Annual Performance Report – Audit and Risk Committee
- Summary
- Introduction
- Committee information
- Review of the work of the Audit & Risk Committee 2022-23
- Appendix 1: Member attendance at Audit & Risk Committee meetings 2022-23
- Appendix 2: Summary of annual internal audit plan and fees for 2022-23
- Appendix 3: Summary of draft annual internal audit plan and fees for 2023-2024
Summary
Agency Board Report Number: SEPA 33/23
This is the fifteenth annual report on the workings of the Audit Committee now called the Audit & Risk Committee. The report covers the activity of the Audit & Risk Committee for the financial year 2022-2023. The purpose of this report is to inform the Agency Board of the activities of the Audit & Risk Committee and provide assurance to the Agency Board that the internal control and risk management systems are fit for purpose.
Audit and Risk Committee members only at this stage, then the Agency Board and the public
Nicola Gordon, Chair of the Audit and Risk Committee
Audit Committee Annual Report 2022-2023
- Appendix 1: Member attendance at Audit & Risk Committee Meetings 2022-23
- Appendix 2: Summary of Annual Internal Audit Plan and Fees for 2022-23
- Appendix 3: Summary of draft Annual Internal Audit Plan and Fees for 2023-2024
Introduction
The Audit and Risk Assurance Committee Handbook (HM Treasury 2013; updated March 2016) sets out best practice for committees to provide an Annual Report which summarises work undertaken in the last year and how responsibilities have been discharged. It was revised by the Scottish Government Audit and Assurance Handbook (March 2018) which included minor amendments as well as increased responsibilities for the audit committee to clearly set out its assurance framework and to understand the various sources of assurance received. The Handbook sets out five good practice principles for Audit and Risk Assurance Committees:
- Membership, independence, objectivity and understanding;
- Skills;
- The role of the Audit and Risk Assurance Committee;
- Scope of work;
- Communication and reporting.
As Chair of the Audit & Risk Committee since 1 January 2022, I have assessed the activities of the Committee during the financial year 2022-2023 against the good practice principles outlined in the Handbook.
During the year, the Committee has considered its role and how its activities can best contribute to its declared purpose.
As such:
- We increased focus on risk management and further improved the connection between the formal risk management process on the one hand and the work of the organisation and its board on the other.
- We secured board support to update the name of the committee from Audit to Audit and Risk.
- We re-aligned the way of working with financial reports to better allow for detailed scrutiny in the committee and more focused information to be provided to the board.
- We have influenced the direction of internal auditing activity to support business improvement in addition to providing assurance.
Reflecting on the activities of the Audit & Risk Committee during the financial year 2022-2023 I would like to thank the members of the Committee for their diligence in supporting the Board and the Accountable Officer by reviewing the reliability of assurances on governance, risk management and financial control.
I would also like to acknowledge the support provided to the Audit & Risk Committee by the Clerk to the Board, the CLT (Corporate Leadership Team) & Board Support team and the Business Strategy team.
Committee information
Constitution of the Committee
The Audit & Risk Committee currently has four non-executive members.
The Committee is attended by SEPA’s Accountable Officer (also Chief Executive), the Chief Officer Finance and the Clerk to the Board. Due to changes at CLT level during 2022, the Committee agreed that the Acting Chief Officer Performance and Innovation should also be invited to all Committee meetings (initially until end of June 2023). The Chair of the Board and other senior staff, including the Head of Governance, attend as required. Additional Board members have attended Committee meetings as required. SEPA’s internal and external auditors also attend and are given the opportunity to speak confidentially to the Committee members. During 2020-21 the then Audit Committee agreed that the two private sessions per annum with the internal auditor would be replaced by an annual session. This workshop style session took place on 29 July 2022. It was subsequently agreed that the workshop was best placed to take place nearer the start of the calendar year, so a further workshop took place on 9 February 2023. The Audit & Risk Committee also sat privately for part of the meetings as appropriate during 2022-23.
The Committee is attended by SEPA’s Accountable Officer (also Chief Executive), the Chief Officer Finance and the Clerk to the Board. Due to changes at CLT level during 2022, the Committee agreed that the Acting Chief Officer Performance and Innovation should also be invited to all Committee meetings (initially until end of June 2023). The Chair of the Board and other senior staff, including the Head of Governance, attend as required. Additional Board members have attended Committee meetings as required. SEPA’s internal and external auditors also attend and are given the opportunity to speak confidentially to the Committee members. During 2020-21 the then Audit Committee agreed that the two private sessions per annum with the internal auditor would be replaced by an annual session. This workshop style session took place on 29 July 2022. It was subsequently agreed that the workshop was best placed to take place nearer the start of the calendar year, so a further workshop took place on 9 February 2023. The Audit & Risk Committee also sat privately for part of the meetings as appropriate during 2022-23.
The Audit & Risk Committee met virtually on four planned occasions during 2022-23 and a full list of members and attendance at Committee meetings for 2022-23 is attached in Appendix 1. There was an extra, Special, Committee meeting on 24 November 2022 to discuss the Annual Report and Accounts 2021-22. Extra meetings have been planned during 2023-24 due to the increased scrutiny on financial reporting. The Audit & Risk Committee agreed that these single agenda item financial report meetings worked well.
The Committee was established by SEPA in accordance with powers granted under Schedule 6 of the Environment Act 1995. Committee business is conducted in accordance with the Standing Orders which were approved by the Agency Board on 22 February 2022.
The skills required for the Committee are reviewed as part of the skills matrix for the Agency Board. The current membership to the Committee brings a good range of skills and experience in relation to governance, risk and control that effectively fulfils the role of the Committee.
Duties of the Committee
The purpose of the Audit & Risk Committee is to monitor and review risk, control and corporate governance; acting independently and objectively. The Committee reports to the Agency Board and its programme of work complements the conduct of internal and external audit and the process of preparing and approving the annual accounts.
The Terms of Reference for the Audit & Risk Committee, as approved by the Agency Board on 22 February 2022, outline in more detail the functions of the Committee including internal and external audit, risk management, whistleblowing, best value and code of conduct. They are available on SEPA’s website.
The Audit & Risk Committee can seek independent external advice if it considers it necessary to discharge its duties.
Performance of the Committee
The development of members of the Audit & Risk Committee is assessed as part of the appraisal process for members of the Agency Board and subsequently considered by the Chair of the Audit & Risk Committee to ensure the availability of the skills necessary for the Committee to be effective. New members of the Committee participated in relevant Scottish Government training in 2022.
During 2022-23, members of the Audit & Risk Committee participated in several Board seminars that enhanced their knowledge of the Agency’s activities. These covered a broad range of subject matters including, Grangemouth, regulatory recovery service reform, serious organised crime (including sentencing), Environmental Standards Scotland (ESS), COVID wastewater treatment monitoring, Standards Commission training, Climate Change Public Sector Duty, the Annual Operating Plan (AOP) for 2023- 24 and the Corporate Plan (including a session with Scottish Government, Strategic Insights Unit), and MSP research. Members of the Audit & Risk Committee also attended external conferences and events virtually and worked with staff as ‘board buddies’ to provide advice and guidance on specific subject matters.
The Audit & Risk Committee members received audit reports on a wide range of subject matters including: digital services, voluntary severance, drought management, Deposit Return Scheme, financial systems and controls, cyber lessons-learnt, and violence and aggression. The Audit & Risk Committee worked closely with the Agency Board with the aim of ensuring that both fulfil their roles, responsibilities and accountabilities. Safe SEPA at Board updates are provided at the start of every Agency Board meeting.
Review of the work of the Audit & Risk Committee 2022-23
Audit activity – internal
The Audit & Risk Committee is responsible for recommending to the Accountable Officer the appointment and remuneration of internal auditors.
The internal auditors provide assurance on the effectiveness of SEPA’s internal control systems and the adequacy of these systems to manage business risk and safeguard SEPA’s assets. With audits undertaken during the reporting period, the internal auditors have also provided ‘value for money’ recommendations to help SEPA improve key areas of its work, seeking to increase effectiveness and efficiency, and helping to embed a culture of continuous improvement.
This service is provided by Azets (formerly known as Scott-Moncrieff) working under an initial three-year contract from 2019-22. This contract was extended, following agreement by the Audit & Risk Committee in December 2020, for a further two years to March 2024.
The budget for 2022-2023 was 84 days and £56,330 (excluding VAT). We spent £54,830 on 84 days.
The Internal Audit activity carried out in 2022-23 is detailed in Appendix 2.
An internal audit plan for 2023-2024 from Azets showing 86.25 audit days went to the Audit Committee in September and December 2022 and March 2023 with an estimated cost of £56,450. The 2023/24 audit plan was approved at the March 2023 Committee meeting.
A summary of the draft plan for 2023-24 is provided in Appendix 3.
Audit activity - external
Under the Public Finance and Accountability (Scotland) Act 2000, SEPA’s auditors are appointed by Audit Scotland on behalf of the Auditor General. Audit Scotland was appointed as SEPA’s auditor for the financial year 2022-23. They replace Grant Thornton, SEPA’s previous external auditor. The external audit fee for the year is £72,630 in respect of statutory audit for 2022-23.
External audit provides an independent audit opinion on the financial statements as to whether:
- they give a true and fair view;
- they have been prepared properly in accordance with relevant legislation and standards;
- they are consistent with the wider information contained in the Annual Report e.g., the Performance Report and Accountability Report;
- they reflect regularity of expenditure;
- audited parts of the remuneration and staff report have been prepared in
As part of their wider role they also undertake work on the following and report to SEPA and the Auditor General for Scotland:accordance with applicable guidance.
- Financial sustainability
- Financial management
- Governance and Transparency
- Value for Money
In respect of financial year 2022-23, Audit Scotland is planning to conduct the audit remotely starting 23 October 2023. Pre-work has already commenced with a view to reporting the unaudited version to the Audit & Risk Committee on 12 September 2023 with the fully audited version accompanied by the External Audit Letter of Representation and External Audit Report on 12 December 2023.
Their audit approach is risk based and proportionate: it is undertaken in accordance with the relevant international auditing standards and the Audit Scotland code of practice 2021.
Risk management
SEPA has a framework for the management of risk which aims to minimise the likelihood and effect of risks to SEPA. This includes the identification and assessment of risk at corporate level, but also through risk registers held in each portfolio and for corporate programmes and projects.
When formulating the strategic and annual internal audit plans the Audit & Risk Committee and the Internal Auditors have taken into consideration the risks on the corporate risk register. Relevant risks are referenced in the terms of reference for the scope of each internal audit.
The Audit & Risk Committee reviewed the risk process and the corporate risk register twice during financial year 2022-23; in September 2022 and March 2023. There was also an additional risks and opportunities update provided in September 2022, and “risk appetite” in March 2023. The annual workshop in February 2023 also included a risk session on risk management dynamic. In addition, on the recommendation to the Audit & Risk Committee in 2021-22, a Consideration of new risk item was added as a standing item at the end of all Audit & Risk Committee and Agency Board agendas.
The Audit & Risk Committee will from time to time draw the attention of the Agency Broad to risks of concern. The Board reviews existing risks annually and holds a workshop on risk once a year.
Audit & Risk Committee outcomes and recommendations in 2022-23
The Internal Audits undertaken in 2022-2023 (detailed in Appendix 2) resulted in 23 findings, from the seven audits, the Audit & Risk Committee has discussed. The Audit & Risk Committee has also considered the adequacy of management’s responses and progress of the actions taken as a result of the audit findings.
During the year the Audit & Risk Committee received additional reports including in relation to a Governance framework update, a drought management update and regularly quarterly complaints reporting.
Appendix 1: Member attendance at Audit & Risk Committee meetings 2022-23
| Member | Number of meetings attended |
|---|---|
| N Gordon (Chair) | 4 (out of possible 4) |
| M Hill | 3 (out of possible 4) |
| H Kohli | 4 (out of possible 4) |
| J Hutchison | 4 (out of possible 4) |
Appendix 2: Summary of annual internal audit plan and fees for 2022-23
The total planned audit days for 2022-23 is 84 days broken down as follows:
| Internal audit area | Planned Days | Actual Days |
|---|---|---|
| Deposit Return Scheme – Set Up | 8 | 8 |
| Drought Management | 8 | 8 |
| Financial Systems and Controls | 10 | 10 |
| Cyber: Implementation of Lessons Learned | 8 | 8 |
| Implementation of Digital Services | 8 | 8 |
| Violence and Aggression | 8 | 8 |
| Implementation of Voluntary Severance scheme | 8 | 8 |
| Follow up of previous IA recommendations | 8 | 8 |
| Management | 18 | 18 |
| Total | 84 | 84 |
The budget and actual costs for the year 2022-23 (excluding VAT) were:
| Total budget | Total paid (estimate) | |
|---|---|---|
| Audit and management activity | £54,830 | £54,830 |
| Expenses | £1500 | 0 |
| Total (excluding VAT) | £56,330 | £54,830 |
Appendix 3: Summary of draft annual internal audit plan and fees for 2023-2024
The total planned audit days for 2023-2024 is 86.25 days broken down as follows:
| Internal audit area | Planned Days |
|---|---|
| Environmental Events | 10 |
| Permitting Process | 10 |
| Reservoirs | 11 |
| Access to Information | 9.25 |
| Compliance with Health and safety Legislation | 10 |
| Civil Contingencies Emergency Response | 10 |
| Follow up of previous IA recommendations | 8 |
| Management | 18 |
| Total | 86.25 |
The budget costs for the year 2023-2024 (excluding VAT) has been agreed as not exceeding £54,950 plus an expenses allowance of £1500.