Committee Members and Attendees
DRAFT Minutes of the Audit and Risk Committee Meeting held on Monday 26 January 2026, 14:00 – 15:30 via Microsoft Teams
DRAFT SUBJECT TO APPROVAL AT THE 23 MARCH 2026 COMMITTEE MEETING
Audit and Risk Committee:
Marie Fallon (MF), Chair
Neil Oakley (NO)
Morag Sheppard (MS)
Chris Spray (CS)
Attendees:
Internal Audit (IA)
Iain Burns (IB), Lead Senior Internal Audit Manager
External Audit (EA)
Simba Jana (SJ), Director, Deloitte LLP
ESS Team
Mark Roberts (MR), Chief Executive
Rebecca Liu (RL), Financial Accountant
Rebecca Peppiette (RP), Head of Corporate Services and Communications
Calum Ross (CR), In-house Solicitor
Alisdair Stapley (AS), Governance Lead
Kirsty Laing (KL), Business Support Officer (Minutes)
Apologies:
Kate Moffat (KM), Lead Senior Internal Audit Manager
Marketa Andrews (MA), Internal Audit Manager
Rashid Zaman (RZ), Manager, Deloitte LLP
1. Private session
The members of the Audit and Risk Committee (‘the Committee’), internal audit and external audit attended a private session.
2. Welcome
The Chair welcomed the Committee members and attendees to the formal meeting.
There were apologies from RZ. EA noted RZ will no longer attend the Committee and confirmed a new EA team representative for future meeting attendance. The Committee thanked RZ for his past contribution.
There were also apologies from KM and MA with the Chair noting the attendance of IB in their place.
2. Minutes and matters arising
The minutes of the previous meeting on 24 November 2025 were approved.
The running list of matters arising and audit tracker were provided for the Committee’s information.
In discussion, the Committee:
- noted ESS’ meeting with EA to reflect on the 2025/26 annual external audit process, and plan for 2026/27
- discussed the additional EA audit fee and ways to mitigate additional fees in future
- highlighted IA’s cyber thematic review report which will be shared at the next Committee meeting
- noted the update from IA regarding the Public Service Reform (PSR) gateway review
- agreed that the cyber risk register will constitute a standing item while the register is still formative
Action: IA to share the outcome of the Public Service Reform (PSR) gateway review with the Committee.
Action: IA to share the cyber thematic review report at the next Committee meeting.
Action: RP to present the cyber risk register as a standing item and update background policy and procedure information to reflect this change in process.
4. Finance
RP provided an update on expenditure against the 2025/26 budget for information.
RP presented the draft ESS budget for 2026/27, referencing the Scottish Government’s 2026/27 draft budget published in January 2026.
RP outlined the proposed budget plan to support ESS’ new duties, noting the careful consideration given to recruitment timelines and the onboarding process.
In discussion, the Committee:
- considered the proposed recruitment process for the new duties, discussing the pre-emptive measures in place to mitigate the risk of delays
- noted the proposed new organisational structure and the recommended ways of ensuring cross-departmental flexibility
- highlighted the importance of tracking any potential underspend in the 2026/27 budget
The Committee approved the core budget along with the budget for the new duties. The posts recommended were approved in principle, subject to further discussion by the Board in a private session before final approval.
Action: RP to bring a quarterly update on new duties recruitment, alongside any associated budget updates, to the Committee.
9. AOB
The Committee thanked attendees for the work associated with both the 2025/26 and 2026/27 finance requirements.
Minutes to be approved
Marie Fallon
Chair, Audit and Risk Committee
Environmental Standards Scotland
[DATE]
