ARAC Minutes - 13 June 2023

Published

03 October 2023

Updated

17 October 2023

Present

Present:

 

Siobhan White (SW)

SHR Committee Chair

Lindsay Patterson (LP)

SHR Committee member

Ewan Fraser (EF)

SHR Committee member

 

In attendance:

 

Gary Gibb (GG)

Internal Auditor Manager, Scottish Government

Jim Montgomery (JM)

Senior Internal Audit Manager, Scottish Government

Louisa Yule (LY)

Senior Audit Manager - Audit Scotland

Iain Muirhead (IM)

SHR Director of Digital and Business Support

Roisin Harris (RH)

SHR Corporate Governance Manager

Nigel Gregory (NG)

SHR Regulation Manager 

Murray Smith (MS)

SHR Regulation Manager 

Observing:

 

Stephen Lalley (SL)

SHR Regulation Manager

Chair’s welcome, apologies and declarations

The Chair welcomed everyone present to the meeting, particularly new ARAC member LP and staff observer SL.

ARAC noted Michael Cameron (MC) SHR Chief Executive had submitted apologies.

There were no declarations of interest.

Minutes of the previous meeting, matters arising and audit log

ARAC considered and approved the minutes from its meeting on 14 March 2023 as an accurate record of the meeting. 

ARAC considered the matters arising and audit action logs. It noted that:

  • JM provided further information around the UK Government’s Functional Standard in connection with fraud and that this has been circulated;
  • Internal Audit reviewed other approaches to handling concerns around fraud etc and found that it is very dependent of the type and function of the public bodies, but welcomed that SHR has robust policies and response plans in place to ensure it can be responsive;
  • the cyber security audit is on the agenda; and
  • progress with audit recommendations.

ARAC also noted it would discuss assurance mapping further under AOB.

ARAC noted the matters arising and audit log and all the related updates.

Internal Audit Update

GG presented an update on Internal Audit work.  He reported:

  • that the Cyber Security review is completed and signposted ARAC to the report in the meeting pack, highlighting the substantial assurance rating with one low level recommendation;
  • on reference and background reading documents provided to ARAC via Connect;
  • indicative timelines for Scottish Government’s shared services transformation with planned completion dates of Oct 2023 for HR systems and April 2024 for finance systems;
  • that a reasonable assurance rating has been achieved by Scottish Government Corporate Services level audit; and
  • that work is underway around the first SHR review of the 2023/24 audit programme: deregistrations.

ARAC considered the progress report and discussed the impact of the Scottish Government Corporate Services assurance level, noting this covers the finance systems used by SHR and that there have been both resourcing and system limitation issues.  It also noted the current transformation project status and challenges around scale, resources and data migration and that it is the largest transformation programme ever for the Scottish Government.  ARAC noted the importance of SHR remaining engaged in the project via the Customer Service Board, Delivery Bodies Group and operational engagement. 

GG updated ARAC on the completed Cyber Security review.   He explained the substantial assurance rating and the one low level recommendation around saving any correspondence made via WhatsApp into the official record when systems become available.  GG reported that SHR has a proactive and pragmatic approach to cyber security underpinned by well thought out processes and is doing all it currently can to mitigate risks.   GG explained it is live area that needs constant oversight and monitoring and welcomed that SHR’s “cyber essentials plus” status. 

ARAC considered the report and discussed:

  • the relevance of all discussions on WhatsApp, noting the ongoing judicial review with the UK Government and a statutory public inquiry;
  • the recommendation to ensure decision making correspondence should be saved to the official record when the record becomes available and noted that this has been actioned and added into SHR’s response plan;
  • Staff training, noting that SHR is encouraged to record completion in the Cyber Resilience Group minutes as further evidence of appropriate oversight; and
  • a mock cyber event planned for 2023/24.

GG presented the annual report for internal audit for 2022/23 and highlighted the substantial assurance opinion, explaining this is the highest that can be given and that it builds on previous opinions, as well as review work and engagement with ARAC and management.   JM reported that the next quarterly audit newsletter will detail audit opinions across public sector clients and updated ARAC on the audit of Scottish Government.

ARAC thanked Internal Audit and welcomed all the reports and the assurance provided. It also thanked the SHR staff team who supported the audit work.  

Actions:

  • JM/GG to provide the Scottish Government corporate Services internal audit report.

External Audit & SHR’s Annual Report & Accounts 2022/23

LY presented Audit Scotland’s work on SHR’s 2022/23 annual report and accounts, highlighting the draft audit report and covering letter. She explained that, subject to satisfactory conclusion of outstanding matters, an unqualified audit opinion is anticipated . LY reported that the financial statements provide a true and fair view of SHR and have been properly prepared in accordance with standards and requirements.  LY explained that the outstanding matters are: pension data expected in June; information on interim office costs not currently available; the internal audit opinion that has just been reported and will be reflected in the governance statement and information on controls testing undertaken at Scottish Government.

LY set out the key findings in the report and highlighted that there are no significant issues to report. She detailed some non-material misstatements and disclosure amendments around intangible assets, untaken leave accrual and renumerations. She explained that there had been no significant audit adjustments beyond what might be expected. 

LY reported on financial sustainability and welcomed work SHR has done around workforce planning, climate change and Best Value.  She highlighted that there is only one recommendation to continue to monitor progress against planned workforce activities and consider the related impact on SHR’s budget.

ARAC welcomed the report and discussed:

  • wider scope, noting this is reported on by exception;
  • report status, outstanding items, noting that the report remains in draft until it is signed in August and ARAC will be alerted to any changes;
  • discussions around SHR’s future office and minor adjustments made to the annual report to reflect the late change in future plans, noting that SHR Board will in due course need to review climate change targets already agreed;
  • workforce planning, noting that this recommendation may fall away next year if progress continues;
  • pension data, noting this is provided by DWP and is expected by the end of June and will be entered into the renumeration report when available;
  • Scottish Government system testing, noting this will not overlap with Internal Audit work;
  • IFRS 16, noting this should be straightforward as SHR does not have any long term leases;
  • the Audit experience given the new client arrangement, and noted this went smoothly; and
  • some final typos..

ARAC thanked LY, all the SHR staff involved in the production of the annual report and accounts and noted the draft audit opinion.  It agreed subject to conclusion of the outstanding elements and minor corrections to recommend the report and accounts to SHR Board for signing by the Accountable Officer in August 2023. 

Actions:

  • IM to complete any final typo corrections in the 2022/23 annual report and accounts.
  • LY and IM to alert ARAC to the conclusion of outstanding items.
  • ARAC to recommend the SHR Annual Report & Accounts to SHR Board and Accountable Officer for signing in August subject to conclusion of outstanding work and corrections.

Annual report on fraud and security

IM presented the annual report on fraud, security and whistleblowing to ARAC.  He highlighted updated policies and staff training that is underway. IM also highlighted the Data Protection compliance monitoring report for 20022/23 and confirmed that there have been no incidents that SHR required to report to the Information Commissioner’s Office.

The Board noted the report and that it is referenced in its annual assurance statement to SHR Board (covered at item 6).

Draft ARAC report to SHR Board

ARAC considered a draft annual statement of assurance from it to the SHR Board and Accountable officer.  It discussed appointment of SHR’s auditors and noted this is carried out by the Auditor General. 

ARAC welcomed and approved the statement.  It asked SW to sign this on behalf of ARAC.

Actions: SW to sign and make available the annual statement of assurance from it to the SHR Board and Accountable officer.

Risk Management

IM presented the risk register to ARAC. He reported that scores have been static since the last Management Team review, but that there have been changes made since ARAC and the Board last considered it.  IM also reported that shared services, the Regulatory Framework review and SHR’s office move will be considered by Management Team at the next review in June 2023. 

ARAC considered the risk register and discussed:

  • SHR’s office, noting work carried out to date by IM to seek a longer-term office for SHR;
  • shared services transformation, noting that this may not resolve all the HR issues experienced and the risk rating overview for the overall transformation programme. It noted that Management Team is keeping this under close review;
  • the Regulatory Framework review, noting this is at an early stage with the discussion paper recently launched;
  • emerging risks, noting Management Team has an eye to Scottish Government policy developments and the impact on SHR’s regulation; stakeholder relationships and response to the Framework discussion paper; and
  • interim accommodation, noting the current timescales available for SHR to remain in George House.

Actions:  Management Team to consider ARAC feedback when it next reviews the risk register.

Agenda Planner, AOB, DONMs & Effectiveness of meeting and papers

Agenda Planner

ARAC noted the agenda planner and that meeting dates are confirmed for 18 September 2023 and 19 December 2023.

IM reported that due to new work, resource pressures and prioritising Best Value and workforce planning work, the planned review of assurance mapping has been delayed until September 2023.  ARAC noted that it may receive an update on ongoing work  in September rather than a completed review.  

AOB

SL thanked ARAC for the opportunity to observe the meeting. 

SW reported she will participate in the all staff briefing on 22 June 2023 and will provide updates on SHR Board and ARAC work. 

DONM

18 September 2023