Shrewsbury Colleges Group
Group Minutes of the Audit Committee
Location HELD BY REMOTE ACCESS THROUGH MICROSOFT TEAMS
Date 16th June 21
Time 6.05 p.m.
Minutes Membership In attendance by electronic device and contributing towards the meeting quorum, in accordance with Instrument 12. (Members may count towards the quorum if they are able to be present by electronic or digital communication (including attendance by video conferencing or telephone conferencing).
Dr J Barratt (co-opted committee member), N. Merchant (Chair), R. Sartain, C. Sharp (co-opted committee member) and M. Thompson.
In Attendance In attendance by electronic device
Principal/CEO, J. Staniforth
Member of the Senior Leadership Team: P. Partridge, Finance Director (FD)
Group Vice Principal, Information & Strategic Development (GVP, I&SD)
Clerk to the Board, T. Cottee

BY INVITATION:

In attendance by electronic device
W. Devitt, Engagement Lead, Grant Thornton, Financial Statement Auditors (FSA)
J. Flowers, Manager, PWC, for Minute Number 12/21
C. Parkes, TIAA, College Internal Audit Service (IAS)

PRESENT FOR PRE-MEETING BRIEFING

A Allen, A. Benghiat, N. Merchant, G, Mills, D. Pulford, J. Rowe, R. Sartain, C. Sharp, J. Sharrock, J. Staniforth, M. Thompson and P. Tucker.
Apologies N. Coombe, Grant Thornton, Financial Statement Auditors (FSA) and Raj Vitish, Senior Manager, PWC

Prior to the meeting of the Audit Committee, the GVP, I&SD gave a presentation to the Audit Committee members and other invited governors on the College’s arrangements for Teacher Assessed Grades.

The GVP explained –

    • That Teacher Assessed Grades (TAGs) were similar to the Centre Assessed Grades (CAGs) used in 2020, but with no algorithm;
    • TAGs affected A levels, GCSEs, most Level 3 vocational qualifications and some Level 1 & 2 vocational qualifications, including all academic second year students and a large proportion of levels 1,2, & 3 students, about 1,900 students in all;
    • Guidance on how to apply the grading process had been issued by OFQUAL, the Joint Council for Qualifications (JCQ) and each awarding organisation (AO). Whilst the underlying principle was consistent, each awarding organisation had interpreted them differently, which had presented a challenge for the College;
    • The key risks associated with TAGs, including –
      • Extremely tight submission timescales. The College was on track to submit all grades by the deadlines set;
      • Expectation that grade profiles would be comparable with the prior three years of data.
      • Reputational damage to the College; and
      • Poor or unreliable outcomes when viewed by external stakeholders and the judgements made by those stakeholders about the College. To maintain the College’s reputation, it had provided transparent communication throughout, explaining that the College had undertaken careful consideration of grade profiles, including the use of ALPS and Six Dimensions, understanding the students at group level, implementing several stages of checking and maintaining high quality evidence;
    • The mitigating actions taken by the College to address the key risks, including –
      • Planning and pro-actively gathering evidence to support the process, in anticipation of the likelihood of some form of assessment being implemented;
      • Effective and pro-active communications with staff, students and parents, setting out clearly who would be affected and how the College would approach TAGs. The College also gave early consideration of mitigation and access arrangements, with a clear framework for application evidenced;
      • Regarding the comparable grade profile, there was early communication of and agreement to the College’s agreed Policy. The College also created and implemented a detailed Assessment Record, including historic data and implemented a Quality Assurance Loop which would stand up to scrutiny;
      • Detailed training and guidance for staff;
      • Effective use of systems including thorough evidence and rationale to support the assessment process; and
      • Facilitating the appeals process, including that students could access systems and processes during the Summer.

In response to a question, it was confirmed that there was no national algorithm for TAGs

The P/CEO concluded the briefing with a thanks to the GVPs, the Director of A Level Services and to all their teams that had undertaken this process.

10/21. Declarations of Interest

There were no declarations of interest.

11/21. Draft Minutes of the Meeting Held 17 March 2021 (Appendix Agenda Item 3)

The Minutes of the meeting held on 17 March 2021, were agreed as a true record.

12/21. Funding Audit (Confidential Appendix Agenda item 4)

J. Flowers, Manager, PWC, attended the meeting for this presentation.

The College had received a full funding audit, undertaken by PWC, on behalf of the Education & Skills Funding Agency (ESFA) and had produced an assurance report for the College (previously circulated).

The Committee received a detailed briefing on the Audit’s findings and that, overall, the audit reflected a good performance for a College of its size, with 31k being clawed-back.

RESOLVED: That the report be noted.

J. Flowers left the meeting at this point.

13/21. Cyber Security – College Position Update (Appendix Agenda item 5)

The Committee had been circulated with a copy of a presentation on cyber security in the further education sector recently by D. Corke of the Association of Colleges (AoC).

To provide assurance to the Committee on the security of the College’s arrangements, the GVP, I&SD gave a presentation and included that –

      • The College had received the Cyber Essentials Accreditation on 18 September 2020;
      • The College had implemented Enhanced login Validation, including Login Location Tracking and Login Plausibility Tracking;
      • The College had also implemented Multi-Factor Authentication (MFA) for staff and governors;
      • The College had removed its remote desktop (RDP) servers, replacing them with a system to filter and manage remote access. The College, additionally, did not externally advertise its URL;
      • The College had introduced Sophos Interceptor X for each device, which provided immediate alerts and would shut down suspicious activity, alerting the IT Team, to remove the device from the network. The College had recently been able to respond to a recent ‘false positive’ virus alert incident in under 10 minutes, through this Interceptor process;
      • The I.T. Team was well connected with external agencies and discussed cyber security issues in its weekly meeting. The College’s I.T. Manager was a member of the Cyber Information Security Partnership – one of its first further education members;
      • The College had recently reviewed its Cyber Security Insurance, and the College’s approach had been validated by the insurer;
      • This year, the College had received no cyber-attacks. There had been 388 Impossible Travel Activities captured since 01 January 2021, with the average attempts per day doubling in May and June. There had been 35 Infrequent Country login attempts since 01 January 2021; with some being legitimate so not automatically blocked.

In answer to a question on the use of VPNs, the GVP explained that there were a limited number of staff had VPN access and all of them used a College device; the College was considering undertaking third person penetration testing to gain further assurance and if needed to mitigate the remaining risk.

The Committee sought and received assurance that the College had in place effective processes with respect to system recovery

The Committee considered that, whilst the College was effective in identifying and mitigating risks with respect to cyber security, it observed that threats to cyber security were ever evolving and becoming more sophisticated and that the College should remain vigilant to this serious threat. The Committee observed that maintaining awareness of the issues to students, staff and governors was of paramount importance, as human error was a risk as penetration to the College’s systems through emails. Therefore, the Committee observed that the College should continue to review the Risk Register and development materials with respect to cyber.

14/21. Internal Audit Reports (Appendices Agenda Item 4)

Ms Parkes presented the following –

Audit Strategy and Annual Internal Audit Plan 2021 – 2022

The Committee considered the report (previously circulated), which set out the proposed Audit Plan for 2021/22; this had been informed by a risk assessment carried out across education clients and by an updated audit risk assessment to ensure that planned coverage for the year was focussed on the key audit risks, and that the coverage would enable a robust annual Head of Internal Audit Opinion to be provided.

The Committee acknowledged that this year would continue to be another challenging year for FE colleges in terms of funding pressures, viability and the on-going impact of COVID-19. The IAS had identified a number of key areas which required consideration when planning internal audit coverage, including Cyber Security and Information Governance, the FE White Paper published in January 2021, Covid-19 and the impact of the Covid-19 pandemic on a College’s ability to deliver its business and Mental Wellbeing

      • The initial Plan had been considered by the FD and Senior Leadership Team;
      • 4 days had been left in contingency, to respond to any issues arising.

RESOLVED: That the Audit Strategy and Annual Internal Audit Plan 2021 – 2022, be RECOMMENDED TO BOARD.

ACTION: Report to Board

Assurance Review of Apprenticeships (previously circulated)

The Review had considered the processes in place to identify and engage with employers seeking apprenticeship training, how the College provided employers and their potential apprentices with appropriate advice and guidance taking into account course availability, how off the job training requirements were managed and monitored; and how apprenticeship demand was balanced with existing and required assessor capacity.

The Review had concluded that the College had comprehensive documented processes in place which outlined the relevant regulatory guidance. The College had recently been the subject of a funding audit, with no major no errors identified. The College was considering implementing a CRM system to track and monitor apprenticeships to enhance monitoring of targets and income. With 1 routine and 1 operational recommendation, the Report had given Substantial Assurance.

Resolved: That the report be noted.

Assurance Review of Safeguarding (previously circulated).

The Review had considered safeguarding communication and information to students to ensure they knew how to keep themselves safe and who to go to for help, that safeguarding student referrals were accurately recorded and identified, that the required support was then followed up and in place; that reporting against trends of safeguarding cases were accurately identified and that safeguarding processes supported students to stay in education and achieve.

The Review had concluded that the College had a Safeguarding Policy and Procedure in place supported by a number of other policies. The Report had made a number of suggestions to further improve processes, for example, the SLT carrying out spot checks of the Single Central Record (SCR) and maintain a log of these checks as evidence of this process. It was observed that the Safeguarding Link Governor had undertaken a spot check of the SCR since her appointment in January 2021 and would continue to do so on a termly basis.

The Review had also identified examples of good practice including that the College had reviewed and increased its Safeguarding Team structure, employed security guards across the campuses and introduced door entry systems. The College also had a number of external links and a presence on many panels, groups and committees; it had clearly communicated safeguarding awareness to staff and students.

With only 2 routine and 2 operational recommendations, the Report had given Substantial Assurance. The Committee passed on its congratulations on a Substantial Assurance outcome to all staff involved in the audit.

Resolved: That the report be noted.

ICT Review of Network / Cyber Security (previously circulated)

The Review had assessed the arrangements in place for maintaining the integrity of the College’s computer network, including server configuration and patching, threat detection, change control, remote access, user administration and desktop control policies as well as examining supporting policy and procedural documentation.

The Review had identified two instances of good practice in that the Technical Services Team adopted a proactive approach to Cyber Security and that processes were in place for monitoring and receiving alerts to zero day and emerging threats and vulnerabilities. Additionally, strong user account control was in place including restricting privileged accounts to a minimum, the use of an Identity Management system and compliance with Cyber Essentials guidelines. There were two important recommendations and thus had Reasonable Assurance. There were no urgent Action Points and all recommendations had been accepted by College management.

Resolved: That the report be noted.

15/21. Financial Statement Auditors Reports (Appendices Agenda Item. 7a & 7b)

Mr Devitt introduced the Financial Statement Auditor Audit Plan and Report (previously circulated) for the year ended 30 July 2021.

The Plan and Strategy set out –

      • Grant Thornton’s (GT) understanding of the principal business issues relating to Shrewsbury Colleges Group (SCG) and the overall impact on the audit approach – financial position and Going Concern;
      • The Company’s risk-based approach;
      • Significant risks identified. These risks included –
        • Significant risks, such as the risk of fraud and the Covid-19 pandemic; and
        • Reasonably possible risks (income and expenditure);
      • The Company’s approach to materiality and regularity assurance;
      • The Team;
      • Fees; and
      • Communications of audit matters with the Committee.

In addition, Mr Devitt advised of new requirements for financial statements auditors to undertake additional work on the Financial Statements, including the testing of underlying records, which would involve the selecting and testing of the College’s ILR records. This would present a challenge and GT already had a team working on this.

Mr Devitt referred to the significant increase in fees set out in the report and explained that they reflected the additional workload required as a result of the extra pressure from regulators to undertake more assurance work, as well as the additional auditing work required this year.

In response to a question on whether the College challenged the assumptions provided in the Statement’s actuarial report, the FD explained that, whilst this was assessed, the College did not consider it appropriate to override or amend the independent expert’s assumptions and that the movements were inherently variable did not represent a cash risk to the College. The more important matter was ongoing cash contributions which are known and planned for.

Mr Devitt also referred to the report (previously circulated) that covered some important areas of the auditor risk assessment and that Grant Thornton was required to make enquiries under accounting standards which now included meeting new auditing standards on going concern and estimates.

Resolved: That the External Audit Plan and Strategy BE RECOMMENDED TO BOARD.

ACTION: Report to Board

16/21. Risk Register and Board Assurance Framework 2020 – 2021 (Appendix Agenda Item 8)

As recommended by the Committee (Audit Committee Min. No. 26/20 refers), the format of the Risk Register had been revised in line with the proposals subsequently approved by Board (Board Min. No. 94/20 refers) to incorporate a new set of definitions and working methodology.

Whilst there are no risks identified with a current assurance level of Red, the following identified risk was rated with a Major Impact and Very High (Almost Certain) Likelihood – Board 1 - Risk of disruption to learning from strike action.

The P/CEO undertook to review the wording of the risk, in response to an observation from a governor on the language used.

Resolved: That it be RECOMMENDED TO BOARD that the Risk Register, be approved.


ACTION: Report to Board

17/21. Audit Recommendation Tracking Report (Appendix Agenda Item 9)

The Committee received the Audit Recommendation Tracking Report (previously circulated).

The FD explained that the Report to the next meeting would include the recommendations arising from the Financial Statements Audit.

18/21. Post-16 Audit Code of Practice – Update (Appendix: Agenda Item 10)

The report (previously circulated) set out the changes in the Post-16 Audit Code of Practice 2020 – 2021, which applied to all financial periods commencing on or after 1 August 2020, and the funding year 2020 to 2021.

The Committee reviewed the changes and sought assurance that the necessary procedures were in place to meet the Code’s requirements and noted particularly –

      • that colleges that had registered with Office for Students (OfS) would be required to comply with the OfS accounts direction including the provision of an audit opinion on the appropriate use of funds;
      • there was an increased importance in ensuring the declarations of interest register was continually updated, with this issue of the ACOP focusing on personal benefit and related party transactions. Currently, the Clerk required all governors and senior post holders to undertake an annual review of their declarations and governors were made aware, through the Declaration, of the need to advise the Clerk of any changes throughout the year. In addition, all Budget Holders were required to sign an Annual Declaration. The Clerk would liaise with the IAS on whether there were any additional measures should be taken;
      • The new Code stated that external auditors must present their findings annually at a meeting of the board of governors, which could be a joint meeting with the audit committee. It was acknowledged that a representative of the Financial Statement auditors would attend the relevant Board meeting going forward.

19/21. Irregularity and Fraud

None reported.

20/21. Risk

The Committee concluded that it had sufficiently examined areas of risk under its remit at this meeting.

21/21. Committee Self-Assessment 2020 - 2021 (Appendix No. 11)

At the end of the 2020 - 2021 governance cycle, the Board and each committee were invited to complete an evaluation exercise. This evaluation would supplement the Education & Training Foundation (ETF) Board Review Self-Assessment undertaken in November 2020. These would inform the Board’s self-assessment return and improvement action plan 2021 – 2022.

The Committee Chair directed members to consider the Committee’s performance during 2020 – 2021 and submit the outcome to the Clerk. The Evaluation would also include an assessment of how effectively the Committee had carried out its responsibilities and a compliance audit against the Audit and Accountability Annexe to the Foundation Code of Government.

22/21. Date of Next Meeting – Venue and date – TBC.

The Finance Director, the Principal/CEO, Mr Devitt, and Ms Parkes left the meeting at this point.

23/21. Tender for Audit Services

Following a confidential discussion, the Committee instructed the Clerk to communicate to the FD its conclusions on the Committee’s approach going forward.

The meeting concluded at 8.06 p.m.