Audit and Risk Committee DRAFT Minutes –June 2025

The Chair welcomed AM to the meeting and led a round of introductions.

AM provided an overview presentation on Consumer Scotland’s functions and outlined the provisions of the Consumer Duty. AM took questions from the Committee on the Duty and related requirements of public authorities.

The Committee thanked AM for the presentation.

[At this point AM and the ESS team left the meeting].

The members of the Audit and Risk Committee (‘the Committee’), internal audit and external audit attended a private session.

[At this point the ESS team rejoined the meeting].

The Chair welcomed the Audit and Risk Committee (‘the Committee’) members and attendees to the formal meeting, officially welcoming CS as a new Committee member.

There were apologies from LQ and KM.

The minutes of the previous meeting on 07 April 2025 were approved.

The running list of matters arising was provided for the Committee’s information

RP provided a summary of expenditure to date for the financial year 2025/26. In discussion, the Committee:

• considered the staff costs and contingency update, alongside the due diligence being carried out in relation to recruitment timescales
• noted third-party procurement for key projects is underway, including the new HR advice supplier and keeping pace stocktake review
• considered the potential impact of the anticipated 2025/26 pay award

The Committee noted the paper and that the revised budget will be brought to the Committee meeting of 22 September 2025 for consideration.

Action: to bring the revised budget to the Committee meeting of 22 September 2025 for review.

CL presented the updated corporate risk register, including recommendations from the 07 April 2025 meeting.

In discussion, the Committee:

• considered the control environment around the new Oracle finance system, highlighting work being undertaken by the Scottish Government, Audit Scotland and Deloitte to provide more comprehensive assurances in due course
• discussed cyber risk, noting the three related phases and potential actions to be considered as part of the operational cyber risk register (vs tolerating the current risk)
• noted financial risk appetite, highlighting ESS still has no risk appetite for being inadequately resourced

CL presented outcomes from the April Audit and Risk development session. In discussion, the Committee:

• noted the positive outcome of the development session, highlighting the key risks that were discussed by attendees
• highlighted the suggested increase in risk appetite in areas such as ‘operational’ and ‘reputational’ risk, noting confidence with innovation and using ESS’ broad range of powers
• reiterated the importance of using the risk management framework effectively to improve decision-making and planning

Action: to bring the revised risk-register to the Committee meeting of 22 September 2025 for review.

CL provided an update on corporate reporting duties, highlighting no new duties have been placed on ESS since the June 2024 update and that ESS has met 100% of its reporting duties within deadline. The Committee noted the paper and received further assurance on continuity where there are staffing changes.

RP presented the draft Annual Report and Accounts 2024/25, highlighting updates, improvements and new requirements. In discussion, the Committee:

• noted the return of £100k to the Scottish Government in January 2025 was not recorded publicly, therefore has not been included in the ESS 2025/26 Accounts
• considered the due diligence carried out by the team to provide accurate accounts during the transition of financial software from SEAS to Oracle

The Committee approved the draft Annual Report and Accounts for submission to the Board on 4 July 2025, subject to minor amendments.

RP presented the Audit and Risk Committee’s draft annual report to the Board. The Committee approved the paper to be presented to the Board, subject to an additional note related to the Oracle finance system.

CL presented the Committee forward work plan and audit action tracker, including information on Internal Audit activity and upcoming key milestones. The Committee noted the updates and timelines for the coming year.

IB presented Internal Audit’s annual assurance opinion for 2024/25, summarising the key factors, such as organisational maturity, that led to the ‘reasonable’ assurance opinion provided.

IB updated the Committee on the Internal Audit progress report 2025/26, noting work is underway for the review of ESS’ legal procedures. The Committee noted the Terms of Reference provided, including relevant information sharing provisions.

IB shared the draft Memorandum of Understanding between ESS and Scottish Government’s (SG) Directorate for Internal Audit and Assurance (DIAA) and DIAA’s annual performance report for the Committee’s information.

RZ gave an update on the progress of ESS’ annual audit, highlighting the recent review of business processes and upcoming wider scope meetings.

The Committee noted the proposed schedule for the Audit and Risk Committee and Board meetings for 2026/27 and considered possible arrangements for the July 2026 Board meeting, when the next annual report and accounts is due for approval.

The Committee acknowledged IB and DF’s attendance at their final Committee meeting with ESS and thanked them for their advice and support over the early years of ESS’ operations.

Marie Fallon

Chair, Audit and Risk Committee
Environmental Standards Scotland

[DATE]