Transparency data

RSH ARAC minutes - 24 April 2023

Updated 8 February 2024

Applies to England

Public minutes of the Audit and Risk Assurance Committee meeting

on Monday 24 April 2023 at 10am
Hybrid meeting MS Teams and room FG47, 2 Marsham Street, London

8.Remote and virtual participation

8.1 Any member may validly participate in a meeting through the medium of conference telephone, video conferencing or similar form of communication equipment, provided that all persons participating in the meeting are able to hear and speak to each other throughout such meeting, or relevant part thereof. A member so participating shall be deemed to be present in person at the meeting, and shall accordingly be counted in a quorum and entitled to vote.

8.2 A meeting shall be deemed to take place where the largest group of those members participating is assembled or, if there is no group which is larger than any other group, where the Chair of the meeting is.

Members

• Liz Butler - Chair
• Richard Hughes

In attendance

• Fiona MacGregor - Chief Executive (via MS Teams)
• Jonathan Walters - Deputy Chief Executive
• Richard Peden - Director, Finance and Corporate Services
• Emma Tarran - Senior Assistant Director: Head of Legal and Company Secretary
• Mike Newbury - NAO, Audit Director (via MS Teams)
• Lisa Harvey - Head of Internal Audit, Government Internal Audit Agency
• Jenny Obee - Engagement Lead, GIAA
• Mike Weaver - Good Governance Institute - observer - via MS Teams
• John O’Mahony - Assistant Director, Corporate Services and Performance - item 9
• Christine Kitchen - Company Secretary - minutes

1. Welcome and apologies

01/04/23 The Chair welcomed everyone to the meeting. There were apologies from committee member Kalpesh Brahmbhatt and there was no representative from DLUHC. The Chair welcomed Mike Weaver of Good Governance Institute who was observing the meeting as part of a commissioned external board effectiveness review.

2. Declarations of Interest

02/04/23 There were no new declarations of interest.

3. Minutes of the last meeting

03/04/23 LH requested clarification in the minutes in 14/01/23 that GIAA had reviewed the reports HE produced and acknowledge their assurance ratings, but they did not conduct any of their own testing in this area, and in 15/01/23, that the audits will be to draft report stage by end of March, not final report stage.

04/04/23 Subject to the changes noted above, the minutes from 23 January 2023 were approved.

4. Matters Arising

05/04/23 The actions were noted

5. NAO Audit Plan

06/04/23 MN apologised and advised the committee that the NAO were still not in a position to confirm their audit planning programme. He and the new team have started work on the plan for the RSH audit and he committed to being in a position to share this with the Chair and RBP by the end of the week.

07/04/23 Next step is that the June ARAC meeting will receive a planning document setting out the audit areas and risk landscape and MN will liaise with RBP further on this. MN advised that it is their intention that they will conduct a single visit which will cover the interim and final audit in the autumn, in the hope that this will be less disruptive to other work pressures for the RSH staff involved in the audits and production of the annual report. MN also confirmed that they will work around GIAA timetables and plans.

08/04/23 RH queried whether there is likely to be impacts to the audit of pension funds due to Autumn fiscal events. MN said it was difficult to confirm, but there was some residual impact on audit work in previous years work due to triannual valuations.

09/04/23 RBP stressed the point that there is a pressing need for clarity around the timescales for the planning meeting at which the audit plan can be agreed and LB added that her term with the RSH ends in the summer, so there is also a risk that she will not be in post to sign off the final audit. MN accepted both points and said that he will do everything to ensure dates and timelines are agreed very soon.

10/04/23 The Chair thanked MN for the update and asked RBP to keep her updated.

6. Internal Audit Plan

11/04/23 LH introduced audit plan 23/24 and sought the views of the committee. She introduced the papers that were to be presented. She explained that it was a risk-based plan which would be reviewed periodically to ensure that it remained fit for purpose. They have consulted with senior staff, carried out a risk assessment ensuring priority areas of the business plan are covered and all strategic risk areas set out in the RSH SRR. Members noted the areas of audit planned for Q1-4.

12/04/23 LB queried whether the GIAA was appropriately resourced, and LH confirmed it was, without the need to sub-contract any work.

13/04/23 LB queried whether the audit of the DCSR might be too soon. RBP advised that the first round of data collection has been successfully completed and in addition to us doing a lessons learned, it would be helpful to get additional assurance from GIAA on what was a big project. We could take away the learning as we embark on the next big procurement/implementation project – digital service procurement. LH said that they could be flexible with the timing if necessary. LB was content for RBP to liaise with GIAA. JO added that they could also engage their data analyst team to provide further assurance on the data transferred from NROSH+ should that be deemed necessary.

14/04/23 Annex 3 to the document set out the three-year plan and LB said that she had found that document very helpful.

7. MOU and Charter

15/04/23 LH noted that the members had received the two documents and asked if there were any queries on either. LB asked that the MOU be reviewed to include a clause confirming the continuity of GIAA staff with the requisite knowledge of the sector for our audits and confirmation that we expect our information to be treated as confidential. LH agreed to review these two areas, and LB confirmed that subject to these two points the committee was content with the documents.

8. Internal Audit progress reports

16/04/23 JO reported on the audits in the 2022/23 plan and confirmed that the draft reports had all been completed as at end of March and confirmed that 100% are now at final stage. JO confirmed that the recommendations are also on track. The outstanding actions relating to HE audits are also closed.

17/04/23 Members noted the ratings for the completed audits:

• Functional Standards Implementation received a substantial assurance rating. One medium and two low recommendations were made; one low action has been completed, and the remaining two are not yet due.
• IT Controls received a substantial assurance rating. One low recommendation was made but this is not yet due.
• Managing Stakeholder Expectations has been given a substantial assurance rating
• Management has agreed to extend the due date for 4 actions (2 moderate,2 low) relating to the Procurement of the Data Collection System audit from 31 March 2023 to 31 May 2023 due to pressures on the Finance team. Management agreed that until these actions are complete they would ensure that any procurement activity complies with the agreed actions.

18/04/23 JO provided some additional background to the Financial Standards audit and the recommendation in relation to FS001, which following further investigation, does need to be complied with by the RSH and is due for completion in June. RBP confirmed that we will be able to reach compliance.

19/04/23 For the IT controls review audit, GIAA reported they had engaged with their IT specialist team who had high praise for all three areas covered in the audit. The low-level recommendation was in relation to the completion of the IT strategy which has progressed and again the quality of the IT training materials, training, raising awareness on cyber fraud and evidence of educating staff on their roles to protect the organisation were of a very high standard.

20/04/23 LB thanked JO for the updates and asked RBP to pass on the very positive comments to the IT team. RBP confirmed that he would.

21/04/23 LB thanked LH and JO for the very comprehensive and well-structured reports.

9. Review of Strategic Risk Register

22/04/23 RBP introduced the paper, flagging the report on cyber fraud, which has been requested in light of the number of organisations recently targeted. The report provides reasonable assurance across the board that our systems are in a good place.

24/04/23 JOM joined the meeting and provided members with an overview of the SRR, which is reviewed regularly by ARAC. Reviews had been undertaken with risk owners and the Executive team and scores were based on the risk appetite set by the Board. Currently seven risks are above appetite. JOM gave an update on some areas noted in the report.

25/04/23 Inadequate powers or remit The overall position with the risk is unchanged.

26/04/23 Implementation of proactive consumer regulation.

27/04/23 Security risk.

28/04/23 LB asked for confirmation that the SRR goes to DLUHC on a six-monthly reporting cycle and asked that future reports include any feedback received on our SRR from them. JOM to action and LB thanked him for the report which shows there has been a lot of work done to review the register. LB asked that the annex paper on cyber fraud is shared with the Board. Action: CK

10. Forward Planner

29/04/23 The planner was discussed, and it was agreed that it will be reviewed when we have the NAO plan in order to decide when the ARA will be presented to ARAC. RBP advised that notwithstanding that the June meeting will not now review the ARA, he suggested we kept the meeting in diaries, and pick up other matters, including the deep dive into whistleblowing that had been deferred from this meeting.

11. Any other business

30/04/23 There were no other matters of business. LB thanked everyone for their attendance and contributions to the discussions.

Date of next meeting: 26 June 2023