Audit and Risk Committee minutes 10 October 2024

Minutes of the meeting of the Cardiff University Audit and Risk Committee held on Thursday 10 October 2024 at 9.00 in room 1.22, Tŷ’r Wyddfa, Heath Park West and via Zoom.

Present: Dr Robert Weaver (Chair), Aneesa Ali, Pers Aswani, Dr Nick Starkey and Suzanne Rankin.

In Attendance: Ruth Davies, Clare Eveleigh, Daisy Gandy, Ellie Hetenyi (KPMG), Dr David Langley [minute 1276], Professor Wendy Larner, Sian Marshall, Alexander Middleton (KPMG), Carys Moreland, Laura Pendakis (KPMG) [minute 1291], Melanie Rimmer [minute 1285], Dr Paula Sanderson, Laura Sheridan, Natalie Stewart, Darren Xiberras.

1267 Welcome and preliminaries

1267.1 All were welcomed to the meeting, including the Chief Operating Officer and University Secretary attending her first meeting of the Committee.

1267.2 The Chair reminded members that the meeting was being recorded to assist with producing the minutes.

1268 Apologies for absence

Apologies were received from Agnes Xavier-Phillips and Jonathan Brown (KPMG). The meeting was confirmed as quorate.

1269 Declarations of Interest

1269.1 The Chair reminded Committee members of their duty to disclose any potential conflicts of interest.

Noted

1269.2 That Suzanne Rankin declared an interest in the Dental Hospital in her role as Chief Executive of Cardiff and Vale University Health Board; the Hospital was owned and managed by the Health Board.

1269.3 That Aneesa Ali worked for Audit Wales; there could be an indirect conflict of interest should the Committee receive any reports from Audit Wales as detailed in the Committee Constitution.

1270 Minutes of the previous meeting

The minutes of the meetings held on 20 June 2024 (23/839C) were confirmed as a true and accurate record.

1271 Matters arising from the minutes

Received and considered paper 24/73C ‘Matters Arising’. The Chair spoke to this item.

Noted

Minute 1237.3

1271.1 That the Governance Advisor had been asked to act as Secretary to the Committee for the October meeting; a recommendation on the individual to be the Secretary to the Committee would be made once the Director of Corporate and Legal Services / Deputy Secretary was appointed; recruitment for the post was underway and the Chair would be updated in due course.

Resolved

1271.2 For estimated completion dates to be added for those actions with a planned completion date listed as “2024-25”.

1271.3 For any substantive actions with revised completion dates to be flagged up for discussion by the Committee at future meetings.

1272 Constitution and membership

Received and considered paper 24/74 ‘Constitution and Membership’. The Chair spoke to this item.

Noted

1272.1 That the Constitution had been reviewed and a number of minor changes were proposed; this included an increase to the reporting threshold for material errors to £100k.

1272.2 That there were exceptions to the reporting threshold such as termination payments and fraudulent or unethical activity.

Resolved

1272.3 To recommend to Council the revised Constitution for approval.

1272.4 For the Chair and the Chief Financial Officer to discuss the matters that should be reported to the Committee outside of the threshold for reporting errors.

Pers Aswani joined the meeting.

1273 Items from the Chair

Received and considered paper 24/75 ‘Report of Chair’s Action’. The Chair spoke to this item.

Noted

1273.1 That there was one report of chair’s action; the Chair had approved an amendment to align the reporting thresholds for audit misstatements and any material errors in tax and other returns at £100,000.

1273.2 That the Chair and other members of Council had attended a very successful Council development day during the previous week; topics included lessons learned from the encampment, delivery of the University Strategy and transformation programme, and transnational education.

1274 Risk management update

Received and considered paper 24/77 ‘Risk Management Update’.  The Chief Operating Officer and University Secretary spoke to this item.

Noted

1274.1 That recent improvements made to risk management had developed a more structured approach to risk and a more risk-aware culture; there was a further need to develop this approach to reflect the new strategy and to ensure that the risk register did not remain static going forward.

1274.2 That a range of activities were planned, including a comprehensive horizon scanning exercise to be undertaken with UEB in the coming weeks; embedding risk into new Directorate Service Plans was a priority to ensure that risk becomes a mechanism through which threats to delivery are actively and routinely managed.

Resolved

1274.3 For an update to be provided on the risk management improvement plans at the March 2025 meeting.

1275 Strategic Risk Register

Received and considered paper 24/76HC ‘Strategic Risk Register’.  The Chief Operating Officer and University Secretary spoke to this item.

Noted

1275.1 [Redacted]

1275.2 [Redacted]

1275.3 [Redacted]

1275.4 [Redacted]

1275.5 [Redacted]

1275.6 [Redacted]

Resolved

1275.7 To recommend to Council the Strategic Risk Register for approval.

1275.8 For a deep dive into progress with the league table project linked to the financial sustainability risk to be undertaken in 12 months time.

1276 Deep Dive: Transformation Programme Roadmap Formation

The Chief Transformation Officer joined the meeting to speak to this item.

Noted

1276.1 That financial sustainability was currently the biggest risk for the organisation; cultural transformation was imperative for delivering on the ambitions of the University Strategy and the transformation roadmap; the roadmap was structured across three horizons to enable sub-optimal processes, structures, behaviours and systems to be improved prior to creating growth and enabling future repositioning.

1276.2 That the roadmap would reference the Strategic Risk Register, including where delivery activity supports risk mitigation; a review of the mitigating actions for each strategic risk had been undertaken to identify roadmap projects listed as a mitigating action and risk owners would be prompted during future risk reviews to capture where actions were part of roadmap activity; a local risk register for overall roadmap delivery had also been developed.

1276.3  That it was imperative that staff were empowered to challenge poor processes, structures and behaviours and to enable innovation; that effective leadership was key to this.

1276.4 That the roadmap aims were intentionally ambitions and required delivery at pace; it would be a challenge to build staff capacity and capability and to get the messaging right to empower staff to deliver at pace, but the risks of not taking this approach were greater; staff would be supported through the process; a workshop would be held during the following week to consider how staff can work together in a one team approach.

1276.5 That staff in the Programme Management Office would be focused on transformation delivery and were experienced in a range of programme management approaches and methodologies and would use their considerable expertise to enable delivery.

1276.6 That governance structures for the transformation roadmap were considered sufficient; UEB would act as the delivery board and monitoring of progress would be against the Strategy, roadmap and KPIs through the wider, established governance structure.

1276.7 That it was imperative for any barriers to delivery to be highlighted to UEB and Council at the earliest opportunity; that the relationship with Council would be fundamental to progress, particularly during the first year of the programme.

Dr David Langley left the meeting at the conclusion of this item.

1277 Preliminary Financial Position 2023/24

Received and considered paper 24/78C ‘Preliminary Financial Position 2023/24’. The Chief Financial Officer spoke to this item.

Noted

1277.1 [Redacted]

1277.2 [Redacted]

1277.3 That the Investment and Banking Sub-Committee had oversight of the University’s investment portfolio; a range of investment management companies were used, each with a set risk profile and guideline return on investment; that a target of 6% annual return was in place to ensure full bond repayment by 2055; that the bond repayment fund was monitored regularly with the next full review planned for 2025.

1277.4 That cashflow was reviewed regularly and a £60m revolving credit facility had been put in place with HSBC as a buffer against any liquidity issues; that oversight was provided by the Investment and Banking Sub-Committee and the Finance and Resources Committee.

1278 External Audit Update Report and Technical Update

Received and considered paper 24/79C ‘External Audit Update Report and Technical Update’.  Eleanor Hetenyi (KPMG) spoke to this item.

Noted

1278.1 That the audit was progressing well; this had been helped by the continuity provided by the Finance Team; no issues with the timetable were currently anticipated.

1278.2 That a working group had been established to consider opportunities around artificial intelligence (AI); Daniel Lawrence, the new Chief Digital and Information Officer, was joining the University during the following week and would bring considerable experience in relation to digital transformation from the HE and private sector; staff were engaged in a range of sector-wide discussions around AI; an internal audit of AI readiness was included in the 2024-25 audit programme.

1279 Action Plan to address External Audit Recommendations: Update

Received and considered paper 24/79C ‘Action Plan to address External Audit Recommendations: Update’.  The Group Financial Controller spoke to this item.

Noted

1279.1 That during 2023-24 the focus had been on improving the University’s finance system, with the completion of an 8-month project to upgrade Oracle EBS; this would allow implementation of a system-based journal authorisation control; this enhancement would represent significant progress but would not be in place sufficiently early to ensure closure of the audit action in the next ISO260 report.

1279.2 That improvements had been made to the Finance Team; a strong financial reporting team was now in place; considerable work had been undertaken with Schools and Departments to prepare for year end; work to consider the overall structure of the Finance Team was being taken forward as part of the finance transformation business case including to address the key person/resilience risk highlighted in the Treasury Management internal audit; the Vice-Chancellor was clear that the Finance Team needed to be adequately resourced to support the transformation required and that achieving short term savings that would have medium-long term, negative consequences was not desirable.

1279.3 That recruitment was underway for a permanent Head of Financial Compliance to replace the Financial Compliance Manager role, which had been vacant since June; that interim resource would be considered if there was a further gap following recruitment.

1279.4 That the inclusion of key control framework activity within the finance transformation roadmap (as noted in the matters arising paper) indicated that there would be further delays to this work, which had been ongoing since the 2022 ISO260 report; there was concern from some members that the work had not been progressed sufficiently quickly; it was imperative that the University manages risks appropriately and it was an expectation from the Committee that key controls to manage and mitigate risk across the University are documented; that some progress had been made in documenting and testing key financial controls, but limited progress had been made with controls outside of Finance.

1279.5 That the draft internal audit annual report identified an over-reliance on manual processes and a failure to digitise or systematise; that this was a key priority of the transformation roadmap to address these issues; the work on process improvement and process review also aimed to embed key controls into all process improvements; that identifying and documenting key controls would form part of the work currently being undertaken.

1279.6 That the Committee acknowledged the scale of the challenge required to move staff away from manual processes and established work-arounds; it was imperative that an appropriate amount of time was taken to fix issues properly to ensure they did not reoccur and with automated, systems-based resolutions where possible; that the range of activity planned under the transformation roadmap provided assurance to the Committee that plans were in place to strengthen and improve the control environment.

Resolved

1279.7 For the Committee to be regularly kept updated on the:

1. identification of Key Controls and Key Control Gaps;
2. implementation of Key Controls; and
3. progress (% tracker) on the key control framework activity progress for all controls (not just Financial Controls).

1280 Internal Audit Progress Report

Received and considered paper 24/81HC ‘Internal Audit Progress Report’.  The Head of Internal Audit spoke to this item.

Noted

1280.1 [Redacted]

1280.2 [Redacted]

1280.3 [Redacted]

1280.4 [Redacted]

1281 Internal audit report: Financial Controls – Treasury Management

Received and considered paper 24/70HC ‘Internal audit report: Financial Controls – Treasury Management’.  The Head of Internal Audit and the Chief Financial Officer spoke to this item.

Noted

1281.1 [Redacted]

1281.2 [Redacted]

1281.3 [Redacted]

1281.4 [Redacted]

1281.5 [Redacted]

1282 Internal Audit Recommendations Tracker

Received and considered paper 24/82HC ‘Internal Audit Recommendations Tracker’.  The Head of Internal Audit spoke to this item.

Noted

1282.1 [Redacted]

1282.2 [Redacted]

1282.3 [Redacted]

1283 Draft Internal Audit Annual Report and Opinion 24-25

Received and considered paper 24/83HC ‘Draft Internal Audit Annual Report and Opinion 24-25’.  The Head of Internal Audit spoke to this item.

Noted

1283.1 [Redacted]

1283.2 [Redacted]

1283.3 [Redacted]

1283.4 [Redacted]

Resolved

1283.5 For the Head of Internal Audit to consider including some information within the report on the progress made during the past 12-18 months.

1284 Major and Serious Incidents Update

Received and considered paper 24/84HC ‘Major and Serious Incident Update Report’.  The Chief Operating Officer and University Secretary spoke to this item.

Noted

1284.1 [Redacted]

1284.2 [Redacted]

Resolved

1284.3 To approve that the report provides adequate assurance for the risks in this area.

1284.4 For a deep dive on the Staff Safety and Wellbeing risk to be added to the provisional schedule.

1285 Assurance of risk relating to data submitted externally

Received and considered paper 24/85C ‘Assurance of risk relating to data submitted externally’.  The Director of Strategic Planning joined the meeting for this item.

Noted

1285.1 That a number of process changes had been made in 2023-24; the External Returns Oversight Group (EROG) had monitored KPIs on student loan company data returns following an internal audit recommendation and confirmed all KPIs had been met.

1285.2 That the new student HESA return had been successfully submitted first time by the nationally extended deadline; this was commendable in the context of some institutions who submitted the return 4-5 months late or who had been asked to resubmit the return more than once.

Resolved

1285.3 To approve that the report provides an appropriate level of assurance in relation to data submitted externally.

Melanie Rimmer left the meeting at the conclusion of this item.

1286 Annual Risk Management Report and Improvement Plan

Received and considered paper 24/86HC ‘Annual Risk Management Report and Improvement Plan’.  The Senior Risk Manager spoke to this item.

Noted

1286.1 [Redacted]

1286.2 [Redacted]

1286.3 [Redacted]

1286.4 [Redacted]

Resolved

1286.5 To approve the Annual Risk Management Report 2024 and the Risk Management Improvement Plan.

1286.6 For the goals and objectives section of the report to include estimated dates in the next iteration of the report.

1287 Report of Financial Compliance Issues

The Group Financial Controller spoke to this item.

Noted

1287.1 That there were no financial compliance matters to report; three activity reports were under review and one Defence Against Money Laundering matter had been submitted for investigation.

1287.2 That reporting processes remained active whilst the Head of Financial Compliance post was vacant; once appointed, the Head of Financial Compliance would undertake a retrospective review of 2023-24 to determine if there were any issues not identified or reported.

1288 Any Other Business

No further items of business were discussed.

1289 Review of Risks identified in the Risk Register

Resolved

1289.1 That the risk register accurately represented the information that had been received by the Committee.

1290 Value For Money

Received and considered paper 24/89 ‘Value For Money’.

Noted

1290.1 That the report provided evidence of the work undertaken by the University during 2023/24 to ensure that value for money is delivered for students and funders.

1290.2 That the paper provided a useful summary of activity, but it was not clear whether value for money had been achieved; that the remit of the Committee was to receive assurance on the effectiveness of arrangements to deliver value for money rather than to make an assessment on whether value for money had been achieved; that guidance for the sector on how to evidence delivery of value for money was limited and it was a challenge for institutions to demonstrate this.

1290.3 That a value for money policy was being developed and would be shared with the Committee at a future meeting.

Resolved

1290.4 To recommend that an appropriate level of assurance around institutional arrangements for delivery of value for money has been provided to Council for approval.

1290.5 For the Committee to review the value for money policy at a future meeting.

1291 ESG Update from Laura Pendakis, KPMG ESG Specialist

Laura Pendakis from KPMG joined the meeting for this item.

Noted

1291.1 That stakeholder engagement was a key part of ESG investment decision-making.

1291.2 That the University’s ESG disclosures were in line with the sector based on benchmarking against four other universities, but there was scope to get ahead of the sector by disclosing more information; this could be beneficial in terms of the University’s reputation and could provide a competitive advantage.

1291.3 That Professor Monjur Mourshed had recently been appointed as Dean for Environmental Sustainability; one of his priorities would be reviewing disclosures and University league table performance on sustainability metrics.

1291.4 That the University’s Socially Responsible Investment Policy was reviewed during the previous year and the investment portfolio largely was well aligned to Policy; the Policy prohibited investment in fossil fuels, armaments, weapons and tobacco.

1291.5 That work was being undertaken to ensure alignment between due diligence processes and policies on research, development and alumni relations; this was in response to feedback from students seeking clarity on the ethics of the University’s investments, partnerships and relationships.

Resolved

1291.6 For the Chief Operating Officer and University Secretary to discuss ESG disclosures with the Provost and Deputy Vice-Chancellor and Dean for Environmental Sustainability.

Laura Pendakis left the meeting at the conclusion of this item.

1292 Compliance Report: HEFCW Financial Management Code and Terms and Conditions of Funding

Received and considered paper 24/87 ‘Compliance Report: HEFCW Financial Management Code and Terms and Conditions of Funding’.

Resolved

1292.1 To approve that an appropriate level of assurance has been provided of compliance with the CUC HE Audit Committees Code of Practice and the audit elements of the CUC HE Code of Governance, and therefore support the inclusion of a statement of compliance within the Annual Report and Financial Statements.

1293 Compliance Report: CUC HE Audit Code of Practice / CUC HE Code of Governance

Received and considered paper 24/88 ‘Compliance Report: CUC HE Audit Code of Practice / CUC HE Code of Governance’.

Resolved

1293.1 To approve that an appropriate level of assurance has been provided of compliance with the CUC HE Audit Committees Code of Practice and the audit elements of the CUC HE Code of Governance, and therefore support the inclusion of a statement of compliance within the Annual Report and Financial Statements.

1293.2 To approve the enhancement actions identified in the table to strengthen compliance.

1294 Whistleblowing reports

Noted

That no reports had been made under the Whistleblowing Policy since the last meeting of the Committee on 20 June 2024.

1295 Items received for information

Noted

1295.1 The following paper:

24/90C HEFCW Institutional Assurance Visit Action Plan Update

All Officers apart from the Head of Internal Audit and the Governance Advisor left the meeting for the reserved items.

1296 In-Camera meeting

Following the meeting of the Audit and Risk Committee, an in-camera meeting was held. The members of the Audit and Risk Committee, the external auditors, the Head of Internal Audit and the Governance Advisor were present.

The minutes of the meeting held on 10 October 2024 were confirmed as a true and accurate record and were approved by the Committee on 15 November 2024.