Committee Members and Attendees

DRAFT Minutes of the Audit and Risk Committee meeting held on Monday 23 March 2026 from 14:00 – 17:00 via Microsoft Teams

DRAFT SUBJECT TO APPROVAL AT THE 22 JUNE 2026 COMMITTEE MEETING

Audit and Risk Committee:
Marie Fallon (MF), Chair
Morag Sheppard (MS)
Chris Spray (CS)

Attendees:

Internal Audit (IA)
Iain Burns (IB), Lead Senior Internal Audit Manager
David James Reay (DJR), Senior Internal Audit Manager

External Audit (EA)
Simba Jana (SJ), Director, Deloitte LLP

ESS Team
Mark Roberts (MR), Chief Executive
Rebecca Peppiette (RP), Head of Corporate Services and Communications
Rebecca Liu (RL), Financial Accountant
Alisdair Stapley (AS), Governance Lead
Kirsty Laing (KL), Business Support Officer (Minutes)

Apologies:

Neil Oakley (NO)
Phil Mason (PM), Manager, Deloitte LLP
Calum Ross (CR), In-house Solicitor

1. Private session

The members of the Audit and Risk Committee (‘the Committee’), internal audit and external audit attended a private session.

2. Welcome

The Chair welcomed Committee members and attendees to the formal meeting, in particular welcoming DJR as a new member of the Internal Audit (IA) team. There were apologies from NO, CR and PM.

3. Minutes and matters arising

The minutes of the previous meeting held on 26 January 2026 were approved, subject to minor amendments.

The running list of matters arising and the audit tracker were provided for the Committee’s information.

The Committee noted the updates and agreed that the Terms of Reference and Board Standing Orders would be reviewed at the June 2026 meeting.

4. Finance

RP provided an update on 2025/26 expenditure, noting that ESS’ forward five‑year expenditure profile would be presented at the June 2026 meeting. In discussion, the Committee:

  • noted the substantial progress on new duties planning and recruitment
  • considered the proposed management structure and discussed best practice in the development of team structures
  • noted the proposed long-term strategic development of ESS

The Committee approved the paper, subject to further consideration of the new management structure.

Action: RP to present the five‑year expenditure profile at the June 2026 meeting.

5. Risk management and assurance

MR presented the Corporate Risk Register, highlighting changes to scoring, appetite, controls and assurances. In discussion, the Committee:

  • considered the risks relating to data storage and the number of complex representations and discussed further mitigations
  • suggested including a controllability assessment as part of departmental risk registers to support spotlighting / escalation to the Committee
  • discussed the risk relating to ESS assimilating its new duties and recommended changes to scoring and appetite

The Committee approved the paper, subject to amendments to scores.

Action: RP to work with departmental Risk Leads to include a controllability assessment within risk registers. Thereafter, items outwith ESS’ direct control will be spotlighted to Committee and Board meetings as per the current schedule.

6. Governance

AS presented the draft year‑end figures for ESS’ Performance and Management Indicators (PMIs) for 2025/26, alongside next steps for future analysis. In discussion, the Committee:

  • considered the current set of PMIs, discussing reasoning behind any variances in figures from 2024/25
  • highlighted the need for added context around PMI figures, noting that an accompanying narrative would be included in ESS’ annual report and accounts, and that a new set of more contextual PMIs would be in place for 2026/27

The Committee approved the paper and noted that it looked forward to reviewing the new set of PMIs at future meetings.

AS then presented the review of ESS’ delegation schemes, highlighting minor updates to the Scheme of Internal Delegation and Specific Scheme of Delegation.

The Committee approved the proposed changes, subject to amendments to the Specific Scheme of Delegation regarding delegated powers in the event of long-term staff absence.

Action: AS to amend wording in Specific Scheme of Delegation in relation to delegated powers.

7. Internal Audit

IB presented the proposed Internal Audit Plan for 2026/27, outlining the timeline of planned activities throughout the year. IA will focus on providing advisory support to ESS due to the substantial work involved in preparing for its new duties and will retain a placeholder for assurance work at the end of the financial year. IB concluded by noting that ESS is a well-controlled organisation.

The Committee approved the plan, subject to further discussion on the details of the Terms of Reference (ToR) for IA’s advisory support role during 2026/27.

Action: IA to provide more detail to the Committee on the ToR for its advisory support role in 2026/27.

DJR presented the Internal Audit progress report for 2025/26, noting the inclusion of the information security report and the timelines for the risk management and legal procedures follow-up.

The Committee approved the report, noting the helpfulness of the insights paper and suggesting that information on organisations of a similar size to ESS be provided in future updates.

DJR introduced the Information Security Review, noting the reasonable assurance outcome and the recommendations in place. DJR highlighted the positive reflections on ESS’ governance arrangements and compliance with policies and procedures. In discussion, the Committee:

  • noted the recommendations and positive reflections from IA
  • considered the recommendations from the review and the timelines for actions
  • noted the importance of evidencing staff understanding, and ensuring there are mechanisms in place to support completion of mandatory training

The Committee approved the paper, requesting detail on the completion of recommended actions at the next meeting.

DJR provided the cyber thematic insights update, explaining trends across organisations and outlining best practice for Board and Committee meetings.

The Committee noted the helpfulness of the cyber insights update and suggested that findings are presented at ESS’ upcoming Cyber Champions meeting.

8. External Audit

SJ presented the 2026/27 External Audit Plan, outlining the audit timetable and key final fieldwork dates. SJ explained that the final sign‑off date is still to be confirmed. However, the external audit team will align with Committee requirements.

The Committee approved the paper, subject to agreed amendments to the External Audit Plan 2026/27 boilerplate text.

Action: EA to amend the text on the External Audit Plan 2026/27 boilerplate.

9. AOB

RP noted her absence for the June 2026 Committee meeting, with MR to cover on her behalf.

Minutes to be approved

Marie Fallon

Chair, Audit and Risk Committee
Environmental Standards Scotland

[DATE]

 

 
