Corporate report

Minutes of the Audit Risk Assurance Committee: 12 June 2024

Updated 26 November 2024

Applies to England

Present

Martin Spencer, Chair

Laura Wyld, Board member

Ian Looker, Co-opted member

Also in attendance

Martyn Oliver, His Majesty’s Chief Inspector (HMCI)

Matthew Coffey, Deputy His Majesty’s Chief Inspector (DHMCI)

Louise Grainger, Director, Finance, Planning and Commercial

Board Secretary

Khadija Qidwai, National Audit Office (NAO)

Hassan Rohimun, EY

Tony Smith, Government Internal Audit Agency (GIAA)

Ivan Cheary, GIAA

Lucia Wilde, Director, People (item 5)

Rory Gribbell, Director, Strategy and Engagement (items 8 and 9)

Head of the Strategy Delivery Unit (item 11)

Head of Security and Information Management (item 14)

Neil Greenwood, Deputy Chief Operating Officer, Operations (item 14)

Status

Approved at the ARAC meeting 11 September 2024.

1. Chair’s introduction, declarations of interest, minutes, actions and matters arising

Apologies were received from Jo Moran and Jon Yates.

The minutes of the last meeting were approved as a correct record.

Laura Wyld declared that her service as an independent panel member for the recruitment of non-executive directors at the Foreign, Commonwealth & Development Office, was currently frozen due to the upcoming election.

2. Verbal report from HMCI

HMCI provided an update on the progress of various priorities including the achievements of HMCI’s first 100 days in post, the Big Listen, and plans for delivery of organisational priorities for the next year through the ‘Ofsted 2025’ programme (programme for delivery of inspection and organisational priorities for the next year).

HMCI thanked the committee and chair, auditors, DHMCI, and the Director, Finance, Planning and Commercial for their work this year.

3. Progress against audit recommendations

The committee noted progress made on implementing audit recommendations. The committee noted that 3 actions have been closed, 5 actions have been completed, and 8 audit actions are on track to meet the target completion date.

4. Internal audit progress report

Delivery of the 2023-24 audit plan is complete.

The committee noted that work had progressed on planning the delivery of the 2024-25 audit plan since the report was written, and that work has now begun on 60% of the planned activity.

The committee discussed potential options for getting earlier sight on the scope of planned audits.

Action: the final scope for each planned audit be circulated to the committee once it is agreed.

5. Issued internal audit reports

Two engagements have been completed since last meeting.

Moderate assurance was provided in respect of the payroll-configuration and controls audit. The committee was assured that action has been taken by management to implement the recommendations.

The advisory coverage of Ofsted’s programme to oversee delivery of supported accommodation registration and inspection readiness found no areas of concern.

6. Internal audit annual plan 2024-25

The committee noted the changes to the plan since the last meeting, and noted that the planned activity on outcomes of the change programme covering HMCI’s first 100 days in post, and the ‘Ofsted 2025’ programme is still being scoped.

The committee approved the audit plan. It was agreed the plan would be subject to ongoing review and the committee would be sighted on any proposed changes.

Action: the findings of the report on the outcomes of the change programme covering HMCI’s first 100 days in post will be shared with the Ofsted board for consideration of alignment with organisational strategy.

7. Head of internal audit annual opinion and report 2023-24

The committee noted that this year, the Head of Internal Audit gave a ‘moderate’ opinion, stating that overall Ofsted’s framework of governance, risk management and control was largely adequate and effective. However, this ‘moderate’ opinion reflects the impact of external factors, such as the significant criticism of the education inspection system and adverse media coverage that Ofsted has received in the past year, in addition to an assessment of Ofsted’s internal policies and procedures.

The committee discussed the need for the report to differentiate between changes implemented by HMCI included in his first 100 days programme, such as the Big Listen, and the actions in response to the Prevention of Future Deaths report, where possible.

Action: GIAA to review drafting to ensure that the report accurately distinguishes between these activities.

8. Value for money and insight work

The committee noted the update, including that some activity had been paused due to pre-election silence.

9. Draft annual report of the Audit and Risk Assurance Committee (ARAC)

The committee reviewed its draft annual report, which provided an overview of ARAC’s activity during the financial year 2023-24 and was content for the report to be submitted to the board.

10. Annual report and accounts 2023-24

The committee reviewed the draft annual report and accounts.

The committee was content to recommend that the board approve the annual report and accounts 2023-24 prior to certification of Ofsted’s Accounting Officer.

11. Plans for Ofsted’s new strategic risk register

The committee was briefed on the proposed changes on the design and commissioning process for the strategic risk register. The committee endorsed the approach and recommended that the changes be implemented as soon as possible to ensure sustained oversight of strategic risk.

The committee was assured of risk management processes in place on both the executive and HMCI’s first 100 days programme risk registers.

An assurance review of the revised strategic risk management processes was proposed for Q1 of 2025-2026.

12. Finance report

The committee noted Ofsted’s financial position as of the end of period 1.

13. Counter fraud, bribery and corruption update – for discussion

The committee noted that Ofsted continue to meet required standards in this area.

The policy is currently under review and will be shared with ARAC once this review is complete to scrutinise any changes.

Action: When the renewed counter fraud policy is brought back to ARAC, it will also include indication of how we get assurance that the processes are being adhered to by Ofsted colleagues.

14. Annual information assurance and cyber security report

The committee received an annual briefing on information and cyber security in Ofsted. The following areas were of note:

The Government Security Group feedback for the 2023-2024 Departmental Security Health Check gave assurance that Ofsted continues to meet the Government Security 007 Standard and exceeds the minimum standards required for personnel and incident management.

GIAA gave an overall assurance rating of ‘substantial’ on an audit of Ofsted’s hardware/software configuration, patch management and supplier risk in Q3 of 2023.

The end-to-end security incident process has been reviewed and updated, and new incident taxonomy has also been incorporated into the process to align with central government incident reporting.

Supplier security assurance has been improved by embedding security requirements into the procurement process, and a supplier risk assessment and ongoing audit process has been implemented.

Penetration testing of Ofsted systems/services has been carried out by Ofsted’s supplier, and all critical and high vulnerabilities identified were remediated. The committee were assured that penetration testing is carried out before systems go live, and no systems go live with vulnerabilities.

The committee was assured that Ofsted continues to actively manage its information and cyber security risks and that there are appropriate mitigations in place.

Action: The committee will be provided with statistics on the volume and origin of attacks identified by Ofsted’s monitoring systems.

Action: ARAC chair to meet with GIAA to discuss GIAA’s coverage of Ofsted’s cyber security arrangements, both work already undertaken and planned.

15.AOB

There was no other business.