June 2024 covering both the work undertaken to map the internal control framework and the outcome of the audit.

1221.3 That the internal audit would review the controls identified as part of the initial work, identify any gaps, any issues with the effectiveness of controls and any control improvements required; that once the audit had been completed it would be possible to identify any next steps and for the Committee to consider whether any deep dives were required.

1221.4 That the name of the Consultant engaged on the project had remained on the action as the Committee had originally requested they return to present the final report; that it had now been agreed with the Chair that this would no longer be required; that ownership of the actions remained with the Chief Financial Officer.

1221.5 That it was desirable for a key control framework to be established across the University, rather than just in Finance, with some degree of automation to identify where controls were not operating effectively; that it was also desirable for deep dives and control testing to be undertaken periodically; that the Committee would like to better understand how control testing would be taken forward in future and who would be responsible for this.


1221.6 For the report to the Committee in June 2024 to detail any next steps required from the work undertaken to develop the internal control framework, including any plans to further document and test key controls in place across the University.

1222 Items from the Chair

Received and considered paper 23/488C ‘Report of Chair's Action Since Last Meeting’.


1222.1 The action taken by the Chair since the last meeting as detailed in the paper.

1223 Strategic Risk Register

Received and considered paper 23/483C ‘Strategic Risk Register’.  The Vice-Chancellor spoke to this item.


1223.1 That thirteen risks were presented in the new risk register; that three risks had not been fully completed at the time of reporting and were excluded (Quality of Education, Student Welfare and Wellbeing and Financial Sustainability); that work to finalise these risks was in progress and would be reported within the next cycle in June 2024.

1223.2 That engagement from staff had been good despite the challenge of competing deadlines; that the introduction of risk leads and secondary risk leads in addition to risk owners was a positive enhancement to the University’s approach; that the lessons learnt identified indicated an improvement in the University’s risk maturity.

1223.3 That the Executive acknowledged the considerable work undertaken in refreshing the University’s approach to risk management and establishing the new system; that the Committee commended the Risk Manager for the work undertaken.

1223.4 That the Vice-Chancellor remained concerned regarding the University’s student recruitment targets owing to the increasingly challenging external environment.

1223.5 [Redacted]

1223.6 That the Committee wished to understand any contingency plans being put in place should actions to improve the building infrastructure not be taken forward.

1223.7 That consideration had been given to disaggregating the regulatory compliance risk in order to provide greater detail, accountability and transparency of the mitigations; that the development of the regulatory compliance heat map would include identifying local areas of compliance, assigning owners for each area and developing the mitigation plan; that this would be brought to the Committee in due course once completed.

1223.8 That the paper requested the de-escalation from the risk register of the “Recruitment/retention in key areas of professional services” risk; that staff turnover was generally low across Professional Services; that mitigations were in place to address the staff turnover at a senior level; that the senior staff recruitment currently underway was progressing well with many good candidates having applied, which indicated that the mitigations were effective and the residual risk was therefore low.

1223.9 That the target scoring for each risk was a new concept that was being developed; that there were a number of risks for which the target score was outside of the acceptable target tolerance; that a deadline had been set of the end of the year for risk owners and leads to build additional treatment plans for these risks; that further discussion could be required as to whether any risks would need to be tolerated where they could not be treated.


1223.10 To recommend to Council the Lessons Learnt and the Strategic Risk Summary and the Risk Register.

1223.11 For members to contact the Risk Manager or Governance Advisor if they would like further information on the University’s new approach to risk management or the new 4Risk system.

1223.12 For the Committee to receive further information at a future meeting regarding the contingency plans for the Dental School.

1224 Risk Maturity Report

Received and considered paper 23/478HC ‘Risk Maturity Report’.  The Interim Head of Internal Audit spoke to this item.


1224.1 [Redacted]

1225 Update on Carbon Net Zero action plan

Received and considered paper 23/486 ‘Update on Carbon Net Zero action plan’.  The Deputy Vice-Chancellor, the Net Zero Programme Manager and the Director of Development and Alumni joined the meeting for this item.


1225.1 That a draft roadmap for Net Zero scopes 1 and 2 would be considered by UEB after Easter and subsequently by the Environmental Sustainability Sub-Committee, Finance and Resources Committee and Council in July 2024.

1225.2 That it would be challenging for the University to achieve Net Zero scopes 1 and 2 by 2030 without a high scale of investment, which had been reflected in the risk register; that the University may need to reconsider either the date, or the nature of the commitment made in the context of wider, strategic decisions; that the University remained committed to environmental sustainability; that Welsh Government was committed to achieving Net Zero scopes 1 and 2 by 2030.

1225.3 That good progress had been made in addressing the recommendations from the internal audit of Net Zero; that progress with the actions would be reported as part of the internal audit recommendations follow-up item.

1225.4 That the achievement of Net Zero scope 3 by 2050 presented a significant challenge, which would require different skills and experience to meet.


1225.5 For the Committee to continue to receive an annual update on Net Zero progress.

Professor Damian Walford Davies, Alice Milanese and TJ Rawlinson left the meeting at the conclusion of this item.

1226 Internal Audit review

Received and considered paper 23/489C ‘Internal Audit Review’.  The Chief Operating Officer spoke to this item.


1226.1 That the report and recommendations were welcomed by the Executive; that the report highlighted the need to appoint a permanent Head of Internal Audit to stabilise the Service and continue improvements; that the recommendation regarding clarifying the role and responsibilities of Internal Audit to stakeholders was key to the effectiveness of the Service.

1226.2  That the importance of resourcing the Service to risk rather than budget was acknowledged; that the recommendation of considering the appointment of an apprentice was welcomed.

1226.3 That the report provided assurance to the Committee on the effectiveness of the Internal Audit Service and the commitment to continuous improvement; that the Committee was supportive of the recommendations; that it would be helpful for an action plan to be developed in response to the recommendations.


1226.4 To recommend the report to Council with the Committee’s support.

1226.5 For an action plan to be developed setting out timelines for addressing the recommendations.

1227 Internal Audit Progress report

Received and considered paper 23/481HC ‘Internal Audit Progress Report’.  The Interim Head of Internal Audit spoke to this item.


UUK Code of Practice for the Management of Student Accommodation

1227.1 [Redacted]

1228 Research Commercialisation Internal Audit report

Received and considered paper 23/482HC ‘Research Commercialisation Internal Audit Report’.  The Pro Vice-Chancellor Research, Innovation and Enterprise joined the meeting for this item.


1228.1 [Redacted]

1228.2 [Redacted]

Professor Roger Whitaker left the meeting at the conclusion of this item.

1229 Internal Audit Recommendations Tracker report

Received and considered paper 23/480HC ‘Internal Audit Recommendations Tracker Report’.  The Interim Head of Internal Audit spoke to this item.


1229.1 [Redacted]

1229.2 [Redacted]

1229.3 [Redacted]

1229.4 [Redacted]


1229.5 For a closure report covering the actions identified as closed within the report to be circulated to the Committee after the meeting.

Claire Sanders left the meeting.

1230 Updated Internal Audit Strategy and Annual Plan for 2023-24

Received and considered paper 23/479HC ‘Updated Internal Audit Strategy and Annual Plan for 2023-24’.  The Interim Head of Internal Audit spoke to this item.


1230.1 [Redacted]

1230.2 [Redacted]

1230.3 [Redacted]

1230.4  [Redacted]


1230.5 To approve the proposed changes to the risk-based internal audit programme for 2023/24.

1231 Internal Audit Charter

Received and considered paper 23/494HC ‘Internal Audit Charter’.  The Interim Head of Internal Audit spoke to this item.


1231.1 [Redacted]


1231.2  To recommend to Council the Internal Audit Charter.

Clare Eveleigh left the meeting at the conclusion of this item.

1232 Major and Serious Incident update report

Received and considered paper 23/490HC ‘Major and Serious Incident Update Report’.  The Head of Corporate Governance spoke to this item.


1232.1 [Redacted]

1232.2 [Redacted]

1232.3 [Redacted]

1232.4 [Redacted]


1232.5 To approve that the report provides adequate assurance for the risks in this area.

1233 Financial Compliance update

Received and considered paper 23/492C ‘Financial Compliance Update’.  The Interim Financial Compliance Manager joined the meeting for this item.


1233.1 That staff had been very open about the risks that were present and had demonstrated a willingness to address the risks efficiently and effectively; that the risk maturity in this area was in its infancy.

1233.2  That the Anti-Money Laundering Regulations did not apply to the University and some of its processes had been established as though the Regulations did apply; that there was a need to review a number of the University’s policies and procedures in light of this; that there was a growing focus on financial crime in higher education.

1233.3  That a proposed reporting template had been developed to identify the University’s risk exposure, any emerging trends and mitigations; that during the build stage of the function it was proposed that the first and second lines of defence be executed by the same person as there was not the level of knowledge within operational areas to introduce immediately a three lines of defence model.

Claire Sanders rejoined the meeting.

1233.4 That the proposals had been reviewed by the Chief Financial Officer and Chief Operating Officer but had not been reviewed by the Vice-Chancellor.

1233.5 That it was intended that financial compliance training would be mandatory and mechanisms for monitoring completion of mandatory training were in place.


1233.6 To approve the proposal on how to build and develop the financial compliance function.

1233.7 For the Interim Financial Compliance Manager to meet with the Vice-Chancellor to ensure their support for the proposed approach given the importance of financial compliance for the University.

Gemma Pezzack and Claire Sanders left the meeting at the conclusion of this item.

1234 Lessons learnt from purchasing card misuse incident

Received and considered paper 23/492C ‘Lessons learnt from purchasing card misuse incident’.  The Chief Financial Officer spoke to this item.


1234.1  That the key lessons learned were:

a. ensuring purchase card reviews are undertaken in a timely manner; that this issue had arisen due to resourcing issues within the newly established team responsible for the reviews; that assurance had been given that all reviews were now up-to-date;

b. ensuring that the decision to report matters to the Police is independent;

c. ensuring that the sources of funds are known before any repayment is accepted.

1234.2 That the Committee wished to receive confirmation that the University’s approach to reporting criminal matters to the Police was appropriate.


1234.3 For the Chief Financial Officer to seek advice from the Legal Services Team on the University’s approach to reporting criminal matters to the Police.

1235 Whistleblowing reports

The Head of Corporate Governance spoke to this item.


1235.1 That one case was being reviewed to determine whether it would be considered under the Policy; that the Committee would receive an update at the next meeting.


1235.2 For the Committee to receive an update on the potential whistleblowing case at the next meeting.

Claire Sanders re-joined the meeting.

1236 Academic Assurance Framework

Received and considered paper 23/493 ‘Academic Assurance Framework’.  The Head of Education Governance joined the meeting for this item.


1236.1 That the academic assurance framework had been developed to demonstrate the evidence used by the University to support the assurance statements provided to HEFCW annually.

1236.2  That the report identified activities to ensure the quality and academic standards of the University’s awards; that the report provided an evaluation of the risks relating to quality and standards; that the overall risk was red owing to the regulatory oversight introduced by HEFCW of student satisfaction; that mechanisms were in place to address this risk including oversight of school action plans; that the risk remained red as evidence had not yet been provided that the actions taken were improving student satisfaction.

1236.3 That it would be helpful for the Committee to understand the magnitude and order of risk in future reports.


1236.4 For the next report to include more detail on the magnitude and order of risk.

Rhodri Evans left the meeting at the conclusion of this item.

1237 Any other business

The Chair spoke to this item.


1237.1 That recruitment was currently underway for a combined Chief Operating Officer and University Secretary role; that a new post of Director of Legal and Corporate Services had been created and an appointment would be made in due course.

1237.2 That the Committee wished to receive confirmation as to who would be Secretary to the Committee and would be in attendance at in camera meetings.


1237.3 For confirmation to be provided as to who would undertake the role of Secretary to the Committee and who would be in attendance at in camera meetings.


1237.4 That a useful presentation had been given to Council on University finances.


1237.5 For the recording of the presentation on University finances to be shared with members.

1238 Review of risks identified in the Risk Register


1238.1 That the risk register accurately represented the information that had been received by the Committee.

1239 Items received for approval


1239.1 To approve the following paper:

23/485 Changes to Scheme of Delegation

1240 Items received for information


1240.1 The following paper:

23/495C HEFCW IAR action plan Update

All Officers apart from the Chief Operating Officer and Interim University Secretary, Governance Advisor and Head of Corporate Governance left the meeting for the reserved items.

1241 In-Camera Meeting

Following the meeting of the Audit and Risk Committee, an in-camera meeting was held. The members of the Audit and Risk Committee, the external auditors, the Chief Operating Officer and Interim University Secretary, Governance Advisor and Head of Corporate Governance were present.

Head of Internal Audit Appointment

The Chief Operating Officer spoke to this item.

1241.1 [Redacted]

1241.2 [Redacted]

1241.3 [Redacted]

1241.4 [Redacted]

1241.5  [Redacted]

1241.6  [Redacted]

1241.7  [Redacted]


1241.8  To recommend to Council that Laura Sheridan be appointed as the permanent Head of Internal Audit.

