Minutes of the Meeting of the Audit Committee - 18 June 2025

J. Godsmark joined the meeting.

Prior to the meeting, the VP, Q, A & I provided a risk management briefing on risks associated with the risk of cyber security incidents occurring at the college.

The briefing provided an update on the potential risks identified and assurance through mitigating actions being taken by the college to manage the risks. The Committee discussed the impact of the recent cyber-attack on Marks & Spencer, the probable causes leading to the attack and the implications for the college. The Committee also discussed the college’s progress towards achieving full compliance with ‘cyber essentials’. The VP, Q, A & I explained that to further enhance the security of the college’s digital systems, the college would be introducing Multi-Factor Authentication (MFA) for all new Year 1 and returning students from 16 June 2025. Once implemented, the college would be fully compliant.

A. Rao left the meeting.

M. Munro joined the meeting

10/25. Declarations of Interest

There were no pecuniary declarations of interest.

11/25. Draft Minutes of the Meeting Held 12 March 2025 (Appendix, Agenda Item 3)

The Minutes of the meeting held on 12 March 2025, were agreed as a true record.

12/25. Reports from Internal Audit Service (Appendices a & bi and ii, Agenda item 5)

Mr Godsmark presented the following reports (all previously circulated) –

1. 1. 1. Follow Up of Audit Recommendations

The Committee reviewed progress at set out in the report.

2. 1. 2. Internal Audit Progress Report – June 2025
         The Committee reviewed the Report, highlighting the following:
         
         • Validera had recently formed a joint venture with HB&O Accountants, creating Validera HB&O to provide external audit services specifically for the education sector.
         • The Internal Audit Strategy (IAS) and Audit Plan remained "Live" documents, with ongoing dialogue to ensure they meet assurance needs.
         • The Core Financial Controls (Procurement) review had been deferred to 2025/26, due to resource availability. The Committee agreed this deferral.
         • Two audits (Budgetary Control and Capital Projects) were complete with Final Reports agreed and an "Adequate" overall assurance rating issued.
         • Three audits (Financial System Implementation, Student Records, and Follow Up) were in progress or had agreed start times.
         • 20.25 actual days had been spent on audits against 32 planned days. In response to a question, it was confirmed that all Audit Briefs for the remainder of the 2024/25 year had been issued and start dates and timeframes agreed with management. It was expected that all audits would be completed in accordance with the agreed budgeted days.
         • A total of 9 findings had been raised across the completed and in-progress audits: 2 red, 2 amber, and 5 green.
         • Mr Godsmark explained that Client Satisfaction Surveys were issued after each review. However, to date, no completed surveys had been received and he encouraged the college to complete the survey.
         • The report concluded that, currently, no individual findings were considered significant enough to negatively impact the overall Annual Opinion on the organisation's risk management, governance, and control processes. The final opinion would be provided at the end of the financial year.

3. 1. 3. Internal Audit – Budgetary Control
         The Committee reviewed the report (previously circulated), seeking assurance that the college’s system of financial controls was adequate to arrive at financial budgets, monitor actual performance against those budgets and inform timely decision-making and corrective actions when needed.

• • • • The following areas of good practice were identified -
        • Financial Procedures defined budget holder responsibilities.
        • Budget holders had access to live budget reports via the college’s newly installed finance system.
      • The report had made several recommendations with respect to -
        • Budget Monitoring
        • Formal Training. In response to a question, the EDoF explained that a new Budget Holder briefing cycle was being developed and an annual refresher training would be provided going forward.

The audit provided an "Adequate" assurance level regarding the design and application of controls for budgetary management. The Committee therefore accepted the report as assurance that that controls were suitably designed and applied to manage risks material to achieving objectives.

4. 1. 4. Internal Audit – Capital Projects

The Committee reviewed the report (previously circulated), seeking assurance that the college had in place effective systems of control to ensure that the capital projects including the Renewable Training Centre at the London Road Campus and the Post-16 Capacity funding projects at the Welsh Bridge Campus were suitably managed costs controlled and accurately recorded.

• • • The following areas of good practice were identified –
      • Contracts clearly specified deliverables, specification and payment terms
      • Professional support was utilised when required
      • Project costs and spend were appropriately monitored
    • The report made several recommendations for improvement with respect to –
      • Procurement. In response to a question, the EDoF explained that a formal tender exercise had been conducted for the appointment of the main contractors on the capital projects, with one providing significant additional project support. This supplier was initially appointed following a competitive tender process to deliver the Estates Strategy. However, no further procurement exercise was conducted for the additional project support services subsequently commissioned. The additional engagements totalled less than Public Procurement regulations thresholds hence there had been no risk of a breach of these regulations. Additional engagements in this case had been made via direct award based on the contractor’s prior knowledge and experience of the project as the provider was inherently familiar with the projects’ scope, design and technical requirements. In these circumstances, it had been considered appropriate not to seek to tender for these services separately given the inherent advantage in terms of reduced risk and continuity of services available. The Committee accepted this approach.
      • Post-Project ‘Lessons learnt’ exercise. In response to a question, the EDOF explained that in the case of the projects in question formal “lessons learned” exercises were not undertaken. However, to provide assurance to the Committee, the EDoF and campus team leaders had routinely interacted with stakeholders at all levels during the projects and discussed any learning as part of the project completion. As a result, the college had worked closely with contractors to value engineer project costs, securing value for money whilst still meeting project objectives.

The audit provided an "Adequate" assurance level regarding the design and application of controls for budgetary management. The Committee therefore accepted the report as assurance that that controls were suitably designed and applied to manage risks material to achieving objectives.

Resolved: That the reports be accepted.

13/25 Financial Statement Auditors (FSA) Report (Appendix Agenda Item 5)

M. Munro introduced the Financial Statement Auditor Audit Plan and Report (previously circulated) for the year ended 31 July 2025, which provided an overview of the nature and scope of the audit work and key aspects of the audit.

The Audit Plan set out -

• • • Bishop Fleming’s understanding of the principal business issues relating to the college and the overall impact on the audit approach – financial position and Going Concern;
    • The company’s risk-based approach;
    • Risks identified. These risks had not materially changed since the previous year and included:
      • Management override of controls;
      • Fraud in income recognition; and
      • Pension assumptions.
    • The company’s approach to materiality and regularity assurance;
    • The Team;
    • Fees; and
    • Communications of audit matters with the Committee.

In response to a question, Mr Munro confirmed that the testing regime would accommodate the newly installed Finance system.

The Committee noted that, for the accounting periods ending July 31, 2025, colleges would be guided by three updated financial reporting documents.

1. 1. 1. The Auditor Framework and Guide, released in March 2025, which replaced the previous Post-16 Audit Code of Practice (ACoP) for colleges. This new framework incorporated existing audit and regularity requirements while expanding and updating guidance for reporting accountants on regularity testing.
      2. Published in March 2024, the College Financial Handbook provided guidance for colleges, now classified under the central government sector since 2022. It consolidated previous guidance and regulations, focusing on financial responsibilities, governance, and compliance. Colleges must comply with the Handbook as part of their accountability agreements.
      3. The College Accounts Direction 2024/25, issued in March 2025, outlined the Department for Education's (DfE) financial reporting requirements. However, changes from the previous year were minor.

In addition, a new Statement of Recommended Practice (SORP) for Further and Higher Education was being developed following amendments to FRS 102. Expected to be published in August 2025, its adoption would generally be for the 2026/27 financial year.

In response to a question on the impact of the new Handbook and requirements on compliance, the Clerk to the Board confirmed that work to provide assurance to the auditors had already started.

Resolved: That the External Audit Plan and Strategy BE RECOMMENDED TO BOARD.

ACTION: Report to Board 07/07/2025

Mr Munro left the meeting.

14/25. Audit Recommendation Tracking Report (Appendix Agenda Item 07)

The Committee reviewed the Audit Recommendation Tracking Report (previously circulated), noting progress of recommendations against target achievement dates and seeking assurance from the P/CEO where actions had revised target completion dates. In response to questions, the EDoF explained that, regarding the progress of audit recommendations regarding core financial controls, a full review of assets would be undertaken as part of the migration of the Asset Register from the legacy Resource Finance System to the new CIVICA Financials system.

The Committee was assured as to the reasons for these changes and that they did not present any material risk to completion of the recommendations.

15/25. Risk Register and Board Assurance Framework (Appendix, Agenda Item 08)

The Committee reviewed the 2024 – 2025 Risk Register (previously circulated).

The EDoF explained the risks identified and mitigating actions being undertaken. Whilst no risks were rated ‘red’, the following strategic risk (FBO26 - Planned defunding of AGQs) remained ‘high amber’ at this point.

In addition, the following risks scores remained under close scrutiny:

• • • Board 13 (Risk that campuses are not sufficient to meet demand: teaching/workshop space is systematically or significantly insufficient to meet demand by more than 2 groups of students in September 2025), the college continued to plan to mitigate the impact of a continued high level of enrolments for the 2025 – 26 year.
    • ARC02 - (Risk of material Data Breach as a result of poor Information security or successful malicious attack). In view of recent high profile cyber-attacks in the retail sector, the college remained vigilant with ongoing active monitoring and staff engagement.
    • FBO29 (Risk of failure to recruit planned HE learner numbers to meet planned targets for 2024-25 and beyond). Target Enrolments now need to be met in any one of 3 years ending in 2027. Whilst the clawback risk was deferred to 2028/29, the risk of clawback remained significant.

The Committee concluded that the risks have been appropriately identified and the management actions reported were effectively mitigating these risks.

Resolved: RECOMMENDED TO BOARD that the Risk Register be approved.
ACTION: Report to Board 07/07/2025

16/25. Committee Self-Assessment 2024 - 2025 (Appendix, Agenda Item 8)

At the end of the 2024 - 2025 governance cycle, the Board and each committee were invited to complete an evaluation exercise. These would inform the Board’s self-assessment return and improvement action plan 2025 – 2026.

The Committee Chair would consider the Committee’s performance during 2024 – 2025 and complete a draft evaluation, which the Committee would review and contribute to.

17/25. Irregularity and Fraud

None reported.

18/25. Governance Pack – Department for Education (DfE) College Guidance and Framework for 2024/25 Audits

The Department for Education (DfE) had released updated guidance for colleges, which included a new College Accounts Direction, revised self-assessment requirements and an audit framework that replaced the Post-16 Audit Code of Practice. These changes were intended to streamline compliance and clarify the roles of Accounting Officers, Governors, and auditors.

ACTION: Report to Board 07/07/2025

19/25. Date of Next Meeting – Wednesday, 19 or 26 November 2025 at 5.30 p.m. TO BE CONFIRMED

The meeting concluded at 6.27 p.m.