Present:
- Siobhan White (SW), SHR Committee Chair
- Lindsay Patterson (LP), SHR Committee member
- Ewan Fraser (EF), SHR Committee member
In attendance:
- Louisa Yule (LY), Senior Audit Manager - Audit Scotland
- Sanya Ahmed (SA), Audit Manager - Audit Scotland
- Jim Montgomery (JM), Senior Internal Audit Manager, Scottish Government
- Gary Gibb (GG), Internal Audit Manager, Scottish Government
- Paul Marshall (PM), Internal Audit Manager, Scottish Government
- Michael Cameron (MC), SHR Chief Executive (items 1-6)
- Iain Muirhead (IM), SHR Director of Digital and Business Support (items 1-6)
- Roisin Harris (RH), SHR Corporate Governance Manager (items 1-6)
- Clare Nicolson (CN), SHR Business Manager (items 1-6)
- Nicola Kane (NK), SHR Business Support Officer (items 1-6)
Chair’s welcome, apologies and declarations
The Chair welcomed everyone present to the meeting, especially CN, who recently returned to SHR. SW highlighted that NK will attend all future ARAC meetings in her role as Business Support Officer. SW also explained that this is JM’s last meeting as SHR Senior Internal Audit Manager.
GG confirmed that he will attend the June ARAC meeting to deliver the audit opinion and present the report on the Regulatory Framework review.
The Board noted apologies from Louise Carmichael (LC), the incoming Senior Internal Audit Manager.
There were no declarations of interest.
Minutes of the previous meeting, matters arising & audit log
ARAC considered the action points from the draft minutes as well as the matters arising report and audit action log.
ARAC thanked JM for circulating further information on audit fees. It noted that ARAC meeting papers are now also being made available to the rest of SHR’s Board for reference. SW reported that SHR’s Board approved the proposed updates to ARAC terms of reference on 27 February 2024.
IM updated ARAC on cyber security. He confirmed that he, LP, another SHR Board member and SHR’s Assistant Director of Digital completed the training provided by Scottish Government aimed at public sector board members. IM reported that publication of the new public sector framework has been delayed, but is expected soon. He explained that this is expected to include a very comprehensive self-assessment tool and, once it is available and completed, he will update ARAC on the findings and action plans. IM also explained that in the meantime SHR’s work around cyber security continues with staff and suppliers. ARAC noted and agreed to IM’s proposed timeframe for a further update. LP confirmed that the training was very useful, particularly in highlighting the risk of phishing attempts.
IM confirmed that work on the records management policy is progressing with updates due to be considered by Management Team shortly.
ARAC considered and approved the minutes from its meeting on 19 December 2023 as an accurate record of the meeting subject to a minor correction.
Internal Audit Update
GG presented a progress report to ARAC. He highlighted that audit work on SHR’s review of the Regulatory Framework is on course to be completed by the end of March and he will report on this to ARAC in June 2024.
GG reported that the Scottish Government’s transformation programme for HR and Finance systems has been delayed and new systems are now due to go live in October 2024. He explained that gateway reviews are ongoing, so there could be other developments. ARAC noted SHR’s reliance on these systems.
MC reported that he sits on the customer board for the transformation programme and that both he and IM, as well as some other SHR staff, have a number of operational connections into the work. He confirmed that 1 October 2024 is the current go-live date and that this is a drop-dead date as it also relates to Scottish Government’s transition to a 35 hour working week, which the systems are needed to support. ARAC noted that SHR will need to be involved for longer in the transformation work, but the new date does not clash with audit work as the original one did. IM also explained that there is a wide range of related Scottish Government forums, groups and briefings and it is not always clear for small bodies like SHR which are the most beneficial to resource.
GG presented the draft Internal Audit plan for 2024/25 and explained how this is developed with input from SHR and wider risk scanning by Internal Audit. GG outlined the two proposed reviews covering Notifiable Events and, in terms of business continuity, SHR’s office accommodation moves. ARAC discussed:
- the importance of business continuity, noting that SHR was better placed than some other bodies at the time of pandemic related lockdowns due to arrangements it put in place around IT following an earlier emergency decant;
- how the introduction of Teams and other technology has made SHR less reliant on an office base, but that this still remains important; and
- the importance of understanding the contribution to public service reform and any learning as part of the office review.
ARAC thanked GG and noted the update. It approved the internal audit plan for implementation by PM.
External Audit Plan
SA presented External Audit’s work plans for the 2023/24 audit. She explained the purpose of the audit plan in identifying risks, audit work plans, associated timescales and how this relates to duties associated with International Audit Standards. SA highlighted:
- materiality levels for SHR’s audit;
- significant risks and the rebutted risk around fraud and the financial statement;
- that audit work will cover the performance report, governance statement and remuneration and staff report as well as SHR’s financial statements;
- wider scope focus around best value and financial sustainability due to risks associated with future funding;
- timescales agreed with SHR allowing for reporting to ARAC in June 2024; and
- an ask for any suspected fraud to be highlighted to auditors, confirming that there have been no reports to date.
ARAC considered the plan and discussed:
- the risks being considered noting that intangible valuation work was completed in the previous year;
- timescales, noting these had been discussed and agreed with SHR;
- expectations from public bodies around financial sustainability given the annual budget settlement approach and noting that Audit Scotland takes this into consideration as well as any forecasting and scenario work that SHR does. It also noted that as SHR’s staff costs make up a significant part of the budget, workforce planning will also be considered;
- how audit reports are considered and reviewed collectively to inform national reports and briefings; and
- assurance ARAC would welcome around Best Value.
ARAC agreed the audit plan for 2023/24.
Risk management strategy and register
IM presented a draft updated risk management strategy and risk register to ARAC. He explained these were developed following discussions with ARAC, SHR Board and Management Team. IM highlighted:
- work to address the connection between the register and tasks in SHR’s operating plan, reporting that the new plan will identify which risk each task is primarily mitigating;
- proposals to raise the profile of risk management with staff;
- proposals to update the risk register to separate out some risks, refresh narrative and recalibrate scores.
ARAC considered the strategy and register and discussed:
- risk scores and what this means for the overall risk environment that SHR is operating in, noting that risks to regulatory organisations are distinct and don’t necessarily translate into risks to SHR, but that some of the newly separated risks try to address this;
- how SHR has responded recently to increased risks in the sector and how this approach has been broadly welcomed by stakeholders;
- importance of clarity around SHR’s role to help manage perceptions of risks, noting that the new strategy will clearly set out SHR’s role and that work such as the update statement on the homelessness services thematic identified what is beyond regulatory scope and requires a systemic response;
- objectives and priorities, asking IM to ensure the strategy is clear when referencing SHR’s statutory objective and strategic priorities;
- how the risk register scores are used by readers to interpret the register, the impact of the scores on the overarching risk, noting that Management Team discussions are mostly focussing on the movement of likelihood scores. It also noted previous approaches taken and how this feels proportionate and that all the risks listed would have a significant impact on SHR given their strategic nature; and
- proposal to remove definitions around terminate, transfer or treatment of risk from the strategy, noting these no longer aligned with SHR’s approach.
ARAC agreed the risk management strategy and register for proposal to SHR’s Board subject to minor corrections. It agreed that IM should provide this to the Board with track changes to demonstrate the scope of the review considerations.
Action: IM to take account of ARAC’s feedback in making minor corrections and propose the strategy and register to SHR’s Board in March 2024 for approval.
Agenda Planner, AOB, New matters & DONM
ARAC considered the agenda planner. RH reported that a date has been agreed for ARAC in December 2024. ARAC agreed preference for an update on Best Value in September 2024.
ARAC noted the updates and forward agenda planner. There were no new matters for audit raised.
ARAC noted that this was JM’s last meeting with SHR ARAC prior to his retirement. JM thanked all the SHR staff and ARAC members that he had worked with past and present for their support. ARAC thanked JM for his work, advice and support for SHR and wished him well in retirement.
Private session
ARAC held a private meeting with the auditors.