Minutes of Proceedings
Date: 18 February 2026
Assembly Commission Audit and Risk Committee (ACARC)
Wednesday 18 February 2026 at 3.00pm
Room 106
Present:
David Murphy, Chairperson
Ivor Johnston, Independent Member
Donall Curtin, Independent Member
In Attendance:
Lesley Hogg, Clerk/Chief Executive
Gareth McGrath, Director of Parliamentary Services
Tara Caul, Director of Legal, Governance and Research Services
Steven Baxter, Director of Corporate Services
Donna-Marie Clark, Data Protection and Governance Officer
Nathan Lynch, Information Standards
Conor McGeown, NIAO
Stephanie McKevitt, NIAO
Beth Lyttle, NIAO
Pauline Poots, EY
Helen Smyth, EY
David Murphy commenced the meeting at 3.05pm and formally welcomed all those in attendance, including the new representatives from the NIAO, Conor McGeown, Stephanie McKevitt and Beth Lyttle.
1. Apologies
Apologies were received from Nuala McAllister, MLA and Paula McClintock, Head of Finance.
2. Declaration of Interests
No interests were declared.
3. Minutes of Previous Meeting
The minutes of the previous meeting, held on 22 October 2025, were agreed.
4. Matters Arising
There were no matters arising.
5. Internal Audit Activity Update
Pauline Poots provided a summary of the Internal Audit Activity, noting that two of eight audits, the Standing Committee Review and the Review of the Administration of the Office of the Official Report, have been completed, with a satisfactory rating achieved in both.
Pauline added that a further two reports, Review of the Management and Administration of Roof Remediation Works and Review of the Office of the Examiner of Statutory Rules had been issued in draft form and are awaiting management responses. She said that the review of Information Management including FOI and Data Protection is at closeout stage and a preliminary debrief has been issued.
David queried whether all outstanding reports would be completed by the May meeting and noted that, at the last meeting, ACARC had been assured that all audits were on track for completion.
Pauline advised that the remaining fieldwork has been scheduled and, while the completion of some audits had taken longer than expected, she is content all outstanding reports will be finalised for the next meeting.
David noted that he had expected the Review of the Office of the Examiner of Statutory Rules to be completed, but that it was still awaiting management responses.
Tara Caul advised that there had been detailed discussion around the accuracy of the narrative relating to the precise nature of the work undertaken by the Office of the Examiner of Statutory Rules in the report that required revision before the final report could be issued. This has now been settled and progress has been made.
Donall Curtin highlighted the importance of the independence of Internal Audit and that timelines are met, but also that management have the opportunity to provide clarification to the auditors as required.
David queried why the reviews of Equality and Good Relations and Staff Pensions, which had been included in the initial 3-Year Internal Audit Plan, were no longer included.
Helen Smyth advised that she thought that the pensions audit had been deprioritised based on the work done by the NIAO. Pauline agreed to look up the rationale for deprioritisation of the reviews and inform ACARC.
Helen provided an update on the two completed reports within Parliamentary Services, noting the Standing Committee Review found that strong controls and processes were in place and therefore no recommendations were made. She outlined that the Review of the Administration of the Office of the Official Report had identified two priority three recommendations.
Action: EY to advise of the rationale for deprioritisation of the Reviews of Equality and Good Relations and Staff Pensions.
ACARC considered and noted the Internal Audit Activity Update.
6. Outstanding Audit Recommendations Schedule
Donna-Marie Clark summarised the status of the outstanding audit recommendations.
Donall queried if officials had any comments on the overdue recommendations.
Donna-Marie advised that the governance training was scheduled for 4 March 2026, and invites would issue shortly.
Gareth McGrath provided a detailed update on the status of the IT Modernisation Project.
In relation to cyber security training, Gareth highlighted that training is available to all Members, including the Home Office’s Personal Cyber Advisory Service which aims to increase cyber security awareness and best practice for both Members and Assembly Commission staff. He advised that further cyber security training would be implemented soon and that the recommendations relating to cyber security are nearing completion.
Donall asked if cyber security training was compulsory.
Gareth advised that training is compulsory for Assembly Commission staff and, while there is no mechanism to make this compulsory for Members, there has been a good uptake for the training among Members.
Lesley Hogg highlighted that physical security measures, such as multifactor authentication and the prohibited use of external devices, are mandatory for Members.
Tara highlighted that good progress had been made in relation to the recommendations relating to delegated procurement and that these should be completed before the end of the financial year.
David noted that he had not seen a copy of the Letter of Delegation from the Assembly Commission to the Clerk/Chief Executive and asked for a copy.
Lesley advised that an updated Letter of Delegation was with the Speaker and that, when signed, she would provide a copy. She also drew attention to the fact that a copy of her Letter of Delegation is included in the annual report and accounts.
Action: Lesley Hogg to provide a copy of her updated Letter of Delegation from the Assembly Commission to the Clerk/Chief Executive when signed by the Speaker.
ACARC considered and noted the Outstanding Audit Recommendations Schedule.
7. NIAO Audit Strategy for the Year End 2025-26
Conor McGeown summarised the strands of the Audit Strategy 2025-26 and outlined the proposed audit timetable.
Conor highlighted that it was a completely new NIAO audit team this year, in line with the NIAO policy of periodically rotating the audit team. He noted that his team had already had meaningful engagement and cooperation with the Finance team to support each other in the transition.
David asked if work had begun on the interim audit.
Beth Lyttle confirmed that interim audit testing had started that week.
ACARC noted the NIAO Audit Strategy for the Year End 2025-26.
8. NIAO Correspondence
Lesley noted the new Letter of Understanding between the NIAO and the Assembly Commission reflecting the change in audit personnel.
David noted the second correspondence item relating to International Standards on Auditing Inquiries of Those Charged with Governance, sent to him in his capacity as chair of ACARC, and that a copy of his return was included in the pack for information.
ACARC considered and noted the NIAO Correspondence.
9. ACARC Objectives 2026-27
Donna-Marie presented the draft ACARC Objectives 2026-27.
Donall suggested a slight change to the wording of the first objective to: “ensure the effective implementation of audit recommendations, including External and Internal Audit Assurance recommendations”.
ACARC agreed with this change of wording.
Action: Information Standards to update the ACARC Key Objectives for 2026-27.
ACARC agreed its Key Objectives for 2026-27.
10. ACARC Terms of Reference 2026-27
Donna-Marie noted that ACARC reviewed its Terms of Reference annually and considered whether it wished to propose any amendments to the Assembly Commission.
ACARC confirmed that it was content with its Terms of Reference and did not wish to propose any amendments to the Assembly Commission.
11. ACARC Cyclical Work Plan
Donna-Marie presented the ACARC Cyclical Work Plan for the period May 2026 to February 2028.
ACARC considered and agreed its Cyclical Work Plan.
12. Corporate Risk Register
Donna-Marie summarised the changes to the Corporate Risk Register (CRR) presented.
Donall asked how regularly the CRR was reviewed and if there was ever discussion about directorate level risks that were not included in the CRR.
Lesley advised that lower-level risks are included on individual Directorate Risk Registers (DRRs) and that if an individual risk achieves a red risk score, it will be considered by SMT for inclusion on the CRR. She noted that the CRR and DRRs were reviewed quarterly.
Steven Baxter advised that, by way of example, Directorate Team Meetings in the Corporate Services Directorate regularly discuss perceived and possible future risks not currently included, as well as discussing current risks and mitigations.
David asked, in relation to CR1, a major incident impacting building security, whether installation of the partial electronic access control system had commenced.
Steven advised that the contract had been signed with a supplier, with the requisite equipment hopefully in place by the end of the financial year.
Donall asked if consideration had been given to best practice elsewhere, for instance in other parliaments.
Steven advised that there was ongoing consultation with the PSNI on security matters and an interparliamentary working group, but noted that each operates within unique landscapes with their own challenges.
ACARC considered and noted the Corporate Risk Register.
13. Risk Management Self-Assessment Checklist and Action Plan
Donna-Marie presented the Risk Management Self-Assessment Checklist and Action Plan, noting that the status of the IT Disaster Recovery Plan had been amended from green to amber, reflecting ongoing changes to the plan following upgrades to the technical environment.
Donall commended the quality of the Self-Assessment and welcomed the inclusion of, and transparency around, the IT Disaster Recovery Plan but reflected that he would prefer the testing to take place on a plenary sitting day, rather than during the Easter recess as currently scheduled.
ACARC considered and noted the Risk Management Self-Assessment Checklist and Action Plan.
14. NAO Cyber Security and Information Risk Action Plan Monitoring
Donna-Marie presented the Cyber Security and Information Risk Action Plan.
ACARC considered and noted the NAO Cyber Security and Information Risk Action Plan Monitoring.
15. Fraud and Bribery Action Plan Monitoring
Donna-Marie presented the Fraud and Bribery Self-Assessment Action Plan Monitoring.
ACARC considered and noted the Fraud and Bribery Action Plan Monitoring.
16. Fraud and Bribery
Steven confirmed that there had been no incidents of Fraud and Bribery since the last meeting but that he was conducting a fact-finding exercise in relation to a matter that had recently been brought to his attention, to establish if it was a suspected fraud, and that he would provide an update at the next meeting.
ACARC noted the update provided.
17. Whistleblowing
Steven confirmed that there had been no incidents of Whistleblowing since the last meeting.
Donall queried if training has been delivered and if there was a role for the chairperson of ACARC in the whistleblowing process.
Lesley advised that the chairperson is one of the people who can be approached with concerns, but that they do not have a role in investigating instances of whistleblowing.
ACARC noted the update provided.
18. Key Guidance from the Department of Finance
Donna-Marie noted that since the last meeting there had been two DAO letters and one FD letter issued by DoF of relevance to the Assembly Commission, the impact of which was outlined in the covering memo.
Donall queried if there had been any actions arising from these letters.
Steven confirmed that all correspondence is reviewed and discussed with the Finance team and any significant changes arising are adopted.
Lesley confirmed that all letters are also reviewed and discussed as part of the year end accounts checklist.
David queried if changes in capital accounting relating to property, plant and equipment have had an effect.
Steven noted that the impact is still being assessed.
ACARC noted the update provided.
Pauline Poots and Helen Smyth left the meeting at 3.55pm.
19. Any Other Business
David noted that the Internal Audit contract was due to expire soon and queried what the next steps were regarding this.
Steven confirmed that, while the contract end date is 27 July 2026, it provides for two extension options and that initial discussions had taken place with EY.
Donall asked how long the process to procure new internal auditors would take.
Tara advised that the procurement process could be up to six months.
David noted that ACARC has no role in the appointment of Internal Audit apart from advising on any proposals for tendering.
David asked, as an action for the upcoming May ACARC meeting, if an update could be provided on the proposals regarding the Internal Audit arrangements.
Action: Steven Baxter to provide update on the Internal Audit contract status at the next meeting.
20. Date and time of next meeting
A meeting date and time was agreed for the afternoon of 13 May 2026.
The meeting ended at 4.09pm.