Audit and Risk Committee minutes – April 2024

Neil Prior (NP) – Chair

Samina Ali (SA)

John-Mark Frost (JMF)

Andrea Gale (AG)

Ben Summers (BS)

Guests:

Lucy Dean (LD) – Azets

John Maddock (JMa) – TIAA

CDPS staff:

Harriet Green (HG) – CEO

Myra Hunt (MH) – CEO

Phillipa Knowles (PK)

Kath Morgan (KM)

Jon Morris (JM)

Secretariat:

Michaella Henderson (SMH)

The meeting opened at 14:00

1.1. The Chair welcomed members to the meeting. No apologies for absence were received. The Chair noted a quorum had been achieved.

1.2. The ARC approved the minutes of the meeting held on 24 January 2024 as a true and accurate record.

1.3. The action log was received, and members noted the progress on actions and the actions that had been closed. There were no matters arising not dealt with elsewhere on the agenda.

2.1. Members noted the 2023 to 2024 draft financial year end accounts.

LD noted it was the first time the ARC had received such a report. 

2.2. Members noted that CDPS made a final quarter drawdown in January 2024 and LD reported that the projected quarter 4 spend of £1,819.312 was delivered with a small variance of £9,000. LD drew members attention to contractor versus permanent staff spend and noted that CDPS had no further recruitment plans moving into 2024 to 2025 with contractor costs only being incurred when deemed necessary for delivery of future projects where specialist skills would be required.

ACTION: It was agreed the contractor versus permanent staff spend section would be removed from the report in future.

2.3. LD reported that, because of the way forecasting had been using a rolling budget method, there was no budget figure for the start of the 2024 to 2025 financial year but that she and KM had looked at adjustments to be made going forward and quarter by quarter variances would be reported. 

2.4. LD drew members attention to the bank account balance of £512,710 as at the end March 2024 but noted that that was not indicative of any carry over and that trade creditors of £233,000 pensions, PAYE and several accruals would need to be taken into account and be adjusted for in the final year end accounts. 

2.5. LD drew out the main changes in the 2024 to 2025 costs compared to the budget approved in March 2024 including increase in staff cost, reduction in costs for contractors and moving the finance function in-house. 

2.6. LD reported new external auditors, HSJ Accountants, had been appointed and that the audit would commence at the end of May 2024. 

2.7. KM updated members on the finance team’s plans for quarter 1 including the completion of the statutory accounts, the improved use of Xero and a review of a new banking provider.

2.8. Members agreed the report was comprehensive and easy to read and thanked KM and LD for their work on producing the report.

2.9. In response to a query from BS, KM and LD noted that the transition to in-house had worked well particularly with Gemma Wale joining the CDPS team from Azets. PK noted that agreeing a new contract with Azets to allow for their departure had been challenging but had been successful. PK further noted that KM had grown into her role so well that it allowed for the bringing of the finance function in-house and thank LD for her contributions in getting CDPS this far.

ACTION: Final accounts to be presented at the October ARC meeting.

2.10. In response to a query from NP, MH reported that the £45k knowledge hub spend related to the discovery that was required to evidence the need for a knowledge hub and that she and Welsh Government (‘WG’) and local government (‘LG’) would meet to evaluate the evidence in due course. MH further noted NP had been named as an important stakeholder in that work.

ACTION: Knowledge hub link to be provided to members when appropriate.

2.11. HG noted that AI spend had increased in the year as CDPS was able to deliver on a couple of the recommendations within the financial year, including setting up a pan-sector AI/automation steering group to govern the activity of CDPS and its collaboration with both WG and LG and to take follow up action to ask them to support CDPS creating a community of practice, and had sufficient funding remaining to do so.

2.12. NP drew members’ attention to the knowledge hub show and tell on the CDPS YouTube channel.

ACTION: PT to follow up with the discovery material going to the ARC and NP and BS to be briefed on the cross sectorial work on the next steps following HG’s meeting with Lindsay Phillips.

2.13. Members resolved to note the report.

3.1. HG introduced the risk report noting that a discussion on risk appetite had been scheduled with the board and that the senior leadership team had held several discussions and a workshop with the purpose of reviewing and updating the risk register, creating risks more relevant to the CDPS current structure and portfolio.

3.2. Members noted the six strategic risks set out in the paper:

2.1. Portfolio delivery

2.2. Financial pressures

2.3. Reputation and impact

2.4. Collaboration and ecosystem

2.5. Staffing/skills/succession planning 

2.6. Workload and stress

3.3. AG noted that the new risks were more strategic than previous versions and further noted that pinning down actual definitions and scoring, controls and mitigations would be interesting to see. AG noted that the workload and stress risk was one that CDPS should be in control of rather than a risk and suggested that all the risk CDPS face should be included in an emerging risk piece of work.

3.4. In terms of the strategic risks, JMF noted that:

2.1. (Portfolio delivery) – the risk was defined quite broadly and felt the need for specific risks to be articulated.

2.2. The risk was that CDPS would not be able to achieve everything it would like to because of a reduced budget.

2.3. JMF recommended only one risk owner.

2.4. Should the risk be that CDPS would not be able to have an impact on public services.

2.6. Generally a concern but need to ensure CDPS is able to do something about it.

JMF then flagged the risk that possible changes in political priorities that could result in less interest and engagement from other public sector organisations.

ACTION: JMF to send his notes on the risk register to PK.

3.5. BS agreed that the workload and stress risk should be managed within CDPS and suggested it should not be on the risk register. BS also suggested that risk 2.4 should be rolled into risk 2.1 as part of the failure to deliver risk and the risk of delivering things that don’t create systemic change. BS queried what the output of the risk register should look like and how CDPS would propose to score the risks. 

3.6. NP noted there should be something on the risk register around risks to the wider public sector that could affect the ability and resources within wider public sector organisations to commit to digital change programmes. NP also noted that 2.5 should also include reference to the board as all members terms of appointment end at the same time so succession planning would be a risk.

3.7. HG agreed additional work needed to be undertaken on wording and clarifying the risks further particularly risk 2.1. HG noted that CDPS intends the new risk register in such a way that the risks are appropriate to CDPS ambitions and that the mitigations are practical, actionable and understandable and that the impact of those mitigations can be tracked and adjusted if necessary.

3.8. PK set out the next steps in the process: 

• SLT to reflect on the feedback and rework on the strategic priorities.

• Simpler, more user friendly risk register that maps out inherent risk, residual risk and mitigation to be produced.

• Ensure staff are aware of the risks CDPS faces.

• Bring the risk register back to the July board meeting for discussion as well as a discussion on the board’s risk appetite.

• Sign off of risk register October 2024. 

3.9. BS queried the outcome of the information architecture work and PK reported a working group had been formed to carry the work forward and was tasked with mapping out the priorities, what the outputs are from the work done and looking at the tools that would be necessary to report back and provide assurance and that it was hoped to report to the board at their July meeting. MH reported that the work had been fundamental for CDPS efficiency, wellbeing and productivity and for the quality of the information that was being provided to the board.

ACTION: HG to share the original work with BS and arrange to meet to discuss to get BS’s insight.

4.1. Members noted the ARC draft Terms of Reference. JM noted the Terms of Reference had been updated to reflect the fact finance scrutiny had moved from the main board to the ARC as reflected in new section 8.3. JM flagged the other minor changes made through the document.

4.2. In response to a query from BS recognising that ARC members were not financial experts, JM provided assurance that the finance reports provided would be completely open and transparent and would highlight any areas of concern providing ARC members with all the information they need to provide adequate scrutiny. JM noted that the statutory and administrative requirements were set out by HM Treasury and that the finance advisor was being recruited to provide financial expertise to the ARC.

ACTION: It was agreed to present the draft Terms of Reference to the CDPS board for approval at their meeting on 16 May 2024.

5.1. Members received the Summary Internal Controls Assurance Report (‘SICA’) providing members with an update on the emerging governance, risk and internal control related issues and the progress of work at CDPS as at 10 April 2024, together with the Assurance Review of Recruitment and Training, Compliance Review of Key Financial Controls, Follow Up Review, Draft Financial Regulations, Indicative Audit Strategy 2024 to 2027 and Annual Plan 2024 tp 2025 and Internal Audit Recommendations Tracker.

5.2. JMa presented a summary of the SICA. JMF asked for clarity around point 5 - Changes to the Annual Plans 2023 to 2024 and 2024 to 2025. JMa clarified that there had been no major concerns raised since the last audit had been carried out. JMa also clarified that point 6 on the paper should read ‘we have made no Priority 1 recommendations’ instead of ‘we have made one new Priority 1 recommendation’. Members agreed the Root Cause Indicator table was confusing and not useful.

ACTION: It was agreed the Root Cause Indicator table would be removed from future summary reports.

5.3. JMa introduced the Assurance Review of Recruitment and Training, noting the two Priority 2 and three routine recommendations set out in the paper.

5.4. AG queried whether the information being held impacted on CDPS’ ability to understand EDI. PK noted that CDPS has been able to track EDI job applications for the past four months. PK also noted that CDPS was in a transition stage when the audit was undertaken and that improvements had been made since.

5.5. JMa introduced the Compliance Review of Key Financial Controls paper, noting the two Priority 2 recommendations and two routine recommendations set out in the paper. JMA noted that CDPS’ budget was reforecast every month which could raise concerns about tracking variances and the importance of independently verifying or approving bank reconciliations. KM confirmed that in future the finance team would be forecasting monthly against an agreed budget and any variances noted. CDPS would no longer be reforecasting monthly which led to the use of a rolling budget.

5.6. JMa introduced the Follow Up Audit paper and noted the seven recommendations set out in the paper, five of which had already been implemented. JM assured ARC Members that all items on the Recommendations Tracker were being monitored and updated monthly and that completion dates has been set for the two outstanding recommendations. JMF noted that one high priority recommendation around a HR strategy had been on the tracker since November 2022 with no revised implementation date or status update and members agreed the matter need to be treated with urgency at board level or bought back to the ARC to deal with if it couldn’t be presented to board at their May or July meeting.

5.7. JM introduced the Draft Financial Regulations and noted the amendments including the monthly banking reconciliation. JM noted the Financial Regulations had been updated, not just to reflect the outcomes of the key financial controls audit but also to reflect the move of the finance function in-house and the off boarding of Azets by the end of quarter 4 2024 to 2025. In response to a query from JMa, JM reported that CDPS had an Anti-Fraud Policy in place, approved by the ARC last year, which was why fraud was not included in the Financial Regulations.

ACTION: It was agreed a link to the Fraud Policy would be included in the Financial Regulations.

5.8. JM noted that the Financial Regulations would be reviewed again in 12 months following the Azets off-boarding.

5.9. Members resolved to approve the updated Financial Regulations for immediate adoption.

5.10. JMa introduced the Indicative Audit Strategy 2024 to 2027 and Annual Plan 2024 to 2025. JM noted that the ICT section on page 3 mentioned an ICT project support audit that was not due to be carried out in any of the four-year cycles and that he and JMa had discussed the matter and agreed there would be more value in having cybersecurity and ICT infrastructure audits on a rolling biannual schedule. 

ACTION: Members agreed it would be useful to have an audit on the risk framework in quarter 4 2024 to 2025.

5.11. JMF queried the need for the five additional audit days over last year and JM noted that it was a function of how the audit schedule fell.

ACTION: Members expressed strong support for the cybersecurity audit and a review of the quality of the Risk Register in quarter 4 2024 to 2025. 

5.12. JMa introduced the Recommendations Tracker.

ACTION: It was agreed the original target dates for items would be included in the Recommendations Tracker.

6.1. JM introduced the Procurement Departures paper and reported that the decision had been made, outside the CDPS Procurement Policy and Procurement Guidelines, to extend the contract with Azets and that it had been decided that there was no need to go out to tender for a 12-month period contract extension covering the transition period given that finance services were being brought in-house. JM noted that the maximum additional was expenditure was capped at £30k plus VAT which was within the remit of the CEOs to agree under the Procurement Policy. JM noted that going out to tender would potentially have involved onboarding another company under a 12-month contract whilst also off boarding Azets and therefore the Azets contact extension would minimise operational risk and ensure continuity of business within the scheme of delegation.

ACTION: JMF queried whether NP, as the Chair of the ARC, should be consulted on divergences from policy in future to provide assurance and support to PK/MH/HG and NP agreed that should be an action in future.

6.2. BS queried the support to be provided by Azets for the £30k plus VAT and PK reported that there was a detailed contract in place that included LD’s support in presenting reports to the ARC, supporting KM on a weekly basis and assisting in preparation of the external accounts. PK also reported it was the intention to move payroll services in-house during the 12-month period and use Azets to facilitate that move, capped at £7.2k. PK noted that a reasonable day-rate had been approved was capped at £30k plus VAT.

6.3. Members resolved that they had considered the appropriateness of CDPS’s actions and were satisfied that CDPS had acted reasonably to ensure value for money, reduced risks to the business and preserved the reputation of the company.

7.1. There were no new items identified in the Fraud Register for discussion and consideration by the ARC.

8.1. Members were invited to suggest future agenda items to PK.

8.2. ARC contact: SMH asked members how they preferred to be contacted to maximise response especially to urgent emails.

8.3. Members noted good IT governance would require the use of CDPS emails not personal or other business emails.

ACTION: It was agreed SMH would set up an ARC Whatsapp group for ARC members to use to prompt members to login to their CDPS email to address emails and calendar invitations.

8.4. Board coaching with Emma Haddleton: NP reminded members to send Emma Haddleton details of one thing that they thought went well during the meeting and one thing that didn’t go so well for use during the board coaching session with Emma on 25 April 2024.

9.1. The committee acknowledged that this was NP’s final meeting, and that he is standing down from his position as NED and Chair of ARC after three years of service on 16 August.

9.2. As the post of ARC Chair may not be vacant due to their responsibilities to the company, the committee agreed to confer with the board’s chair and each other to select a new chair prior to 16 August.

9.3. All Committee members and CDPS staff present thanked NP for his dedication to CDPS over the last three years, noting the positive impact he has made both in board and subcommittee.

10.1. In-camera session between ARC members and JMa. No CDPS staff attended, and the discussion was not noted. 

The meeting closed at 15:50.