Minutes of Proceedings


Date: 22 October 2025


Assembly Commission Audit and Risk Committee (ACARC)

Wednesday 22 October 2025 at 3.00pm

Room 106


Present:

David Murphy, Chairperson

Ivor Johnston, Independent Member

Donall Curtin, Independent Member

Nuala McAllister, MLA

In Attendance:

Lesley Hogg, Clerk/Chief Executive

Gareth McGrath, Director of Parliamentary Services

Tara Caul, Director of Legal, Governance and Research Services

Steven Baxter, Director of Corporate Services

Paula McClintock, Head of Finance

Donna-Marie Clark, Data Protection and Governance Officer

Nathan Lynch, Information Standards

Suzanne Jones, Northern Ireland Audit Office (NIAO)

Laura Murphy, NIAO

Helen Smyth, EY

Gerda Visinskaite, EY

David Murphy commenced the meeting at 3.05pm and formally welcomed all those in attendance. David welcomed the new Independent Member Donall Curtin, in addition to Nathan Lynch and Gerda Visinskaite.


1. Apologies

An apology was received from Pauline Poots, EY.


2. Declaration of Interests

Donall Curtin advised that he had been appointed as a member of the Audit and Risk Committee for the Equality and Human Rights Commission.

Action: Donall Curtin to write to the Clerk/Chief Executive with details of his appointment.


3. Minutes of Previous Meeting

The minutes of the previous meeting, held on 25 June 2025, were agreed.


4. Matters Arising

There were no matters arising.


5. Internal Audit Activity Update

Helen Smyth provided a summary of the Internal Audit Activity noting that the 2025-26 Internal Audit Plan was on course for completion within the agreed timeframe.

David Murphy queried if the four scheduled audits would be completed for presentation at the February ACARC meeting.

Helen confirmed that the audits were expected to be completed by Christmas with draft reports issued for management response.  

Donall queried if EY had encountered any blocks or difficulties accessing information when undertaking internal audit work.

Helen advised that EY had not encountered any difficulties, that EY received full cooperation from staff and that audits have been scheduled accordingly.

Donall requested a copy of the Internal Audit 3-year Cyclical Plan.

Action: EY to provide copy of the Internal Audit 3-year Cyclical Plan to Donall Curtin.

ACARC considered and noted the Internal Audit Activity Update.


6. Outstanding Audit Recommendations Schedule

Donna-Marie Clark summarised the status of the outstanding audit recommendations.

Donall queried if target dates were set for any overdue recommendations.

Lesley Hogg advised that new target dates are included in the position column of the monitor.

David Murphy asked if there had been any changes to the staffing structure within the Finance Team considering the Key Person Dependencies recommendation.

Lesley stated that the review of the Finance Office recommended that the services and processes in the Finance Office needed to be reviewed and a service catalogue developed before staffing needs can be identified.

Steven Baxter reiterated this point but stated that the Finance Team was stretched by routine business which is delaying the creation of the service catalogue. Steven noted that while this recommendation has been marked complete, the risk has not been mitigated and will continue to be tracked on the Corporate Services Directorate Risk Register.

ACARC considered and noted the Outstanding Audit Recommendations Schedule.


7. Report to Those Charged with Governance 2024-25

Suzanne Jones presented the updated Report to Those Charged with Governance considered by ACARC at its meeting on 25 June 2025, noting that management comments had now been included in relation to the recommendations made.

ACARC noted the Report to Those Charged with Governance.


8. Corporate Risk Register

Donna-Marie summarised the changes to the Corporate Risk Register (CRR) presented.

Donall noted that he was impressed by the level of detail outlined in the CRR and found this to provide a great level of assurance. However, he queried the timeframe for implementation of the Cyber Security Assurance Review recommendations and if there were plans to test the Cyber Incident Management Plan.

Gareth McGrath advised that SMT was due to meet in November to discuss and agree the implementation and testing of the Cyber Security Incident Plan.

Donall emphasised that unannounced testing was important to provide practical insight to inform revisions and improvements to the plan.

Steven recognised this and advised that a test of the Business Continuity Plan had taken place the previous year which focused on a cyber security incident occurring on a plenary sitting day and that this had provided clear lessons to take forward. He also advised that the Head of IS is working with external consultants to consider a variety of approaches to testing the robustness of systems.

Lesley also highlighted that annual penetration testing is carried out in addition to socially engineered phishing tests.

Gareth noted that there was a high level of investment and recruitment of specialist staff in this area, all of which address the cyber security recommendations.

David queried what steps were being taken to mitigate the risk of a major incident impacting building security.

Steven noted that given the small number of incidents to date, this risk had been included in the Corporate Services Directorate Risk Register, rather than at a Corporate Level. Steven outlined the current processes and noted the ongoing partnership with the PSNI.

Donall asked if there were plans to consult other parliaments on their approach to building security.

Steven outlined the Assembly Commission’s ongoing relationship with interparliamentary working groups but noted that each operate within unique landscapes with their own challenges.

Lesley advised that Usher Services regularly prepare and train for different types of incidents and scenarios.

Nuala McAllister stated that MLAs welcomed the focus on security matters, given the abuse many MLAs faced, and highlighted the good work of Usher Services.

ACARC considered and noted the Corporate Risk Register.

9. Stewardship Statements

Directors presented their Stewardship Statements.

Gareth noted that upcoming recruitment competitions will complete the Parliamentary Services staff complement and that additional staff had been recruited to enhance legislative scrutiny.

Donall queried the number of vacant posts.

Gareth advised that approximately 10-15 permanent posts, out of around 200 in his directorate, were currently vacant, mostly in the new Visitor Experience Team, but that they were filled by agency staff.

Tara Caul noted that the key risk for the Legal, Governance and Research Services directorate continued to be maintaining skills and staffing levels. She advised that a new AG7 governance post had been added to the staff complement within Information Standards and that while a number of vacancies in RaISe were filled by agency staff, permanent recruitment was imminent.

Steven noted that the key risks within Corporate Services were resource related, particularly in relation to the Finance Team as previously discussed. He added that there was limited capacity to deliver beyond routine business and that there was work to be done to mitigate the staffing risk. Steven also noted that modernisation was required within Building Services, and a project management office was needed to manage longer term improvement projects.

David queried the timescale for the review of resources in the Finance Office.

Steven advised that it was difficult to determine as the creation of a service catalogue is a significant piece of work and it would not be prudent to commit to a timeframe until this work was completed, but that he and Paula McClintock were considering.

Donall asked if a survey had been carried out on the building to inform a maintenance plan. Steven noted that work was in progress. Lesley outlined that maintenance plans were in place for standard and statutory maintenance works, however a business case will need to be made for additional funding if large scale maintenance projects are identified.

ACARC considered and noted the Stewardship Statements.


10. Risk Management Strategy

Donna-Marie summarised the updated Risk Management Strategy, stating that the strategy had been brought in line with the revised HM Government publication, The Orange Book: Management of Risk – Principles and Concepts.

David asked if the strategy complied with the revised guidance.

Donna-Marie confirmed that SMT had reviewed the revised guidance and considered the appropriateness of the proposed changes. She noted that the Assembly Commission provided greater detail around areas such as risk identification, and that these practical elements had been retained for ease of use.

Tara agreed this was important and considerable time had been taken to review the strategy and make the terminology more accessible.

Donall asked if this was an opportunity to remind staff of the importance of embedding risk management.

Donna-Marie highlighted that training is provided for Heads of Business on a bi-annual basis; that, following the launch of the revised strategy, she will be available for Q&A sessions or business specific advice and assistance; and that the updated strategy is pending publication on the staff intranet.

David acknowledged that the update had involved a substantial amount of work.

ACARC considered and noted the Risk Management Strategy.


11. NAO Cyber Security and Information Risk Action Plan Monitoring

Donna-Marie presented the Cyber Security and Information Risk Action Plan.

Donall queried the role of AI, noting that it provided both opportunities and risks.

Lesley advised that an AI Steering Group had been established along with an inter-parliamentary forum on AI, but there is more that the Assembly Commission wishes to explore in relation to AI.

David noted that some overdue actions on the Action Plan were due to be progressed before the next meeting and asked if there was any concern that the IT Security Officer (ITSO) post was not filled on a permanent basis.

Lesley advised that the current temporary post holder is making excellent progress on policies and risks related to Cyber Security.

Gareth concurred, advising that there had been significant investment in modernising systems and training. He also noted that permanent recruitment of the ITSO is on the recruitment schedule.

ACARC considered and noted the NAO Cyber Security and Information Risk Action Plan Monitoring.


12. Fraud and Bribery Self-Assessment Action Plan Monitoring

Donna-Marie presented the Fraud and Bribery Self-Assessment Action Plan Monitoring.

Donall queried the update regarding the ongoing training programme.

Lesley outlined that staff receive mandatory Fraud and Bribery training on a two-year cycle.

ACARC considered and noted the Fraud and Bribery Self-Assessment Action Plan Monitoring.


13. Fraud and Bribery

Steven confirmed that there had been no incidents of Fraud and Bribery since the last meeting.

ACARC noted the update provided.


14. Whistleblowing

Steven confirmed that there had been no incidents of Whistleblowing since the last meeting.

Donall asked how training on whistleblowing is rolled out to staff and how staff understanding of the policy is tested.

Lesley stated that a reminder is issued to staff on an annual basis, signposting is included in the staff handbook, changes to the policy are communicated and that the Behaviour Code is posted throughout the building.

Steven advised that whistleblowing is not explicitly covered in the staff survey but the more general theme of raising issues is, with results showing room for improvement.  

Donall said that the Assembly Commission seems to be compliant on the policy front but hoped that staff felt empowered to raise concerns.

Steven said that a lot of work is being done following the results of the staff survey, including themes of improving leadership culture. He offered to share the staff survey results with Donall.

Action: Steven Baxter to share results of the staff survey with Donall Curtin.

ACARC noted the update provided.


15. Key Guidance from the Department of Finance

Steven noted that since the last meeting there had been one DAO letter and one FD letter issued by DoF of relevance to the Assembly Commission, the impact of which had been outlined in the covering memo.

ACARC noted the update provided.


16. Any Other Business

David asked that meeting papers be provided one week in advance of the next meeting.


17. Date and time of next meeting

A meeting date and time was agreed for the afternoon of 18 February 2026.

The meeting ended at 4.06pm.