RSH ARAC minutes - 23 January 2023
Updated 8 February 2024
Applies to England
Public minutes of the Audit and Risk Assurance Committee meeting
on Monday 23 January 2023 at 10am
Hybrid meeting MS Teams and room FG47, 2 Marsham Street, London
8.Remote and virtual participation
8.1 Any member may validly participate in a meeting through the medium of conference telephone, video conferencing or similar form of communication equipment, provided that all persons participating in the meeting are able to hear and speak to each other throughout such meeting, or relevant part thereof. A member so participating shall be deemed to be present in person at the meeting, and shall accordingly be counted in a quorum and entitled to vote.
8.2 A meeting shall be deemed to take place where the largest group of those members participating is assembled or, if there is no group which is larger than any other group, where the Chair of the meeting is.
Members
- Liz Butler - Chair
- Richard Hughes
- Kalpesh Brahmbhatt
Invited officers
- Jonathan Walters - Deputy Chief Executive
- Richard Peden - Director, Finance and Corporate Services
- Emma Tarran - Senior Assistant Director: Head of Legal and Company Secretary
- Mike Newbury - NAO, Audit Director
- Emily Nardini - NAO, Audit Manager
- Lisa Harvey - Head of Internal Audit, Government Internal Audit Agency
- Jenny Obee - Engagement Lead, GIAA
- Kashif Zaman - Social Housing Finance Business Partner, DLUHC
In attendance
- John O’Mahony - Assistant Director, Services and Performance - item 8
- Christine Kitchen - Company Secretary - minutes
1. Welcome and apologies
01/01/23 The Chair welcomed everyone to the meeting. KZ joined the meeting at 11.15am.
2. Declarations of Interest
02/01/23 There were no new declarations of interest.
3. Minutes of the last meeting
03/01/23 The minutes from the previous meeting on 07 November 2022 were reviewed and approved.
4. Matters Arising
04/01/23 All actions were noted.
-
RBP asked the NAO for an update on the assurance letter to NAO from Grant Thornton in respect of the City of Westminster Local Government Pension Scheme audit for the 2021-22 accounts. MN advised that he had been advised by Grant Thornton that they have now completed their review of the pensions and are planning on submitting the letter to the NAO. Once received, NAO will finalise, certify, and submit it to the RSH.
-
RBP asked if there are likely to be any changes to the figures on LGPS and MN and EN both responded saying that they had not been advised that any changes will be required, but cannot confirm until they receive the letter from GT.
5. NAO Methodology change
05/01/23 MN introduced the paper which set out the NAO’s changed approach to audits. The changes related to the type and amount of audit work they will be undertaking and are based on revisions to ISA 315 -Identifying and Assessing the Risk of Material Misstatement, and ISA (UK) 240 -The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements.
06/01/23 EN continued with the presentation to outline other aspects of their proposed approach.
07/01/23 Members noted there would be no change to the scope of the audit of response to fraud on which the NAO provide reasonable assurance that the financial statements are free from material misstatement. Management retain responsibility for the detection and prevention of fraud.
08/09/23 The NAO will be adopting a different approach to address risk, working from an understanding of the business and how business risks translate into the accounts. This will make audits more specific to areas and the response to risk will be more targeted to the actual risk. The audit response will relate to where the identified risk sits on the spectrum of inherent risk.
09/01/23 The members thanked the NAO for the report.
10/01/23 The chair also issued caution and asked for proportionality when planning audits. The RSH is a small organisation and staff are extremely busy, and there should be no added workloads for staff to accommodate time intensive audits.
11/01/23 MN acknowledged that NAO have a lot of planning and training to work with the new systems. He said that the new methodology will offer a more nuanced approach depending on where on the spectrum of inherent risk the audit area falls. MN advised that a recent practice note, gives auditors the ability to reflect on materiality in a different way than they have been able to before and as a result RSH might want to consider accepting a qualified audit opinion, which will reduce the time lag currently experienced between producing final accounts and getting signoff following review of pensions.
12/01/23 On the point of accepting qualified accounts, the Chair put on record that this would be highly unacceptable to the Regulator and strongly rejected that option. MN thanked the Chair for her clarity on the points discussed. He stated that when planning the audits, they will aim to achieve minimum disruption to workloads and will liaise with the DF&CS to ensure staff are not being put under undue pressure during audits.
13/01/23 RBP asked MN when we can expect to receive the NAO’s management planning memo which was due to be presented at this meeting. The April meeting of ARAC would usually receive the interim audit report, so we are not going to meet the reporting cycle, and this will impact on the production of our reports. MN advised that the NAO planning work has been completed, and a draft plan is near completion. He suggested that an additional meeting of the ARAC is scheduled to discuss and agree the plan, the Chair conceded to having an informal MS Teams meeting (not a formal meeting of the ARAC) scheduled. She asked the NAO to liaise with the GIAA to ensure there is not overlap of audits. MN to liaise with RBP to confirm a date for the programme planning meeting. Action: MN/RBP
6. Internal Audit Progress report
14/01/23 LH presented the progress report which set out the audit plan which is taking a risk-based approach and forward looking to link into preparation for the 2023-24 audit plan. At the November meeting the Committee had asked for GIAA to carry out a sense check of the audit plan for the year ahead. This has been completed and they are in a good place to complete the follow-up work. They have also carried out their own review of the SRR. They have factored in changes to pick up consumer regulation in 2024 to map out coverage and flag any gaps. Capacity and capability will be the areas of focus on consumer regulation for the 2024-25 plan. GIAA have reviewed the audits completed by HE IA and acknowledge the assurance ratings, but they did not conduct any of their own testing in this area. GIAA will review the risks that are above appetite.
15/01/23 Since the last meeting, GIAA have met with AO, DCE and DF&CS to check assurance and have made a few suggestions for the next audit plans and they intend to develop a three-year rolling plan to pick up on visibility of key governance/risk management and control audits for the annual opinion. Next steps were to agree priority audits, timescales and bring a draft plan and show how the risks have been mapped. Progress against the current plan is 20% completed, with the SLA Transition audit completed. The ToR for IT security and managing expectations is to be agreed. GIAA are on track to have audits to draft stage by the end of March. None of the audit actions from the last meeting are overdue and there are likely to be low priority recommendations which will be fed into the next report.
16/01/23 The Chair thanked LH for the overview and whilst pleased to hear that GIAA are working on a three-year plan, she issued caution that some flexibility is built into the planning so anything outside of the agreed plan that might come up can be addressed, and LH gave assurance that there will be some flex in the planning. GIAA are also thinking of ways to get different types of value from standard audit areas, focussing perhaps on medium to long term plan.
17/01/23 LH advised that they had hoping to be able to share the MOU, but it was not ready in time for this meeting, so it will be shared with RBP.
7. SLA Final Audit Report
18/01/23 JO presented the findings of the audit on the SLA Transition which was given an overall Substantial rating with one minor recommendation. The project had been well and effectively managed with good cost management and few risks. A number of functions have transferred successfully whilst there are some still in progress and progressing well. RSH had a lot of proactive engagement with HE throughout the project. The only low priority recommendation related to the consistency of application of project management methodology.
19/01/23 The Chair thanked LH and JO for their reports and the audit of the SLA transition was very reassuring.
8. RSH Strategic Risk Register
20/01/23 JOM joined the meeting and RBP introduced the report which reflects the latest update which has been updated and reviewed by each risk owner and discussed and reviewed by the Executive Group. JW picked up a point made at the last meeting where the executive was challenged on why the SRR does not reference specific case work. JW advised that this had been discussed and after reflection, it was considered that information on relevant controls and their effectiveness information was included appropriately for a risk register and individual case work is picked up through other reports. It was also suggested that some serious I&E casework is only separately reported on for short periods of time, so therefore it was not suitable to be included on the SRR.
21/01/23 KP stated that whilst this rationale could apply to current cases, he challenged that it does not apply to the list of older cases which could be a reputational risk.
22/01/23 JW responded that long term non-compliance is an area of risk for the RSH and is on the radar for both the I&E and Strategy directorates, and the Executive Team, to review and consider if it needs to be on SRR.
23/01/23 The Committee thanked management for the discussion and agreed to recommend the revised SRR to the Board, and JW confirmed that management will continue to consider how to best to reflect long term non-compliant cases on the SRR. Action: RPB/JOM.
9. Annual Update on Counter Fraud, Bribery and Corruption
24/01/23 RBP presented the report which is the annual report for 20211/22 and included the plan and the policy. Payment fraud was the highest risk area; however, we have good controls including various levels of sign-off. We have considered the risk of bribery of staff to influence our regulatory decision making and can conclude the internal independent review mechanisms which work to calibrate the consistency of our judgements make the possibility of bribery very low. Our biggest area of spend is payroll and we have had a positive audit of this area and are still small enough that management knowledge of teams would pick up any fraudulent activity. Expenses could be another potential area for fraud, however our staff do not have high expense claims and only a small group of staff incur travel costs, so again we would easily identify unusual activity in these areas. As we have now transferred the financial controls from, HE to DLUHC, we will be bound by their processes.
25/01/23 RH asked if there was any cross over between this policy and cyber fraud and whether the two policies should tie in with each other. RBP advised that this policy covers fraud by an individual, cyber fraud is aimed more at organisations, and we do have information security and data protection policies, but we could consider the strategic link between the two. LH queried whether GIAA should pick this up as a potential audit area however RBP advised that currently our IT service is provided by HE who have increased their security, so any audit would only be for 12 months. He suggested that March 2024, when we have our own IT structure would be a better time for an audit but did agree that we could build this into the procurement process for IT services. MD stated that the NAO also have good practice guides on cyber fraud, and it was agreed that this will be further discussed with the two auditors and RBP. Action: NAO/RBP/GIAA
10. In-depth assurance – Organisational Development Controls
26/01/23 JOM presented the paper the context of which was capacity and staffing. Our proposals for consumer regulation will see an increase in our staffing levels and current recruitment issues have taken this risk score above appetite on the risk register.
27/01/23 Controls – these relate to structure and staff in place, which currently is c210. Recruitment is proving difficult, and this is generally being found to be more challenging in the public sector due to pay constraints. However staff turnover continues to be low although there is a degree of churn within the organisation where staff have moved between roles, which has allowed us to keep talent. Some areas are disproportionally affected especially Financial Analysts and we are doing what we can to manage those impacts on our operations. Future recruitment will try to emphasise the overall Employee Value Proposition in terms of salary, pensions, annual leave, and social purpose to attract candidates. We are also updating our recruitment strategy and have appointed a recruitment and resourcing manager. Capacity issues can be mitigated with buying in resources, although this comes with its own problems, but could be useful in some cases. We are using recruitment consultants for areas that have been proving difficult to recruit to and could roll this out wider if successful, within our strategy and spending guidelines. The Executive also have regular operational meetings where resourcing is discussed and also strategy/horizon scanning meetings each month. We also overbear in some cases where candidates are good, and look to reprioritise work and move resources around.
28/01/23 Resourcing and OD – this sets out how we are managing the consumer regulation programme and the impact on the organisation so we can split out the work between operational and strategic. This will help focus the work and we have developed a management development programme to achieve consistency across managers in the organisation.
29/01/23 Equality Objectives – we have not made many appointments to senior roles as there have not been any vacancies at these levels, however we are getting more capacity to pick up the EDI strategy and will report on this in the next quarter.
30/01/23 RBP advised that we are looking to recruit 4 - 6 graduate apprentices on a 3-year programme, who will work towards ACCA qualifications with the aim of being able to appoint them as G16 FAs. We will not restrict their training to just Operations, they will be moved around the organisation and work in different areas so they will be rounded regulators and be able to work anywhere in the organisation. Currently we are looking to base these in Manchester. It was suggested that we should not restrict ourselves to financial graduates, but also consider A Level students and business graduates too. It was also suggested that we might want to consider return to work paths, which will play into our EDI objectives.
31/01/23 The Committee agreed this has been a very useful and informative paper and the Chair suggested it be shared with the other members of the Board who might find it helpful. Action: JOM
11. Forward planner
32/01/23
The forward planner was considered and the following confirmed:
April
- NAO audit plan – the Chair requested that members see this when ready ahead of the meeting if possible.
- NAO interim findings
- Whistleblowing – In-depth assurance. Clarity was sought from members as to the scope of the brief . Members were interested in both angles –whistleblowing to and about the RSH. The Chair requested that a paper setting out our approach and providing assurance would be appreciated.
June
- Self-assessment – the external review assessors will observe the April ARAC, the April and May Board meeting and report to June Board. Therefore, the internally facilitated self-assessment will not be required.
- IA internal audit review – feeds into accounts LH/RBP discuss
October
Oct deep-dive – it was agreed that we will need to consider this further as last year the October meeting was combined with the sign off of the accounts, so a decision will be deferred until we know the situation with Grant Thornton and the accounts again this year.
12. Any other business
33/01/23 There were no other matters of business. The Chair thanked the auditors, management, and committee members for their input.
Date of next meeting: 24 April 2023