Minutes of Proceedings
Session: Session currently unavailable
Date: 16 May 2018
ROOM 106, PARLIAMENT BUILDINGS
Jim Brooks, Chairperson
Lesley Hogg, NIA
Rodney Allen, NIAO
Tara Caul, NIA
Richard Stewart, NIA
Paula McClintock, NIA
Eddie Kelly, NIA
David Johnston, NIA, Secretary
The meeting commenced at 2.04 pm.
Apologies were received from Jim Wells MLA; Brian Moreland, Head of Internal Audit; and Dr Gareth McGrath, Director of Parliamentary Services, who is currently on secondment. SARC members again sent their best wishes to Brian.
2. Declarations of Interest
There were no declarations of interest.
3. Minutes of Previous Meeting
Minutes of the previous meeting held on 31 January 2018 were approved without amendment.
4. Matters arising
It was noted that both action points have been completed, with the draft Internal Audit Plan for 2018-19 on the agenda.
5. Internal Audit Activity / Assurance
Eddie Kelly gave SARC members an overview of the Internal Audit Reports and Follow-up Reports which had been issued since April 2017, focusing on the reports that had issued since the SARC meeting on 31 January 2018.
The final report on the Review of Usher Services was issued on 1 March 2018 with eight recommendations, seven of which were accepted. The unaccepted recommendation refers to responsibility for the management of the Security Management System budget. Usher Services management’s view is that this responsibility should remain with Building Services, given the latter’s role in approving hardware maintenance work and authorising its payment. Internal Audit is content with this assessment
The recommendations were in relation to Parliament Buildings Access; Control Room Key Database; Compliance with Lost Property Policy; VMS – Post-Contract Evaluation; Upper Car Park Permits issued to Assembly Members; and Operational Planning (Room Booking App).
The assurance rating for this audit is Satisfactory.
The final report on the Review of the Roof Project was issued on 21 March 2018 with three recommendations. Recommendations were made in respect of convening a Project Board meeting to formally close the project following the Defects Liability Period; recording Project Board approval in any instance where project methodology deviates from the requirements defined in the PID; and ensuring that all of the records relating to the roof project are systematically filed in order to provide a comprehensive management trail of the entire project.
The assurance rating for this audit is Satisfactory. SARC members stressed the importance of documentation being systematically filed and readily acknowledged that the Roof Project was a good project, delivered on time and within budget.
The follow-up report on the Review of Northern Ireland Assembly Commission Support to Politics Plus was issued on 12 February 2018. The successful implementation of the original recommendation resulted in the assurance level being raised to Substantial.
The follow-up report on the Voluntary Early Severance (VES) Scheme Administration was issued on 14 February 2018. Successful implementation of both recommendations resulted in the assurance level being raised to Substantial.
The follow-up report on the Review of Risk Management was issued on 7 February 2018. Successful implementation of the original recommendation resulted in the assurance level remaining Substantial.
The follow-up report on the review of iTrent (HR) was issued on 24 April 2018. Internal Audit noted successful implementation of 17 of the 18 original recommendations. As regards the remaining recommendation (risk rating 1), Internal Audit agreed an alternative approach proposed by management to control the risk of unauthorised HR staff access to recruitment scheme records. It was noted that procedures have been amended to reflect the new procedures; however, this cannot be demonstrated until the next relevant recruitment competition is held. The assurance level remains Satisfactory.
In relation to audits in progress, Eddie advised SARC that work on the review of Secretariat Travel has been completed. Internal Audit is in the process of clarifying several issues prior to publication of the draft report.
Fieldwork on the review of PECOS (purchase to pay system) has been completed. The draft report is at quality assurance stage and will be published following this stage.
The Review of Members’ Expenses has commenced, and testing has just been completed at constituency offices. Eddie confirmed to SARC that this is based on a 25% sample of Members, with all Members being audited at least once within the mandate.
Eddie reported that, in addition to the planned assurance and control-related consultancy activity carried out during the year, the Head of Internal Audit and Audit Manager provided assistance to the Houses of the Oireachtas during Quarter 3 of 2017-18 in respect of Internal Audit quality assessment and risk based planning.
An outturn of planned versus actual days for the 2017-18 Internal Audit plan was tabled, and it was noted that this did not include time spent concluding the 2016-17 plan or unplanned direct activity such as the provision of control-related consultancy services, and attendance at corporate groups and project boards. Other factors affecting the outturn for 2017-18 included the provision of assistance to the Houses of the Oireachtas, the temporary redeployment of a member of the audit team (since the beginning of January), and the impact of long-term leave on the unit. The SARC Chairperson noted that the budgeted days for 2017-18 appeared low for the number of staff in the unit and that while some progress had been on a resource plan he would like to see more.
A 2018/19 plan has been agreed by the Secretariat Management Group and tabled as a separate agenda item.
The Audit Manager informed SARC that the overall level of assurance for the period 1 April 2017 to 31 March 2018 is Satisfactory.
SARC members were pleased to note that there were no Audit Reports in 2017-18 resulting in Limited or Unacceptable assurance ratings.
No whistleblowing cases have been reported to Internal Audit to date this year, and no new cases of fraud have been identified by or reported to Internal Audit since the last SARC meeting.
The next meeting of the inter-parliamentary Head of Internal Audit group is due to be held in the National Assembly for Wales in late June 2018.
The Assembly’s Internal Audit function was rated as fully compliant in all aspects of the standards during its last Quality Assurance and Improvement Review (follow-up report dated September 2014). These reviews are required at least every five years. As previously reported, the Heads of Internal Audit of the Scottish and Welsh legislatures have agreed in principle that the three bodies engage in a review arrangement that would facilitate the requirements of the standards in a cost-effective manner. In preparation for the next external review, some planned time has been set aside for the current year to conduct an internal quality assessment of the Internal Audit function.
All members of the Internal Audit team monitor compliance with the Continuing Professional Education requirements of the Institute in order to maintain their certified status. Progress is discussed at team meetings throughout the year.
Rodney Allen noted that the Assembly Commission was continuing to use the Substantial assurance rating, and that this was contrary to the approach adopted by the Northern Ireland Civil Service and wider public sector. It was confirmed that SARC had made the conscious decision to retain the Substantial rating to provide an incentive to staff to achieve better than Satisfactory.
6. 2018-19 Internal Audit & Resource Plan
Eddie Kelly tabled the 2018-19 Internal Audit & Resource Plan, as agreed by SMG on 25 April 2018. The plan has been based on the final year of the current Internal Audit Strategy. Formulation of the plan has also included discussions with the Clerk/Chief Executive and members of SMG; discussions with Heads of Business, including the Head of Finance and the Head of IS; review of the Corporate Risk Register; consideration of the results of previous audits; assessment of the efficiency of delivery of assurance; and the identification of areas carried over from the 2017-18 periodic plan.
Rodney Allen highlighted that the audit of Business Continuity had been deferred from 2017-18 and queried why it was not on the 2018-19 plan. Eddie explained that resources were being prioritised in the current circumstances. Lesley advised that she had recently initiated a strategic review of business continuity with the Assembly Commission which would change current arrangements and that auditing current arrangements was likely to be of limited benefit.
Eddie presented the accompanying Resource Plan and outlined the resource pressures currently being experienced in Internal Audit as a result of staff absence and staff temporary redeployment. Eddie explained that the Resource Plan presented resource days for two scenarios, one based on a complement of 2.8 FTE staff which would enable the full plan to be delivered and a second scenario based on a complement of 1.9 FTE reflecting current resources in the unit. The inherent risk in limiting the scope of planned internal audit activity will be a consequently limited audit opinion at year end.
The SARC Independent Member requested that the Audit Manager critically look at the proposed audits and the time allocated to ensure that the Assembly Commission avoided a limited audit opinion at the end of the year. Lesley Hogg advised that SMG had already planned to consider resources when more clarity was received regarding the scope of the audits included in the plan and that resources may need to be reprioritised at that stage.
Action: 2018-19 Internal Audit & Resource Plan to be revisited once scope of planned audits has been considered.
SARC members acknowledged that a flow of activity and audit reports was needed to avoid a limited audit opinion. SARC members noted that the Audit Manager is to make recommendations to SMG at the end of June in relation to how best the plan can be delivered. SARC members welcomed the further development of Internal Audit resource planning as helpful and useful.
7. Audit Recommendations Schedule
SARC members considered the updates and noted the continuing high level of implementation of accepted Audit recommendations, with 13 recommendations currently “in progress”. SARC members continue to view implementation as very important and were pleased with the good progress that had been made and maintained in this area.
8. NIAO update on audit of 2017-18 Financial Statements
Rodney Allen informed SARC that no significant matters had arisen in NIAO’s interim audit work and that the final audit of the Financial Statements is to commence on 21 May 2018.
Rodney thanked the Assembly Secretariat for facilitating an NIAO intern as part of the audit process.
9. Draft Assembly Resource Accounts 2017-18
Paula McClintock apologised for the late circulation of the draft accounts the previous evening and explained that the timescale for preparation was extremely tight. She also acknowledged that SARC members would not have had sufficient time to read them in detail and indicated that comments could be provided up to the end of the week. Paula gave SARC members an overview of the draft Accounts and set out the background of Spring Supplementary Estimate assumptions that had resulted in underspends in the Resource and Capital outturns.
The SARC Chairperson and the Clerk/Chief Executive congratulated the Finance Office on the timely production and significant effort that had gone into the preparation of the draft Accounts, and the Head of Finance thanked her team for all their hard work.
Action: SARC members to contact the Head of Finance, by 18 May 2018, with any further comments or queries on the draft Accounts or Governance Statement.
10. Directorate Risk Registers
SARC members considered the contents of the Directorate Risk Registers and acknowledged the quality of the documents and the usefulness of reviewing them annually at SARC. Directors gave brief overviews of the key risks identified. All present recognised the need for the registers to be living documents with input from staff at all levels.
11. Corporate Risk Register
SARC members noted the changes made to the contents of the Corporate Risk Register since the January 2018 SARC meeting and the excellent correlation with the Directorate Risk Registers. The SARC Chairperson also noted that while the Assembly Commission had a number of high risks SMG actively amended the residual risk scores to reflect the mitigations put in place.
12. Stewardship Statements (at 31 March 2018)
SARC members noted the contents of the Stewardship Statements as at 31 March 2018. SARC members found the statements to be a valuable discipline in strengthening accountability and a useful resource for Internal Audit.
SARC members sought and received assurance on the Assembly Commission’s preparedness for the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018. It was noted that an Information Commissioner’s Office seminar had been held for MLAs and Party staff and that a comprehensive information note had been provided. The SARC Independent Member stated that he was very impressed with the Assembly Commission’s work on GDPR.
13. SARC Annual Report and Self-assessment
SARC members were content with the contents of the SARC Annual Report and the very positive self-assessment, subject to minor additions to the concluding paragraph of the report, and for the Annual Report to be presented to the Assembly Commission. The SARC Chairperson stated that the Secretariat had shown great strength and resilience in a very difficult year.
Action: David Johnston to circulate revised wording, by 18 May 2018, to reflect the overall Internal Audit Satisfactory assurance rating; the Substantial ratings achieved; and the fact that there had been no Limited or Unacceptable ratings during 2017-18.
14. National Audit Office: Cyber Security & Information Risk Checklist Action Plan monitoring
The Governance Officer advised SARC that the National Audit Office’s good practice guide “Cyber Security and Information Risk Guidance for Audit Committees” checklist had been completed in January 2018 and an action plan put in place to improve and strengthen a small number of areas where potential weaknesses were identified. SARC members noted the high level of implementation to date.
15. NI Audit Office’s Managing Fraud Risk and British Standards Institution’s Anti-Bribery Self-assessment Checklist Action Plan monitoring
The Governance Officer informed SARC that the Northern Ireland Audit Office’s Managing Fraud Risk Self-assessment Checklist and the British Standards Institution’s Anti-bribery Self-assessment Questionnaire were completed in September 2017, confirming a very high level of compliance. An action plan was put in place to improve and strengthen a small number of areas where potential weaknesses were identified. SARC members noted the latest implementation position.
16. NI Audit Office: Bribery & Corruption Checklist Action Log monitoring
The Governance Officer advised SARC members that the Northern Ireland Audit Office’s “Managing the Risk of Bribery and Corruption: A Good Practice Guide for the Northern Ireland Public Sector” organisation checklist had been completed in January 2018 and the assessment had confirmed a very high level of compliance. A short Action Log to further enhance compliance had been compiled. SARC members noted the latest implementation position.
In relation to fraud prevention and detection, it was confirmed to SARC members that the Assembly Secretariat participates in the National Fraud Initiative.
SARC members thanked the Governance Officer for the considerable amount of work that had gone into completing and monitoring the various checklists throughout 2017-18.
17. Key Guidance from Department of Finance
SARC members noted the three DAO letters and three FD letters that had been issued by the Department of Finance since the January 2018 SARC meeting.
18. Department of Finance Audit and Risk Assurance Committee Handbook (NI) 2018
The Governance Officer informed SARC that the Department of Finance had issued its Audit and Risk Assurance Committee Handbook (NI) 2018 on 30 March 2018. The contents are almost identical to those of the HM Treasury Audit and Risk Assurance Committee Guidance, issued in April 2016, but without the full HM Treasury annexes on Whistleblowing and Cyber Security. A Gap Analysis has been carried out and this has confirmed a high level of compliance within the NI Assembly Secretariat.
SARC members were grateful for the analysis and were pleased to note the high level of compliance.
There was no other business.
20. Date of Next Meeting
The date of the next meeting is Wednesday 20 June 2018.
The meeting ended at 3.35 pm.