Audit Committee Minutes 25 September 2024

Corporation and Committee Minutes

Minutes of a meeting of the board of Leicester College Corporation:

Held on 25 September 2024

Present: Zubair Limbada (Chair), Neil McDougall, Tom Wilson, Roger Merchant

In Attendance: Louise Hazel - Director of Governance and Policy, Jane Parkinson - Acting CFO, Mark Dawson* - KPMG, Lisa Smith - RSM, Harshad Taylor** - Director of IT, Matt Widdowson (Minutes) - Governance and Policy Officer

*via MS Teams

**items 4 and 5

  1. Declaration of Interest

    • 1.1. There were no declarations of interest.

    • 1.2. The Director of Governance and Policy provided an update on the Principal. The following points were highlighted.

      • 1.2.1. The Principal was on long-term sick leave and would be away from the College for some time. Colleagues, including the Chair of the Corporation, were continuing to visit the Principal. 

      • 1.2.2. Interim arrangements were in place with Shabir Ismail as Acting Principal, Jane Parkinson as Acting Chief Financial Officer, and the Director of Governance and Policy assuming line management responsibility for the directors of IT, MIS, and Estates.

    • 1.3. The Audit Committee asked for their best wishes to be sent to the Principal.

  2. Apologies for absence

    • 2.1. Apologies were received from Louisa Poole.

    • 2.2. The Acting Chief Financial Officer was welcomed to the meeting and introductions were made.

  3. Minutes and matters arising from the last meeting held on 25 September 2024

    • 3.1. Minutes of the meeting held on 5 June 2024

      • 3.1.1. The minutes of 5 June 2024 were agreed as an accurate record and approved.

    • 3.2. Confidential minutes of the meeting held on 5 June 2024

      • 3.2.1. The Confidential Minutes of 5 June 2024 were agreed as an accurate record and approved.

    • 3.3. Action Record

      • 3.3.1. The Director of Governance and Policy presented the Action Record. The following points were highlighted.

        • 3.3.1.1. There were still two items from 20 September 2024 (6.2.4 and 6.2.17) which remained open on the Action Record should they need re-visiting.

        • 3.3.1.2. The AI Working Group item had been moved to the Corporation workplan.

        • 3.3.1.3. A business continuity testing schedule had been included with the Action Plan for information.

      • 3.3.2. Governors asked the following questions.

        • 3.3.2.1. What was the lockdown test? The lockdown procedure was in place so that incidents, such as a dangerous individual being on site, could be managed. The College had installed a lockdown alarm system. While code 1 and code 2 tests had taken place, there had yet to be a test of the lockdown alarm system. 

        • 3.3.2.2. When considering whether there should be another risk register session for the whole governing body, the question for Corporation would be whether they were satisfied with their understanding of risk, and whether they were happy to leave the detailed work to the Audit Committee. The self-assessment feedback indicated that a refresher could be useful. It would be worth asking governors. This was something that could be done later in the year when the risks were considered for 2025/26, potentially at the away day.

        • 3.3.2.3. It was good governance practice to refresh governors’ knowledge of fraud risk so that this could be kept in their minds when making plans. This could be something which was covered at the special meeting in November 2024. Would it be possible for Roger Merchant to share some of the fraud risk work he was carrying out? Roger Merchant was happy to do this along with input from the External Auditors. The External Auditors highlighted that the Anti-Fraud Checklist, which was provided each spring, was a useful tool for fraud awareness.

        • 3.3.2.4. It was important that information was fed through from committees to the board. Delegating to the Audit Committee was fine, but important issues should not get lost in committees. There was an awareness of the potential for this issue to arise. All financial papers went before the Corporation for this reason. However, it was important to strike a balance and not duplicate work.

        • 3.3.2.5. It was good to see the business continuity testing schedule.

    • 3.4. Governors agreed for the first two items on the Action Record to be marked as complete and added into the agendas for the governor away day and the meeting of the Corporation in November 2024.

    • 3.5. Roger Merchant agreed to share some of the fraud risk work he was conducting elsewhere. The External Auditors would feed into this.

    • 3.6. Governors noted the Action Record.

      Harshad Taylor joined the meeting.

  4. IT Disaster Recovery Internal Audit Action Plan

    • 4.1. The Director of IT introduced himself and presented the IT Disaster Recovery Internal Audit Action Plan. The following points were highlighted.

      • 4.1.1. December was the right time to test the disaster recovery (DR) plan. The test would simulate losing servers at one of the sites and having to switch to working from just a single site. A couple of days would be set aside for this. Once the tests had been completed, the outcome could be shared with the Audit Committee.

      • 4.1.2. With regards to completing the BIA and finalising the Recovery Point Objectives for each critical function, the Director of IT had been working with system owners. The majority of the work had been completed and documents were being finalised. The BIA was being reevaluated in light of the major overhaul of EBS.

      • 4.1.3. Further training was planned. In October 2024 there would be a tabletop exercise, followed by another session in 2025. This would use a ransomware attack as an example.

      • 4.1.4. The IT directorate had several staff who had become experts in certain areas. In addition to this being a possible single point of failure, this also put certain staff members under additional pressure. To ensure that there was knowledge transfer, the entire IT team had taken part in training, demonstrations, and implementations. However, MIS systems remained a concern of the Director of IT.

      • 4.1.5. The College was partnering with external agencies to bring the IT directorate up to speed following the departure of two members of staff.

      • 4.1.6. Backup procedures were in the process of being documented. Once the DR testing had been completed, the documentation would be presented to the Audit Committee.

      • 4.1.7. The October 2024 training session with Jisc would provide a good opportunity to review the IT Business Continuity Policy.

    • 4.2. Governors made the following comments.

      • 4.2.1. What were RTO and RPO? RTO was Recovery Time Objective and was how long a system owner could wait for a system to be restored – this differed between systems and could change depending on the time of year. RPO was Recovery Point Objective and was the time between backups.

      • 4.2.2. Was RTO and RPO negotiated with different departments? Different system users had different requirements. The IT team would present the best-case scenario. Cloud hosted systems would benefit RTOs and RPOs.

      • 4.2.3. Did system users understand RTOs and RPOs? The IT directorate would explain these to system owners. Difficulties occurred when a system had no ‘official’ owner, and a system owner had to be identified.

      • 4.2.4. Which were the most difficult systems with regards to RTOs and RPOs? HR and MIS were the most difficult. For example, MIS systems were recording attendance for every lesson so a log file was required which would note all transactions. This had to be backed up every 15 minutes.

      • 4.2.5. The fibre link had been highlighted as a potential single point of failure. The College would try to avoid a single provider, so would be using Jisc who could use services provided by different suppliers. This did not negate all points of failure; the only way to do this would be to have a separate line from a separate provider which would be an expensive option.

      • 4.2.6. The Internal Auditor highlighted that IT DR and business continuity planning always took a long time as there were lots of moving parts. Based on what the Director of IT had told the committee, it appeared that everything was in hand.

      • 4.2.7. The Director of IT was thanked for producing this action plan which included a good level of detail.

      • 4.2.8. Would these actions form part of the Internal Auditor’s follow-up? They would.

    • 4.3. Governors noted the IT Disaster Recovery Internal Audit Action Plan.

  5. Cyber Security and Data Breaches Annual Report (Including Cyber Essentials)

    • 5.1. The Director of Governance and Policy, and Director of IT presented the Cyber Security and Data Breaches Annual Report for 2023/24. The following points were highlighted.

      • 5.1.1. DDoS was a denial-of-service attack. There had been four attacks on Leicester College, the longest of which lasted for 26 minutes. There had been no downtime resulting from these attacks due to services provided to the College by Jisc.

      • 5.1.2. Boxphish was the monthly cyber awareness training. Simulated phishing emails had been randomly sent to staff and the risk score reflected how they had been responded to. It was good to see that Boxphish had raised awareness among staff.

      • 5.1.3. 54.13% of staff had completed at least one Boxphish module. ELT would be notified of how many staff had not completed the training, and directorates would be asked to chase up members of staff. Boxphish could help identify staff who would benefit from further training.

      • 5.1.4. The system had quarantined seventeen emails and rejected 1,240.

      • 5.1.5. There had been a slight increase in data breaches from the previous year, although set against the overall number of emails sent by the College, this represented a very small number. Most errors were due to human error.

      • 5.1.6. A couple of data breaches had resulted in disciplinary action being taken.

      • 5.1.7. Student email addresses had been capitalised to help staff avoid sending emails to students in error. To further mitigate against data breaches, staff could be added to a group who were barred from emailing students. This would be for staff whose departments did not normally contact students.

      • 5.1.8. The College was also trying to reduce its attack surface by blocking USB sticks for most staff and students. Once new infrastructure was in place, the block would extend to all staff and students.

    • 5.2. The Director of Governance and Policy informed the Audit Committee of a phishing incident.

      • 5.2.1. In August 2024 there had been an incident when an email had been received requesting changes to a staff member’s bank details. This had gone to HR and the changes had been made. It was subsequently discovered that the email had been part of a phishing attack.

      • 5.2.2. A £2,300 payment had been made, of which £1,400 had been recovered by the bank.

      • 5.2.3. As a result, the Director of HR had put in place a two-stage process for authorising future changes.

    • 5.3. Governors made the following comments.

      • 5.3.1. With regards to the phishing incident where a request to change bank details had been received, did the new two-stage authorisation process also apply to supplier bank details? Finance already had a process in place and the Acting CFO received a report prior to payment runs. It was particularly important to make these checks when building projects were underway. 

      • 5.3.2. Were there any cases of emails being quarantined and then requested by a member of staff? Quarantined emails were not deleted and staff could contact IT to obtain them.

      • 5.3.3. Was the College aiming for CE+? The aim was for both CE and CE+.

        The latest iteration of CE+ mandated that all students were put on MFA. Some work was needed to enable students with no other devices to use MFA. UB keys were perhaps an inexpensive option. There would also need to be work on catering for students with additional needs.

      • 5.3.4. CE did not represent a very high bar, so CE+ would be better.

      • 5.3.5. Did having MFA in place for students have an impact on cyber insurance? No, although the insurers had asked whether it was in place for staff.

      • 5.3.6. Had any data breaches been reported to the Information Commissioner’s Office? No. All data breaches had been deemed to be low risk.

      • 5.3.7. Was there a time limit for how long staff could leave their laptops in their cars? There was not.

      • 5.3.8. Why had there been an increase in DDoS attacks in March? It was usual for academic institutions to experience DDoS attacks during term time, as a lot of attacks were internal in origin. This increase was during Easter though. The College used geofencing so that only VPN traffic from the United Kingdom was allowed.

      • 5.3.9. What percentage of staff had not completed any Boxphish training? The Director of IT would provide the exact figure.

      • 5.3.10. Could reminders for completing Boxphish modules be automated? This could be looked at.

      • 5.3.11. This report should probably be considered when the Audit Committee received the next risk update. The External Auditor added that cyber was close to the top of the risk register for most educational institutions.

    • 5.4. Governors noted the Cyber Security and Data Breaches Annual Report for 2023/24.

      Harshad Taylor left the meeting.

  6. Internal Audit Reports

    • 6.1. Annual Report

      • 6.1.1. The Internal Auditor presented the Internal Audit Annual Summary for 2023/24. The following point was highlighted.

        • 6.1.1.1. In terms of conflicts of interest, the annual summary highlighted that work on LSIFs and Turing had been carried out by a separate team, independent of the internal audit.

      • 6.1.2. Governors asked the following questions.

        • 6.1.2.1. Was the follow up action on page 3 important? This related to business continuity and was on the agenda for this meeting.

        • 6.1.2.2. Did anything come out of the LSIF and Turing reports that the committee should be aware of? These were purely factual reports, and no issues had been highlighted.

        • 6.1.2.3. The Internal Auditors were thanked for their work.

    • 6.2. Governors noted the Internal Audit Annual Report.

  7. Strategy for Internal Audit 2024/2025 Update

    • 7.1. The Internal Auditor provided an update on the Strategy for Internal Audit 2024/25. The following points were highlighted. 

      • 7.1.1. All dates for the audit had been agreed. The first one would be for student outcomes and completion, which would start towards the end of October 2024. The last date would be for the follow up in May 2025.

      • 7.1.2. The risk management deep dive and planning meeting had already taken place.

      • 7.1.3. Everything was within plan for delivering the reviews. If there were any changes to the risk profile, then the plan would be reviewed.

    • 7.2. Governors noted the Strategy for Internal Audit 2024/25 Update.

  8. Report from External Auditors

    • 8.1. The Quality Development Manager presented the Achievement Rates for 2023/24. The following points were highlighted.

      • 8.1.1. The overall achievement rate had decreased by 1.5% to 84.8% but was still above the 2022/23 NAR.

      • 8.1.2. There had been a 0.5% increase for 16-18 on the previous year. There had been year-on-year increases for the previous three years. It was still below the NAR by 2.5% and, although it was increasing, it may be increasing too slowly.

      • 8.1.3. The adult achievement rate decreased by 2.1% to 87% which was the same as the NAR. Adult numbers were significantly higher than 16-18 which was why this had a larger impact on the overall rates.

      • 8.1.4. There had been particular types of qualification which had seen declines, including certificates, ESOL and non-regulated. These were concentrated in particular programme areas such as Community Learning. There had been changes in Community Learning over the previous year which had meant moving away from ‘hobby courses’ towards tailored learning for adults.

      • 8.1.5. T Level pass rates had declined, and retention was below the NAR by 5%. This was most significant for on-site construction, building services and engineering manufacturing. There needed to be a conversation about whether T Levels were the right qualification for construction. There was also an issue around employers employing students during their work placements before they could finish their qualification.

      • 8.1.6. English GCSE declined by 6.4% from the previous year, while maths GCSE remained stable at 30.2%. When compared using MiDes, the College fared well in terms of English and maths outcomes.

      • 8.1.7. In terms of equality indicators, there were not any major variations, although, when broken down by age, mixed heritage students performed less well than other students. This would be in the QIP.

      • 8.1.8. Apprenticeship achievement was down by 3.2% to 52.4%, which was 5.4% below the NAR. When broken down by equality indicators, female apprentices were outperforming male apprentices. This was due to areas with predominately female apprentices such as Hair and Beauty seeing a significant increase in achievement compared to predominately male populated areas such as building, construction and engineering.

    • 8.2. Governors made the following comments.

      • 8.1. The External Auditor provided a verbal report. The following points were highlighted.

        • 8.1.1. The final fieldwork would commence in the coming week.

        • 8.1.2. There had been conversations with the Acting Principal and Acting CFO regarding planning.

        • 8.1.3. Since the plan had been presented to the Audit Committee in June 2024, there had been no changes in terms of the risk assessment.

        • 8.1.4. Work had been undertaken looking at teacher retention for the Teachers’ Pension Scheme. No significant issues had been identified.

      • 8.2. Governors asked the following question.

        • 8.2.1. Was the Finance Team ready for the audit? They were.

      • 8.3. Governors noted the report from the External Auditor.

  9. External Reviews

    • 9.1. ESFA Earnings Adjustment Statement Audit

      • 9.1.1. The Director of Governance and Policy presented the ESFA’s Earnings Adjustment Statement Audit. The following point was highlighted.

        • 9.1.1.1. This letter was regarding the online manual claim.  There were no issues highlighted.

      • 9.1.2. Governors made the following comments.

        • 9.1.2.1. Staff were thanked for their work on this.

        • 9.1.2.2. It was good to see this letter.

      • 9.1.3. Governors noted the ESFA Earnings Adjustment Statement Audit and approved the recommended risk rating of Green.

    • 9.2. Carers’ Federation Accreditation

      • 9.2.1. The Director of Governance and Policy presented the Carers’ Federation Accreditation. The following point was highlighted.

        • 9.2.1.1. The accreditation was not a requirement. Instead, it was a quality mark which the College had decided to apply for.

      • 9.2.2. Governors made the following comments.

        • 9.2.2.1. Why had accreditation been sought? The quality mark was sought as it was thought that it would help to encourage students to access support. Leicester College was the only college in Leicestershire to receive accreditation.

        • 9.2.2.2. The team was congratulated for their work on this.

        • 9.2.2.3. These were the kinds of reports which should be included in the annual report to provide a broader picture of the Audit Committee’s work.

      • 9.2.3. Governors noted the Carers’ Federation Accreditation and approved the recommended risk rating of Green.

  10. Financial Statements: Regularity Self-assessment Questionnaire

    • 10.1. The Acting Chief Financial Officer presented the draft Regularity Self-Assessment Questionnaire. The following points were highlighted.

      • 10.1.1. The questionnaire was published annually by the ESFA and looked at the policies and procedures in place to fulfil the accountability requirements.

      • 10.1.2. There had been a lot of changes in the previous year following reclassification. This year’s questionnaire was similar to last year’s.

      • 10.1.3. The questionnaire was used to underpin the External Auditor’s work, and no concerns had been raised at this stage.

    • 10.2. Governors made the following comments.

      • 10.2.1. Did this form part of the audit work on regularity? The External Auditor provided a limited assurance opinion on regularity to state that nothing had come to their attention. The questionnaire was a key part of the evidence which helped form this opinion.

      • 10.2.2. It was noted that the declaration needed to be signed by the accounting officer and Corporation Chair.

      • 10.2.3. Regarding the approval of senior pay, the intent of the question appeared to be for control over all senior pay over £150,000. However, it appeared that the College’s interpretation was that this was only for new recruits. The DfE were looking to control all pay awards and recruits over £150,000. The guidance stated that pay awards could be made up to 9%.

      • 10.2.4. It sounded like senior pay was within the rules. However, the wording should be changed to make this clear. This could be amended to make it clear.

      • 10.2.5. From time to time there may be a change of responsibilities which meant that senior pay was increased for an individual which would need to be approved by the DfE. Agreed; this was currently in hand.

    • 10.3. Governors approved the draft Regularity Self-Assessment Questionnaire, subject to the agreed amendment.

  11. Audit Committee Self-assessment

    • 11.1. The Director of Governance and Policy presented the results of the Committee Self-Assessment. The following points were highlighted. 

      • 11.1.1. The Audit Committee were thanked for their comments.

      • 11.1.2. The feedback had been positive.

      • 11.1.3. One of the areas for improvement included the committee’s membership. A new governor had been recruited and would be joining the committee in time for the next meeting.

      • 11.1.4. The comment about rotating membership had been noted. In an ideal situation membership would rotate. However, due to the number of vacancies, the aim had been to provide stability for committees.

      • 11.1.5. The comment about providing updates between meetings had also been noted.

    • 11.2. Governors made the following comments.

      • 11.2.1. Could other governors observe the Audit Committee? This had been a helpful suggestion. One of the staff governors would be observing a meeting of the Audit Committee. It would also be useful for Finance and General Purposes Committee and Audit Committee members to observe each other’s meetings.

      • 11.2.2. Having updates between meetings would be useful for pressing issues. It might also help to ensure that issues were followed up on. Noted.

      • 11.2.3. It was important that the Audit Committee membership have a wide range of backgrounds and skills, and not just finance.

    • 11.3. Governors noted the outcome of the self-assessment process and commented on further actions which should be included in the Governance Improvement Action Plan and/or the Committee’s Workplan.

  12. Any other urgent business notified to the chair prior to the meeting

    • 12.1. There was no further business.

  13. Report on ELT Expenses

    • 13.1. Governors noted the Report on ELT Expenses.

      • 13.1.1. The expenses looked unreasonably low. The Acting CFO needed to be satisfied that all expenses were being captured. This had been raised at last year’s meeting. This year, travel and accommodation paid for on both card and invoice were included. It should also be highlighted that MS Teams had made travel less frequent.

      • 13.1.2. Could hotels be paid for without prior approval? Card holders were able to purchase up to a limit of £500. Finance then checked to ensure that accommodation was paid for in line with policy. This report had captured ELT expenses which had been paid for by card.

      • 13.1.3. ELT were senior people who needed flexibility.

      • 13.1.4. One of the risks which organisations faced was the potential for senior executives to use their influence to get more junior staff to use their cards. How could this be checked for? All staff’s travel costs were checked by Finance.

      • 13.1.5. How many card holders were there? The College had around a hundred card holders. However, there were certain categories of spend which were blocked, such as the withdrawal of cash.

  14. Report on Gifts/Goods Received by College Staff

    • 14.1. Governors noted the Report on Gifts/Goods Received by College Staff.

      • 14.1.1. A smaller number of gifts and goods had been received this year. The policy around receiving gifts/goods had been made clear to staff.

  15. Dates and Times of Future Meetings

    • 19 November 2024

    • 19 March 2025

    • 4 June 2025