Minutes of the Meeting of the Audit Committee of the Council, Thursday, 12Thnovember2015

AUDIT COMMITTEE

Minutes of the meeting of the Audit Committee of the Council, Thursday, 12thNovember2015

PRESENT:Mr Rob Perrins (Chair)

Ms Amanda Allen Mr Sanjay Khullar

Mr David NewcombeMr Surinder Sharma

IN ATTENDANCE:Mr Andrew Bush Mr Alan Charters

Mr Rob Fekete Mr Tony Felthouse

Mr Alan HawkesworthProfessor Helen Higson

Ms Geraldine RutterMr Neil Scott

Mr John Walter (Secretary)Mr Neil Ward

APOLOGIES:Mr Stuart DoughtyMr Adam Richards

GOVERNANCE MATTERS

Declarations of Interest

15/92NOTED:

That there were no new declarations of interest from members, or from those in attendance, with respect to any agenda items.

Welcome

15/93RESOLVED:

To welcome Mr Neil Ward,Senior Manager, PWC, to the meeting.

Minutes

15/94RESOLVED:

That the Minutes of the meeting of the Committee held on 29th September 2015 be approved and that they be signed by the Chair.

Matters Arising from the Minutes

15/95RECEIVED:

A summary of matters arising from the minutes of the previous meeting in paper AU/15/42.

Aston University Pension Scheme (AUPS) and the Universities Superannuation Scheme (USS) (minute 15/72)

15/96RECEIVED:

An oral report from the Chief Financial Officer on the ongoing review of AUPS, noting that, following an informal consultation process, proposed changes to the scheme would be submitted to the next meetings of the Finance and Major Projects Committee and Council for approval, which if approved would be subject to formal consultation with the AUPS Trustees and the staff and Trades Unions.

Student Recruitment and Retention 2015/16

15/96RECEIVED:

The Deputy Vice-Chancellor presented Paper AU/15/72 being a report on student applications and recruitment for 2015/16, noting that:

• The University had achieved the target of 300 additional Home/EU undergraduates compared to 2014/15 entry and had exceed this by almost a further 300.
• This growth had been achieved without a significant decrease in the average A-Level tariff score.
• There were fewer than target Home/EU postgraduate students reflecting a national decline linked to the growing number of undergraduate students graduating with large student loans.
• International student recruitment, whether at undergraduate or postgraduate level, was very challenging in the face of visa restrictions and growing global competition.
• It appeared that ongoing efforts to improve the retention and progression of existing students were being effective and should improve the financial position.
• It was anticipated that the University would at least achieve its overall tuition fee target, provided that planned mid-year intake targets were achieved. The level of HEFCE grant income could be affected by the forthcoming Autumn Statement 2015.

Organisation of the University’s Conference Business (minute 15/76)

15/97NOTED:

The Chief Financial Officer reported that the review of the University’s conference business was ongoing.

Strategic Risk Management Policy and the Institutional Strategic Risk Register (Minutes 15/51-52)

15/98NOTED:

That the University Executive had reviewed the Strategic Risk Register at this year’s Senior Management Advance and were in the process of considering a number of proposed changes. The revised Risk Register would be presented to the January meeting of the Committee for consideration.

Information Technology and Security (Minutes 15/82)

15/99RECEIVED:

i)An oral progress report from the Chief of Operations and Estates and the Director of Library and Information Services. The draft IT Security Policy had been reviewed by the Internal Auditors who had provided feedback and a revised version was scheduled to be considered, as part of the new Library and IT Strategy,by the Executive on the 30th November. The draft policy included a requirement that no personal data should be transferred outside of the European Union as the "safe harbour" protocol could no longer be relied upon. All University systems that were hosted in the cloud were held within the European Union (ie Core, Aston’s human resources system, in Ireland; Blackboard, Aston’s virtual learning environment, in Holland; and Agresso, Aston’s finance system, plannedto be held externally in the UK). The procurement process involved measures to ensure that such hosted environments met industry best security practice and guidance (normally a site visit to the relevant datacentrewas undertaken to review security arrangements). The draft policy also included a requirement for suppliers to reconfirm regularly that they continued to meet best practice, and to provide information on penetration testing that they undertake or accreditation that they hold. Core had agreed to the University carrying out penetration testing on the Aston’s cloud-hosted HR information.

ii)Paper AU/15/43, a report from PWC, the Internal Auditors, on a follow-up review of two IT high risk findings from its 2014/15 information security review. One high risk area, removal of IT access to systems, was now considered closed, as the issues identified during the original audit had been resolved and a process was in place automatically to remove sensitive access for leavers. However, whilst the Executive had made some progress to improve vulnerability management, until detailed remediation plans were completed and implemented there remained a high level of risk in relation to the University being exposed to service disruption for business critical applications or the loss or modification of sensitive data that could result in regulatory fines and reputational damage.Whilst not currently the responsibility of Library and IT Services, there were servers on the University network that were not being managed by the central IT management team, where security arrangements and patches might not be up-to-date. Many universities were in the process of bringing the management of the security of such systems under the responsibility of their central IT teams.

15/100NOTED:

• That the penetration testingrecently undertaken by the University had been limited to external penetration. The Internal and External Auditors confirmed that internal penetration (eg inappropriate use/hacking by internal users) presented a much higher risk in the HE sector and until the vulnerability of Aston’s internal security systems were tested, this remained a high risk area. It was noted that internal penetration testing was being planned.
• That the Internal and External Auditors felt that Aston’s progress in relation to vulnerability management was significantly below that of most other universities, although it should be possible to take action to address this position over a relatively short period of time.
• That Audit Committee felt strongly that Aston should seek external accreditation of its information security management arrangements, as the process of achieving this would highlight any weaknesses and vulnerabilities which the University could address and its achievement would demonstrate that all had reasonably been done to ensure the security of personal and sensitive data. Areas likely to be particularly vulnerable included internal security arrangements, mobile devices, ITC equipment taken off campus,and arrangements for any personal/sensitive data shared with collaborative partners and other third parties.

15/101RESOLVED:

That the University should develop an action plan to: address the information security issues raised by the Internal and External Auditors and external penetration testing; complete the scoping and implementation of internal penetration testing;and seekinformation security management accreditation from an appropriate body. The University should review whether appropriate management resources and capability were in place to oversee the increasingly complex and demanding information security management function.

ACTION: Chief of Operations and Estates to prepare a paper for the next meeting of the Committee.

Value for Money Annual Report 2014/15 (M15/86)

15/102NOTED:

That a revised version of the Value for Money Annual Report 2014/15 would be submitted to Council and HEFCE which included the University’s excellent recent performance in terms of sustainability.

BUSINESS FOR DECISION/APPROVAL

External Audit Annual report, Audit Highlights Memorandum and Management Letter 2014/15

15/103CONSIDERED:

Paper AU/15/44, comprising a report, prepared by KPMG, the University’s External Auditors, on their audit findings for the year ended 31st July 2015.

15/104NOTED:

i)That this year’s audit had been conducted professionally and efficiently with good communication and working relationships between the Auditors and the Finance Team. The University had made good progress in implementing the 2013/14 recommendations and also in relation to its control arrangements for research grants and contracts.The number and level of recommendations arising from the audit had continued to reduce compared to previous years. There were two amber recommendations (ie student data control and the IT control environment) and one green recommendation (ie staff establishment checks).

ii)That the draft accounts incorporated an impairment charge of approximately £2.7 million in relation to the GostaGreen (former BCU) buildings. During the latter part of 2014/15, the University’s masterplan had been revised such that a number of the GostaGreen buildings (excluding the ‘main’ building) had once again been earmarked for disposal. The University commissioned GVA to undertake a valuation exercise to value the elements being retained on a Depreciated Replacement Cost basis. The Auditors understood that the decision to demolish these buildings had not been formally documented via a Council minute prior to 31 July 2015, but it was intended to do so before the financial statements were approved. The Auditors were satisfied therefore that on this basis, the impairment could be recognised as an adjusted post balance sheet event in the 2014/15 financial statements.

iii)That members queried whether the University had sufficient management resource and capability to cover the area of VAT and taxationgiven the increasing complexity of government regulation, to ensure that the University properly meets its obligations in the most efficient way and benefited from any tax advantages and exemptions.

iv)That the University’s redundancy policy and payments were under review to ensure that they remained affordable

15/105RESOLVED:

i)That the External Auditors be thanked for their Report, and that the Report be approved for submission to Council, subject to the resolution of any detailed outstanding audit points by the finance team and the Auditors, and approval of the final version by the Audit Committee Chair.

ii)That the University should review the management resource and support for the area of VAT and taxation.

Action: CFO/FD

University Accounts

15/106RECEIVED:

i)Paper AU/15/45, comprising the Report and draft audited Financial Statements for Aston University for the year ended 31st July 2015.

ii)Paper AU/15/46, comprising a draft letter of representation to KPMG.

iii)Paper AU/15/47 for information, being the draft audited Financial Statements and letter of representation for Conference Aston Limited for the year ended 31st July 2015 and Paper AU/15/48 a letter of support from Aston University in respect of Conference Aston. It was noted that Conference Aston had improved its year on year performance with an operating profit of £289k to 31 July 2015, compared to an operating loss of £371k to 31 July 2014. This was as a result of the new Conference Aston Meeting Suites driving up sales along with the positive impact of having no refurbishment closures in the year to 31 July 2015.

iv)Paper AU/15/49 for information, being the draft audited Financial Statements and letter of representation for Optimus Energy Limited for the periods ending 31 July 2015 and Paper AU/15/50, a letter of support from Aston University in respect of Optimus Energy Ltd. It was noted that a decision would need to be made next year as to whether Optimus Energy Limited was really a going concern.

15/107RESOLVED:

i)To recommend that the Financial Statements for 2014/15 be approved by the Council, subject to any final adjustments to be made in the light of discussions between the University and KPMG and the inclusion in the Operating and Financial Review section of a brief explanation for the various exceptional items.

ii)To recommend that the letter of representation be approved by the Council and signed by the Pro-Chancellor, subject to any final adjustments to be made in the light of discussions between the University and KPMG.

Annual Report of the Audit Committee 2014/15

15/108CONSIDERED:

Paper AU/15/37(v2), being a revised draft of the Annual Report of the Audit Committee for 2014/15, which incorporated comments received from members.

15/109RESOLVED:

That the Annual Report, revised in the light of further comments made at the meeting, be submitted to Council for onward transmission to HEFCE.

ACTION: Secretary and Chair

Matters referred from HEFCE

15/110RECEIVED:

i)Paper AU/15/51, the Accountable Officer’s Annual Assurance Return 2014/15.

ii)Paper AU/15/52, the Memorandum of Assurance and Accountability between HEFCE and Institutions and paper AU/15/53, being an updated action plan showing executive responsibility for monitoring and ensuring compliance with the various components of the Memorandum that hadbeen approved by the Executive Operations Group.

15/111RESOLVED:

i)To recommend that the Accountable Officer’s Assurance Return for 2014/15 be approved by the University Council prior to its submission to HEFCE.

Adoption of New Financial Reporting Standards (FRS 102)

15/112RECEIVED:

An oral progress report on the adoption of FRS 102 by the University from the Director of Finance, noting that preparations were progressing well with support and advice from KPMG and that FRS 102 training would be provided to members of the Finance and Major Projects Committee at its next meeting.

ACTION: FD to report on progress at the next meeting of the Audit Committee

BUSINESS FOR INFORMATION

Reports and Schedules

15/113RECEIVED:

Paper AU/15/54 for information, the draft audited Financial Statements for Aston University Pension Scheme (AUPS) for the year ended 31st July 2015. Members noted the scheme’s impressive performance whereby the net appreciation in the value of investments held at the year-end had been £11.276 million compared with a net appreciation of £4.956 million in the previous year.

ACTION: CFO to report on the forthcoming AUPS revaluation at the next Audit Committee meeting.

Date of Meetings in 2015/16

15/114NOTED:

That a pre-meeting of independent members would be held at 1:00 pm, prior to the formal meetings with University Officers and Internal and External Auditors present which commence at 1:30 pm:

Thursday, 21st January 2016

Thursday, 12th May 2016.

Signed ………………………………………… Dated 21st January2015
Mr Rob Perrins,
Chair of the Audit Committee

1