- Audit and Risk Committee Minutes
- 24 September 2024
Committee Members and Attendees
Audit and Risk Committee Meeting held on Monday 2 September 2024, 14:00 – 16:00, via Microsoft Teams
Committee Members:
Marie Fallon (MF), Chair
Richard Dixon (RD)
Neil Oakley (NO)
Morag Sheppard (MS)
Attendees:
ESS Team
Mark Roberts (MR), Chief Executive
Rebecca Peppiette (RP), Head of Corporate Services and Communications
Rebecca Liu (RL), Interim Finance and Accountancy Advisor
Charlotte Lowe (CL), Governance Lead (Minutes)
Internal Audit (IA)
Iain Burns (IB), Lead Senior Internal Audit Manager
External Audit (EA)
Liam McHugh (LM), Assistant Manager, Deloitte LLP
Rashid Zaman (RZ), Manager, Deloitte LLP
Apologies:
Douglas Falconer (DF), Internal Audit Manager
1. Private session
Members of the Committee, internal audit and external audit attended a private session.
2. Welcome
The Chair welcomed Audit and Risk Committee (‘the Committee’) members and attendees to the meeting. There were apologies from Douglas Falconer.
The Committee members declared their interests in relation to an update on Board fees at item 4.
3. Minutes and matters arising
The minutes of the previous meeting were approved by the Committee.
On the running list of actions and matters arising the Committee noted a follow-up meeting regarding assurances from the Scottish Government’s iTECS service is yet to take place. The Committee requested sight of the Corporate Services and Communications (CSC) Team’s risk register in relation to cyber risk.
Action: to share the CSC risk register relating to cyber risk.
RP presented the audit action tracker, which provides an overview of recommendations made by internal and external audit and their status. The Committee noted the tracker is helpful but requested completion dates be updated where missing.
Action: to review completion dates of audit action tracker.
4. Finance
RP provided an update on the 2024/25 budget and expenditure to date, highlighting that ESS has returned funds to the Scottish Government as part of the Autumn Budget Review. ESS may consider voluntarily returning additional funds, where feasible, following the announcement of emergency spending measures by the Scottish Government. In light of these wider public sector financial pressures, ESS’ medium to long term financial plan will be reviewed by the Board as part of the Strategic Plan development work.
RP updated the Committee on the progress of ESS’ annual audit, noting the delay with Cabinet Office issuing pension-related information. The ESS team continues to work with external auditors to finalise the Annual Report and Accounts and ISA 260 to schedule. RP thanked the ESS and Deloitte teams for their work on this.
RP highlighted that the move to a new Oracle finance system is progressing and the team remains positive about implementation in October, while putting in place mitigations for any teething problems that may occur. The Committee noted that the Chair of the Committee and Acting Chair of the Board had been briefed on planned mitigations involving movement of funds and recommended maintaining a thorough audit trail of any manual fixes required during the changeover.
Action: to implement process for maintaining audit trail of any manual fixes required during the changeover.
RP provided an update on new members’ annual fee limits issued by Scottish Ministers, which will decrease annually in a schedule set out to 2026/27. Board and Committee fees will be monitored at regular points during the financial year to
ensure that the new recommended limits will not affect ESS’ ability to perform its functions.
RP provided an update on the re-let process following the Committee’s deep dive into third-party contracts, highlighting the inclusion of sustainability considerations in the scoring process.
5. Risk management and assurance
CL presented the corporate risk register, providing an update on mitigations relating to ESS’ systems, including the move to the new Oracle finance system and a ‘real-life’ test of ESS’ Business Continuity Plan (BCP) during the July 2024 global IT outage. In discussion, the Committee:
• noted the lessons learned during implementation of the BCP
• discussed the definitions of the risk headings (inherent vs residual)
• noted the risk register and approach would be reviewed during the development of ESS’ next Strategic Plan
The Committee approved the risk register.
6. Governance
CL presented the review of ESS’ Framework Document with the Scottish Ministers, noting that the draft is based on the new model framework but that the Committee may want to consider specific points and overall tone to ensure ESS’ independence as a non-ministerial office. The Committee agreed the importance of this point and made a number of recommendations for inclusion and onward Board approval.
RP presented the Committee’s forward work plan, and noted that due to the postponement of the Committee development session into the new year, the self-assessment exercise would also be delayed into the winter. This will also allow incorporation of feedback from workshops on drafting the next Strategic Plan.
7. Internal Audit
IB presented the internal audit progress report, updating on forthcoming reviews of ESS’ risk and performance management approaches and noting that the terms of reference for the risk review would be circulated soon. The Committee requested that ESS and internal audit’s action trackers are aligned.
Action: to align the two audit action trackers.
IB updated on revisions to the Global Internal Audit Standards which will result in updates to the Audit Committee Handbook. The Committee agreed to consider any updates to ESS’ governance and procedures in light of these changes at the next Committee meeting.
Action: to consider impacts of the updated Global Internal Audit Standards at the November 2024 Committee meeting.
8. External Audit
RZ gave an update on the progress of ESS’ annual audit, noting completion of the wider scope assessment work and that the ISA 260 is being finalised.
9. General Audit Updates
The Chair presented an updated from the previous Audit Chairs Network meeting, noting updates on the Global Internal Audit Standards and highlighting discussions around key performance indicators for internal audit.
10. Any other business
There was no other business to consider.
Minutes subject to approval
Morag Sheppard
Deputy Chair, Environmental Standards Scotland Audit and Risk Committee
25 November 2024