Minutes of Proceedings

Session: Session currently unavailable

Date: 20 November 2024

Assembly Commission Audit and Risk Committee (ACARC)

Wednesday 20 November 2024 at 4pm Microsoft Teams

Present:

  • David Murphy, Chairperson
  • Ivor Johnston, Independent Member Nuala McAllister, MLA

In Attendance:

  • Lesley Hogg, Clerk/Chief Executive
  • Gareth McGrath, Director of Parliamentary Services
  • Tara Caul, Director of Legal Governance and Research Services
  • Paula McClintock, Head of Finance
  • Donna-Marie Clark, Data Protection and Governance Officer
  • Karl Hedley, Information Standards
  • Suzanne Jones, Northern Ireland Audit Office (NIAO)
  • Laura Murphy, NIAO
  • Pauline Poots, EY
  • Karl De Luna, EY

David Murphy commenced the meeting at 4pm and formally welcomed all those in attendance. In particular, David welcomed the new Assembly Commission representative Nuala McAllister MLA and the Independent Member Ivor Johnston.

 

1. Apologies

Apologies were received from Maurice Keady, Independent Member and Steven Baxter, Director of Corporate Services.

 

2. Declaration of Interests

No interests were declared.

 

3. Minutes of Previous Meeting

The minutes of the previous meeting held on 28 June 2024, were agreed.

 

4. Matters Arising

Lesley Hogg provided an update on the two actions relating to the draft Annual Report and Accounts for the Year Ended 31 March 2024. She advised that she had informed the Assembly Commission of the Excess Vote position on 1 July 2024 and that she had signed the Annual Report and Accounts on 28 June 2024.

 

David sought an update on the status of the Internal Audit Annual Assurance Report. Lesley explained that the Annual Assurance Report remained in draft pending finalisation of the Internal Audit Review of Corporate Governance Arrangements. She outlined that the final draft of the Review of Corporate Governance Arrangements had been presented to the Assembly Commission for consideration of the relevant recommendations at its meetings on 16 October 2024 and 20 November 2024, that the Assembly Commission had agreed its responses to the recommendations and that management responses were being collated.

 

5. Internal Audit Activity Update

Pauline Poots noted that the draft Internal Audit Review of Corporate Governance Arrangements was with the Assembly Commission for comment and that it was expected to be finalised and presented at the next ACARC meeting.

Pauline provided a background summary of the Internal Audit 2024/25 Progress Update Report to the new ACARC members, in addition to outlining the structure of the Internal Audit reports.

Pauline summarised the findings of the Internal Audit Review of HR and the Internal Audit Review of Payroll. She advised that both areas had achieved Satisfactory levels of assurance, that in terms of Payroll, there were two Priority 3 recommendations and in relation to HR, there was one Priority 3 recommendation. Nuala McAllister sought and received clarification of the nature of the Internal Audit work.

Pauline added that a further two reviews were underway in relation to Retention and Disposal and the Review of Building Services, which would be presented at the next meeting.

Ivor Johnston sought assurance that EY and the Assembly Commission had the capacity to complete the audits as laid out in the Internal Audit Plan.

Pauline confirmed that this was the case. As a number of the scheduled audits were in the Parliamentary Services Directorate, Gareth McGrath also confirmed that the schedule would be achievable.

ACARC considered and noted the Internal Audit 2024/25 Progress Update Report and the Internal Audit Reports presented.

 

6. Outstanding Audit Recommendations Monitor

Donna-Marie Clark summarised the status of the outstanding audit recommendations.

David sought updates on all red recommendations. Paula McClintock advised that the review of the Finance staff structure was scheduled to be completed by the end of the year and that further training for some budget holders was being sourced by the Learning and Development team.

Lesley advised that the Safeguarding and Child Protection Policy and Security Clearance Policy had been updated and approved by SMT at its meeting in October 2024 and that these were awaiting circulation to staff.

ACARC considered and noted the Outstanding Audit Recommendations Monitor.

 

7. NIAO Final Report to Those Charged with Governance

Suzanne Jones presented the Final Report to Those Charged with Governance (RTTCWG) and provided a brief background summary to new ACARC members. She thanked Assembly Commission staff for their assistance in conducting the audit before outlining each of the findings in detail.

Suzanne reiterated that the Comptroller and Auditor General certified her qualified opinion based on regularity. She highlighted that the Excess Vote related to a technical issue concerning a new provision for a potential future liability regarding the costs of remedial works to repair the roof of Parliament Buildings, which had breached the control total and led to the accounts being qualified.

Suzanne stated that the Comptroller and Auditor General had certified the 2023-24 financial statements with an unqualified 'true and fair' opinion and qualified regularity opinion.

Suzanne advised that the NIAO had identified three significant risks at the start of the audit and outlined how these had been addressed. She said that the first related to management override of controls and that the NIAO had made one recommendation to improve the audit trail and processing of journals, that the second risk was in relation to accounting for Parliament Buildings roof repair cost and that the final risk was in relation to Governance Arrangements within the Assembly Commission.

Suzanne added that there were other recommendations made during the course of the audit to improve disclosures in the governance statement, with five findings in total, three Priority 1 and two Priority 2 ratings.

Suzanne noted that assurances had been provided by the Assembly Commission regarding a confidential fact-finding report and that the NIAO was therefore content that the findings of the report would not impact on the audit opinion.

Suzanne noted concern that the Internal Audit Review of Corporate Governance Arrangements had not yet been finalised, although accepted the update provided. Suzanne also noted that the NIAO had experienced some difficulty obtaining documentation during the audit process this year, with several versions of the draft accounts being provided throughout the audit.

She confirmed that she had discussed a way forward with Steven Baxter in relation to these issues.

David asked what would happen in relation to the recommendations that were partially accepted and not accepted.

Suzanne informed him that an approach had been agreed in relation to the partially accepted recommendations. In respect of the recommendation in relation to FAPP, which had not been accepted, Suzanne advised that the NIAO would generally be guided by the audited body in such cases as to the best approach to take.

ACARC noted the Final Report to Those Charged with Governance.

 

8. Corporate Risk Register (CRR)

Donna-Marie Clark summarised the changes to the CRR presented.

Ivor Johnston asked whether the budget risk at CR5 should be removed.

Lesley advised that this particular risk related to ensuring that the Assembly Commission received enough budget to deliver the Corporate Strategy. She stated that it remained a risk until the Assembly Commission's budget requirement was formally approved by the Assembly. Lesley explained that the 2025/26 budget had now been agreed by the Assembly Commission and the Assembly Audit Committee and that it would be debated by the Assembly in Plenary in December 2024.

Lesley noted that the Assembly Commission took a dynamic approach to the CRR, adding and removing risks as necessary.

David sought clarification on the passage of the CRR. Lesley explained that it was agreed quarterly by SMT, then considered by ACARC and also considered by the Assembly Commission biannually.

ACARC considered and noted the CRR.

 

9. Stewardship Statements

Directors presented their Stewardship Statements.

Gareth noted that significant investment had been made across staffing, devices and infrastructure within the Information Systems Office, which is expected to be delivered over the next 12 to 18 months. He outlined that the Assembly Commission had committed further resourcing throughout the 2025/26 financial year to address the increased pressures on delivering sufficient parliamentary scrutiny.

Lesley provided an update on the Corporate Services Directorate in Steven Baxter's absence. She noted that two senior accountants had been returned to the Finance Office to relieve staff pressures following the termination of the Corporate Systems Project and that this had also allowed work to progress on the Fraud and Bribery Policy, which is currently under review and expected to be included in the next meeting of ACARC. She also advised that Steven was leading a process with Directors to develop proposals in relation to resources for strategic planning, for SMT consideration.

Tara Caul provided an overview of the team structures and work undertaken by the Directorate of Legal, Governance and Research Services. She noted that the staff complement of the Legal Services Office had been increased to support the work of the Windsor Framework Committee. She also noted that SMT discussions were ongoing in relation to the need for additional staff resources dedicated to governance administration, records management and the implementation of a new electronic file management system.

Tara advised that implementation of the Procurement Act 2023 had been delayed until February 2025, but that a complete review was underway and that the team continued to make preparations for implementation.

ACARC noted the Stewardship Statements.

 

10. Risk Management Self-Assessment Action Plan Monitoring

Donna-Marie summarised the process and findings of the Risk Management Self-Assessment Action Plan Monitoring.

David inquired as to whether the Plan would now be blank, following the completion of all outstanding actions.

Donna-Marie advised that this would be the case, but that if there were significant findings from NIAO or Internal Audit reports, officials would be content to revisit the biennial review at an earlier date.

ACARC noted the Risk Management Action Plan Monitoring.

 

11. Biennial Review of Cyber Security and Information Risk Self- Assessment and Action Plan

Donna-Marie summarised the process and findings of the biennial review of the Cyber Security and Information Risk Self-Assessment, which had been completed in October 2024, and the subsequent Action Plan that had been developed.

David inquired if the Assembly Commission held particularly sensitive data.

Lesley confirmed that there was little in the way of confidential information held by the Assembly Commission and that the main sensitive data held would be personal data relating to Members and staff. She advised that the business of the Assembly Commission was largely conducted in the public domain.

Lesley also noted that a Cyber Security Technical Review had been undertaken and that recommendations were being implemented.

ACARC noted the Cyber Security and Information Risk Self-Assessment and Action Plan.

 

12. Fraud and Bribery Self-Assessment and Action Plan

Donna-Marie summarised the process and findings of the biennial review of Fraud and Bribery Self-Assessment, which had been undertaken in September 2024, and the subsequent Action Plan that had been developed.

David queried the nature of Internal Audit's work in relation to fraud and bribery. Pauline confirmed that matters relating to fraud and bribery policies and procedures would usually fall into a generic Governance Review. David asked Pauline to consider for the next meeting where these matters would fall within the Internal Audit plan. Lesley Hogg confirmed that there had only ever been one minor instance of fraud in the Assembly Commission as far as she was aware.

ACTION: Pauline Poots to consider how Fraud and Bribery is addressed within the Internal Audit Plan.

ACARC noted the Fraud and Bribery Self-Assessment and Action Plan.

 

13. Key Guidance from the Department of Finance

David noted that since the last ACARC meeting there had been two DAO letters and three Finance Director (FD) letters issued by DoF, the impact of which had been outlined in the covering memo.

Lesley sought confirmation on whether the new ACARC members wished to be notified of all DAO and FD that were issued or only those that were of relevance. ACARC members confirmed that they only needed to be informed of those that were of relevance to the Assembly Commission.

ACARC noted the update provided.

 

14. Fraud and Bribery

In Steven's absence, Paula confirmed that there had been no reports of Fraud and Bribery since the last meeting.

ACARC noted the update provided.

 

15. Whistleblowing

In Steven's absence, Paula confirmed that there had been no reports of Whistleblowing since the last meeting.

ACARC noted the update provided.

 

16. AOB

David sought clarification on a press release noting an internal review by the Assembly Commission of certain matters relating to Members' expenses.

Lesley noted that from time to time the Assembly Commission conducts reviews to consider whether any breaches of the Assembly Members (Salaries and Expenses) Determination (Northern Ireland) 2016 (the Determination) have occurred and to identify any control weaknesses. She also advised that there was provision in the Determination for the recoupment of monies, where necessary.

 

17. Date of Next Meeting

David asked that Donna-Marie Clark circulate and agree the date of the next meeting in February.

 

The meeting ended at 17:15 pm.