Audit and Risk Committee minutes 20 June 2024

Minutes of the meeting of the Cardiff University Audit and Risk Committee held on Thursday 20 June 2024 at 10.00 via Zoom

Present: Dr Robert Weaver (Chair), Aneesa Ali, Pers Aswani, Dr Nick Starkey and Agnes Xavier-Phillips.

In Attendance: Jonathan Brown (KPMG), Clare Eveleigh, Ellie Hetenyi (KPMG), Professor Wendy Larner, Sian Marshall, Carys Moreland, Claire Sanders, Laura Sheridan, Natalie Stewart, Simon Wright [minutes 1252-1253], Darren Xiberras.

1242 Welcome and preliminaries

1242.1 All were welcomed to the meeting.

1242.2 The Chair reminded members that the meeting was being recorded to assist with the production of the minutes.

1242.3 The Chair informed the Committee that the Chief Transformation Officer’s presentation had been deferred to a subsequent meeting to enable them to focus on finalising the roadmap to support the new University Strategy for review by Finance and Resources Committee and Council.

1243 Apologies for absence

Apologies were received from Suzanne Rankin. The meeting was confirmed as quorate.

1244 Declarations of interest

The Chair reminded Committee members of their duty to disclose any potential conflicts of interest. No declarations of interest were received.

1245 Minutes of the previous meeting

The minutes of the meetings held on 21 March 2024 (23/548C) were confirmed as a true and accurate record and were approved to be signed by the Chair.

1246 Matters arising from the minutes

Received and considered paper 23/699C ‘Matters Arising’. The Chair spoke to this item.

Noted

1246.1 Minute 1209.3: That the deadline for the risk improvement plan had been pushed back to October 2024 to align with the timing of the Annual Risk Management Report.

Resolved

1246.2 For actions 1223.12, 1226.5 and 1235.2 to be closed as they were covered by items on the agenda.

1247 Items from the Chair

The Chair spoke to this item.

Noted

1247.1 That the Interim Financial Compliance Manager had now left the University.

1248 Strategic Risk Register

Received and considered paper 23/684HC ‘Strategic Risk Register’.  The Vice-Chancellor spoke to this item.

Noted

1248.1 [Redacted]

1248.2 [Redacted]

1248.3 [Redacted]

1248.4 [Redacted]

1248.5 [Redacted]

1248.6 [Redacted]

1248.7 [Redacted]

Resolved

1248.8 To recommend to Council the Strategic Risk Register Summary and the Risk Register.

1249 External Audit Progress Report

Received and considered paper 23/685C ‘External Audit Progress Report’.  KPMG spoke to this item.

Noted

1249.1 That planning and risk assessment procedures had been completed; that the audit plan had been prepared and dates for the interim and final visits had been agreed.

1249.2 That it was anticipated that the audit process would be improved this year as the KPMG team had not changed and good working relationships had been built with the University Finance team.

1249.3 That feedback from the annual review of internal audit was broadly positive and KPMG had set out within their report how the two lower scoring questions would be addressed.

1249.4 That the higher education sector update highlighted ESG reporting requirements and oversight of generation AI; that these were two areas upon which it would be beneficial to have input from KPMG in future.

Resolved

1249.5 For the Committee to receive further information from KPMG on ESG reporting requirements and oversight of generation AI in future, potentially as part of a development session.

1250 External Audit Plan

Received and considered paper 23/686C ‘External Audit Plan’.  KPMG spoke to this item.

Noted

1250.1 That group materiality had been set at £6.3m based on 1% of forecast total revenue and would be reviewed at year-end; that performance materiality was maintained at 65% and could be increased to 75-85% in line with the risk profile.

1250.2 That the threshold for reporting misstatements to the Committee was set at £310k based on 5% of revenue; that there were different thresholds in place for reporting material errors in relation to tax and other returns to the Committee (£50k) and matters to HEFCW; that there would not be a cost implication of setting the misstatement reporting threshold at a lower level, but it would be helpful for KPMG to be notified of any request to lower the threshold at an early stage to inform the audit work.

1250.3 That KPMG’s risk assessment had identified the significant audit risks as:

• valuation of post retirement defined benefit obligations relating to the Cardiff University Pension Fund owing to the gross liability and the degree of subjective estimation applied; this did not include the Universities Superannuation Scheme (USS) as the recent changes to the scheme meant that there would be no USS provision on the balance sheet;
• research income revenue recognition owing to the level of judgement involved in this area and the risk of non-compliance with grant terms and conditions;
• management override of controls.

1250.4 That going concern was identified as another audit risk; that the University’s cost cutting measures and severance scheme had been notified after the report had been prepared, but did not impact the risk assessment at the current time; that going concern represented an increasing risk position given the University’s financial position.

1250.5 That valuation of property, plant and equipment had not been identified as an audit risk as assets were held at cost less depreciation rather than revaluation and so were not subject to external effects; that there had been previous process and control findings in relation to capital expenditure, but controls were now in place and the level of capital expenditure was much lower than in previous years, which had led to a lower risk assessment; that the review of the estate had identified RAAC as a minor issue for the University.

1250.6 That the new FRC ethical standard would come into effect in December 2024 and would be applied to the 2024-25 audit.

Resolved

1250.7 To approve the external audit plan for 2023/24.

1250.8 For the Chair and Chief Financial Officer to review the thresholds for reporting misstatements, material errors and other matters to ensure alignment, including giving authority to the Chair to determine the appropriate misstatement reporting threshold prior to the Committee’s next meeting.

1251 Key Control Framework Update

Received and considered paper 23/687C ‘Key Control Framework Update’.  The Chief Financial Officer spoke to this item.

Noted

1251.1  That the report provided a progress update on the work to identify, document and review key financial controls, other organisational controls and regulatory controls; that the report identified further areas where the documentation of financial controls was planned; that a review of the operation of key controls was included in the Internal Audit Plan for next year.

1251.2  That a business case was being developed for the Finance Transformation Programme, which included a workstream dedicated to the documentation and review of processes and controls in priority areas; that a plan to replace the Finance system at a cost of £40m had been stopped and the Chief Financial Officer had committed to reviewing system needs over a 3-5 year time period; that the new Chief Digital and Information Officer was to lead a review of the University’s digital needs and the Finance system would be considered as part of this work in relation to other priorities and available funds.

1251.3  That the Chief Financial Officer planned to work with the new Chief Operating Officer and University Secretary to consider how controls are identified, documented and reviewed as part of the Target Operating Model (TOM).

1251.4 That work would need to be undertaken to summarise regulatory controls overseen by the Compliance and Risk Team into a framework.

1251.5 That the transformation programme provided an opportunity to identify key controls as structures, processes and procedures were reviewed; that it was desirable for key controls to be monitored via a management information system where possible, which would automatically flag up control failures.

1251.6 That the documentation of key controls project had been ongoing since June 2023 and progress was perceived to have been slow; that in some areas operational responsibility for further work required was held by posts that were currently vacant and would need to be recruited to; that there was a desire from the Committee for progress to be made more quickly; that there was not spare capacity readily available within the Finance team; that the capacity within the team would need to be reviewed if the planned work was to be undertaken more quickly.

Resolved

1251.7 For the Chief Financial Officer to review the Finance team’s capacity to progress the further work required more quickly and to report back to the Committee.

1251.8  For the Compliance and Risk Team to summarise into a framework the regulatory controls overseen by the team.

1252 Major and Serious Incident Update Report, including closure reports

Received and considered paper 23/688HC ‘Major and Serious Incident Update Report’.  The Chief Operating Officer and University Secretary spoke to this item. The Academic Registrar joined the meeting for this item.

Noted

1252.1 [Redacted]

1252.2 [Redacted]

1252.3 [Redacted]

1252.4  [Redacted]

1252.5  [Redacted]

1252.6 [Redacted]

1252.7 [Redacted]

Resolved

1252.8  To approve that the report provides adequate assurance for the risks in this area.

1252.9 For a deep dive to be undertaken at a future meeting on the Student Welfare and Wellbeing risk, including an update on whether mitigating actions have been assessed as fully embedded.

1252.10 For data on student suicides relative to the general population to be shared with the Committee.

1253 Internal Audit Progress Report

Received and considered paper 23/689HC ‘Internal Audit Progress Report’.  The Head of Internal Audit spoke to this item.

Noted

HE Data Returns

1253.1 [Redacted]

Transparent Approach to Costing (TRAC)

1253.2 [Redacted]

1254 UKVI Readiness Assessment Internal Audit Report

Received and considered paper 23/714HC ‘UKVI Readiness Assessment Internal Audit Report’.  The Academic Registrar spoke to this item.

Noted

1254.1 [Redacted]

1254.2  [Redacted]

1254.3  [Redacted]

1254.4  [Redacted]

The Committee asked all Officers apart from the Governance Advisor and Head of Internal Audit to leave the meeting temporarily in order for members to have a private discussion; there were no actions arising from this discussion.

Simon Wright left the meeting at the conclusion of this item.

1255 Internal Audit Recommendations Tracker Report

Received and considered paper 23/690HC ‘Internal Audit Recommendations Tracker Report’.  The Head of Internal Audit spoke to this item.

Noted

1255.1 [Redacted]

1255.2 [Redacted]

1255.3 [Redacted]

1255.4 [Redacted]

1255.5 [Redacted]

1255.6 [Redacted]

1255.7 [Redacted]

1255.8 [Redacted]

Resolved

1255.9 For a report to be provided to the Committee on how the 10 priority 1 overdue actions would be progressed to completion.

1255.10 For Management to consider inviting action owners for recommendations overdue by a year or more to attend the Committee to provide progress updates.

1256 Internal Audit Strategy 2024-25

Received and considered paper 23/691HC ‘Internal Audit Strategy 2024-25’.  The Head of Internal Audit spoke to this item.

Noted

1256.1 [Redacted]

1256.2 [Redacted]

Resolved

1256.3 To approve the Internal Audit Strategy 2024-25.

1257 Internal Audit Plan 2024-25

Received and considered paper 23/713HC ‘Internal Audit Plan 2024-25’.  The Head of Internal Audit spoke to this item.

Noted

1257.1 [Redacted]

1257.2 [Redacted]

1257.3 [Redacted]

1257.4 [Redacted]

1257.5 [Redacted]

Resolved

1257.6 To approve the risk-based internal audit programme for 2024/25.

1258 Review of Internal Audit: Action Plan

Received and considered paper 23/692HC ‘Review of Internal Audit: Action Plan’.  The Head of Internal Audit spoke to this item.

Noted

1258.1 [Redacted]

1258.2 [Redacted]

Ellie Hetenyi left the meeting at the conclusion of this item.

1259 Financial Compliance update

Received and considered paper 23/693C ‘Financial Compliance Update’.  The Chief Financial Officer spoke to this item.

Noted

1259.1 [Redacted]

1259.2 That a business case for the recruitment of a permanent Head of Financial Compliance was to be reviewed by the recruitment control panel; that information requests were being managed by the Compliance and Risk Team with input from the Income Team in Finance; that the Interim Financial Compliance Manager had undertaken a detailed handover; that the reactive elements of the role were being picked up in the short term but the more proactive work was paused pending recruitment.

1259.3 That the new Anti-Money Laundering, Counter Terrorist Financing, Financial Sanction and Tax Evasion policy had been approved and circulated to the Committee for awareness.

1260 Litigation Report

Received and considered paper 23/695HC ‘Litigation Report’.  The Chief Operating Officer and University Secretary spoke to this item.

Noted

1260.1 [Redacted]

1260.2 [Redacted]

1260.3 [Redacted]

1260.4 [Redacted]

Resolved

1260.5 For the next iteration of the report to detail where provisions had been made and where cases were covered by insurance policies.

1261 Whistleblowing Reports

The Chief Operating Officer and Interim University Secretary spoke to this item.

Noted

1261.1 That it had been reported to the last meeting that one case was being reviewed to determine whether it would be considered under the Policy; that the review undertaken by the University Secretary and General Counsel, and the Head of Compliance and Risk had led to the case being referred for action under the University’s Counter-Fraud and Anti-Bribery Policy.

1262 Annual Audit and Risk Committee self-evaluation of effectiveness

Received and considered paper 23/696C ‘Annual Audit and Risk Committee self-evaluation of effectiveness’.  The Chair spoke to this item.

Noted

1262.1 That the survey results were positive for the majority of areas; that less positive responses were received in relation to the following two questions:

• 3.5 When a decision has been made or action agreed, members feel confident that it will be implemented as agreed and in line with the timescale set down.
• 7.2 The Committee is clear about the complementary relationship it has with the other governing body or Senate Committees.

1262.2  That the timeliness of completing actions had been discussed earlier in the meeting and no further action was required; that there was scope for Committee members to develop a better understanding of the wider governance structure and the role and responsibilities of other University committees.

1262.3 That the survey had provided very positive feedback on the Chair and the effective chairing of the Committee.

Resolved

1262.4 For a development session to be provided for members on the wider governance structure and the role and responsibilities of other University committees.

1262.5 For the Committee’s next annual review of effectiveness to include external input, the nature of this would be determined but potentially could be from the Audit Chair or the Head of Audit from another institution, or from an independent reviewer.

1263 Any Other Business

The Chair spoke to this item.

Noted

1263.1 That the Chief Operating Officer and Interim University Secretary was attending her last meeting after 10 years service to the University; that the Committee expressed its thanks for their contribution and the support provided to the Committee.

1264 Review of risks identified in the Risk Register

Resolved

1264.1 That the risk register accurately represented the information that had been received by the Committee.

1265 Items received for information

Noted

1265.1 The following papers:

• 23/697C Annual Review of the External Audit Service
• 23/698 Schedule of Committee Business for the year ahead

All Officers apart from the Head of Internal Audit and the Governance Advisor left the meeting for the reserved items.

1266 In-Camera Meeting

Following the meeting of the Audit and Risk Committee, an in-camera meeting was held. The members of the Audit and Risk Committee, the external auditors, and the Governance Advisor were present.

Resolved

1266.1  For periodic deep dives to be undertaken of specific legal and regulatory compliance risks.

The minutes of the meeting held on 20 June 2024 were confirmed as a true and accurate record and were approved by the Committee on 10 October 2024.