Audit & Risk Committee’s Annual Report to the Board 2023-2024
This is the sixteenth annual report on the workings of the Audit & Risk Committee. The report covers the activity of the Audit & Risk Committee for the financial year 2023-2024 and was approved by the committee for submission to the Board at its meeting on 11 June 2024. The purpose of this report is to inform the Agency Board of the activities of the Audit & Risk Committee and provide assurance to the Agency Board that the internal control and risk management systems are fit for purpose.
The Board is asked to discuss and note the content of the report and agree that adequate assurance has been provided.
Nicola Gordon, Chair of the Audit & Risk Committee
12 June 2024
1. Introduction
The Audit and Risk Assurance Committee Handbook (HM Treasury 2013; updated March 2016) sets out best practice for committees to provide an Annual Report which summarises work undertaken in the last year and how responsibilities have been discharged. It was revised by the Scottish Government Audit and Assurance Handbook (March 2018) which included minor amendments as well as increased responsibilities for the audit committee to clearly set out its assurance framework and to understand the various sources of assurance received. The Handbook sets out five good practice principles for Audit and Risk Assurance Committees:
- Membership, independence, objectivity and understanding;
- Skills;
- The role of the Audit and Risk Assurance Committee;
- Scope of work;
- Communication and reporting.
1.1 As Chair of the Audit & Risk Committee since 1 January 2022, I have assessed the activities of the Committee during the financial year 2023-2024 against the good practice principles outlined in the Handbook.
1.2 Reflecting on the activities of the Audit & Risk Committee during the financial year 2023-2024 I would like to thank the members of the Committee for their diligence in supporting the Board and the Accountable Officer by reviewing the reliability of assurances on governance, risk management and financial control.
1.3 At a workshop late in the previous year, 2022-2023, the committee addressed its role and how its activities could best contribute to its declared purpose. Areas identified for increased attention were risk management, detailed scrutiny of financial reporting and audit in support of business improvement.
1.4 This provided key focus for the committee during 2023-2024 and considerable progress has been made. However, on the priority area of risk, there remains a need to strengthen the management of strategic risk, streamline and professionalise the process, and consider risk appetite. Plans from management to review and update the Risk Management Framework will be considered at the committee's annual workshop planned for June 2024.
I would also like to acknowledge the support provided to the Audit & Risk Committee by the Clerk to the Board, the CLT & Board Support team and the Business Strategy team.
Nicola Gordon
Chair of the Audit & Risk Committee
May 2024
2. Overview
2.1 Constitution of the Committee
2.1.1 The Audit & Risk Committee currently has four non-executive members.
2.1.2 The Committee is attended by SEPA’s Accountable Officer (also Chief Executive), the Chief Officer Finance and the Clerk to the Board. Due to changes at CLT level during 2022, the Committee agreed that the Acting Chief Officer Performance and Innovation should also be invited to all Committee meetings (initially until end of June 2023 then extended to the period of her acting up position). In February 2024 the Agency Board agreed the revised Terms of Reference for the Committee including adding explicit reference to the Chief Officer Governance, Performance and Engagement attending Committee meetings. The Chair of the Board and other senior staff, including the Head of Governance, attend as required. Additional Board members have attended Committee meetings as required. SEPA’s internal and external auditors also attend and are given the opportunity to speak confidentially to the Committee members. Due to the change in membership of the Committee in February 2024 it was agreed that the annual workshop, usually taking place at the start of the year, would be moved to 11 June 2024. The Audit & Risk Committee also sat privately for part of the meetings as appropriate during 2023-2024.
2.1.3 The Audit & Risk Committee met on four planned occasions during 2023-24 (a mix of virtual and in person meetings) and a full list of members and attendance at Committee meetings for 2023-2024 is attached in Appendix 1. The Committee also met for single agenda item financial report meetings five times virtually during 2023-2024 including on 11 December 2023 with a meeting focus on the Annual Report and Accounts 2022-2023.
2.1.4 The Committee was established by SEPA in accordance with powers granted under Schedule 6 of the Environment Act 1995. Committee business is conducted in accordance with the Standing Orders which were approved by the Agency Board on 27 February 2024.
2.1.5 The skills required for the Committee are reviewed as part of the skills matrix for the Agency Board. The current membership to the Committee brings a good range of skills and experience in relation to governance, risk and control that effectively fulfils the role of the Committee.
2.2 Duties of the Committee
2.2.1 The purpose of the Audit & Risk Committee is to monitor and review risk, control and corporate governance; acting independently and objectively. The Committee reports to the Agency Board and its programme of work complements the conduct of internal and external audit and the process of preparing and approving the annual accounts.
2.2.2 The Terms of Reference for the Audit & Risk Committee, as approved by the Agency Board on 27 February 2024, outline in more detail the functions of the Committee including internal and external audit, risk management, whistleblowing, best value and code of conduct. They are available on SEPA’s website.
2.2.3 The Audit & Risk Committee can seek independent external advice if it considers it necessary to discharge its duties.
2.3 Performance of the Committee
2.3.1 The development of members of the Audit & Risk Committee is assessed as part of the appraisal process for members of the Agency Board and subsequently considered by the Chair of the Audit & Risk Committee to ensure the availability of the skills necessary for the Committee to be effective. New members of the Committee participate in relevant Scottish Government training including Board Induction.
2.3.2 During 2023-2024, members of the Audit & Risk Committee participated in several Board seminars that enhanced their knowledge of the Agency’s activities. These covered a broad range of subject matters, including Environmental Standards Scotland (ESS) and Environmental Governance, the Scottish Government consultations on Environmental Governance and Right to a Healthy Environment (Human Rights Bill) and SEPA’s response, Public Sector Reform, and training for the Standards Commission for Scotland. Members of the Audit & Risk Committee also attended external conferences and events virtually and worked with staff as ‘board buddies’ to provide advice and guidance on specific subject matters. On 27 February 2024 the Board approved the proposal to move from a ‘board buddies’ approach to a ‘board champion’ initiative, to reflect the role of Board members in adding value and engaging at strategic level to work with SEPA’s Executive team and colleagues on priority areas of work.
2.3.3 The Audit & Risk Committee members received audit reports on a wide range of subject matters including: permitting, environmental events, H&S – safety cover, access to information, civil contingencies and reservoirs. The Audit & Risk Committee worked closely with the Agency Board with the aim of ensuring that both fulfil their roles, responsibilities and accountabilities. Board updates are provided at the start of every Agency Board meeting with a focus on keeping our people and information safe and secure.
3. Review of the Work of the Audit & Risk Committee 2022-23
3.1 Audit Activity - Internal
3.1.1 The Audit & Risk Committee is responsible for recommending to the Accountable Officer the appointment and remuneration of internal auditors.
3.1.2 The internal auditors provide assurance on the effectiveness of SEPA’s internal control systems and the adequacy of these systems to manage business risk and safeguard SEPA’s assets. With audits undertaken during the reporting period, the internal auditors have also provided ‘value for money’ recommendations to help SEPA improve key areas of its work, seeking to increase effectiveness and efficiency, and helping to embed a culture of continuous improvement.
3.1.3 This service was provided by Azets (formerly known as Scott-Moncrieff) working under an initial three-year contract from 2019-2022. This contract was extended, following agreement by the Audit & Risk Committee in December 2020, for a further two years to March 2024.
3.1.4 New auditors BDO commenced appointment on 1 April 2024.
3.1.5 The budget for 2023-2024 was 86.25 days and £54,950 (excluding VAT). We spent £54,950 on 86.25 days.
3.1.6 The Internal Audit activity carried out in 2023-2024 is detailed in Appendix 2.
3.1.7 An internal audit plan for 2024-2025 from BDO showing 100 audit days went to the Audit & Risk Committee in March 2024 with an estimated cost of £53,350. The 2024-2025 audit plan was approved at the March 2024 Committee meeting with scheduling to be adjusted accordingly.
3.1.8 A summary of the plan for 2024-2025 is provided in Appendix 3.
3.2 Audit Activity - External
3.2.1 Under the Public Finance and Accountability (Scotland) Act 2000, SEPA’s auditors are appointed by Audit Scotland on behalf of the Auditor General. Audit Scotland was appointed as SEPA’s auditor for a five-year period until 2026/2027. The external audit fee for the year is £77,010 in respect of statutory audit for 2023-24.
3.2.2 External audit provides an independent audit opinion on the financial statements as to whether:
- they give a true and fair view;
- they have been prepared properly in accordance with relevant legislation and standards;
- they are consistent with the wider information contained in the Annual Report e.g., the Performance Report and Accountability Report;
- they reflect regularity of expenditure;
- audited parts of the remuneration and staff report have been prepared in accordance with applicable guidance.
3.2.3 As part of their wider role they also undertake work on the following and report to SEPA and the Auditor General for Scotland:
- Financial sustainability
- Financial management
- Governance and Transparency
- Value for Money
3.2.4 In respect of financial year 2023-24, Audit Scotland is planning to conduct the audit remotely starting 2 September 2024. Pre-work has already commenced with a view to reporting the unaudited version to the Audit & Risk Committee on 30 July 2024 with the fully audited version accompanied by the External Audit Letter of Representation and External Audit Report on 11 November 2024.
3.2.5 Their audit approach is risk based and proportionate: it is undertaken in accordance with the relevant international auditing standards and the Audit Scotland code of practice 2021.
3.3 Risk Management
3.3.1 SEPA has a framework for the management of risk which aims to minimise the likelihood and effect of risks to SEPA. This includes the identification and assessment of risk at corporate level, but also through risk registers held in each portfolio and for corporate programmes and projects.
3.3.2 When formulating the strategic and annual internal audit plans the Audit & Risk Committee and the Internal Auditors have taken into consideration the risks on the corporate risk register. Relevant risks are referenced in the terms of reference for the scope of each internal audit.
3.3.3 The Audit & Risk Committee reviewed the risk process and the corporate risk register in September 2023 with a Q2 review of risk and corporate risk provided in December 2023 and risk update in March 2024. The annual workshop on 11 June 2024 is focused on risk.
3.3.4 The Audit & Risk Committee will from time to time draw the attention of the Agency Board to risks of concern. The Board reviews existing risks annually.
3.4 Audit & Risk Committee Outcomes and Recommendations in 2023-24
3.4.1 The Internal Audits undertaken in 2023-2024 (detailed in Appendix 2) resulted in 19 findings from the six audits, which the Audit & Risk Committee has discussed. The Audit & Risk Committee has also considered the adequacy of management’s responses and progress of the actions taken as a result of the audit findings.
3.4.2 During the year the Audit & Risk Committee received additional reports including in relation to a risk management and reporting update, a procurement and associated risk update, the annual procurement report and regular quarterly complaints reporting.
Appendix 1
Member attendance at Audit & Risk Committee Meetings 2023-2024:
Member | Number of meetings attended |
---|---|
N Gordon (Chair) | 3 (out of a possible 4) |
M Hill - Term of office as a board member ended on 31 December 2023 | 3 (out of possible 3) |
H Kohli | 4 (out of possible 4) |
J Hutchison | 4 (out of possible 4) |
C Evan (member of ARC from 27 Feb 2024) | 1 (out of possible 1) |
L MacDonald (member of ARC from 27 Feb 2024) | 1 (out of possible 1) |
Member attendance at Finance Audit & Risk Committee Meetings 2023-2024:
Member | Number of meetings attended |
---|---|
N Gordon (Chair) | 4 (out of possible 5) |
M Hill | 4 (out of possible 4) |
H Kohli | 4 (out of possible 5) |
J Hutchison | 4 (out of possible 5) |
Appendix 2
Summary of Annual Internal Audit Plan and Fees for 2023-24
Azets
The total planned audit days for 2023-2024 is 86.25 days broken down as follows:
Internal audit area | Planned Days |
---|---|
Environmental Events | 10 |
Permitting Process | 10 |
Reservoirs | 11 |
Access to Information | 9.25 |
Compliance with Health and Safety Legislation | 10 |
Civil Contingencies Emergency Response | 10 |
Follow up of previous IA recommendations | 8 |
Management | 18 |
Total | 86.25 |
The budget costs for the year 2023-2024 (excluding VAT) have been agreed as not exceeding £54,950 plus an expenses allowance of £1500.
| Total budget | Total paid (estimate) |
---|---|---|
Audit and management activity | £54,950 | £54,950 |
Expenses | £1500 | £0 |
Total (excluding VAT) | £54,450 | £54,950 |
Appendix 3
Summary of draft Annual Internal Audit Plan and Fees for 2023-2024
BDO
The total planned audit days for 2024-2025 is 100 days broken down as follows:
Internal audit area | Planned Days |
---|---|
Complaints management | 13 |
Flood planning advice | 13 |
Corporate governance framework | 13 |
Staffing - workforce planning, skills assessment and succession planning | 13 |
Estates management | 13 |
Risk management | 13 |
Follow-up | 5 |
Management | 17 |
Total | 100 |
The budget costs for the year 2024-2025 (excluding VAT) have been agreed as not exceeding £53,350.