Audit and Risk Committee Annual Report 2023/2024
Date: 14 May 2024
Purpose | Decision
How does this link with our corporate priorities of improving biodiversity or delivering nature-based solutions to climate change | Governance as an overarching framework covers all NatureScot outputs, which are firmly linked to the corporate priorities of Protect, Restore, and Value.
Summary | This report has been produced to summarise the work undertaken by the Audit and Risk Committee (on behalf of the Board of NatureScot) during 2023/24, and follows the format set out in the Scottish Government Audit and Assurance Handbook published in April 2018.
Actions | Board members to consider the work of the Audit and Risk Committee set out in this paper.
Recommendations | Board members are asked to endorse the work of the Audit and Risk Committee during the period 2022/23 and confirm that it is effective in supporting the Board in upholding its governance responsibilities.
Report Authors | Helen McGeorge, Head of Internal Audit; John Donnelly, Head of Finance, Planning & Performance; Sara Lewis, Governance Support Manager; Jane Macdonald, Director of Business Services & Transformation
Sponsor | Ian Gambles, Audit and Risk Committee Chair
Appendices | Annex 1 - 2023/24 Internal Audit Plan
1. This report summarises the main work of the Audit and Risk Committee during the reporting period 1 April 2023 to 31 March 2024.
2. The report has been produced to summarise the work of the ARC in support of the Board of NatureScot in its governance role.
3. The ARC holds four core business meetings per financial year, with a separate meeting for the review of the Annual Report & Accounts when required. This year the review took place at the November meeting. The key leads attending are:
- Accountable Officer
- Director of Business Services and Transformation
- Head of Finance, Planning and Performance
- Head of Internal Audit
- Planning and Performance Manager
4. Representatives of our external auditor Mazars have a standing invitation to attend all ARC Meetings, and have attended most during 2022/23, except for the February 2024 meeting.
5. Ian Gambles is the ARC Chair. Members are Nikki Yoxall, Colin MacPhail, Heather Reid, and Margaret Davidson.
6. The substantive NatureScot in-house complement for the Internal Audit function is 1.73 full time equivalents (FTE):
- 0.73 F grade Head of Internal Audit.
- 1 D grade auditor.
7. During 2023/24 the in-house team was supplemented by a co-sourcing contract with Azets. This provides additional and flexible audit resources when required, including access to specialists such as computer and financial auditors.
8. NatureScot received the services and advice of Mazars during 2023/24.
9. The work of Mazars for the 2023/24 financial year will include an independent opinion on the Financial Statements and additional information within the Annual Report and Accounts. Mazars will also review and report on the arrangements within NatureScot to manage performance and regularity.
2023/24 Summary
10. Annex A summarises the 2023/24 Internal Audit Plan and the control assessments of the areas reviewed. All audits were completed as well as agreed consultancy input to a range of project boards or ongoing governance groups. The 2023/24 Annual Internal Audit Report, including the Head of Internal Audit’s annual assurance on the organisation’s internal control, risk and governance framework was presented to the ARC on 09 May 2024.
11. This report showed that NatureScot’s framework for internal control, risk management and corporate governance is broadly sound, with a number of well controlled areas. However, there were some areas that needed strengthening, including:
- Management of Complex Projects (Licensing and Deerline Stocktake, Review of CivTech Processes).
- Recruitment Framework.
- Learning and Development Framework.
12. In relation to complex projects, the Transformation and Resourcing Sponsor Group and a Project Management Office have been set up. These will help to ensure strategic oversight of key transformation programmes and projects, clear business-led leadership and dedicated project management support from skilled staff. The 2024/25 internal audit plan includes an audit looking at how the new framework is operating in practice.
13. For Recruitment, whilst there is regular monitoring of staff turnover, internal churn and failed recruitments, plus salary benchmarking exercises, more analysis is needed of which advertising approaches and assessment techniques work best, why candidates turn down offers, and feedback on the overall recruitment process and experience. Some of these areas were included in the People Strategy but lacked detailed work plans. The People Programme is now coordinating the work, and detailed plans with measures of success are being developed. A follow-up exercise is included in the 2024/25 internal audit plan.
14. With respect to Learning and Development, areas for strengthening included ensuring alignment of skills identification work with the Corporate Plan cycle and reviewing uptake and effectiveness of training at the organisational, team or working-preference level. Again, this work is being taken forward through the People Programme and a follow-up exercise is included in the 2024/25 internal audit plan.
13. The internal audit performance indicators for 2023/24 are set out in Table 1. All internal audit performance indicators were met. The follow-up Priority 1 implementation rate KPI was also met and at the end of 2023/24 there was only one delayed Priority 1 recommendation. Whilst the overall implementation rate for all recommendations was not met (outturn 70%; target 75%), at the end of the year, there were only five reportable delayed recommendations – one delayed Priority 1, and four delayed Priority 2 actions. Detailed quarterly reports are provided to the ARC on delayed recommendations.
Table 1: Internal audit performance indicators 2023/24
Audit Team Performance Indicator | Target | Progress
Staff adequately qualified | 100% | 100%
Management of closure process – draft reports to HIA by agreed deadline | 100% | 100%
Customer satisfaction – average overall score out of 5 (1 = poor, 5 = excellent) | 4 | 4.25
Priority 1 Recommendations – rolling average implementation rate | 85% | 97% (at end of Q4 2023/24)
All Recommendations – rolling average implementation rate | 75% | 70% (at end of Q4 2023/24)
14. The Annual Report and Accounts were submitted to the Audit and Risk Committee in November 2023. The Committee was assured by the information provided by NatureScot’s Finance Team and Audit Scotland. It was content to recommend approval of the ‘Draft’ Annual Report and Accounts for 2022/23 by the Chief Executive as NatureScot’s Accountable Officer.
15. The draft Governance Statement for 2022/23 was presented to the Audit and Risk Committee in August 2023. The Committee was assured by the information provided and concluded that the evidence adequately reflected the organisation’s governance arrangements during 2022/23.
16. The Audit and Risk Committee discussed the corporate risks at the end of each quarter. The ARC is satisfied with the overall management of risk within NatureScot. It has continued to consider ‘deep dives’ looking specifically at those risks that have been static for some time. Horizon scanning is undertaken by the Senior Leadership Team in order to identify future risks and offer mitigation.
17. Deep dives considered during 2023/24:
- Risk 393 – Future Funding of NatureScot
- Nature Finance
18. Operational deep dives are also being undertaken by the Health, Safety and Wellbeing Manager for consideration by the Committee:
- Firearms (completed June 2023).
- Chainsaw Use (completed February 2024).
- Diving (to be completed by the end of May 2024).
- Boat Use (to be completed by the end of July 2024).
- Storage and Use of Flammable Substances (to be completed by the end of September 2024).
19. The Audit and Risk Committee received the Annual Risk Management Review for 2023/24 and Risk Management Action Plan 2023/24 at its meeting on 09 May 2024. At the time of writing, the Committee is expected to endorse the Risk Management Action Plan for 2024/25 and discuss the 3 initial actions recorded.
20. Members, as well as the full Board, have closely monitored progress on the Structural Funds risk, receiving updates both at their meetings and outwith.
21. The Audit and Risk Committee is provided with quarterly Security Threat Assessment reports, as well as alternating quarterly Information Management and Information & Cyber Security reports. These reports provide details on information management risks and issues; the level of virus activity and cyber security threats experienced by NatureScot; and resultant remedial or pre-emptive action during each quarter.
22. The cyber security risk to NatureScot is currently judged as High. NatureScot’s current Information Management and Cyber Security controls continue to provide an adequate level of security, with 4 out of 6 compliance areas rated green.
23. The ARC was updated that the planned review of ISO27001 alignment will not proceed as originally intended; instead the NatureScot environment will be reviewed against the ISO27032 Cyber Security standard. This will take place in Q1 2024/25.
24. The ARC noted that NatureScot achieved Cyber Essentials in October 2023. However, it was not possible to take forward Cyber Essentials Plus, as not all Android phones are yet managed under Intune (Microsoft’s device security and patching tool). Cyber Essentials Plus re-certification is planned for 2024.
25. The ARC has maintained visibility of data protection issues and NatureScot continues to monitor compliance with the GDPR. Colleagues continue to embed the approach of working collaboratively with project teams on finding creative solutions to data protection that enhance privacy as well as deliver project outcomes. Colleagues also continue to support the roll-out of the M365 project. Expected changes to the UK GDPR and Data Protection Act (2018) proposed by the UK Government mean that some policy work is likely to need reworking in the coming months.
26. The Audit and Risk Committee received its mid-year financial report for 2023/24 at its November 2023 meeting, enabling its challenge and scrutiny.
27. The following key themes were identified for the second half of the financial year:
- Structural Funds
- Pay Settlement
- Continued Higher Inflation
- Scottish Government Spending Controls
- Internal Audit Recommendations on Forecasting and Ring-Fenced Funds
28. The Audit and Risk Committee considered the Medium to Long Term Financial Plan (MLTFP) at its November 2023 meeting.
29. The following key themes were identified in the plan:
- Grant in Aid Funding
- Leverage (Structural Funds, Nature Finance)
- External Funding
- Income Generation
- Transformation
- Capital Investment
30. It was noted that the outlook for Grant in Aid remains challenging.
31. The ARC self-assessment exercise took place in May 2023, and included an extended discussion of the ARC’s strategic priorities and ways of working. The outcomes from this self-assessment are expected to further improve the effectiveness of the ARC, and will be implemented over the coming months, in discussion with the Chair of the Board where appropriate. The self-assessment will be conducted again in 2025.
32. In addition to the ARC’s responsibilities for reviewing the comprehensiveness of assurances through a process of constructive challenge, the ARC has also added value to the organisation in the following ways:
- Maintaining and developing relationships to continue an open and transparent culture.
- Providing oversight of limited assurances on the Structural Funds risk.
- Continuing review of Corporate Risk deep dives by the ARC.
33. Board members are asked to endorse the work of the Audit and Risk Committee during the period 2023/24 and its effectiveness in supporting the Board in upholding its governance responsibilities.
Annex 1: 2023/24 Internal Audit Plan
Audit | Link to Risk Register | Progress/Start Date | Assurance Level | Date to ARC
Project Management Approach Health Check | Corporate Risk 137 | Closed | N/A | May 2023
Workload Prioritisation and Management Stage 2 | Corporate Risk 137 | Closed | Satisfactory | May 2023
Azets Green Finance Initiatives | Corporate Risk 393 | Closed | N/A | May 2023

Audit | Link to Risk Register | Progress/Start Date | Assurance Level Control RAG Rating | Actual or Anticipated Date to ARC
SRDP Service Level Agreement Compliance | Corporate Risk 71 | Closed | Satisfactory | August 2023
Azets Financial Forecasting Follow-Up | Weak Assurance; Corporate Risk 21 & 253 | Terms of Reference Agreed Q4 2023/24 | - | March 2024
Health & Safety Risk Framework Follow-Up | Weak Assurance | Q4 2023/24 | - | April 2024
Project Management Framework Follow-Up | Weak Assurance | Q4 2023/24 | - | April 2024
Organisational Response to Pulse Survey Feedback | Corporate Risk 137 | Report Closure | | January 2024
Recruitment Challenges | Corporate Risk 137 | Closed | Limited | August 2023
Learning and Development | Corporate Risk 137 | Closed | Limited | November 2023
Net Zero Plan | Corporate Risk 646 | Closed | Satisfactory | September 2023
Licensing and Deerline Stock Take | Corporate Risk 21 & 85 | Closed | Limited | October 2023
Review of NatureScot CivTech Processes | Corporate Risk 21 & 85 | Fieldwork starting early November | - | February 2024