Audit Committee Minutes 5 June 2024

Audit Committee Minutes 5 June 2024

Corporation and Committee Minutes

Minutes of a meeting of the board of Leicester College Corporation:

Held on 5 June 2024

Present: Zubair Limbada (Chair), Neil McDougall, Tom Wilson, Roger Merchant, Louisa Poole

In Attendance: Shabir Ismail* - Deputy Principal, Louise Hazel - Director of Governance and Policy, Mark Dawson - KPMG, Lisa Smith - RSM, Deborah Donnarumma** - Vice Principal, Harshad Taylor** - Director of IT, Matt Widdowson (Minutes)* - Governance and Policy Officer

*item 4 onwards

**item 5

***item 8

  1. Declaration of Interest

    • 1.1 There were no declarations of interest.

  2. Apologies for absence

    • 2.1 No apologies were received.

  3. Confidential - pre-meeting with auditors

  4. Minutes and matters arising from the last meeting held on 20 March 2024

    Shabir Ismail and Matt Widdowson joined the meeting.

    • 4.1 Minutes of the meeting held on 20 March 2024

      • 4.1.1 The Minutes of 20 March 2024 were agreed as an accurate record and approved.

    • 4.2 Confidential Minutes of the meeting held on 20 March 2024

      • 4.2.1 The Confidential Minutes of 20 March 2024 were agreed as an accurate record and approved.

    • 4.3 Action Record

      • 4.3.1 Governors made the following commet:

        • 4.3.1.1 Many of the action have “...to follow up later in the year” written in the progress column. For actions 6.2.4 and 6.2.17, it was for governors to decide whether these were required. Actions 10.2.6 and 11.2.3 were included in the workplan.

    • 4.4 Governors noted the Action Record.

      Debi Donnarumma joined the meeting.

  5. Apprenticeships Update

    • 5.1. The Vice Principal, Study Programmes and Apprenticeships, presented an update on apprenticeships. The following points were highlighted.

      • 5.1.1.  The College had completed an internal audit and further audits would be taking place biannually to test compliance.

      • 5.1.2.  Testing had been based on the findings of the Internal Auditor’s audit. One of the main issues had been that progress reviews had not been taking place within the specified 12-week period. This had been due to staffing issues. Overall, the staffing situation had improved, but there were still issues in some areas.

      • 5.1.3.  Another issue was that there was a need for a single-source automated system. The College used several different systems which required staff to manually collate and enter data. This meant that there was the potential for data errors and was time consuming for staff. A new single system would provide more confidence in the College’s ability to internally track and monitor all the elements for which there was the potential for clawback.

    • 5.2. Governors made the following comments.

      • 5.2.1.  Was an internal system currently being used, or did the College rely on applications such as Excel? The College used an external system called Smart Assessor for which data from other sources was currently required. The aim would be to dump all data in a data lake and use Power BI for reporting. There had already been some progress with the funding data. The sources of data were being mapped out.

      • 5.2.2.  This should enable to the quality of the data to be checked.

      • 5.2.3.  Would the new system have enough flexibility to adapt to future changes? There would be changes in the future. The DfE was reviewing the whole apprenticeships process as it had recognised that the level of complexity had led some providers and employers to pull out of offering apprenticeships.

      • 5.2.4. It was good to see that the College was able to do its own tests against the criteria and that no further issues were identified was reassuring. RSM commented that progress reviews did not result in funding error clawback unless it could not be demonstrated that they had not been planned, however, the accountability framework did include progress reviews.

      • 5.2.5.  It was important to first ensure that systems were robust before focusing on the human element in processes. Ultimately, this was not about the money, but, instead, about providing students with the best experience. Agreed. There were differing opinions over assigning a funding value to progress reviews; but this did not mean that they were not important. This would be an issue that Ofsted would pick up on.

      • 5.2.6.  Was the incorrect draw down of funding mentioned in paragraph 4.1.2 a data quality issue or a training issue? This was due to data coming from different sources. The sample included two or three examples of where the incorrect date had been entered when the data had been transferred from the original source.

    • 5.3 Governors noted the Apprenticeships Update.

      Debi Donnarumma left the meeting.

  6. External Reviews

    • 6.1 Article 127 ESF co-financing

      • 6.1.1. The Deputy Principal presented the A127 16-18 Match Funding Audit. The following points were highlighted.

      • 6.1.1.1. This was one of the several ad-hoc audits carried out by the ESFA. 16-18 Apprenticeships Match Funding had been selected for an audit for the period of 2015/16 through to 2018/19.

      • 6.1.1.2. The audit required all the evidence for each sample. One enrolment form had not been signed. The College had been able to demonstrate that this particular student had participated and completed. In usual circumstances, alternative evidence would be provided, but this was not acceptable for the A127 audit. The College had attempted to contact the student, but this had not been possible.

      • 6.1.1.3. The ESFA attributed £7,199.42 in funding error to this sample from which it extrapolated a clawback of £24,657.26.

      • 6.1.1.4. This was raised with the ESFA and, although the agency had been sympathetic, it was decided that this would not be challenged any further..

      • 6.2.1 Governors made the following comments.

        • 6.1.2.1. Had the outcome and implications of the audit been communicated to staff? This error was from a period when the process had been paper-based. The College had since gone electronic which meant that this error should no longer arise.

        • 6.1.2.2. Could the sample size be expanded to cover a four-year period with in-scope funding of around £8 million? Correct. The sample size could have been expanded if the ESFA had been more concerned about their findings. The figure of £24k had been extrapolated from the £8m figure.

        • 6.1.2.3. Had this money been clawed back? The amount had been taken out of the allocation.

        • 6.1.2.4. How long could the audits go back for? The ESFA was able go as far back as it wished.

        • 6.1.2.5 Communication was important. £24k would be a lot of money in terms of a single member of staff or a student. There had been a material impact on the College from this one document not being signed. Noted.

      • 6.1.3 Governors noted the Article 127 ESF co-financing audit and agreed the risk rating of Green.

  7. External audit plan for year ending 31 July 2024

    • 7.1. The External Auditor presented the audit plan for year ending 31 July 2024. The following points were highlighted.

      • 7.1.1.  The approach would be consistent with the previous year. There would be no change in scope and the updates to the Accounts Direction had been minimal.

      • 7.1.2.  There would be the same significant risks as last year: local government pension scheme, management override of controls, and revenue recognition.

      • 7.1.3.  Going Concern would continue to be included. There would also be a risk around environmental sector wide pressures on incomes and costs.

      • 7.1.4.  There would also be a risk around the breach of bank covenants.

      • 7.1.5.  As with previous years, there would be a hybrid of onsite and remote working.

      • 7.1.6.  The External Auditor was fully independent.

    • 7.2.  The Deputy Principal confirmed that the College had received a covenant waiver from the bank.

    • 7.3.  Governors made the following comments.

      • 7.3.1.  The materiality limit of £1.2m seemed high. This was based on the formula for non-commercial organisations and calculated from the total revenue. A benchmark had been set and between 1-3% was taken based on a risk assessment of factors such as previous errors, the control framework, stakeholder interest in the accounts and environmental factors. This number would influence the sample size.

      • 7.3.2.  It was good to see that the College was not expecting a clawback.

      • 7.3.3.  The news about the covenant waiver was welcome.

      • 7.3.4.  On the point about the Local Government Pension Scheme, one on the Accounts Directions was around the recognition of surplus. This effectively meant that no surplus would be recognised.

      • 7.3.5.  Were there new tests for the Management of Public Money? This had not had a significant impact on regularity testing. There were certain transactions which the College might undertake which would require DfE approval which would be checked during the audit.

      • 7.3.6.  Was there any overlap with the Financial Regulations? These had already been updated.

      • 7.3.7.  The fees were around 6% higher than last year. This had been agreed some year ago and reflected inflationary pressures while being cognisant of the pressures on the College.

      • 7.3.8.  There had previously been follow through on observations from the previous year. There had been none this year. This was correct.

      • 7.3.9.  Page 22 discussed the impact of uncertainty. Was this something that would be expected of an FE College? This was just an encouragement in the direction of transparency.

      • 7.3.10.  Was the use of IT becoming a major element in the approach taken? A range of software underpinned the approach including new data mining tools and AI.

    • 7.4. Governors approved the External Audit Plan for Year Ended 31July 2024.

  8. Internal Audit Reports

    Harshad Taylor joined the meeting.

    • 8.1 IT disaster recovery and business continuity

      • 8.1.1.  The Internal Auditor presented the internal audit report on IT disaster recovery and business continuity. The following points were highlighted.

        • 8.1.1.1. This audit had been carried out by RSM’s Technology Risk Assurance Team.

        • 8.1.1.2. It had been good to see that the College had carried out a wholesale review of the Business Continuity Plan (BCP) and that there were several documented strategies.

        • 8.1.1.3. The audit had also confirmed that insurance was in place.

        • 8.1.1.4. The strategies in the BCP had not yet been tested so there was the possibility that these might need to be reviewed.

        • 8.1.1.5. There had also been single points of failure which had been identified such as reliance on a single member of staff and the need to monitor backups. There was also the need to have documented backup procedures.

      • 8.1.2.  The Deputy Principal and Director of IT responded to the audit. The following points were highlighted.

        • 8.1.2.1. Testing had been carried out in December 2023 and coincided with estates works. This had been successful. However, detailed documentation of plans for this could not be provided to the auditors.

        • 8.1.2.2. Testing would take place again in December 2024 and step- by-step notes would be taken.

          8.1.2.3. Although this report indicated that there was room for improvement, it was not saying that the College would not be able to recover from a IT business continuity event.

      • 8.1.3. Governors made the following comments:

        • 8.1.3.1. Why could this testing not take place over the summer? Summer was one of the busiest periods for back-office staff and the IT team and it was not possible to take down the whole system. Annual testing would take place over the Christmas period.

        • 8.1.3.2. The paper did not mention the test carried out in December 2023. Clarification of what ‘regular’ testing meant. This would be annual.

        • 8.1.3.3. There were a lot of moving parts and it was important to be clear about how elements such as the BCP and IT BCP lined up. An update on the business continuity testing schedule would be brought back to the Audit Committee.

        • 8.1.3.4. This paper did not align with the other assurances received regarding IT. Some of the management responses appeared to be non-descriptive. There must be a plan in place. The Audit Committee would be provided with an action plan for each of the findings along with details of the progress made.

        • 8.1.3.5. It was important to have the processes written down. Agreed.

        • 8.1.3.6. The planning was also important as it could influence the strategic view of what needed to be done with IT.

        • 8.1.3.7. Was the Director of IT comfortable with the next steps which needed to be taken? This report was a snapshot and action had been taken during the intervening period.

      • 8.1.4 Members:

        • 8.1.4.1. Noted the Internal Audit Report on IT Disaster Recovery and Business Continuity and approved the recommended risk rating of Amber.

        • 8.1.4.2. Requested an action plan be brought back reporting on the actions identified in the audit.

          Harshad Taylor left the meeting.

    • 8.2 Governance

      • 8.2.1. The Internal Auditor presented the internal audit report on governance.The following points were highlighted.

        • 8.2.1.1. This year’s deep dive used the new Association of College’s (AoC) Code of Good Governance.

        • 8.2.1.2. There were no management action to be agreed and the internal auditors were satisfied that evidence was available.

      • 8.2.2. Governors ask the following question.

        • 8.2.2.1. Had the AoC Code of Good Governance been adopted?  Corporation had agreed to adopt the Code from the beginning of the next academic year.

        • 8.2.3. Governors noted the Internal Audit Report on Governance and approved the recommended risk rating of Green.

    • 8.2 Follow up

      • 8.3.1. The Internal Auditor presented the follow up report.  The following points were highlighted.

        • 8.3.1.1. This was a follow up on the four reports from 2022/23.

        • 8.3.1.2. Seven actions had been fully implemented and one medium priority action for IT had been restated.

      • 8.3.2. Governors asked the following question:

        • 8.3.2.1. Was the one outstanding item linked to BCP?  This was part of the documenting process.

      • 8.3.3. Members noted the Follow Up Report and approved the recommended risk rating of Green.

  9. Risk Management Progress Report

    • 9.1. The Director of Governance and Policy presented the Risk Management Progress Report.  The following points were highlighted.

      • 9.1.1. This report showed some movement:

        • 9.1.1.1. Risk 1: this had moved as the College had now been through an Ofsted inspection and it was towards the end of the year.  The risk was now below appetite.

        • 9.1.1.2. Risk 3: this had not moved as there was still some actions around cyber security that needed be resolved.

        • 9.1.1.3. Risk 5: this was now within appetite.  Actions around increasing the number of first aiders and fire wardens had been implemented.

    • 9.2. Governors made the following comments.

      • 9.2.1. It was useful to be able to map the movement.

      • 9.2.2. On page 33 both ongoing actions were in different colours.  The first action was nearly complete, while for the second action, the budget had not been agreed for next year.  This was the reason why the actions were in different colours.

      • 9.2.3. Was there a resource question around the IT team?  The directorate had been restructured and given more resources including a new post below the director.  The team was now fully staffed and catching up.

      • 9.2.4. One of the effects of risk 2 was inconsistent service provision.  Based on the discussions at this meeting about staffing and single points of failure in IT, was this risk still set at the right rating?  The single points of failure had been one of the reasons why the EBS project had been started.  There had also been conversations with Apprenticeships to identity pockets of risk.

      • 9.2.5. Has there been any thought given to what the single points of failure were?  Key posts in the organisation were regularly reviewed and backup plans were considered.

      • 9.2.6. Could Risk 6 be lower as all the action have been completed.  It was currently fairly low.  Safeguarding risks could never be removed completely as impacts could be significant.

    •  9.3. Governors noted the Risk Management Progress Report.Internal audit strategy for 2022/23

  10. Risk Management 2024/2025

    • 10.1 RSM Briefing: Emerging Risk Radar

      • 10.1.1. The Internal Auditors presented the emerging risk radar. The following points were highlighted.

        • 10.1.1.1. The Risk Radar was based on the results of a questionnaire sent to RSM clients and was not sector specific.

        • 10.1.2. Governors noted the Emerging Risk Radar.

    • 10.2 RSM Briefing: FE Risks and Opportunities

      • 10.2.1. Governors made the following comments:

        • 10.2.1.1. This provided a barometer which helped the Audit Committee to be aware of what had not been thought of before.

        • 10.2.1.2. The Search and Governance Committee would consider issues around maintaining board member capacity.

        • 10.2.1.3. The issue around changing weather patterns had been quite interesting.

        • 10.2.1.4. As the Audit Committee did not score risk, to what extent did the committee need to worry about this?  This committee was the forum for challenging the risk scoring.  These documents would also provide assurance that ELT were considering the correct issues.

      • 10.2.2. Governors noted the briefing on FE Risks and Opportunities

    • 10.3 Risk Management 2024/2025

      • 10.3.1. The Director of Governance and Policy presented the approach to risk management for 2024/25.  The following points were highlighted.

        • 10.3.1.1. ELT had reviewed the strategic risks and considered that these were still correct.  There was no themes that were considered to be missing. There were some emerging risks and subtleties within the strategic risks which were further highlighted.

        • 10.3.1.2. The impact of climate change on costs and access to services were covered by other risks such as business continuity and financial risks.  The Audit Committee would need to decide if they were satisfied by this being weaved into existing risks.

        • 10.3.1.3. Artificial Intelligence was covered both in terms of potential negative and positive impacts.

        • 10.3.1.4. Qualification Reform had the potential to be a significant issue over the next few years.

        • 10.3.1.5. Geopolitical issues were picked up under Risks 4 and 7.

        • 10.3.1.6. A potential merger would be covered by Risk 8, although should the College decide to go down this route, a separate risk register might be necessary.

        • 10.3.1.7. There was no change to the Risk Policy.

        • 10.3.1.8. There was no change to the Risk Appetite Statement.

      • 10.3.2. Governors made the following comments.

        • 10.3.2.1. This was a key piece of work and governors needed to be comfortable with it.  There needed to be three lines of assurance and it was important that there were not any gaps. The Audit Committee also needed to be aware of what assurances should be requested.

        • 10.3.2.2. This was the right set of strategic risks, although they could be revisited.

        • 10.3.2.3. With regards to Risk 7, would there be a benefit from conducting an internal audit review of the financial planning and forecasting process?  With a potential merger there would be the need to ensure financial stability.  However, it might not be the right time to do this, and this suggestion could be revisited in 12 months.  During the Corporation meeting which would review the accounts, a management presentation could be given on the assessment of the current position and forecast.

      • 10.3.3. Governors agreed to recommend the Risk Appetite Statement, Risk Assurance Map and Risk Register to Corporation for approval. 

  11. Internal Audit Plan 2024/2025

    • 11.1. The Internal Auditors presented the Internal Audit Plan for 2024/25.  The following points were highlighted.

      • 11.1.1. The Estates Project Management work would be looking at all the projects which were underway.

      • 11.1.2. 2024/25 would be a light touch year for the governance processes.

      • 11.1.3. The Risk Management Deep Dive would look at the embedding of the risk management framework and conduct a deep dive into health and safety risk.  The internal auditors would seek to confirm that the controls and sources of assurance were in place for health and safety.

      • 11.1.4. ESFA funding rule compliance was a key risk for all colleges.  A funding stream had not yet been identified for an internal audit although it may be that the focus is on the adult skills fund.  This would be confirmed to the Audit Committee.

      • 11.1.5. There was a delay in drawing down funds for apprenticeships due to a delay in EPAs.  This would be the focus of the work around student outcomes and completions.

      • 11.1.6. The fee for 2024/25 would be £28.5k and the plan would be flexible.

    • 11.2. Governors asked the following questions:

      • 11.2.1. Would procurement and contracting form part of the estates work?  The tendering process and contract management could be included.

      • 11.2.2. Why would there be a focus on health and safety?  This had not been looked at recently.

      • 11.2.3. Would the internal auditors be looking at general IT controls?  This was not usually done as part of the reviews.  However, there was a wholesale look at IT.

      • 11.3. Governors approved the Internal Audit Plan for 2024/2025.

         

  12. Terms of Reference and Workplan 2024/2025

    • 12.1. The Director of Governance and Policy presented the Terms of Reference and Workplan for 2024/25. The following points were highlighted.

      • 12.1.1. There were no changes to the Terms of Reference.

      • 12.1.2. The workplan was flexible and could be changed throughout the year.

    • 12.2. Governors approved the Terms of Reference and Workplan for 2024/25.

  13. Any other urgent business notified to the Chair prior to the meeting

    • 13.1. There was no further business.

  14. DFE Guidance: Post 16 Audit Code of Practice, Accounts Directions and Financial Handbook.

    • 14.1 Governors noted the Post 16 Audit Code of Practice, the Accounts Direction and the Financial Handbook.

  15. Dates and times of future meetings

    • 25 September 2024

    • 19 November 2024

    • 19 March 2025

    • 4 June 2025