Audit Committee Minutes 20 September 2023
Minutes of a meeting of the board of Leicester College Corporation:
Held on 20 September 2023
Present: Zubair Limbada (Chair – items 7-15)*, Louisa Poole (Chair – items 1-6), Zoe Allman, Neil McDougall, Tom Wilson
In Attendance: Shabir Ismail, Louise Hazel, Mark Dawson, Timothy Wakefield, Lisa Smith, Harshad Taylor**, Matt Widdowson (Minutes)
*Zubair Limbada joined the meeting during Item 6
** Harshad Taylor was present for Item 10 only
Declarations of interest
1.1 There were no changes to the declarations of interest.
Apologies for absence
2.1 Apologies were received from Roger Merchant.
Minutes and matters arising from the previous meetings
3.1 Governors made the following comments:
3.1.1 With reference to item 6.1.2.6, governors asked about the internal audit of apprenticeships and how many of the 30 learners in the sample were from 1 August 2022. All 30 learners had started after 1 August 2022.
3.1.2 Governors had requested that the Vice Principals provide further action points to address the issues raised in the internal audit of apprenticeships. This would be added to the action record and brought before the committee in the November 2023 meeting.
3.2 The Minutes of 7 June 2023 were agreed as an accurate record and approved.
3.3 Confidential minutes from the meetings held on 7 June 2023
3.3.1 The confidential minutes of 7 June 2023 were agreed as an accurate record and approved.
3.4 Action record
3.4.1 The Director of Governance and Policy provided an update on the Action Record.
3.4.1.1 All actions had been completed except the action relating to the internal audit of apprenticeships mentioned above.
3.4.2 Governors noted the Action Record.
Internal audit reports
4.1 Follow up report
4.1.1 The Internal Auditor presented the follow up report. The following points were highlighted.
4.1.1.1 Three audits were followed up from 2021/22. Three audits were not followed up as there were no actions and there was no follow-up of the funding compliance reviews.
4.1.1.2 The opinion of the Internal Auditors was that the College had made reasonable progress in implementing actions. Ten actions had been fully implemented and, of the three remaining, two had not been implemented and one was in progress.
4.1.2 Governors noted the report and approved the recommended risk rating of Green.
4.2 Annual report 2022/23
4.2.1 The Internal Auditor presented the annual report for 2022/23. The following points were highlighted.
4.2.1.1 This report was a summary of work undertaken during 2022/23. It did not include a Head of Internal Audit conclusion.
4.2.1.2 The committee was reminded that this was just one source of assurance for the College.
4.2.1.3 A series of workshops had been facilitated to look at risk management. These had been led by someone independent of the Internal Audit team to avoid conflicts of interest.
4.2.2 Governors noted the report and approved the recommended risk rating of Green.
Internal audit plan 2023/24 update
5.1 The Internal Auditors provided an update on the Internal Audit Plan for 2023/24. The following points were highlighted.
5.1.1 All dates had been agreed and the internal auditors would begin the following month by reviewing financial regulations to ensure that they had been amended in light of the ONS reclassification.
5.1.2 The internal auditors would also look at training for staff on the new ONS reclassification expectations.
5.2 Governors asked whether it would be appropriate for members of the Audit Committee to undertake the reclassification training. Corporation had been briefed on the key changes. Governors would need to carefully consider the new College handbook. A session would be scheduled to look at this.
5.3 Governors approved the Internal Audit Plan for 2023/24.
Neil McDougall joined the meeting.
Risk management: proposed strategic risk register reporting format
6.1 The Director of Governance and Policy presented a proposed strategic risk register format. The following points were highlighted.
6.1.1 The Audit Committee had previously considered the revised format including the heatmap. This had been approved by Corporation in July 2023.
6.1.2 Consideration had also been given to how the risk register was reported on and how the Audit Committee monitored it. The Audit Committee had asked for something comprehensive but straightforward. There had also been discussion around whether the multiplication factor should be included and the Committee had said that it was required.
6.1.3 The front page included a heat map and multiplication factor. These could be tracked over time. The heat map showed whether a risk was in or out of appetite and whether there had been any movement. This would allow the committee to focus on which risks were outside of appetite.
6.1.4 The front page also included a key detailing how risk scores were calculated and what the thresholds were for red/amber/green ratings.
6.1.5 There was then a page per risk which detailed the risk, identified the risk owner, and detailed the appetite and inherent risk. It would also detail the residual risk once controls had been applied.
6.1.6 Each page would then list actions and report on their status, followed by details of the three lines of assurance and additional actions.
Zubair Limbada joined the meeting during this item.
6.2 Governors made the following comments:
6.2.1 It was important for all governors to understand the risks and how to use the risk register. A one-page guide could be drafted.
6.2.2 It was not immediately obvious what the first page was; perhaps Coversheet or Dashboard could be written on it? This would be actioned.
6.2.3 The planned actions had been difficult to find as the headings were shaded in grey. This would be actioned.
6.2.4 The greatest risk appeared to be that partnerships and collaboration would not be leveraged, but this would not have the greatest impact on the College. The Risk Register now considered not only adverse effects but also lost-opportunity risks.
6.2.5 Governors might have to ask different questions and there might have to be a culture shift around what governors should be concerned about and who questions should be directed at. Not all the risk owners attended Audit Committee meetings. How would questions be answered in a timely way? The Internal Auditor explained that other clients carried out internal deep dives around risk and invited risk owners to their committee meetings. This involved planning for the next meeting. The Deputy Principal added that the Operational Risk Plan was discussed by ELT and this would make it easier for some questions to be answered at the Audit Committee. This new approach required different thinking around risk. For example, cyber security had always been rated red but now it was green as many of the risks were mitigated by good controls. Safeguarding had also changed. All this would be subject to an ongoing discussion.
6.2.6 Where should governors be focusing? Were partnerships and collaborations really a top priority for challenge? From the outside it would be questionable as to whether this was the top risk. The Internal Auditor commented that it was risks which sat outside of the risk appetite which should be the most concerning and required challenge; the risks in pink and purple, rather than the risks in blue.
6.2.7 It was noted that it was difficult to immediately understand the change in methodology. There was concern that should Ofsted ask governors about risks, there may be several different answers and all governors might benefit from a reminder of how the new approach worked. Noted.
6.2.8 Was cyber security outside of the risk appetite and should governors be most concerned about the Green Agenda? The Internal Auditor replied that, to some extent, this was the case. Governors would need to focus on where the residual risk was not in line with the stated risk appetite. There were seven risks outside of appetite. Governors needed to remain concerned about Cyber Security, Business Continuity and Health and Safety as there were still outstanding actions. As for the risks which were below the risk appetite, governors needed to challenge management about why additional controls were in place, or why opportunities were being missed. While the Committee could challenge the risk scores assigned by management, it was important that the Audit Committee did not itself set the scores.
6.2.9 The layout and proposed approach set things out clearly on one page. It was also easy to see whether things were moving in the expected way.
6.2.10 The paper’s appendix discussed the scoring of impacts. In terms of likelihood, was there scoring associated with probabilities? It was difficult to quantify and there was an element of judgement involved in assessing likelihood.
6.2.11 Did the Operational Risk Register follow the same format? It was similar in terms of identifying cause and effect, risk owners and controls although it looked more like the old risk register. The Operational Risk Register linked through to the strategic risks.
6.2.12 Looking at the three risks which should be of most concern, most of the actions were things that should be happening anyway. How would these actions bring down the risk level? Management would need to be challenged on this. The planned actions would be reviewed for the next meeting.
6.2.13 Compared to twelve months ago, there had been a real step change to get to this position. The Audit Committee would have to see how this evolved. It was a step in the right direction.
6.2.14 Would a short presentation for governors be useful? This could also include a reminder that governors did not score risks but were there to ask whether the correct risks were being focused on and whether the proposed actions were adequate. A presentation could be looked at with the assistance of the Internal Auditor.
6.2.15 The Director of Governance and Policy thanked everyone for their comments. The suggested changes would be made, and the Risk Register would be brought before the November meeting.
6.2.16 The Deputy Principal highlighted that all eleven of the risks on the Risk Register were the College’s top risks.
6.3 Governors approved the proposed strategic risk register format with suggested amendments.
External reviews
7.1 IELTS
7.1.1 The Deputy Principal presented the external review of IELTS. The following points were highlighted.
7.1.1.1 84% compliance was high but further information would be sought from EMES regarding the recommendations. Governors would be updated on this.
7.1.2 Governors made the following comments:
7.1.2.1 The recommended risk rating was Green. However, the paper itself was rated Amber. It was not known how the review had been rated but overall, it was felt that there were no areas of concern which was why the recommendation was that the report be risk assessed as green. More information would be sought regarding this.
7.1.3 Governors noted the external review of IELTS and approved the recommended risk rating of Green.
7.2 City and Guilds T Level inspection
7.2.1 The Deputy Principal presented the external review of City and Guilds T Levels. The following points were highlighted.
7.2.1.1 Forty-one observation checks had been done.
7.2.1.2 The only recommendation was around accommodation. It had been an exceptionally hot day when the observation took place. One of the rooms used was the GP Hall and consideration was being given to installing air conditioning.
7.2.2 Governors made the following comments:
7.2.2.1 The observation appeared very detailed. Overall, the external review appeared to be fine.
7.2.2.2 Was the room used every year? Yes. The GP Hall had large windows which let in the afternoon sun. There was another room at APC which had a similar problem. Although this was not a problem most of the time, the College might have to expect more of these exceptionally hot days.
7.2.2.3 Were there any complaints from students? No. Water had been provided. Fans could not be used as they could blow papers around.
7.2.2.4 Had the results of the exams been announced? Yes.
7.2.3 Governors noted the external review of City and Guilds T Levels and approved the recommended risk rating of Green.
7.3 JCQ inspection
7.3.1 The Deputy Principal presented the report on the assessment of centre compliance with JCQ regulations. The following points were highlighted:
7.3.1.1 There were no accommodation issues highlighted during this inspection.
7.3.2 Governors noted the report on the assessment of centre compliance with JCQ regulations and approved the recommended risk rating of Green.
Financial statements: regularity self-assessment questionnaire
8.1 The Deputy Principal presented the draft Regularity Self-Assessment Questionnaire. The following points were highlighted:
8.1.1 The new requirements stemming from the ONS reclassification had been included and addressed including Managing Public Money.
8.1.2 This was not a new process as it was included in the Audit Code of Practice.
8.2 Governors asked the following questions:
8.2.1 Was there any additional scrutiny needed due to ISO315? ISO315 covered the processes and there was no increased risk assessment.
8.2.2 In terms of evidence, was this consistent with the previous year? There were no significant changes, and nothing had been identified which would require additional evidence. However, further information following reclassification was still being released which meant that this was an evolving document.
8.3 Governors noted the Regularity Self-Assessment Questionnaire.
Report from external auditors
9.1 The External Auditors provided a verbal update. The following points were highlighted.
9.1.1 Everything was in place for the External Auditors to commence with field work. The planning work had been completed and there were no major issues.
9.1.2 The External Auditors were engaged on pensions as the local government scheme was showing a reasonably sized surplus. The College’s Director of Finance was considering what approach should be taken to this.
9.1.3 With regard to the ONS reclassification, there had been some new questions included in the regularity questionnaire. This would also be included in the External Auditors' work on regularity for the first time.
9.2 Governors asked for more details on pensions. There was a material surplus on the pension fund and there were technical considerations around the implications of this. This was a part of a pattern seen for other colleges. It was likely that the surplus would not be fully recognised as it was difficult to recognise this for multi-employer pension funds.
9.3 Governors noted the update from the External Auditors.
Harshad Taylor joined the meeting.
Cyber security and data breaches annual report (including cyber essentials)
10.1 The Director of IT and Director of Governance and Policy presented the Cyber Security and Data Breaches Annual Report. The following points were highlighted:
10.1.1 The College was in a good position regarding cyber security.
10.1.2 NCSC recommended steps and application best practices were followed. The College also kept up to date with what was going on in the industry.
10.1.3 The College received additional support from JANET.
10.1.4 JISC provided DDoS protection by monitoring traffic and blocking anything suspicious.
10.1.5 The College also received alerts around cyber-attacks.
10.1.6 The external process had been strengthened with Multifactor Authentication being introduced for cloud and external services.
10.1.7 The College made full use of the Office 365 security stack. There had also been a trial with Khipu who introduced a 24/7 service to provide alerts and block internal attacks on the server infrastructure. There had only been one alert during the trial which was due to malware in an email.
10.1.8 Boxphish was a monthly training package for staff. It also sent out random phishing emails to staff for training purposes.
10.1.9 By making use of the Office 365 security stack the College could identify the sources of emails and automatically decide what was from a trusted source.
10.1.10 The annual penetration testing had taken place and no major weaknesses had been discovered.
10.1.11 ESFA guidance was followed and the College had achieved Cyber Essentials and CE+. The aim was to achieve CE+ again in 2023/24; however, there was no requirement around introducing MFA for students. Work was underway to find out how this could be done in a way which supported students, especially adults and those with additional learning needs, without affecting teaching and learning.
10.1.12 The College had invested in encrypted back-ups.
10.1.13 Going forward, the College would be looking to strengthen in-house data such as MIS data and data on i-Trent.
10.2 Governors made the following comments:
10.2.1 Cyber Security was one of the top eleven risks for the College. It was good to see such a detailed report.
10.2.2 What was the update on Boxphish training? It was over 90%. The exact figure could be provided to the Audit Committee. A monthly report would be going to directors with details of staff who had not completed the training. This was also monitored by the Digital Strategy Committee.
10.2.3 Student data had been found on a freelance lecturer’s OneDrive. How was it known that this was not happening elsewhere? It was difficult to know, and it was important for everyone who worked for the College to complete data protection training. It was also in their contracts.
10.2.4 The Boxphish learning was a life skill that could be applied in everyday life. Could it be sold to staff as a benefit for their personal lives as well as work? When the Director of IT spoke with staff this was always mentioned.
10.2.5 Was there a timeframe for rolling out MFA to students? There were no action plans yet. The College was talking with other colleges about how this could be implemented. Consideration had been given to offering some students special devices or using conditional access depending on whether a student was on campus or not.
10.2.6 Had the insurers reduced their limit due to students not being required to use MFA? No.
10.2.7 MFA used to require a dongle or similar device. Would this be something that could be considered for some students? This had already been considered and costed.
10.2.8 Data was sent out in a spreadsheet to an incorrect email. What actions were taken? In cases like this the recipient was asked to delete the email which, in this case, they did. A lot of data breaches were down to human error and there were lessons to be learned for the individual and College. Changes had been made to the email system meaning that student names now appeared in capitals to help avoid data being incorrectly sent to students. Staff could also opt into a group which was barred from emailing students to further help avoid this happening.
10.2.9 Why were attachments not encrypted with passwords? This was something worth considering. The College was trying to move away from attachments and towards sending links although with external organisations this could be difficult. The College was also trying to promote sending links to cut down on its carbon footprint.
10.3 Governors noted the Cyber Security and Data Breaches Annual Report.
Harshad Taylor left the meeting.
Committee Self-Assessment
11.1 The Director of Governance and Policy presented the Committee Self-Assessment. The following points were highlighted:
11.1.1 The areas for improvement were around how the committee developed and made use of the new Risk Register.
11.1.2 It was also important to continue to horizon scan. There had not been any recent reports from the FE Commissioner, but these would be brought to the committee when they were available along with other useful documents.
11.1.3 Ofsted would expect governors to be able to identify the College’s strengths and weaknesses. There was a briefing paper for governors which would be updated following the self-assessment process.
11.1.4 Achievement data would be brought back to the next meeting.
11.1.5 Some more development sessions would take place in 2023/24. The first one would be a Finance Masterclass followed by a session on T Levels and a safeguarding session. Governors were invited to suggest other development session ideas.
11.2 Governors asked the following question:
11.2.1 What was happening with the Governance Improvement Action Plan? This was being monitored by the Search and Governance Committee. Corporation had looked at it at the end of last year.
11.3 Governors noted the Committee Self-Assessment.
Any other business
12.1 There was no further business.
Report on gift/goods received by college staff
13.1 Governors noted the report on Gift/Goods Received by College Staff.
Report on ELT expenses
14.1 Governors commented that the amounts seemed very low. Travel tickets might be paid for on purchasing cards; however, ELT expenses had historically been quite low.
14.2 Governors noted the report on ELT Expenses.
Dates and times of future meetings
22 November 2023
20 March 2024
5 June 2024