Audit and Risk Committee DRAFT Minutes – November 2025

The members of the Audit and Risk Committee (‘the Committee’), internal audit and external audit attended a private session.

The Chair welcomed the Committee members and attendees to the formal meeting, as well as the new Governance Lead, AS.

The Committee noted the Chair and two members attending the Government Internal Audit Agency (GIAA) meeting in November 2025. In discussion, the Committee members that attended found the session helpful and will be exploring links with other smaller Non-Governmental Organisations on lessons learnt.

There were apologies from KM and MA with the Chair noting the attendance of IB in their place.

The minutes of the previous meeting on 22 September 2025 were approved.

The running list of matters arising and audit tracker were provided for the Committee’s information.

RL presented an update to the 2025/26 expenditure to date. In discussion, the Committee:

• noted the longer-term financial resilience planning, such as utilising office space and flexible meeting solutions
• noted new items of expenditure, including the expansion of the current occupational health offer and third-party support for external audit recommendations
• discussed 2026/27 planning in the context of the delay to 2026/27 budget announcements, now expected on 13 January 2026

The Committee noted the expenditure to date.

MR presented departmental and cyber risk registers in development as part of the wider Risk Management Review. In discussion, the Committee:

• noted the positive structure of the registers, in particular highlighting the bottom-up approach to risk management
• discussed the structure of the cyber risk register, recommending the addition of an overarching cyber risk rating
• highlighted further amendments in presentation and overall moderation across the registers

The Committee noted the paper.

AS presented a six-monthly update on the progress against ESS’ Performance and Management Indicators (PMIs). In discussion, the Committee:

• noted the general trends reflected in the PMI figures
• considered the distribution of work between departments based on the update

The Committee noted the update.

RP presented a refreshed set of PMIs alongside an updated methodology for describing and evidencing ESS’ work each year. In discussion, the Committee;

• considered the differences between PMIs which delivered against strategic and operational objectives
• discussed how the new PMIs feed into Key Performance Indicators (KPIs) approach
• noted the importance of providing a robust picture of delivery against statutory functions
• reflected on the spread of new PMIs across the draft 2026 – 2031 strategic objectives

The Committee noted and approved the updated set of PMIs and report approach, subject to amendments that were discussed at the meeting, for onward approval for the Board.

IB presented the November 2025 Audit Committee Progress report 2025/26. The report included the initial planning for the assurance review of information security arrangements and further assurance work that will take place throughout 2025/26.

IB noted there will be changes to the Internal Audit team due to recent staff changes.

Action: IB to provide an update to ESS’ when the details of the IA team are confirmed.

External Audit (EA) gave a verbal update on the planning stages and interim work for ESS’ 2026/27 annual audit.

Action: EA to meet with ESS’ to reflect on the 2025/26 annual external audit process.

Marie Fallon

Chair, Audit and Risk Committee
Environmental Standards Scotland

[DATE]