Minutes of Proceedings
Session: Session currently unavailable
Date: 18 October 2017
SECRETARIAT AUDIT AND RISK COMMITTEE (SARC)
WEDNESDAY 18 OCTOBER 2017
ROOM 21, PARLIAMENT BUILDINGS
Jim Brooks, Chairperson
Jim Wells MLA
Lesley Hogg, NIA
Louise Mason, NIAO
Tara Caul, NIA
Paula McClintock, NIA
Brian Moreland, NIA
Eddie Kelly, NIA
David Johnston, NIA, Secretary
1.1 Apologies were received from Dr Gareth McGrath, Director of Parliamentary Services, and Richard Stewart, Director of Corporate Services.
2. DECLARATION OF INTERESTS
2.1 There were no declarations of interest.
3. MINUTES OF THE PREVIOUS MEETINGS
3.1 The minutes of the SARC meeting held on 20 June 2017 were approved without amendment.
4. MATTERS ARISING
4.1 SARC members noted the two completed action points.
5. INTERNAL AUDIT ACTIVITY / ASSURANCE, INCLUDING REVIEW OF THE INTERNAL AUDIT PLAN
5.1 Brian Moreland, Head of Internal Audit, informed SARC that final reports have been issued in respect of the scoping review of Cyber Security and Members’ Expenses.
5.2 The scoping review will be used primarily to inform the allocation of Internal Audit resources in respect of audits where systems are in use that are web/cloud-based. Three recommendations were made relating to best practice in respect of third party providers, clarity of roles and responsibilities, and social media accounts.
5.3 The Members’ Expenses audit resulted in a Satisfactory level of assurance with recommendations made regarding office signage, Members’ signatures, landlords’ details, declarations and travel.
5.4 Mr Moreland advised SARC of audits in progress. A draft report has been sent for management review in respect of the Internal Audit of the Roof Project. Fieldwork on the RaISe and Security & Usher Services audits is also complete, and draft reports have been submitted for Internal Audit management review.
5.5 Terms of Reference in respect of Secretariat Travel and PECOS have been issued and fieldwork is expected to begin in October.
5.6 Since the Internal Audit Plan for 2017-18 was originally agreed at the May SARC meeting, several additional factors have emerged which will impact on the extent to which the plan may be completed. The Head of Internal Audit has met with the Clerk/Chief Executive and Director of Legal, Governance & Research Services to determine the impact that temporary redeployment of Assembly staff could have. It was agreed that some degree of prioritisation could be implemented and that certain audits would be re-scheduled to the final quarter of the plan. A suggested revised plan was presented to SARC.
5.7 As Internal Audit staff (approximately 50%) have now been included in plans for temporary re-deployment, a more radical change to the plan would seem appropriate. It has been suggested that the audits of Procurement, Legal Services, the Standards & Privileges Committee and Business Continuity move to the end of the plan. This would facilitate completion of the audits already in progress and allow for prioritisation of Secretariat travel and PECOS while there are sufficient staff in place to permit these assignments to be completed. The Head of Internal Audit also intends to proceed to audit the Secretariat’s preparedness for the General Data Protection Regulation early in 2018.
5.8 SARC members sought reassurance that there were sufficient audit resources to maintain an audit programme with reasonable coverage. The SARC Chairperson stated that the absence of an Internal Audit resource plan made the impact of temporary redeployment hard to gauge and asked that one was produced in future to aid the Committee’s deliberations. In response, the Head of Internal Audit provided assurance that his staff were fully occupied. SARC members were content with the proposed changes to the plan.
5.9 Brian Moreland reported that the overall level of assurance for the period 1 April 2017 to 31 September 2017 is Satisfactory. Internal Audit will continue to base the level of assurance for the year on the outcomes of the assignments that can be completed, but the annual opinion from the Head of Internal Audit may consequently be drawn from a narrower view.
5.10 Mr Moreland explained that Internal Audit will be prepared to work with management in order to identify innovative solutions to emerging risk management issues that may manifest themselves as a consequence of reducing staffing levels.
5.11 Mr Moreland informed SARC that no whistleblowing cases have been reported to Internal Audit to date this year, and no new cases of fraud have been identified by, or reported to, Internal Audit since the June SARC meeting.
5.12 The Head of Internal Audit and the Head of Finance have been invited to participate in the Fraud Investigator Practitioner Forum. This group has been established to consider the practical issues facing public sector bodies when leading or assisting in fraud investigations. The group will be directly involved in re-drafting the Memorandum of Understanding between public sector bodies and the PSNI in respect of such investigations. There may also be training opportunities for Secretariat staff as the group develops and explores the options available for those directly engaged in investigatory work.
5.13 Brian Moreland informed SARC that one member of the Internal Audit team is due to begin a short-term re-deployment to a Northern Ireland Civil Service Internal Audit unit. This has initially been scheduled to last for between three to six months. The Head of Internal Audit has been in discussion with officials from the Oireachtas to begin work on scoping the Internal Audit function. In addition, the Audit Manager may be involved in assisting with an Internal Quality Assurance Review for the same body. The timing of this work is due to be agreed in October 2017 and the scoping exercise is likely to begin in November 2017.
5.14 Mr Moreland reported that a meeting of the inter-parliamentary Head of Internal Audit group was held in Parliament Buildings on 16 June 2017. Items on the agenda included Cyber Security, the General Data Protection Regulation (GDPR), external reviews and possible Brexit impacts. The increasing focus on Cyber Security has placed additional demands on Internal Audit resources in each of the bodies represented. The approach has been similar, with all spending some time on identifying the systems in place and the assurances currently available. All had a broadly similar view on the GDPR, with audits of each organisation’s preparedness scheduled to take place in the 2017-18 year. The nature and extent to which Brexit is perceived to impact on audit plans was variable, but all agreed that additional guidance from HM Treasury would be useful.
5.15 There was agreement from all in attendance that it would be a cost-effective approach to participate in External Quality Assurance reviews with other legislatures but care should be exercised to avoid conflicts of interest.
5.16 All members of the Internal Audit unit have identified relevant generic and specialist training for the year ahead. The Head of Internal Audit and the Audit Manager attended the annual Chartered Institute of Internal Auditors Conference in London in October 2017. All have attended the mandatory in-house GDPR training sessions and both Internal Auditors have also been to an external event on the same subject. Each member of the unit is expected to monitor their compliance with the Continuing Professional Education (CPE) requirements of the Institute in order to maintain their certified status. Progress will be discussed at team meetings throughout the year and the Institute has produced a template to facilitate recording of CPE.
6. REVIEW OF FINANCIAL ASSISTANCE FOR POLITICAL PARTIES SCHEME 2016
6.1 The Head of Finance gave an overview of the independent audit of the Financial Assistance to Political Parties Scheme 2016 carried out by PricewaterhouseCoopers. One Low priority recommendation had been made relating to providing clarification in respect of redundancy and bonus payments. In response, the Finance Office has undertaken to review and issue revised guidance.
6.2 SARC members sought and received clarification on the definition of a “Party”. It was also confirmed that payments under the scheme are continuing during the current political situation.
7. AUDIT RECOMMENDATIONS SCHEDULE
7.1 SARC members considered the updates and noted the continuing high level of implementation of accepted Audit recommendations, with 13 recommendations currently “in progress”. SARC members again stressed the importance of reviewing implementation progress, as happens at each SARC meeting. The Clerk/Chief Executive pointed out that a number of existing recommendations are awaiting political developments before they can be fully implemented.
8. FINAL REPORT TO THOSE CHARGED WITH GOVERNANCE
8.1 Louise Mason advised SARC that the NI Assembly Accounts had been certified prior to the Summer Recess. The Report to those charged with Governance was now finalised and contained only one recommendation, at Priority 2, in relation to the monitoring of contract costs. The SARC Chairperson welcomed the helpful landmark of a cleared set of accounts with no significant issues of concern. Jim Wells MLA paid tribute to the Clerk/Chief Executive, the Finance team and other staff involved in the production of the accounts.
9. CORPORATE RISK REGISTER
9.1 SARC members noted the changes made to the contents of the Corporate Risk Register since the June SARC meeting. The contents were discussed and SARC members were content. In particular, SARC welcomed identification of risks relating to Member confidence, Business Continuity and Brexit.
10. SARC TERMS OF REFERENCE (ANNUAL REVIEW)
10.1 SARC members reviewed the Terms of Reference for SARC and were content with the current wording, which is largely based on the HM Treasury Audit and Risk Assurance Committee Handbook of March 2016. SARC members expressed their appreciation of the timely circulation of SARC papers and minutes.
11. FRAUD AND BRIBERY ASSESSMENTS
11.1 The Governance Officer advised SARC that the Northern Ireland Audit Office’s Managing Fraud Risk Self-assessment Checklist and the British Standards Institution’s Anti-bribery Self-assessment Questionnaire had been completed in September 2017, together with narrative detailing compliance.
These assessments confirmed a very high level of compliance and an action plan has been put in place to improve and strengthen a small number of areas where potential weaknesses were identified. The Assembly’s Bribery Risk Assessment, in place since June 2013 and subject to annual review, was reviewed, strengthened and formatted in line with the Risk Registers.
All of these documents have been brought together in the one document, which was approved by SMG on 27 September 2017.
11.2 The SARC Chairperson welcomed the document and offered his assistance, as part of his existing role as Chairperson, in raising the profile of fraud and bribery issues should a suitable occasion be identified. All present recognised the need for robust management of any allegations of fraud and bribery against Assembly staff. The Clerk/Chief Executive thanked the Governance Officer and relevant Heads of Business for their excellent work on the assessments and action plan.
12. KEY GUIDANCE FROM DEPARTMENT OF FINANCE
12.1. SARC members noted the one DAO letter that had been issued by the Department of Finance since the June SARC meeting. SARC members confirmed that they found the ongoing circulation of guidance from the Department of Finance helpful.
13. REVISED ORGANISATIONAL STRUCTURE
13.1 The Clerk/Chief Executive updated SARC on the revised organisation structure that had come into effect on 1 October 2017. The resignation of the Director of Facilities had provided an opportunity to revise the structure, and, following consultation with the Commission and discussions with the Senior Management Group, the Director of Facilities post has been suppressed. In conjunction with this, SMG reviewed the organisational structure and decided to reposition some areas of work.
13.2 SARC members regarded the restructuring as sensible, advising that it would take time to embed and would be tested in practice in a restored, fully functioning Assembly.
14.1 SARC members were informed that, as Louise Mason was due to leave the NI Audit Office in January 2018, this was her last SARC meeting. All present appreciated Louise’s input to SARC meetings over the years and wished her well for the future.
15. DATE OF NEXT MEETING
15.1 The next meeting of SARC will be held in late January / early February 2018.