Draft Audit and Risk Committee Minutes – June 2024

Members of the Committee attended a private session.

The Chair welcomed the Committee and attendees to the meeting. There were apologies from CL.

There were no declarations of interests.

The Committee noted RP’s update on the progress of third-party contract re-lets.

The Chair confirmed that there were no updates from the Audit Chairs’ Network Meeting with the next meeting in August 2024.

RZ provided a verbal update on the 2023/24 external audit, noting that fieldwork would begin from 15 July 2024 with wider scope testing.

The Committee approved the minutes of the 25 March 2024 meeting.

RP presented the running list of matters arising, highlighting that environment considerations are now part of technical scoring tenders and that the Audit Chairs’ Network meeting papers had been circulated.

The Committee noted that there had been no update from the Information and Technology Services (iTECS) team, therefore a further meeting will be called to complete this assurance process.

RP presented the budget and expenditure update, drawing attention to the recommended addition of two new permanent posts within the organisation. The Committee noted that when looking at the projected budget profile, measures may need to be put in place to realise savings, alongside public service reform considerations.

The Committee agreed the revised budget for onward consideration by the Board at the meeting of 5 July 2024, but with awareness that ESS will face significantly tighter limits on its expenditure in future years.

The Committee noted RP’s update on the progress of third-party contract re-lets.

MR presented the updated risk register and a visual map of ESS risks

The Committee reviewed and approved the updates to the risk register. It was recommended that the Executive Team:

• reconsider cyber-related risks, specifically in terms of detecting cyber threats
• recognise that the risk associated with potential new monitoring roles for ESS is not within appetite

RP presented the draft Audit and Risk Committee Annual Report to the Board and Accountable Officer.

The Committee approved the report for onward consideration by the Board at the meeting of 5 July with the following updates:

• reference to the Audit and Risk Committee Chairs’ meeting
• the Committee’s self-assessment, development and training programme
• the scrutiny of iTECS cyber security arrangements

RP shared the Draft Annual Report and Accounts for the year ended 31 March 2024 and thanked the Committee, external and internal audit and staff members from ESS for their input.

The Committee approved the draft and recommended that:

• references to ESS as a young organisation be removed
• information on the collaborative approach ESS takes with external organisations, such as the Office for Environmental Protection, be added
• footnotes explaining internal audit ratings be included
• cyber security be added to the risks identified in the report
• checking of gender pay gap and pension information inclusion be carried out

It is now known that pension-related information will not be received from Civil Service Pensions until 31 August 2024 (due to the application of the public service pensions remedy). To enable Deloitte to complete the full external audit and provide the ISA 260 as part of the sign-off process, the extraordinary single-item meeting dates provisionally pencilled in with Committee and Board members will now need to be used (Committee: 2 October 2024, Board: 10 October 2024).

RP presented the corporate reporting update. The Committee noted the two new duties; the Consumer Duty and UNCRC Duty, and the consideration of the Public Sector Equality Duty. The Committee thanked CL for the work carried out to meet all requirements in full.

LQ presented the draft Specific Scheme of Delegation. The Committee approved the Scheme for onward consideration by the Board at the meeting of 5 July 2024, subject to amendments.

RP also presented the Committee forward work plan covering standing items for future meetings. This was approved by the Committee.

IB shared the Internal Audit progress report providing a strategic update on core Scottish Government and directorate work.

IB covered the outcome of the ESS Review of Cyber Security, which covered internal governance and cyber security arrangements. The Committee:

• noted that feedback demonstrated ESS is very alert to cyber issues
• agreed that this work can be further developed by the Board and staff Cyber Security Champions
• recommended targeted training for staff members in identifying and reporting cyber threats

IB reported Internal Audit’s opinion of substantial assurance for 2023/24. The Committee noted that the reports concluded that ESS continued to be a well-functioning organisation with an effective approach to governance.

The Committee thanked the Internal Audit and ESS teams for this assurance work.

The Committee noted the forward meeting dates.

Minutes subject to approval.