Bournemouth and Poole College Senior Management Team (SMT)

The Bournemouth and Poole College

MINUTES OF THE MEETING OF THE AUDIT COMMITTEE HELD ON

21 JUNE 2017

Members Present:

Roger Blaber / Chair / In attendance:
John Taylor / Apologies / Michael Johnson / Vice Principal
Martin Lucas / Co-opted Member / Vicky Davies / TIAA – Apologies
Guy Spencer / Co-opted Member / Mark Stabb / TIAA
Victoria Sewell / KPMG
Alex Nash / KPMG
Marianne Barnard / Clerk to the Corporation

PART A

Actions
16/17 / APOLOGIES FOR ABSENCE
Apologies were received from John Taylor & Vicky Davies.
The Chair welcomed Mark Stabb from TIAA and Victoria Sewell and Alex Nash from KPMG.
17/17 / DECLARATIONS OF INTEREST
There were no declarations of interest noted.
18/17 / MINUTES OF THE LAST MEETING
The minutes of the meeting held on 9 March 2017 were confirmed as an accurate record and signed by the Chair.
RESOLVED: To approve the minutes.
19/17 / MATTERS ARISING
1/17 - it was noted that the Approach to the Risk Register was on the agenda for the meeting.
RESOLVED: To note the matters arising.
20/17 / FORWARD PLANNING
The Calendar of Business for the Audit Committee for 2017-18 and the Tracker were both reviewed and agreed.
RESOLVED: To note and agree the Calendar of Business for 2017-18 and the latest Tracker.
21/17 / CYBER SECURITY & GENERAL DATA PROTECTION REGULATIONS
The Head of Media & IT Services joined the meeting at 09.50.
The Chair welcomed the Head of Media & IT Services, who had joined the meeting to discuss further a number of recommendations from the Assurance Review of ICT - Cyber Security Arrangements, which had been reviewed in detail at the previous meeting and gave a final overall assurance assessment of Reasonable Assurance. The Committee noted that they wished to explore further a number of recommendations linked to encrypting laptops, sensitive data, firewall logs and data loss prevention software.
It was explained that most staff would not have a college laptop and whilst encrypting laptops remains a risk the greater concern is around local records and personal data potentially being held by teaching staff on their own personal computers, including personal student data and assessment results. It was acknowledged that there were some issues with the use of central systems as the single or primary record, and it was this issue that had resulted in staff retaining duplicate local records.
It was noted that TIAA would be undertaking a programme of work next year to look at the central systems and to spend time with staff to understand the nature and requirements of the local records being kept. It was anticipated that following the work by TIAA, a range of compulsory workshops would be delivered to all staff, along with a range of awareness campaigns on the requirements associated with General Data Protection Regulations which come into force in May 2018.
The committee discussed whether any immediate actions were needed and it was agreed that the VP Finance & CD would instruct staff that data is not to be kept or sent off site unless encrypted. Further actions would then follow throughout the summer months as TIAA completed their review.
RESOLVED: To note the update from the Head of Media & IT Services.
The Head of Media & IT Services left the meeting at 10.10. / VP F&CD
22/17 / RISK MANAGEMENT POLICY
The VP Finance & CD presented the updated Risk Management Policy. Two changes had been made, the first related to the widening of the responsibility for the identification of risks to include the Senior Leadership Team, and second was the inclusion in the policy a section on the articulation of risk. The Chair noted it was positive that this had been discussed at SLT and was being embedded across the college.
Committee members noted that the identification of risks along with the potential impacts were crucial and supported this being rolled out beyond the Executive.
RESOLVED: To note the updated Risk Management Policy.
23/17 / RISK REGISTER
The VP Finance & CD presented the latest Risk Register. Feedback on the format and the content included strategic risk needing to be given more focus, some detail still being very operational and the need for the significant risks to be articulated, rather than the issue itself.
Comments were also noted on the link between KPI’s and the Risk Register, it was agreed that risks should be picked up in a timely manner and reported to Board where appropriate. The VP Finance & CD noted that the college had been working with TIAA all year to build a more robust risk management process (including the revised risk register) and that emerging risks were now included in the Principal’s Report to Board.
It was agreed that the VP Finance & CD would continue to develop the Risk Register following the comments received.
RESOLVED: The Risk Register and areas for development were noted. / VP F&CD
24/17 / POST-16 AUDIT CODE OF PRACTICE 2016 to 2017
RESOLVED: The updated Post-16 Audit Code of Practice 2016 to 2017 was noted by the Committee.
25/17 / INTERNAL AUDIT REPORT
Internal Audit Report Block 2 – Final Report
TIAA presented the Block 2 Final Report, it was noted that all management comments had been included and actions were being followed up.
Internal Audit Report Block 3 – Draft Report
TIAA presented the Block 3 Draft Report, this recent report had focused on Learner Number compliance testing and Key Financial Controls. Substantial assurance was recorded. It was noted that all management comments had been included and actions were being followed up.
Assurance Review of the Subcontracting Arrangements – Final Report
TIAA presented the Assurance Review of Subcontracting Arrangements Final Report, the purpose of the review had been to provide a report and certificate in accordance with the requirements of the Skills Funding Agency (SFA) that the College had satisfactory assurance arrangements in place to manage and control their subcontractors. No urgent or important recommendations were made and Committee members noted the positive report.
RESOLVED: To note the internal audit reports.
26/17 / IMMIGRATION COMPLIANCE REVIEW
The VP Finance & CD presented the report and confirmed that this had been undertaken to review the College’s compliance with its duties as a Tier 4 sponsor. The review was completed by Veristat Immigration Consultancy, who visited the College in May 2017. The report concluded that the College appeared to have a good awareness of the importance of UKVI compliance within its central functions, in particular there was good evidence that was working to ensure that the College met its requirements as a Tier 4 sponsor. A number of recommendations were presented in the report and the VP Finance & CD noted that he would benefit from some discussion with Committee members on a number of these, it was agreed that the report would be brought back to the next Audit Committee meeting in the Autumn term for further discussion. The Chair however supported the VP Finance & CD to progress actions in the interim where it was possible to.
RESOLVED: To note the Immigration Compliance Review. / Clerk
VP F&CD
27/17 / COLLEGE FOLLOW-UP
The Committee noted the latest position on the College Follow-up. The document is now automated on TIAA’s portal and we have the ability to add recommendations from other audits – such as the Veristat report referred to above.
Mark agreed to review the portal as he believed the report was not completely up to date.
RESOLVED: To note the College Follow-up. / Mark Stabb (TIAA)
28/17 / INTERNAL AUDIT PLAN 2017/18
The VP Finance & CD had recently met with TIAA to discuss the plan for 2017/18, it was noted that ten days had been set aside for the IT systems review.
It was queried whether looking at a number of the other suggested operational areas were the best use of the internal auditors time? This included UKVI, Residential Provision, & Subcontracting. The VP Finance & CD responded that subcontracting was an annual requirement by the ESFA and that the UKVI and Residential Provision were considered by the Executive as worthy of regular review due to the associated risks.
RESOLVED: To note the Internal Audit Plan 2017/18.
29/17 / YEAR-END FINANCIAL ACCOUNTS AUDIT PLAN AND REGULATORY PLAN
Victoria Sewell from KPMG noted that in accordance with the ISA 260 “Communication of audit matters with those charged with governance” and the APB Ethical Standards, it was necessary to communicate that KPMG were independent.
The Audit cycle and timetable for the year ending 31 July 2017 was presented, the initial planning meetings with the finance team had taken place and dates had been agreed for interim and final audits. The final audit would take place in October 2017 and the report presented to the Audit Committee in November 2017.
It was reported that all individual errors in excess of £25,000 would be reported to the Audit Committee.
The significant risks and areas of focus were noted as:
Fraud risk in relation to revenue recognition
Management override of controls
Pensions
Overall financial position, loan covenant compliance, and going concern.
Regularity
RESOLVED: To note the Year-end Financial Accounts Audit Plan and Regulatory Plan.
30/17 / ANY OTHER BUSINESS
There were no items of AOB discussed.
31/17 / DATE OF NEXT MEETING:
The next Audit Committee meeting would be held on 22 November 2017, 10.00-12.30.
32/17 / EVALUATION
It was agreed that the committee had undertaken the required activities.
33/17 / CONFIDENTIALITY
No items were noted as confidential.