Minutes of Proceedings

Session: Session currently unavailable

Date: 16 May 2025

Assembly Commission Audit and Risk Committee (ACARC) Minutes 16 May 2025.pdf (169.24 kb)

Assembly Commission Audit and Risk Committee (ACARC)

Friday 16 May 2025 at 2.00pm

 

Present:

  • David Murphy, Chairperson
  • Ivor Johnston, Independent Member
  • Andy Allen, MLA

 

In Attendance:

  • Lesley Hogg, Clerk/Chief Executive
  • Gareth McGrath, Director of Parliamentary Services
  • Tara Caul, Director of Legal Governance and Research Services
  • Paula McClintock, Head of Finance
  • Donna-Marie Clark, Data Protection and Governance Officer
  • Karl Hedley, Information Standards
  • Suzanne Jones, Northern Ireland Audit Office (NIAO)
  • Laura Murphy, NIAO
  • Helen Smith, EY

 

David Murphy commenced the meeting at 2.00pm and formally welcomed all those in attendance. David welcomed the Assembly Commission representative Andy Allen who was attending on behalf of Nuala McAllister MLA.

 

David expressed his gratitude to Maurice Keady, Independent Member on behalf of ACARC for his time and contribution to the Assembly Commission during his tenure.

 

1. Apologies

Apologies were received from Maurice Keady, Independent Member, Nuala McAllister (MLA), Steven Baxter, Director of Corporate Services and

Pauline Poots, EY.

 

2. Declaration of Interests

No interests were declared.

 

3. Minutes of Previous Meeting

The minutes of the previous meeting held on 19 February 2025, were agreed.

David noted an outstanding action to amend and circulate the ACARC Biennial Cyclical Plan and asked that this be completed in advance of the next meeting.

Action: Donna-Marie Clark to amend and circulate ACARC Biennial Cyclical Plan.

 

4. Matters Arising

Internal Audit Strategy and Value Charter

David queried the progress of the Internal Audit Strategy and Value Charter.

Helen Smyth confirmed that the draft Internal Audit Strategy and Value Charter and Internal Audit Plan for 2025-26 were currently with senior management and is expected to be presented to ACARC at the next meeting.

 

Fraud and Bribery Policy and Response Plan

David noted that, at the last meeting, ACARC members had agreed to consider the Fraud and Bribery Policy and Response Plan and submit feedback by correspondence to the Head of Finance. ACARC members confirmed that they had no comments.

Helen confirmed that some comments had been made by EY.

Paula McClintock stated that the comments would be considered, and the Fraud and Bribery Policy and Response Plan would be formally finalised.

 

ACARC discussed and noted the matters arising.

 

5. Internal Audit Activity Update

Helen provided a summary of the Internal Audit Update Report noting that ten audits had been completed and that the Review of Delegated Procurement was in draft form.

David queried whether there were any implications from the publication of the recent Global Internal Audit standards. Helen confirmed there were no significant changes to the Internal Audit approach and that EY remained compliant.

Helen summarised the findings of the Internal Audit Review of Information Services Office including Cyber Security Arrangements, noting that the audit took into account the recommendations set out in the Independent Cyber Security Assurance Review. She advised that a further eight recommendations had been made to supplement and strengthen the Cyber Security Action Plan that was in place.

Helen stated that this was a very complex area and that a specialist team had been used to undertake the work. She confirmed that some very good practices had been identified but that as the majority of actions in the Action Plan had not yet been implemented the assurance was therefore Limited.

Helen summarised the findings of the Internal Audit Review of Statutory Committees, the Internal Audit Review of Clerking and Member Support (CAMS) and the Internal Audit Review of Members' Costs. She advised that each area had achieved Satisfactory levels of assurance.

Ivor Johnston queried if the May 2027 timeframe for completion of the Cyber Security Assurance Review Action Plan was reasonable and whether it could be brought forward. David also queried whether sufficient resources were in place.

Gareth McGrath confirmed that considerable work was involved given the extent of the current legacy infrastructure and that the timeframe was reasonable. Lesley Hogg confirmed that the entire IT platform was being modernised.

Gareth stated that a temporary Information Technology Security Officer (ITSO) had been appointed, pending permanent recruitment, and that other IS staff were being upskilled to support the work in this area.

David queried why the Internal Audit Review of CAMS focused solely on the Parliamentary Excellence Programme and whether further work was required on CAMS. Helen confirmed the Parliamentary Excellence Programme was a major component of the CAMS remit and therefore a stand-alone audit was not required.

Helen went on to present the Internal Audit Follow up Review of Outstanding Recommendations. Helen noted that of twenty-nine recommendations, nineteen had been fully addressed and ten partially addressed.

Helen raised concerns regarding the volume of manual processes carried out by the Finance Office and the delay in implementing a new finance system.

David queried whether knowledge of the delay would have impacted the outcome of the prior year audit on Review of Budgeting and Key Financial Reporting. Helen confirmed that further considerations would have been given to strengthen controls as an interim measure.

Lesley outlined that due to supplier non-performance the contract for the delivery of the Systems Review Project had been terminated by the Assembly Commission and that options to deliver the project were being explored.

Lesley and Paula assured ACARC that, despite the manual nature of some of the processes, robust financial controls were in place.

David queried if the Internal Audit Review of Members Costs had replaced the review of Financial Assistance to Political Parties (FAPP).

Lesley explained that the FAPP audit was currently undertaken by an external supplier as part of a three-year contract, but that from 2027-28 it should be delivered by EY under the Internal Audit contract.

ACARC considered and noted the Internal Audit Progress Update Report, Internal Audit Follow-Up Report, and the Internal Audit Reports presented.

 

6. Internal Audit Annual Assurance Report

Helen summarised the Internal Audit Annual Assurance Report and advised that all reports had been completed except for the Review of Delegated Procurement. She advised that the draft Annual Assurance Report provided Satisfactory assurance which was unlikely to change when finalised and that she expected the final report to be presented at the next meeting.

ACARC considered and noted the Internal Audit End of Year Report.

 

7. Outstanding Audit Recommendations Monitor

Donna-Marie summarised the status of the outstanding audit recommendations.

David noted a variation between the Outstanding Audit Recommendations Monitor and the Internal Audit Follow Up of Outstanding Recommendations. Lesley advised any unlisted partially complete recommendations would be reinstated.

David sought updates on the overdue recommendations.

In relation to the review of key person dependencies within the Finance Office, Lesley noted that at the time of the initial audit, the two senior accountants had been seconded to the Corporate Systems Review Project; that they had since returned to their substantive posts in the Finance Office and that another agency senior accountant had been retained on a temporary basis. She advised that the report on the review of the Finance Office staff structure had recently been provided in draft form for management consideration. Paula concurred with the position as outlined.

In relation to the delivery of Strategic and Corporate Planning, Lesley noted that Steven Baxter had committed to working with SMT in relation to this matter and that a comparative exercise would be conducted by the Head of Human Resources.

Action: Review and reinstate partially implemented recommendations not currently listed to the Outstanding Audit Recommendations Monitor.

ACARC considered and noted the Outstanding Audit Recommendations Monitor.

 

8. Draft Annual Report and Accounts for the Year Ended 31 March 2025

Paula McClintock apologised for the late circulation of the Draft Annual Report and Accounts, highlighting the challenging timeframe faced by the Finance team. She then talked through the memo which contained an overview of the draft 2024-25 Annual Report and Accounts.

Paula provided a brief overview of the draft figures and advised there were no significant additional reporting requirements applied this year, nor were there any changes in accounting estimates or policies.

Paula also advised that information on some pension-related disclosures was awaited from the Government Actuary's Department. She asked that any comments on the draft Annual Report and Accounts be provided by 19 May 2025 to enable them to be considered prior to submission to NIAO.

ACARC noted the draft Annual Report and Accounts for the Year Ended 31 March 2025 and that any comments should be provided to Paula by 19 May 2025.

 

9. NIAO Update on the Audit of the Financial Statements for the Year Ended 31 March 2025

Suzanne Jones noted that NIAO had commenced its audit of the accounts and that there were currently no issues to raise with ACARC.

ACARC noted the update provided.

 

10. Corporate Risk Register (CRR)

Donna-Marie summarised the changes to the CRR presented.

David queried if the target score for the Cyber Security Incident risk was achievable, given the recommendations in progress. Gareth accepted that this target score may need increased as the wider inherent risk continues to evolve, however the residual risk score is appropriate.

David queried if the timeline for remedial roof repairs was achievable.

Lesley advised that the repairs would be broken into two phases and, based on the latest advice received from CPD, phase one is expected to be completed this calendar year and the procurement for phase two in January 2026.

ACARC considered and noted the CRR.

 

11. Directorate Risk Registers (DRR)

Donna-Marie presented the DRRs and summarised the changes set out in the DRR Risk Analysis.

ACARC considered and noted the DRRs and Risk Analysis.

 

12. Stewardship Statements

Directors presented their Stewardship Statements.

Gareth noted that there were still some agency staff in post and that the recruitment market was difficult for posts such as clerks and senior staff.

Tara Caul provided an overview of the work undertaken by the Directorate of Legal, Governance and Research Services. She noted that the staff complement in the Legal Services Office had been increased to deal with pressures and that a new Head of RaISe had been appointed.

Tara also noted that additional staff resources dedicated to governance administration and records management had been agreed in principle by SMT and confirmation of budget is awaited.

Tara advised that significant work has been undertaken by the Procurement Office to implement changes brought about by the Procurement Act 2023 and that new E-Sourcing software had now been implemented.

Lesley provided an update on the Corporate Services Directorate in Steven Baxter's absence. She highlighted that as discussed earlier in the meeting, a report on the Finance Office staff structure is now in draft form for management consideration, plans have been made to action remedial roof repairs, and the Head of Human Resources is conducting a comparative exercise in relation to resources for strategic planning, for SMT consideration.

ACARC noted the Stewardship Statements.

 

13. Draft ACARC Annual Report and Self-Assessment

David presented the draft ACARC Annual Report and Self-Assessment noting the early adoption of the new NIAO Good Practice Guide and Self-Assessment Checklist and the considerable work that had gone into completing the checklist, given its length and very recent publication. Subject to some minor amendments (to be agreed by correspondence), ACARC agreed that the Annual Report would remain in draft form until receipt of the final Internal Audit Annual Assurance Report.

ACARC considered and agreed the ACARC Annual Report and Self-Assessment, subject to finalisation following the receipt of Internal Audit's Annual Assurance Report.

 

14. NAO Cyber Security and Information Risk Action Plan Monitoring

Donna-Marie presented the Cyber Security and Information Risk Action Plan.

ACARC noted the Cyber Security and Information Risk Action Plan.

 

15. Fraud and Bribery Action Plan Monitoring

Donna-Marie presented the Fraud and Bribery Action Plan.

ACARC noted the Fraud and Bribery Action Plan Monitoring.

 

16. Fraud and Bribery

In Steven's absence, Paula confirmed that there had been no reports of Fraud or Bribery since the last meeting.

National Fraud Initiative

Paula noted that the National Fraud Initiative had been completed with no reported issues.

ACARC noted the update provided.

 

17. Whistleblowing

Lesley confirmed that there had been no incidents of Whistleblowing since the last meeting.

ACARC noted the update provided.

 

18. Key Guidance from the Department of Finance

Donna-Marie noted that since the last ACARC meeting there had been two DAO letters and one Finance Director (FD) letter issued by DoF, the impact of which had been outlined in the covering memo.

Paula advised that these were routine cyclical correspondence relating to the preparation of the year end accounts.

ACARC noted the update provided.

 

19. AOB

None.

 

20. Date of Next Meeting

David asked that a meeting date for October be circulated and agreed.

 

The meeting ended at 3.37pm.