Minutes of the Audit and Risk Committee – November 2018

Present

• Robert Tinlin, Non-Executive Director (Chair)
• Annie Gunner Logan, Non-Executive Director
• David Watt, Non-Executive Director

In attendance

• David Harvie, Crown Agent
• Ian Walford, Deputy Chief Executive
• Stephen Woodhouse, COPFS Director of Finance
• William Wilkie, Audit Manager, SG Internal Audit
• Iain Burns, Senior SG Internal Audit Manager
• Lindsey Miller, Deputy Crown Agent (Operational Performance)
• Esther Scoburgh, Audit Manager, Audit Scotland
• Sharon Fairweather, Director of Internal Audit
• June Campbell, COPFS Secretariat

Apologies

• Evelyn Aitken, Head of Management Accounting and Planning
• Stephanie Harold, Senior Auditor, Audit Scotland
• Gillian Woolman, Assistant Director Audit Services, Audit Scotland

The Chair welcomed everyone to the meeting. Iain Burns, replacement for Stuart Dickson, was introduced to the committee.

Non-Executive Director’s (NXD’s) had a short general discussion with Internal Audit regarding their role and the forthcoming Internal Audit Annual Report.

The minutes were agreed by the Audit & Risk Committee (ARC).

The Chair received confirmation from the ARC that there were none.

Actions 2, 5, 6 and 9 are open but are ongoing or relevant to a future ARC meeting. Action 2- it was agreed that a copy of the current Draft COPFS Finance Strategy would be issued to the NXDs with the caveat that significant changes are a possibility depending on our 2019-20 budget allocation. All other actions are closed.

Action: Finance Director to issue a copy current Draft COPFS Finance Strategy to the NXDs

The tracker included details of action plans being undertaken by management in respect of seven External Audit (EA) recommendations.

The committee were content with Management actions/responses in respect of recommendations 1, 2, 5, 6 and 7. The committee would like to see more specific/succinct updates in respect of actions 3 and 4 using bullet points and test assurance of progress. EA will follow up risks and report back to responsible officers.

The committee was asked to note the forecast position as at 30 September 2018. The forecast against budget shows an overspend – mainly attributable to Office & Admin Costs, Post Mortem pressures and Centrally Managed costs. The forecast position includes the additional funding that COPFS expect to receive from Scottish Government in the Autumn Budget Revision. Further additional funding is expected in the Spring Budget Revision plus capital for Justice digital related projects.

Finance, Business Managers and Human Resources (HR) continue to work closely to ensure robust/accurate forecasts.

Over half of required new staff have been recruited. It is anticipated at present that the Expansion project will be completed by January 2019 in respect of recruitment of new staff.

Negotiations in respect of Post Mortem contracts are ongoing.

Internal Audit (IA) provided a progress report in respect of the COPFS 2018-19 Audit programme which includes five main audits and three follow-up reviews. A further update will be provided at the February ARC meeting.

The Audit in respect of Information Management Assurance Phase 2 has been deferred to 2019-20 and expected to be carried out in either quarter one or two. Following discussion the committee were content for this to be deferred.

Internal Audit provided a report in respect of their Information Assurance Phase 1 review which outlined four recommendations and an overall reasonable assurance.

The Deputy Crown Agent (Operational Support) who is leading on COPFS ability to comply with General Data Protection Regulations (GDPR) will be asked to consider rationalisation of some of the documentation held to stream line the guidance if possible, review COPFS GDPR Action Plan, breach data log entries and project roles and responsibilities. A follow up review will be carried out in phase 2 which will also include a review of changes in digital strategy and post Brexit.

The update was noted by the committee.

Action: Deputy Chief Executive (DCE) will discuss IA recommendations in respect of GDPR with DCA (Operational Support)

The committee received copies of the Audit Scotland ‘Annual Report on Internal Audit’ and ‘Scottish Government Overview of Internal Audit’ at their August meeting. A COPFS management response to the Audit Scotland report was commissioned for discussion at today’s meeting.

The Director of Finance provided an assessment of the service received by COPFS from Internal Audit Directorate and reasons for continuing with this service as opposed to COPFS having its own internal audit function.

Internal Audit recognises findings from Audit Scotland Report. They have a project in place to address issues raised in respect of recruitment and have the resources they require to deliver plans for the financial year.

Following discussion the committee agreed they are content with the assurance/service provided by Internal Audit. The ARC considered briefly the merits of revisiting and refreshing an assurance map for the organisation.

Action: Finance Director/ Internal Audit Scotland and Audit Scotland will look at information they have in respect of assurance mapping.

The DCE provided the ARC with an update on the ongoing work and progress made in developing the new risk register following the risk workshop on 3 May 2018 and the subsequent Risk Management Group (RMG) meetings. The new register includes seven strategic risks.

Each Function has an individual risk register. At their meetings RMG carries out a deep dive review into Function Registers or a specific corporate risk. RMG reviewed the combined Serious Casework Group Risk Register (previously separate High Court and Serious Casework registers) at their October meeting (outcome detailed in October RMG minutes included in today’s ARC papers). The RMG will carry out a further review of this register at their May meeting and report back to the ARC.

RMG will revisit the Corporate Risk Register once the COPFS Strategic Plan has been approved. The ARC is content with the progress made and the detailed minutes for the RMG October meeting.

The Deputy Chief Executive and Finance Director provided a report in respect of their review of the above remits. The committee were asked to note the distinct roles of the ARC and RMG and to consider a small amendment to the ARC responsibilities to reflect the role of the RMG in providing ARC with assurance on risk management.

Following discussion the ARC agreed it was content with the paper/remits and small amendment proposed.

At the May meeting the ARC requested a progress report to be provided at the November ARC meeting in respect of Internal Audit’s 2017-18 ‘Validation of Key Performance Indicators’ Report which provided an overall Limited assurance opinion and identified five recommendations.

The Deputy Crown Agent (Operational Performance) and Internal Audit agreed some progress has been made but that work is ongoing. One recommendation has been implemented, two are partially implemented and two are still to be undertaken.

A further update will be provided by the end of the financial year when it is expected more progress will have been made. The Committee is content with the progress made so far.

Action: Update in respect of COPFS progress with Internal Audit recommendations- KPI to be provided in time for May ARC meeting

The Chair thanked everyone for their contribution to the meeting. He also thanked Stephen Woodhouse for his valuable contribution to the Audit & Risk Committee and wished him well in his retirement.

The next meeting will take place on 7 February 2019 in COPFS.