Audit Committee Minutes 24 September 2025
Minutes of a meeting of the board of Leicester College Corporation:
Held on 4 June 2025
Present: Zubair Limbada (Chair), Neil McDougall*, Tom Wilson, Roger Merchant, Vipal Karavadra
In Attendance: Louise Hazel (Director of Governance and Policy), Jane Parkinson (Acting CFO), Harshad Taylor† (Director of IT), Lindsay Jones†† (Director of MIS), Shabir Ismail‡ (Principal and CEO), Mark Dawson*§ (KPMG), Lisa Smith*§ (RSM), Matt Widdowson (Minutes) (Governance and Policy Officer)
*by Teams
† present for item 4
†† present for item 8
‡ present for item 9
§ present for all items except for item 12
Declaration of Interest
1.1 KPMG and RSM declared an interest in item 12 and would be leaving the meeting while this was discussed.
1.2 Vipal Karavadra noted his recent appointment as a trustee of Leicester Riders.
Apologies For Absence
2.1 No apologies had been received.
Minutes and matters arising from the meeting held on 4 June 2025
3.1 Minutes of the meeting held on 4 June 2025
3.1.1 The Minutes of 4 June 2025 were agreed as an accurate record and approved.
3.2 Confidential minutes of the meeting held on 4 June 2025
3.2.1 The Confidential Minutes of 4 June 2025 were agreed as an accurate record and approved.
3.3 Action Record
3.3.1 Governors made the following comments.
3.3.1.1 Action 4.2.6: Consideration to be given to an escalation process. Each committee would be provided with details of their own risks which was, in effect, an escalation process.
3.3.1.2 It would be useful to add a RAG rating to items such as green for complete, and amber for in progress. Dates could also be added where relevant. Noted.
3.3.1.3 Action 4.2.7: Clarification around CE+. The Director of IT would be able to provide an update to this meeting.
3.3.1.4 Action 6.2.2: Consideration of a review of mental health and wellbeing. This was not yet in the current year’s plan, but once the staff survey was complete this could be included.
3.3.1.5 Did completed items drop off the next Action Record? Yes.
3.3.1.6 In the previous meeting there had been an action to make an explicit statement around going concern. This will be added to the finance reforecasts.
3.3.1.7 ECCTA
3.3.1.7.1 Action 13.1.2: Review of Fraud Policy to ensure it is in line with ECCTA. This had been taken to Corporation for approval. Additionally, there had recently been some new ECCTA guidance for colleges which would need to be reviewed.
3.3.1.7.2 A key aspect of ECCTA had been the focus on ‘associated persons’. The College needed to look at this to find out who could be in this category.
3.3.1.7.3 ECCTA also raised issues around fraudulent activity where the organisation was the beneficiary. This needed to be understood from the College’s perspective and policies updated to protect against this type of fraud. It would be useful to look at each of ECCTA’s six principles and reflect on what mitigations might already be in place and whether the College had taken all reasonable steps. A fraud review was in the internal audit plan and scheduled for January 2026. This would provide some further assurance. It was important to note that having reasonable procedures in place was the only legal defence available for an organisation. It would be important to read the guidance.
3.3.2 Governors noted the Action Record.
Cyber and Data Security Annual Report
4.1 The Director of IT and Director of Governance and Policy presented the Cyber and Data Security Annual Report.
4.1.1 Over the last twelve months there had been no attempted DDoS attacks.
4.1.2 There had also been work undertaken to strengthen the College’s cyber security posture.
4.1.2.1 Geofencing had been introduced to reduce attempts by people outside the country to log into Office 365.
4.1.2.2 Multifactor authentication had also been introduced for students, which had received positive feedback. Staff using a VPN at home also used multifactor authentication and work was underway to push more third-party users to follow suit.
4.1.2.3 The College was looking at using a security operations centre which would monitor the College’s IT around the clock.
4.1.3 Boxphish uptake had risen. However, since the previous report the average risk score was now in amber. Information would be provided to SLT on staff who had been identified as requiring more training and support.
4.1.4 Regarding the issue of the College’s Dell infrastructure not being supported, the equipment was at the end of its life and the last security patch had been received in June 2024. The College was still CE compliant as there were no live loopholes. However, if the hardware failed there would be no off-the-shelf replacement parts available.
4.1.5 The College continued to have a number of data breaches, which, when compared to the overall volume of emails, was minimal. Two breaches had been reportable due to the sensitivity of the data. The ICO had been satisfied with the College’s response to the data breaches.
4.1.6 The Director of Governance and Policy continued to provide data protection training to teams.
4.1.7 A new Office 365 rule would require approval for sensitive information being emailed out. A trial of this rule had taken place in SAIL.
4.2 Governors made the following comments.
4.2.1 Was there a risk around parts for the Dell infrastructure not being available off-the-shelf? There were vendors who had said that they would be able to support us, but there were no agreements in place. Some of the new equipment was already on site and the transfer would begin during the half term break and would be completed by the end of the year. The mitigations were that this was only temporary and, while maybe expensive, parts could be sourced.
4.2.2 It appeared that suppliers’ access to systems had been a common vector for ransomware attacks elsewhere. This was on the IT team’s radar. Suppliers were currently sent a questionnaire prior to being given access to seek assurance. This included confirming they were CE compliant. CE was not an acceptable standard; it should be CE+. Agreed.
4.2.3 The 94% completion of data protection training was good to see. The figures were always skewed by agency staff and staff who did not use a computer as part of their daily work.
4.2.4 Did agency staff receive a College account and was there a system for closing these accounts when they left? The IT team relied on HR informing them that someone had left the College. When an account was requested, the expectation was that HR would provide an expected end date although this was not always the case. The team were looking at a system which would identify users who had not logged in for a period of time, so that their accounts could be closed. Additionally, JISC would also notify the College of any accounts being sold on the dark web. Perhaps a list of users who did not use their account for a period of time could be sent to HR to check whether they were still at the College.
4.3 Governors noted the Cyber and Data Security Annual Report.
Internal Audit
5.1 Annual Summary Report
5.1.1 The Internal Auditor presented the Annual Summary Report. The following points were highlighted.
5.1.1.1 The Audit Committee had rated four issues as green and two issues as amber. The issues rated amber were ESFA funding compliance and the Follow Up.
5.1.1.2 The Internal Auditors had not provided a formal audit opinion.
5.1.2 Governors made the following comments.
5.1.2.1 Could the colours green and amber be added into the report? Noted.
5.1.2.2 It would be useful to know the reason why an action was not implemented. The action was superseded by events. This would be confirmed.
5.1.2.3 It was important to highlight that this was a summary and that, although this report could look superficial, these issues had already been discussed in detail by the Audit Committee.
5.1.3 Governors noted the Annual Summary Report and agreed the recommended risk rating of Green.
5.2 2025/26 UPDATE
5.2.1 The Internal Auditor provided a verbal update. The following points were highlighted.
5.2.1.1 The fieldwork dates had been agreed.
5.2.1.2 There would be two reviews before the end of the calendar year including a review of safeguarding and a review around compliance with the Financial Handbook.
5.2.1.3 Everything was on track.
5.2.2 Governors noted the verbal update on 2025/26.
Report from the External Auditors
6.1 The External Auditor provided a verbal report. The following points were highlighted.
6.1.1 Preparations were underway for commencing fieldwork and dates had been agreed with the Acting CFO.
6.1.2 No issues had arisen from the early testing of ESFA funding which had taken place over the summer.
6.1.3 There were no changes to the audit plan as presented at the June 2025 meeting.
6.1.4 Publication of the SORP was due by the end of September 2025 although it would not be effective until 2026/27.
6.2 Governors made the following comments.
6.2.1 Was the Acting CFO happy with the updates to SORP? Yes.
6.2.2 Were there any emerging issues in the sector? Nothing new was coming through from audits. Financial sustainability, changes to government policy and pensions continued to be strong themes.
6.3 Governors noted the Report from the External Auditors.
Confidential Item - Whistleblowing
7.1 The Acting Chief Financial Officer presented the Regularity Self-Assessment Questionnaire. The following points were highlighted.
7.1.1 This questionnaire was published annually by the DfE and asked about the policies and procedures in place to ensure compliance with accountancy standards and the Financial Handbook.
7.2 Governors made the following comments.
7.2.1 Who would read this? Although the questionnaire did not need submitting to the DfE, the External Auditors would read it.
7.2.2 Was the questionnaire in the same format every year? The questionnaire changed when FE colleges were reclassified as being in the public sector but it had not changed since.
7.2.3 Would the internal auditors look at this? Their review would be around compliance with the financial elements rather than governance elements.
7.2.4 Next year’s questionnaire might see the addition of some of the elements of ECCTA.
7.2.5 Where would this questionnaire go next? It would go before the F&GP Committee for approval.
7.3 Governors approved the Regularity Self-Assessment Questionnaire.
External Reviews
Lindsay Jones joined the meeting.
8.1 NCFE INVESTIGATIONS REPORT
8.1.1 The Director of MIS presented the NCFE Investigations Report. The following points were highlighted.
8.1.1.1 MIS had been working with the Quality Team and curriculum area following two incidents in 2025/26.
8.1.1.2 The Exams Team had notified the individuals concerned.
8.1.1.3 The Quality Team had updated policies as per the required actions.
8.1.1.4 Work with the IT team was underway to rework student accounts to ensure that they were secure.
8.1.2 Governors made the following comments.
8.1.2.1 The appendix suggested that the date by which compliance should be evidenced was Friday 26 September 2025. The new policies were being finalised before being sent to NCFE before the deadline. Governors requested an update on the outcome of this.
8.1.2.2 Had these errors occurred before? No. These were the first instances.
8.1.2.3 One of the incidents involved a student at an employers’ workplace. It would be necessary to strengthen communications with employers around the expectations when handling assessment papers.
8.1.2.4 Had this been the only instance of an employer losing papers? Yes, and fortunately special considerations were taken into account for the student.
8.1.2.5 How did the IT incident occur? The curriculum area had been invigilating and there had been an administrative oversight by a member of staff. An investigation found that no plagiarism had occurred, so the papers were allowed to go through.
8.1.2.6 Would the 12-month sanction stay in place? The sanction would be in place until 26 August 2026.
8.1.3 Governors noted the NCFE Investigations Report.
8.1.4 Governors requested an update on the outcome of the revised policies being submitted to NCFE.
8.1.5 Governors requested further updates throughout the academic year.
Lindsay Jones left the meeting.
Whistleblowing Report - Confidential
Gifts and Hospitality Policy
10.1 The Director of Governance and Policy presented the draft Gifts and Hospitality Policy. The following points were highlighted.
10.1.1 References to ex-gratia payments had been removed.
10.1.2 The reportable limit had been set to £25.
10.2 Governors approved the Gifts and Hospitality Policy.
Committee self-assessment
11.1 The Director of Governance and Policy presented the results of the Committee Self-Assessment. The following points were highlighted.
11.1.1 The self-assessment had many positive responses, and it was good that the committee was able to see changes being made.
11.1.2 Two new governors would be joining the Audit Committee, one who used to be the Chair of an Audit Committee at another FE college.
11.1.3 A member of the Audit Committee was now also a member of the CSQI Committee, but another member may also need to join to ensure overlap.
11.2 Governors made the following comments.
11.2.1 The feedback was really useful.
11.2.2 It was good news about the new governors being appointed.
11.2.3 How long would the current chair be in post? Until the end of this academic year.
11.2.4 Would the specific points be added to the action plan? They would.
11.3 Governors noted the outcome of the Committee Self-Assessment.
Appointment Of External Auditors - Confidential
Any Other Business
13.1 There was no further business.
Report on ELT Expenses
14.1 Governors made the following comment.
14.1.1 These figures felt more comfortable than in previous years.
14.2 Governors noted the report on ELT Expenses.
Report on Gifts/Goods Received by College Staff
15.1 Governors made the following comment.
15.1.1 Could the names of the departments be included in these reports?
15.2 Governors noted the report on Gifts/Goods Received by College Staff.
Dates and Times of Future Meetings
• 19 November 2025
• 26 November – Special meeting of the Audit Committee
• 18 March 2026
• 3 June 2026