Minutes of Proceedings
Date: 17 October 2018
SECRETARIAT AUDIT AND RISK COMMITTEE (SARC)
WEDNESDAY, 17 October 2018 at 2.00 PM
ROOM 106, PARLIAMENT BUILDINGS
Jim Brooks, Chairperson
Jim Wells MLA
Lesley Hogg, NIA
Rodney Allen, NIAO
Christine Burns, NIAO
Tara Caul, NIA
Richard Stewart, NIA
Paula McClintock, NIA
Eddie Kelly, NIA
Ashleigh Mitford, NIA
1. Opening / Review
The meeting commenced at 2.05 pm.
The SARC Chairperson welcomed Ashleigh Mitford to her first SARC meeting.
Apologies were received from Brian Moreland, Head of Internal Audit and Dr Gareth McGrath, Director of Parliamentary Services, who is currently on secondment.
2. Declarations of Interest
There were no Declarations of Interest made at this point in the meeting. Jim Wells MLA declared an interest during item 5.
3. Minutes of Previous Meeting
Minutes of the previous meeting, held on 20 June 2018, were approved without amendment.
Rodney Allen and Christine Burns joined the meeting at 2.08 pm.
4. Matters arising
Action points from the previous meeting have been completed and no points were raised.
5. Internal Audit Activity / Assurance
Eddie Kelly gave SARC members an update on Internal Audit activity since the SARC meeting on 20 June 2018.
The final Report on the Review of PECOS issued on 26 July 2018 with two recommendations, both of which were accepted. The assurance level for this audit is satisfactory.
The final Report on the Review of Members’ Expenses issued on 23 July 2018. Two recommendations were made, both of which were accepted. The assurance level for this audit is satisfactory.
The final Report on the Review of Secretariat Travel issued on 29 August 2018. The Report contained five recommendations, four of which were fully accepted. The assurance level for this audit is satisfactory.
The SARC Chairperson considered that all three audits had been well carried out and welcomed the fact that audit recommendations were accepted.
Jim Wells MLA asked if the Review of Secretariat Travel had identified any abuse. Eddie advised Mr Wells that the audit sample covered travel undertaken in 2016/17 and 2017/18 and that this timespan covered a period of normal parliamentary business and the current period of reduced Secretariat activity. No abuse was detected in the course of the audit.
The SARC Chairperson asked if there had been any findings around information security. Eddie advised that the report included recommendations relating to a review of the information held to ensure that it is compliant with General Data Protection Regulation (GDPR); and appropriate encryption to ensure the security of electronically transmitted payment details.
The Follow-up Report on the Review of the Provision of Hardware and Software issued on 1 August 2018.
Of the five recommendations made in the original report, four have been fully implemented and one has been partially implemented. The full development of the asset management reporting functionality remains outstanding. The assurance level remains satisfactory.
Jim Wells MLA referred to discussions at the Assembly Commission meeting on Thursday 11 October 2018 in relation to the Assembly Commission’s ability to attract and retain specialist IS staff. He asked if any concerns raised in the Review of the Provision of Hardware and Software were due to any inability to attract/retain staff.
Eddie clarified that the Terms of Reference (ToR) of the Review related specifically to controls around hardware and software provision, and that resources were not included in the ToR.
Paula McClintock joined the meeting at 2.18 pm.
Eddie provided an update on the status of audits in progress, including: the Review of Public Engagement; the Review of Support Services; a follow-up exercise in relation to the recent Review of Members’ Expenses; and a Review of Administrative Support to the Assembly Members Pension Scheme. Jim Wells MLA declared an interest as a member of the Pension Trustees for the Assembly Members Pension Scheme.
Eddie provided an update on a number of recommendations that were presented to, and accepted by, SMG in relation to the Internal Audit Plan. The revised audit plan is included in the papers and Eddie confirmed that delivery of this plan represents sufficient coverage to enable the provision of a robust opinion on the framework of control, governance and risk management at the end of the current financial year.
SARC members are of the view that the scope and rigour of Internal Audit Reports provide a valuable insight into the internal control environment. Thus far there have been no significant issues; however, the Chairperson emphasised that maintaining this position relies on continuous review and the ongoing high rate of acceptance and implementation of internal audit recommendations.
Lesley Hogg advised SARC members that SMG will keep the Internal Audit Plan under review, with the Head of Internal Audit bringing any issues to its attention.
The SARC Chairperson observed that the current staff temporary redeployment situation provides the opportunity to look at areas that would be difficult to consider at other times. Conversely, some audits would be less useful in the current circumstances. The SARC Chairperson further observed that entries in Risk Registers around keeping in touch with temporarily redeployed staff provide good assurance regarding the specific risks associated with the high level of voluntary redeployment.
SARC members were advised that delivery of the audit plan is on target and that there have been no significant deviations from the Internal Audit Plan in the appendix of the paper presented.
The SARC Chairperson noted that the planned external review of Internal Audit should prove useful, given the current circumstances. It is anticipated that the external review will take place in 2019/20.
Eddie advised SARC members that the overall level of assurance is Satisfactory. This is based on work by Internal Audit and management’s implementation of recommendations.
Eddie advised that there have been no incidences of Whistleblowing reported to Internal Audit since the SARC meeting of 20 June 2018. He went on to brief SARC members on an attempted case of Fraud.
There was an attempted use of a Group Procurement Card (GPC), held by the Assembly Commission, that was flagged as an unusual merchant transaction in August 2018. The attempted misuse of the GPC did not result in any financial loss. Action under the terms of the Fraud Prevention and Anti-Bribery Response Plan was instigated and, following detailed consideration of the available information, it was agreed that Finance Office management would conduct a number of internal reviews of the GPC policies and procedures. It was further agreed that the revised policy and procedures would be forwarded to Internal Audit for quality assurance purposes.
The SARC Chairperson agreed that the indications were that this was an incident of cloning rather than physical misuse of a procurement card. This is an important distinction.
Lesley Hogg expressed that it is reassuring that the issue was picked up so quickly by Barclaycard. The SARC Chairperson agreed, stating that there are inherent safeguards in using procurement cards.
Eddie advised SARC members that he attended the Inter-Parliamentary Heads of Audit Group meeting in Cardiff on 28 – 29 June 2018. The meeting included a particularly useful discussion regarding the audit of GDPR arrangements which will inform Internal Audit’s approach to this area later in the year. Other items covered included Members’ expenses, resourcing issues, annual reports and reporting formats. The next meeting is scheduled to be jointly hosted by the House of Lords and the House of Commons in early 2019.
The SARC Chairperson advised the meeting that an instructive and high quality presentation was made to the Assembly Commission, at its October 2018 meeting, on the implementation of GDPR in the organisation.
Eddie advised that, as the acting Head of Internal Audit, he is carrying out an External Quality Assessment of the Scottish Parliament’s internal audit function, as per the inter-parliamentary arrangement previously discussed with SARC.
6. Audit Recommendations Schedule
SARC members considered the updated schedule. It was noted that the implementation of four recommendations is dependent upon political developments, leaving nine recommendations currently ‘in progress’. There was a discussion around the two audit recommendations that have been changed to ‘red’ (overdue) status.
The first ‘red’ recommendation relates to a review of how gifts and hospitality are reported. This has moved to ‘red’ status because work on this review has been delayed. Paula McClintock assured SARC that there are robust Gifts & Hospitality policy and procedures in place, and clarified that the review being undertaken aims to integrate how the Assembly Commission currently records gifts and hospitality, offered to others, with the Assembly Commission’s purchasing system.
The second audit recommendation with a red status relates to the Review of the Roof Project. The draft Post Project Evaluation and Project Closure documentation has been produced. Richard Stewart confirmed that a final Project Board meeting will take place by 31 October 2018.
Officials advised SARC members that recommendations with a ‘red’ status were expected to be ‘green’ by the next meeting.
SARC members continue to view implementation of audit recommendations as very important and were assured by the good progress demonstrated in the schedule.
7. NIAO Report to those charged with Governance
Rodney Allen spoke to the final version of the NIAO Report to those charged with Governance, the draft of which was considered by SARC on 20 June 2018. The final version of the Report includes management’s responses to the recommendations.
The SARC Chairperson was impressed with the Report both in terms of completing it within such a tight timescale and in terms of how well the financial control environment is operating.
Rodney Allen also advised the meeting that NIAO are reporting to the Pension Trustees for the Assembly Members Pension Scheme on related audit work next week.
8. Corporate Risk Register
SARC members noted and welcomed the changes made to the contents of the Corporate Risk Register (CRR) since the June 2018 SARC meeting.
In relation to Corporate Risk 5 – “Obligations arising from the United Kingdom leaving the EU are placed on the Assembly”, the SARC Chairperson was supportive of the revisions made to this Risk, which include an upwards revision of Inherent and Residual Risk Scores. Lesley Hogg spoke to some of the Risk Responses being implemented to manage the Risk such as the EU Working Group; Brexit Response Plan; and consideration of procedural implications.
In relation to Corporate Risk 2 - Major Incident / Breakdown (including security incident), the SARC chair queried whether the PSNI presence at Parliament Buildings is at the same level as it was previously, given the reduced parliamentary activity. Lesley Hogg confirmed that it has not changed.
The SARC member then asked whether there had been a review of security undertaken recently. Lesley Hogg confirmed that, as stated in Corporate Risk 2, certain measures had been recommended within previous reports by the PSNI and Internal Audit in relation to physical security in Parliament Buildings. The Assembly Commission has, however, decided not to accept the recommendations of officials to implement outstanding recommended physical security measures. The Assembly Commission’s decision was on the basis, in part, of keeping Parliament Buildings as open as possible. Jim Wells MLA confirmed that the Assembly Commission’s decision did not reflect the view of the Chief Executive.
Lesley Hogg advised that a further internal review of security measures had been undertaken following the attack in Westminster and that stab vests had been introduced for security staff as a result of this review.
SARC members welcomed the revisions to the Corporate Risk Register.
9. SARC Terms of Reference
SARC considered its Terms of Reference and agreed these, subject to two amendments.
Action: Governance Officer to amend the draft Terms of Reference to provide for another Assembly Commission Member to attend on behalf of the nominated Member, if required.
Action: Governance Officer to amend the draft Terms of Reference to reflect the fact that NIAO are charged by statute to carry out the external audit of the Northern Ireland Assembly.
10. NAO Cyber Security & Information Risk checklist Action Plan monitoring
The NAO Cyber Security & Information Risk Checklist was completed in January 2018 and an Action Plan put in place. SARC considered the latest implementation position.
SARC members felt that the approach taken by the Assembly Secretariat was very reassuring. They observed that the review of IS Capacity being undertaken by the Head of Digital in the Scottish Parliament is well timed, given discussions that took place at the October 2018 Assembly Commission meeting regarding the difficulty in attracting and retaining IS staff. There was a discussion around the Assembly Commission’s plans to address IS staffing going forward, adopting a twin-track approach of growing skills internally, through apprenticeships, and through external recruitment. There was further discussion around the competitive nature of the IS recruitment market in terms of salary and benefits, and indeed the challenges faced in the qualified accountant recruitment market.
11. NIAO Fraud and BSI Bribery self-assessment checklist Action Plan monitoring
12. NIAO Bribery & Corruption checklist Action Log monitoring
The Governance Officer spoke to the Action Plans together and confirmed that all action points bar one have been completed. The outstanding action is in progress and relates to provision of possible additional training, if required, for those identified as being at most risk of Fraud and Bribery.
SARC members commended the comprehensive approach taken and the Chairperson emphasised the effectiveness of training in reducing fraud. Rodney Allen welcomed the identification, completion and reporting of actions and informed SARC that he referenced the Assembly Secretariat as an exemplar of best practice to other organisations in adopting this approach to checklist completion and ongoing review. The Chairperson welcomed the internal vigilance shown in the self-assessment approach adopted.
13. Key Guidance from Department of Finance
SARC members noted the three DAO/FD letters and one FD letter issued by the Department of Finance since the June 2018 SARC meeting.
14. Stewardship Statements - at 30 September 2018
SARC members noted the contents of the Stewardship Statements for the six months to 30 September 2018. Directors were invited to comment on the Stewardship Statement(s) provided for their Directorate.
Richard Stewart drew the attention of SARC members to the final section of the Corporate Services Stewardship Statement, which relates to physical security. Richard stated that physical security continues to be a risk.
The Chairperson remarked that Tara Caul has been heavily involved in GDPR implementation. Tara confirmed this and advised that she had nothing further to add to what is set out in the Stewardship Statement for Legal, Governance and Research Services Directorate.
Lesley Hogg reminded those present that she is managing the Parliamentary Services Directorate in Gareth McGrath’s absence. She stated that, other than the IS staffing position discussed earlier in the meeting, there was nothing else she wished to draw to SARC’s attention.
The Chairperson was of the view that assurance provided through Stewardship Statements is a good practice and is helpful to SARC in its review and identification of any pressure spots.
No items were raised
16. Date of Next Meeting
The next SARC meeting will take place on Wednesday 6 February 2019.
The meeting ended at 3.05 pm.