Audit and Risk Assurance Committee meeting: 29 May 2024

• Mike Usher, Non-Executive Director and Chair of WG ARAC
• Angus Muirhead, Chair - LGHCCRA ARAC
• Nigel Reader, Chair - HSCEY ARAC
• Phil Sharman, Chair - ECWL ARAC

Officials

• Andrew Goodall, Permanent Secretary
• David Richards, Director of Propriety and Ethics
• Tim Moss, Chief Operating Officer
• Gawain Evans, Director of Finance
• Kim Jenkins, Deputy Director Accounts, Governance & Grants
• Clare James, Audit Wales
• Helen Morris, Deputy Director Audit, Assurance & Counter Fraud
• Kath Jenkins, Chief Security Officer (agenda item 3.3)
• Stephanie Howarth, Chief Statistician (agenda item 3.1)
• Tracey Breheny, Director, Strategy and Corporate Business HSCEY Group
• Jamie Powell, Deputy Director, Finance LGHCCRA Group LGHCCRA Group
• Steve Hudson, Deputy Director, Finance and Economy, EET Group

Also present

• Head of Corporate Governance Centre of Excellence
• Deputy Head of Internal Audit
• ARAC Secretariat
• Head of Public Bodies Unit
• Head of Counter Fraud

1.1 There were no declarations of interest raised by Members.

2.1 The committee agreed the minutes of the previous meeting.

2.2 The committee noted the good progress made in implementing the agreed actions.

3.1 The Permanent Secretary provided the Committee with an update on a number of key areas, including:

• Machinery of Government changes following the appointment of the new First Minister including the restructuring of group arrangements to better support ministers.
• The issuing of pre-general election guidance to all staff.
• Progress in implementing the Voluntary Exit Scheme.
• Budgetary pressures being faced in 2024/2025 and the need to maintain robust financial disciplines.
• An update on the Public Accounts and Public Administration Committee’s scrutiny session into Welsh Government’s 2023/2024 accounts.

4.1 The committee scrutinised a number of documents that underpin and provide assurances to support Welsh Government’s Annual Governance Statement:

• Public Bodies Unit Annual Report
• Framework for Analytical Modelling
• Data Protection Officer Annual Report
• Head of Counter Fraud Annual Report

Public Bodies Unit Annual Report

4.2 The Head of the Public Bodies Unit provided the committee with an update on the work of the Public Bodies Unit and noted the focus on improving the leadership both internally and externally with stakeholders as well as undertaking a restructure of the team.

4.3 The committee received confirmation that there had been a systematic follow-up of recommendations from the previously undertaken internal review of the Unit and an action was taken to provide a summary of progress to the committee.

4.4 The Permanent Secretary outlined the importance of ensuring there is a clear understanding of the role and core purpose of the Public Bodies Unit, especially when undertaking the external engagement exercise. The Permanent Secretary also outlined the need to ensure:

• There is sufficient focus on diversity and inclusion within public bodies that is reflected in the appointments process.
• Processes are reviewed if the desired outcomes are not being achieved.
• The Public Bodies Unit focuses on providing clear, central advice, guidance and frameworks/ standards to allow bodies to develop ways of working with appropriate oversight from Welsh Government.

4.5 The Chair outlined the importance of the Public Bodies Unit supporting Welsh Government partnership teams to be able to undertake intelligent sponsorship and deploy the appropriate levels of oversight and scrutiny, with trust between all parties a key element in the relationship.

4.6 Consideration is also being given to introducing the self-assessment model that has been rolled-out by UK government.

4.7 The committee noted the annual report submitted by the Head of the Public Bodies Unit.

Framework for Analytical Modelling within the Welsh Government

4.8 The Chief Statistician provided the committee with a summary of the outcomes of the annual assurance exercise that considers the management and control of business critical models that are driving key financial or funding decisions or are key to the achievement of business objectives. A key theme from the exercise was stability with no models seeing an increase in their risk ratings during the year.

4.9 Due to the increasing use of models within WG, there will be a focus during 24/25 on ensuring that staff understand the best practices when commissioning models and how to use the outputs. In addition, there will be moves to improve the transparency of the use of business critical modelling and alignment with the recommendation within the Aqua Book on Analytical Assurance that a register of business critical models is published.

4.10 The committee noted the good levels of assurance provided within the Analytical Models Annual Assurance Review but recognised the risks around capacity and succession planning especially as the number of models and their complexity increases. The committee outlined the importance of ensuring they are properly documented to avoid risks around single points of failure and to increase resilience in the event of workforce churn.

4.11  The committee made 2 suggestions to enhance future reports:

• There could be specific reference to capacity and single points of failure as part of the risk assessment process.
• Owners of models are provided with feedback as part of the annual review process but this is informal and generally not documented. Capturing any remedial actions as part of a formal action plan would enhance accountability and the dissemination of best practice.

Data Protection Officer Annual Report

4.12 The committee received a summary of the key points contained within the Data Protection Officer’s Annual Report.

4.13 The metrics show it has been a fairly consistent year of low-level incidents. Where there has been increases in non-conformance, most can be tracked back to improvements in training and awareness and a greater understanding of the type of incidents that need to be reported.

4.14 The committee recognised the lack of specialist information knowledge management support resource and were assured that a recruitment exercise is currently underway with the expectation that gaps at Group level will be filled.

4.15 The committee noted the Annual Report submitted by the Data Protection Officer and endorsed the areas for improvement contained within it.

Head of Counter Fraud Annual Report

4.16 The committee received a summary of counter-fraud activity during the year and a summary of outcomes of investigations.

4.17 The Head of Counter-Fraud noted that Welsh Government continues to identify ways in which enhanced use of data analytics and artificial intelligence can improve levels of fraud detection. There is regular interaction with UK government, other devolved administrations and the Public Sector Fraud Authority to consider matters of common interest including the increased use of technology and collaborative working.

4.18 The committee noted the Annual Report submitted by the Head of Counter Fraud but recognised the need to consider resilience and succession planning given that he is the only full-time resource in this area.

Corporate Risk Register

4.19 The Head of the Corporate Governance Centre of Excellence provided the committee with a summary of the corporate risk register and the outcomes of recent discussions by the Finance and Corporate Services Committee and the Executive Committee. There was particular discussion around the horizon scanning aspect of the register and it was felt it could be enhanced by the introduction of time frames and reference to other information sources such as the Statutory Future Trends Report and the Chief Science Officer’s Report.

4.20 The committee were informed that in June 2024 the Board will consider the process for updating the Welsh Government’s Risk Appetite Statement. There will be a process change in that the risk appetite statement will be separated from the risk management policy to ensure it is a stand-alone document that informs the policy.

4.21 The committee noted the risk register and endorsed the moves to improve the approach to horizon scanning and review the risk appetite statement.

Outstanding Audit recommendations

4.22  The committee received an update on the implementation of recommendations raised by Audit Wales and the Public Affairs and Public Administration Committee. Work is underway to record all recommendations on the Business and Information Reporting Tool to facilitate standard reporting and progress updates.

4.23  The committee noted the good progress being made in addressing recommendations and the importance of acknowledging where recommendations were no longer appropriate.

Quarterly reports from Group ARAC Chairs

4.24 The committee noted the quarterly reports tabled by each of the Group ARAC Chairs.

5.1 The Head of Internal Audit provided the committee with a summary of the work of internal audit and outlined progress against the internal audit plan for 2023/2024.

5.2 Attendance at programme and project boards continues to be a significant aspect of audit activity to provide real-time assurance to Senior Responsible Officers. Summary reports will be produced and will inform the Head of Internal Audit’s annual opinion.

5.3 The Deputy Head of Internal Audit presented the draft internal audit plan for 24/25 to the committee. It has received endorsement from the Permanent Secretary and Directors General, been considered by each Group Audit and Risk Assurance Committee and has been revisited following the recent machinery of government changes.

5.4 The committee noted the shortfall in days but were assured that additional resources would become available when 4 staff (with governance and compliance skills) transferred from WEFO in August and September when their current roles come to an end.

5.5 The committee approved the internal audit annual plan for 2024/2025.

6.1 The committee received an update on the work of Audit Wales.

6.2 Audit Wales’ Annual plan for 2024/2025 has been published and one of the key aims for 2024/2025 (and future years) is to bring accounts audit work around central government, NHS and local authorities closer to pre-Covid timetables and to bring forward the timeframe for the completion of local performance work. This was endorsed by the committee.

6.3 Audit Wales has been developing its audit approach for the Welsh Government Consolidated Account with key changes being the increase in the materiality threshold from 1% to 2% and a modification to their approach to Group work in anticipation of ISA600 implementation for 2024-2025. A detailed audit plan in relation to the review of Welsh Government’s consolidated accounts for 2023/2024 will be presented at the July ARAC meeting.

6.4 Audit Wales are in the process of updating their Value for Money update report with a view to presenting it at the July round of Group ARAC meetings.

ARAC Secretariat