Official Report

 

  • Meeting of the Commission 21 June 2017    
    • Attendance

      Committee members

      *Jackie Baillie (Dumbarton) (Lab)
      *Colin Beattie (Midlothian North and Musselburgh) (SNP) (Chair)
      *Bill Bowman (North East Scotland) (Con)
      *Alison Johnstone (Lothian) (Green)
      *Rona Mackay (Strathkelvin and Bearsden) (SNP)

      *attended

      The following also participated:

      Steven Cunningham (Alexander Sloan)
      Russell Frith (Audit Scotland)
      Caroline Gardner (Auditor General for Scotland)
      Ian Leitch (Audit Scotland)
      Diane McGiffen (Audit Scotland)
      Jillian So (Alexander Sloan)

      Location

      The Adam Smith Room (CR5)

       

    • Deputy Chair
      • The Chair (Colin Beattie):

        Good afternoon and welcome to the first meeting in 2017 of the Scottish Commission for Public Audit.

        I welcome Jackie Baillie and Bill Bowman, who have joined the commission since our last meeting. I put on record our thanks to John Lamont for his work as a member of the commission.

        I invite Bill Bowman and Jackie Baillie to declare any relevant interests that they have.

      • Bill Bowman (North East Scotland) (Con):

        I refer members to my entry in the register of members’ interests. I am a member of the Institute of Chartered Accountants of Scotland, and until 2012 I was a partner in KPMG. In 2016, I did some work for KPMG through a consultancy, but I have not been involved with KPMG since I became a member of the Scottish Parliament.

      • Jackie Baillie (Dumbarton) (Lab):

        I have no specific interests to declare. I refer members to my entry in the register of members’ interests.

      • The Chair:

        Thank you. I welcome you to the commission.

        I remind members and the public to switch off their mobile phones.

        Agenda item 1 is the election of a deputy chair, because John Lamont has left us. I seek nominations for the position of deputy chair. I nominate Bill Bowman.

      • Alison Johnstone (Lothian) (Green):

        I am happy to second that.

      • The Chair:

        There are no other nominations. Do you accept the nomination, Bill?

      • Bill Bowman:

        Yes, thank you.

        Bill Bowman was chosen as deputy chair.

      • The Chair:

        I welcome you as the deputy chair.

    • Decision on Taking Business in Private
      • The Chair:

        Agenda item 2 is a decision on taking business in private. Do members agree to take item 4 in private?

        Members indicated agreement.

    • Audit Scotland Annual Report and Accounts for the Year to 31 March 2016 and Auditor’s Report on the Accounts
      • The Chair:

        I put on record our thanks to Douglas Sinclair, who has passed away, for his services, and I offer our sympathy to his family. He was previously the chair of the Accounts Commission, and he passed away in March.

        Agenda item 3 is evidence on Audit Scotland’s “Annual report and accounts 2016/17”. Members have in their papers a copy of the annual report and the auditor’s report by Alexander Sloan. We will take evidence from Audit Scotland and from Alexander Sloan.

        I welcome Ian Leitch, who is the chair of the board of Audit Scotland. He is accompanied by Caroline Gardner, the Auditor General for Scotland; Diane McGiffen, the chief operating officer at Audit Scotland; and Russell Frith, the assistant auditor general.

        I invite Ian Leitch to make a short introductory statement of no more than two minutes—time is tight—after which I invite the Auditor General to make an introductory statement.

      • Ian Leitch (Audit Scotland):

        Thank you, chair. That is a very tough constraint.

        As you know, in addition to our statutory duty to provide the property, staff and services that are required by the Auditor General and the Accounts Commission, the main task of the board is to oversee Audit Scotland’s operations, make sure that it achieves its aims and objectives and ensure that we get value for money. Audit Scotland looks at everybody else to ensure that we get value for money.

        In the past year, we have streamlined our work to keep pace within the wider changes in Scotland’s public finances. Significant steps have been taken to improve the efficiency and relevance of our audits and to ensure that quality is maintained. During the past year, we have delivered a new “Code of audit practice 2016” and have ensured the smooth transition of new audit appointments and auditors for the next five years, which will save around £1 million per annum.

        Like you, chair, the board was sad to hear of the recent death of Douglas Sinclair, who spent many years as the chair of the Accounts Commission and was, therefore, by statute a member of the Audit Scotland board. We have recorded our appreciation of his services and our regret at his passing. His successor, Ronnie Hinds, recently joined us on the board in his temporary role as the acting chair of the Accounts Commission.

        I thank my fellow board members, the accountable officer and her staff at Audit Scotland for all their hard work and contributions over the year.

        With your permission, chair—and, I hope, within the time limit that has been set—Caroline Gardner will say a few words.

      • Caroline Gardner (Auditor General for Scotland):

        As you will see from the annual report, we have maintained our focus on our core work. We carried out more than 300 annual audits and produced 20 performance reports in areas such as the national health service, social work and policing. On behalf of the Accounts Commission, we have developed a new approach to the best-value audit of local government, and we have been developing our approach to Scotland’s significant new financial powers. All of that has been underpinned by internal work to continue to improve the quality, value and relevance of what we do.

        We have developed a new, simpler and more transparent system for determining audit fees, so that audited bodies, Parliament and our other stakeholders have assurance on the cost and quality of the services that we provide. We have continued to reduce audit fees, which fell by 6.7 per cent overall for the 2016-17 audits. Looking ahead, we have also secured approval for our budget for 2017-18, which will result in a reduction of 6.5 per cent in gross expenditure compared to the 2016-17 budget.

        This year’s annual report records a substantial increase in the number of visitors to our website as well as in the number of downloads of our reports. Our social media engagement is also up. I hope that that demonstrathatthat our work continues to be relevant and is reaching a growing audience. We continue to focus on communicating our messages as clearly as we can.

        As always, chair, we are happy to answer the commission’s questions on the annual report.

      • The Chair:

        Thank you. I will ask the first question.

        Page 6 of the annual report states that 89.5 per cent of central Government audit reports were completed by their due dates, compared with 96 per cent in 2015-16. Similarly, 95.7 per cent of NHS reports were completed by their due dates, compared with 100 per cent in the previous year. There seems to be a bit of a deterioration there. Can Audit Scotland indicate what the reasons for that might be?

      • Caroline Gardner:

        Of course, chair. It is worth noting that all those reports were delivered before the statutory deadline of 31 December. Russell Frith can take you through the handful have been identified in the report.

      • Russell Frith (Audit Scotland):

        A small number of reports were completed later than our target dates, which, as Caroline Gardner said, are well within the statutory dates. In most cases, they missed the target dates by only a few days, generally due to issues with the availability of accountable officers or the timing of audit committee meeting dates. Those are not issues that give us any great concern in terms of the delivery of audits.

        As you will be aware, the report on one central Government body—the Scottish Police Authority, which was also subject to a section 22 report—was completed much closer to the statutory deadline.

      • The Chair:

        Were any other reports significantly delayed?

      • Russell Frith:

        No. That was the only one.

      • Jackie Baillie:

        Page 15 of your report identifies the need to improve the working environment of your Glasgow office as a priority for the forthcoming financial year. Can you enlighten the committee as to why the Glasgow office has been identified in that regard? I know that it was recently part of an overall rationalisation programme, so I am keen to understand what is going on there.

      • Caroline Gardner:

        You are absolutely right. We are coming to the end of an overall property strategy that has refreshed and streamlined our property portfolio. Diane McGiffen can talk you through our plans for Glasgow.

      • Diane McGiffen (Audit Scotland):

        We are extending and increasing the number of flexible touchdown working spaces in the Glasgow office to reflect the different geographical needs following the new round of audit appointments, which resulted in slightly more Glasgow-based people working in the west of Scotland and not being located in the audit offices of our clients. We need to make available more touchdown spaces for people moving in and out of that office. We will do that work over the summer, and the office will be open to staff at the beginning of August. The work will make the workplace more flexible and will increase our capacity to support colleagues in Glasgow.

      • Jackie Baillie:

        What is the cost of doing that, and is it accommodated within your budget?

      • Diane McGiffen:

        It is within next year’s budget. It is not within the annual report and accounts budget, but it is met within the resources that we have.

      • Jackie Baillie:

        Thank you. Audit Scotland notes that seven auditor opinions were

        “modified this year—one in further education, two in central government, one in the NHS and three in local government”.

        Did any additional resource implications for Audit Scotland arise from those modified audit reports?

      • Caroline Gardner:

        Russell—do you want to answer that one?

      • Russell Frith:

        Yes. The Scottish Police Authority report was modified on the ground that the authority had not kept proper records on its property, plant and equipment throughout the year, although it was able to satisfy the auditor at the end of the year that the figures were materially correct. Additional time was taken to work through all of that and get to the point at which the auditor was satisfied, and that resulted in an additional fee being charged to the Scottish Police Authority. NHS Shetland’s report was modified for the same reason, and the audit fee was increased as a result.

      • Jackie Baillie:

        You have no issues about needing additional resource because you re-charge those bodies.

      • Russell Frith:

        For chargeable audits, which those were, we can make an additional charge. Had they been non-chargeable audits, there could potentially have been a resource issue.

      • Jackie Baillie:

        Is that work accommodated?

      • Russell Frith:

        We have an allowance within our overall work plan for a bit of additional audit work. However, in this case, they were all reports for which we could make additional charges.

      • The Chair:

        How much was the additional cost to those bodies?

      • Russell Frith:

        We will let you have that information after the meeting. From memory, I believe that the cost to the SPA was £40,000. I cannot remember the cost for NHS Shetland, but it was significantly less.

      • The Chair:

        If you could let us know, that would be helpful. Thank you.

      • Alison Johnstone:

        On page 18 of the report, we learn that Audit Scotland received a total of seven complaints from members of the public during 2016-17, which is an increase from four complaints in 2015-16. Can Audit Scotland provide some background on the nature of those complaints? Were they vaguely similar? What was the outcome and what lessons have been learned?

      • Caroline Gardner:

        I will have a first run through, and Diane McGiffen may wish to add to what I say.

        Of the seven complaints that we identify in the report, one was outwith our complaints handling process, as it was not about us. We always try to be as helpful as we can be, so we advised the complainant to contact the Scottish Public Services Ombudsman. One complaint was about the lack of response to an inquiry that had been made of us, and it was upheld when we investigated it. Two complaints related to Glasgow Clyde College; two related to our role as the auditor of Aberdeen City Council, particularly in relation to Marischal Square; and one related to our role at Aberdeen City Council and the insurance policies that it holds. In those cases, either the complaint was not upheld or it was partially upheld.

        In a few cases, we have recognised that we could have communicated with complainants earlier in the process. We have improved our process for doing so and have apologised to the individuals involved. It is a useful source of learning for us to see how we can handle what is often a very varied range of complaints, which are sometimes about us and sometimes about audited bodies, and we always seek to learn from them.

      • Alison Johnstone:

        Are those who complained satisfied with the response that they received?

      • Caroline Gardner:

        It is hard for us to answer that. We always ask people who complain about us or who contact us about audited bodies for their feedback on how well we have handled their complaint. The response will vary depending on whether the complaint was upheld, but we take that feedback seriously and report on our handling of complaints regularly to the board so that it has oversight of the process. Ian Leitch may wish to add to that.

      • Ian Leitch:

        We do not get a lot of complaints, but we found a deficiency in our system that has now been corrected, as Caroline Gardner mentioned. Because of the position that Audit Scotland enjoys—perhaps that is the wrong word—in relation to looking at other bodies, we are extremely conscious of the need to ensure that we are above reproach. No one is perfect. There will always be errors, and there was a system error in that one case.

        The number of complaints that we received was small, and some were partially upheld. We try to get people to respond but, as members will know, if people are satisfied, they will generally not say so whereas, if they continue to be dissatisfied, we may get a response and learn that that is the cathatWe do our best to monitor the situation because we value Audit Scotland’s reputation and we want to maintain it.

        12:45  
      • Rona Mackay (Strathkelvin and Bearsden) (SNP):

        Good afternoon. I want to ask about staffing. Page 22 of your annual report says that staff costs exceeded the budget by £0.8 million. A total of £0.2 million of that overspend relates to temporary staff costs. Will you explain the apparent contradiction whereby the number of temporary staff required exceeded your budget by that amount, but full-time staff were being released by way of early retirement and severance in the early part of 2017-18?

      • Caroline Gardner:

        Certainly. Over the past five years, we have had a policy that is looking to reshape our workforce to ensure that we get in place the right skill mix that we need to carry out the work and that we can respond to new responsibilities such as the integration authorities and, particularly, the work on the Scottish Parliament’s new financial powers.

        Over that period, we have had voluntary severances, which are detailed in the annual report. At the same time, we have had growth in some areas—new financial powers and integration authorities being the obvious examples—and there have been staff movements.

        We have a deliberate policy of using temporary staff in a planned way for two particular purposes. First, the annual audit cycle has a significant peak over the summer each year as we head towards the sign-off of audited bodies in a compressed period, particularly for NHS bodies—that work is due to be completed by the end of next week. Secondly, we need to bring in particular skills for our performance audit work and employ people with expertise in the areas that we look at for a significant but limited time. We often fulfil that through secondments from other public bodies, to make sure that we have the skills that we need to do our work well. Therefore, that shifting goes on against a backdrop of our reshaping our workforce. We plan to use temporary staff for those reasons.

        Diane, do you want add to that?

      • Diane McGiffen:

        The only other reason why we use agency staff is to provide maternity and paternity cover. This year, we have had a bountiful year in audit productivity.

      • Rona Mackay:

        What is the usual duration of your temporary staff contracts? I know that the period will vary, but what is their general length?

      • Caroline Gardner:

        It does vary. If we were talking about the peak audit period each year, we would need to bring in people for two or three months. If we were talking about someone working on a particular performance audit or area of policy, the period could be up to two years. For example, we have someone on secondment with us from Scotland’s Rural College who is helping us to think about rural issues across our programme of work for a couple of years. That is the extreme end.

      • Rona Mackay:

        It is a continuous work model or pattern.

      • Caroline Gardner:

        Absolutely. It is part of our workforce plan and we would expect to continue to work in that way.

      • Rona Mackay:

        I will continue on the theme of jobs. Can you offer any background to the specific reasons why new job role, grading and pay and reward arrangements will be a key priority in 2017-18? That priority is set out on page 15 of your report.

      • Diane McGiffen:

        At the end of 2016-17, we agreed a new package of pay, terms and conditions and rules with our trade union representatives, which was put to a ballot of staff. They voted overwhelmingly in favour of that package. Therefore, we are implementing a new way of managing careers, recruitment, internal promotions and so on.

        In 2017-18, we will be embedding those new work principles. We have done a lot of work—we worked for two years with union colleagues and staff to design a new system to take into account how people wanted to work and their career aspirations. Our new system is designed around all that. Getting agreement on that package was one thing; making it come to life this year is another matter, but that is what we have focused on.

      • Rona Mackay:

        Does anyone else want to comment?

      • Caroline Gardner:

        Diane McGiffen has talked about the next phase of the work. As Auditor General, I see it as a key way of our being able to keep responding to the changes in Scotland’s public services and finances while helping people to develop satisfying careers. In a context in which public pay is constrained, we are looking to make jobs as flexible as possible and to give people as many opportunities to broaden their skills and experience as possible, while delivering what Parliament expects of us.

      • The Chair:

        Auditor General, you have touched on the additional financial powers that are coming to Scotland, and obviously there will be very substantial changes over the next year or two. Are you satisfied that, at this moment, you have enough resources to deal with and prepare for those changes? I know that we have asked you that question before, but the commission has a considerable interest in the issue.

      • Caroline Gardner:

        At this moment, I can give you that assurance. The commission has been good enough over the past couple of years to support our investment in developing our thinking and understanding of those issues and our response to them. Members of the Public Audit and Post-legislative Scrutiny Committee will have seen the reports that we have already published in those areas, and we now have a much clearer understanding of what the changes will mean in respect of additional audit responsibilities, what with the establishment of Revenue Scotland, the Scottish Fiscal Commission and, with the bill that is passing through Parliament today, the social security agency. In fact, this is probably a good opportunity for me to ask the commission to look out for a substantive resource bid that will be in our budget bid in the autumn, which will look ahead to the longer term and reflect what we now know will be required in those areas, based on the work that we have been doing over the past couple of years.

      • The Chair:

        So you will be coming for additional resources.

      • Caroline Gardner:

        We know that, with the new bodies that are being established, there will be a need for audit resource in that respect. We think that, given the requirements on Parliament to scrutinise a much more complex budget that will include for the first time significant revenue-raising powers, which will raise about 50 per cent of what is spent in Scotland, and to manage social security powers that will have a significant impact on the lives of a lot of the most vulnerable in Scotland, we will need to come back to you with proposals for how we resource that work and support Parliament in its scrutiny of those new responsibilities. We are working up those proposals just now for our budget bid later in the year.

      • The Chair:

        If you are taking on additional responsibilities and work, that must mean that someone is giving up responsibilities and work. This might be an unfair question, but should one not offset the other?

      • Caroline Gardner:

        It is actually a very timely question. We are currently thinking through with colleagues in Government and the National Audit Office at United Kingdom level how some of the newly devolved areas that will continue to be the focus of the UK Parliament and which will be the focus of the Scottish Parliament in future should be audited and held accountable. I suspect that it will not be as simple as saying that there is an offset in that respect, because both Parliaments will retain an interest, but it will depend to an extent on the detailed shape of the new audit and accountability arrangements that are put in place, which are still being developed.

      • The Chair:

        It would be a concern if there were a significant overlap and duplication of effort and cost.

      • Caroline Gardner:

        I would share that concern with regard to resourcing and clear accountability for the services and finances that are being managed. We are at the early stages of looking at the proposals for the very new areas, but it is an entirely appropriate question to ask.

      • Bill Bowman:

        This is a new venture for me, and there are quite a lot of papers to read. I have read your report, which is quite recent, and I have also drilled down through some of the links to the sub-reports, but if my understanding of your organisation’s structure, which is a little bit unique, is not quite correct, I ask that you take my comments in that context.

        Audit quality is key to such an organisation. Although I found references to quality and approach to quality, I did not think that they were as up front and centre as I would have expected them to be. I would have thought that the key risk would have been one of audit failure; I suppose that that is mentioned in your report, but that is just a comment on the way that I have read it.

        You do not necessarily need to tell me this now, but does the structure of regulation that you operate under come from outside or is it internally generated? I know that you have a quality control section now, and I would be interested to know the actual results of the reviews that you have carried out.

        I come to my real question, which is about the financials. I see that you have a large pension deficit; although there is quite a bit of explanation of how that has been calculated, I am not quite clear about what it means for the organisation, whether it will have any impact on what you do or whether it is somebody else’s problem.

      • Caroline Gardner:

        I will kick off. I give Russell Frith notice that I will ask him to come in on the pension question, but I am sure that he will also have something to say on quality.

        The first thing to say is that I share Bill Bowman’s concern about audit quality. Our reputation stands or falls on the quality of the work that we do. We know that, in the current political climate in Scotland, our work is very thoroughly tested by stakeholders from a whole range of perspectives. It has to fulfil all our professional requirements—it has to stand up to that challenge, which I take very seriously. I hope that the commission will be reassured to know that, alongside the annual report, we also publish a separate audit quality report, which is published on the same day, and we can send the commission a copy of it.

        It is also worth noting that we are currently reviewing our quality arrangements, for a number of reasons. First, the expectations of our work keep on increasing, with the change in Scotland’s financial powers and the debate that is under way about public services and how best to deliver them.

        Secondly, we have just moved into a new round of audit appointments, which has generated some efficiency savings for us. That raises the risk that the audit quality might not be at the level that we want it to be. I am very conscious that the audit quality arrangements that we have in place are robust and effective and meet all the required professional standards, but they do not give us the same information about all the audit providers: first, between our significant in-house audit practice and the firms that we appoint to do about a third of the work; and, secondly, between the financial audit work and the performance audit work.

        We are currently reviewing that. We have agreed, in principle, that we will go ahead and commission external assurance about all the audit work. We currently do that for the in-house financial audit. We rely on regulation by the Financial Reporting Council and ICAS of the firms that we work with, but we want to bring that to a level playing field. We are strengthening the role of the board’s audit committee in overseeing that quality assurance and making sure that it provides the assurance that board members expect on my behalf, as the Auditor General.

        Russell, do you want to add to that?

      • Russell Frith:

        Yes, if I may. I want just to be clear about regulation. Like the NAO and the Wales Audit Office, Audit Scotland is not formally subject to regulation of the bulk of its work by the FRC or one of the institutes in the same way that a private sector firm would be. However, all the Auditors General have agreed that they will voluntarily adopt the international accounting standards and the ethical standards in the conduct of their work. We work on the same basis as we would if we were a regulated firm.

        As the Auditor General has said, apart from being subject to internal reviews, our financial audit work is subject, every second year, to a review by ICAS, which comes in and reviews a sample of files that it picks—we do not tell it which ones to review. We are looking to extend the scope of that work to include the firms and other types of audit work. Firms are regulated by the FRC, ICAS or the Institute of Chartered Accountants in England and Wales. The regulatory reviews of firms tend not to include the audits for which we have made the appointment. That is why we are looking to plug that gap and to extend the scope of that work.

        Bill Bowman is quite right on pensions. The deficit that is identified in our accounts relates to the bulk of our staff, who are in the Lothian element of the local government pension scheme. It represents our share of the overall deficit in the scheme, as calculated by the actuary in accordance with the accounting standard—IAS 19, in this case. What it means for us is that when the actuary comes to calculate the contribution rate, going forward, they will calculate the rate for the existing staff—the cost of providing those pensions—and add on to that an element to contribute to catching up that deficit over a period of years. Currently, they use an element of about 20 years for bodies such as Audit Scotland.

      • Bill Bowman:

        Thank you for that. I will be interested to see how your work develops on the quality point.

        On pensions, is it correct that there is no immediate impact on your cash requirements to meet that shortfall?

        13:00  
      • Caroline Gardner:

        There are two elements to that. I apologise in advance for the complexity of this; it is something that we struggle with every year. We routinely, in our spring budget revision, and by agreement with the Government, come forward to meet the known shortfall during the financial year. As for the accounting adjustment that we need to make after the year, we have routinely consumed that ourselves, within our resources. You will see from the report that this year, for the first time, that included a significant reduction in the underspend that we had managed for. As accountable officer, I am keeping a close eye on that and on how things might move in future. So far, the adjustment has been managed within routine business for us, but given the very low discount rates with which we are now working and the increases in life expectancy that are still working through the actuarial report, we are keeping the issue under close review.

      • Bill Bowman:

        In the financial statements, on page 29, you say:

        “Most internal audits in 2016/17 achieved ‘substantial assurance’, the highest standard available, from our internal auditors.”

        Which reports did not provide that standard? What lessons have been learned, or what consequences have there been, if any?

      • Caroline Gardner:

        I will bring in Diane McGiffen on that.

      • Diane McGiffen:

        All reports provided “substantial assurance” on both the design and the operational effectiveness of the controls that we have in place. Information technology and information security received “reasonable”, which is the next level down, on both design and operational effectiveness. There were six low-level improvements that we could make—that was very helpful.

        We spent a lot of time this year assessing and scrutinising our IT and information security, as you can imagine. We received ISO accreditation—that is the global standard on IT security from the International Organization for Standardization. The internal audit looked at that work and, more widely, at other documentation and records; we are pleased to continually have external review, in this case through internal audit, which is helping us to strive to improve further. We have our next ISO audit over the summer, and we have been working to maintain and enhance our accreditation.

      • Bill Bowman:

        There are no serious concerns, then.

      • Diane McGiffen:

        There are no serious concerns on recording, operational or documentation issues.

      • Alison Johnstone:

        On page 32, you refer to the information security arrangements that you have in place, given that you hold sensitive and personal data, and you say:

        “We have an extensive information security management framework in place”.

        There have been a number of high-profile cyberattacks recently. Can you give us more detail about your information security management framework and the extent to which it is reviewed and tested?

      • Diane McGiffen:

        Certainly. As I said, over the course of the year, both through internal audit and external accreditation, we focused a lot on the issue. We were not affected by the WannaCry virus, which affected large parts of the public and private sector, partly because of the way in which we manage the patching update systems that we have, a feature of which was reviewed in the internal audit.

        We commission external testing of our security, to provide us with information. This year, we also ran internal checks, sending fake emails internally to see whether people would click on links that might contain viruses—no one clicked on the links, which was really good. We have a rigorous programme in that regard. Since the WannaCry virus incident, we have been running weekly updates on Yammer, our internal social networking site, to let people know what else we can do. We have run some training sessions for colleagues and we have shared—for the management of our own security and for the information security auditing work that we do as part of our programme of audits—current thinking and best practice on IT auditing and security.

        Our approach is pretty comprehensive, and IT security is the subject of regular reports to our audit committee. It has been a feature of our internal audit programme for the past several years and I cannot see that changing.

      • Alison Johnstone:

        Yesterday, the Health and Sport Committee, which I am a member of, was considering the recent cyberattacks. We took evidence from two senior IT officers who work for the NHS and from Professor Bill Buchanan of Edinburgh Napier University, who is regarded as something of an expert in the field. He pointed out that medical records are worth more than a credit card, for example. IT security is clearly an area of great concern. I think that the NHS has been reaching out to staff by sending test emails to see how people would react.

        Perhaps you were not hit because your practice is fairly sound. I would like to understand how Audit Scotland is liaising with other organisations. Being caught out in that way or being affected by cybercrime could have a serious impact on many organisations’ accounts. What joint working is being done in that regard?

      • Caroline Gardner:

        That is a very good question. First of all, we recognise that, as auditors, we have privileged access to sensitive information from all the public bodies across Scotland. We have a duty to treat that with as much care and attention as they do. That is reflected in the approach that Diane McGiffen has outlined.

        Secondly, in our audit work, auditors will routinely see digital risks as being among the risks that they must address through their work as part of the wider scope of public audit that is enshrined in the new code of audit practice that we mention in our annual report. As part of that wider scope, which goes beyond the financial statements, the auditors are asked not just to review governance arrangements, including those for information security, but—for the first time—to draw a conclusion about them. That involves them working closely with the audited bodies to understand the risks they face in a particular set of circumstances, how they are addressing them and how they are dealing with any shortfalls or problems they face.

        We also do our best to use our ability to look right across public bodies and to work with our audit colleagues across the UK to spread good practice. As a result, we are able to remind people of what good practice looks like and to respond quickly when a new threat emerges. We see that most clearly in the NHS and local government, where there are many similar bodies and we can act as a focus for passing out warnings or good practice when that is necessary.

      • Alison Johnstone:

        That is helpful—thank you.

        On page 33 of your report, you make reference to a breach in your records management policy. You say:

        “During the year it was established that there had not been full compliance with Audit Scotland’s record management policy and that some documents were not being retained for the appropriate time periods.”

        You state that

        “Almost all of the documents were recovered”,

        but it is clear that not all of them have been recovered.

        Will you tell us a bit more about how that situation arose? How will you address the fact that some of the documents were simply not recovered?

      • Caroline Gardner:

        It is probably worth starting by saying that the problem arose because of our focus on information security. Our document management system is set up on the basis that documents will expire after a certain period unless they are marked as records and retained. That was the issue that led to the problem. Diane McGiffen will talk you through what happened and what we have done in response.

      • Diane McGiffen:

        Using our resilience and recovery mechanisms, we were able to recover a version of the files to a certain date. As we say in the report, we have recovered almost all of the documents. There are a few supporting reports for some of our work that we have not been able to recover, but they are not significant, because the work that they were supporting information for has all been concluded.

        The primary reason for what happened is that, on occasion, colleagues had not followed the guidance that we have in place. That has occasionally been compounded by absence or busy periods of work.

        On the back of that, we have done a lot to share with colleagues all the information that we know about on what was happening. We have enhanced our processes, and we have given everyone refresher training on how the records management system works. We are all very concerned to ensure that we learn the lessons, and we have implemented them as well as we can.

         

        We know that it comes down to how we as people use the systems that we have. That has been a very big alert for us, and we have used that to develop training and discussion sessions with colleagues to ensure that everyone is aware of what happens if we do not follow the procedures. Thankfully, in this case, the actual loss is quite small, but the learning is quite big.

      • Bill Bowman:

        Were those documents to do with the running of the business or the running of engagements? Do you have electronic audit files?

      • Diane McGiffen:

        They are all electronic documents. They related to the running of the business and a few audit assignments.

      • The Chair:

        Over to you, Bill.

      • Bill Bowman:

        Oh—I thought that I had asked my questions.

        I think that Audit Scotland’s budget proposal for 2015-16 and the actual outcome are shown on page 57 of the annual report. You significantly underspent on all except two budget lines: rent and rates, and IT. Can you confirm whether the identified underspends are recurring or non-recurring? How will they come through into the next year?

      • Caroline Gardner:

        I think—Russell Frith will keep me straight on this—that page 57 shows actual expenditure rather than the budgets for 2015-16 and 2016-17. We can certainly explain the variance between the two years but, for clarity, I think that actual expenditure is shown. Russell Frith can pick up on the IT and rent and rates lines from that page.

      • Russell Frith:

        The actual IT costs on page 57 came down from 2015-16 to 2016-17 largely because 2016-17 was the first full year of being in the new single Edinburgh office. That reflects the efficiencies of being in one place rather than another.

        The 2016-17 budget IT line is higher for two reasons: further investment in IT resilience to ensure that we are not vulnerable to things such as the WannaCry virus, and increases in software licensing costs, particularly from Microsoft but also from other suppliers.

      • The Chair:

        It is stated on page 35 of the annual report that a benefit in kind that was provided for the director of audit services increased by 16 per cent, from £4,500 to £5,200. That follows an increase of 18 per cent in the previous year. What are the reasons for the increase over that period? What governance arrangements do you have for approving such increases?

      • Caroline Gardner:

        The benefit in kind for the director of audit services is the provision of a car under our car scheme. She is the only director who receives the car, and that reflects the nature of her role, which is to manage our in-house audit practice across Scotland. That role is very mobile compared with those of the other management team members.

        The figure for the benefit in kind that we require to show in the accounts is the taxable benefit as assessed by Her Majesty’s Revenue and Customs, and it reflects both the taxable value of the car and HMRC’s decisions about the way in which that is taxed for an individual. The increase simply reflects the difference in the way in which the benefit is assessed by HMRC and not any difference in the cost to Audit Scotland, which is capped and fixed for all employees.

      • The Chair:

        In the time-honoured way, I want to pick up one or two things in the report. On the fourth and fifth bullet points on page 9, you referred earlier to reductions in fee levels. I think that you have cut fees almost every year. That will probably not be possible in the next year or two, because you will be asking for more money. Would it have been better not to have cut the fees this year and to have retained funds within the business?

        13:15  
      • Caroline Gardner:

        There are two slightly different things going on there, chair. You are absolutely right that, as I said earlier, we will be making a bid to the SCPA for additional resources for new financial powers. What we are referring to in the bullet point is the level of fees for the bodies to which we charge fees under the statute that covers us. That reflects our internal programme of efficiencies, which we have touched on, and the first part of the new procurement of audits for the next five years, which generated some savings for us that will work out across five years.

        You are also right that we have consistently reduced our fees over the past few years, and there comes a point when we cannot do that any more. We are in the middle of putting in place our financial strategy for the next three years, which will help us to make decisions about how best to manage our finances overall and convert them into fee levels for the three quarters of our income that comes from fees. You will recall that we are constrained in that by the legislation, which requires us to break even, taking one year with another, and does not enable us to carry reserves forward, and by the fees policy, which we have consulted the SCPA on, which aims to bring in more balance across individual sectors from year to year.

        We think that the savings we have made so far are a useful contribution to easing the financial pressures on public bodies. Those savings cannot continue indefinitely, but there is a difference between fees we charge and the new responsibilities for things like the social security agency, and the Scottish Government increases that will come through in future.

      • The Chair:

        You have touched on the work that you have been doing on fees, which the commission has been very interested in for several years. Have you completed that exercise, and are we satisfied that there is no possibility of cross-subsidy or similar anomalies?

      • Caroline Gardner:

        We have completed the work. As you know, as part of that the board has agreed that we will aim to balance each sector, taking one year with another, rather than the overall fees, which is what our statutory provisions require. We are currently finalising the management information that is needed to help us to monitor that throughout the financial year and, at the budget setting period, we will be in a good position to check where we are and how we take that forward.

        We saw fairly significant movements between sectors last year at the start of the new audit appointments. We saw significant reductions, for example, for local authorities and NHS bodies, and a shift in different directions in the central Government and further education sectors, which reflected some historical imbalances. We think that those are now thoroughly worked through, but we are still monitoring that carefully, given that it is a significant change in our financial management and the overall approach we take to raising fees.

      • Ian Leitch:

        You will recollect, given your keen interest in this, that we supplied you with the fee strategy last year. We indicated that I had been looking at the issue of cross-subsidy. It is unhealthy to have one sector cross-subsidising another—it is historical. After a public consultation with our client groups, we introduced a strategy, which I think was endorsed by the commission, which is transparent and shows where the proper charges should be.

      • The Chair:

        Good. Page 14 of the report says that you have

        “developed a new communications and engagement strategy and engaged extensively with the Scottish Parliament, committees and Scottish Parliament Information Centre”.

        Can you give me a little more information about that?

      • Caroline Gardner:

        I am very conscious, as Auditor General, that I am here to support Parliament in its scrutiny of public spending across Scotland. In the past, our focus has rightly been very much on the Public Audit and Post-legislative Scrutiny Committee, and we will continue to provide that service, but we have been conscious, with the new financial powers and the debate about the role of subject committees, that there is more that we can do to support subject committees, too. With the election of the new Parliament in May last year, we started a process, in consultation with our colleagues in clerking and the Scottish Parliament information centre, about how we can support continuing professional development for members. As we say in the report, we have engaged quite significantly with a number of committees—in particular the Health and Sport Committee, the Education and Skills Committee and the Finance and Constitution Committee—about the work that we do that is relevant to them. We hope that we can continue that, as the Parliament reviews its process for overseeing the budget at the end of the budget process review at the end of this term.

      • The Chair:

        The balance sheet, which is on page 46, notes intangible assets but does not tell us what those are. I am quite interested in knowing, because I see that they have increased substantially over the previous year.

      • Caroline Gardner:

        They are software licences. As Russell Frith said, the cost of software licences and therefore their value has increased over the past year, which reflects the change that you see in the balance sheet.

      • The Chair:

        On page 52, which sets out pension assets and liabilities, there are what I presume to be assumptions of salary increases of 4.4 per cent and pension increases of 2.4 per cent. That seems a little optimistic.

      • Caroline Gardner:

        That is not the case; I ask Russell Frith to explain why.

      • Russell Frith:

        Those are the long-term average assumptions made by the actuary about the total increase in the total salary costs of the employers. That takes into account not only cost-of-living increases but increments, and the fact that, over people’s working lifetimes, one may expect them to be promoted. It is an overall average increase in the salary employment cost of people that is required with a final-salary based pension scheme.

      • The Chair:

        As members have no further questions, I thank the witnesses for their attendance and suspend the meeting for a couple of minutes to allow for a change of panel.

        13:21 Meeting suspended.  13:23 On resuming—  
      • The Chair:

        We move to evidence from the auditors of Audit Scotland, Alexander Sloan. I welcome Steven Cunningham, who is a partner at Alexander Sloan, and Jillian So, who is audit manager at Alexander Sloan.

        We have one or two questions; I will start. We note that you have issued a “true and fair” audit opinion following your work on Audit Scotland’s annual report and accounts. Can you confirm that you received all necessary information and explanations that you required to form your opinion on the financial statements?

      • Steven Cunningham (Alexander Sloan):

        Good afternoon, chair. I am happy to confirm that we received all the necessary information and explanations to allow us to undertake our audit for the year ending 31 March 2017.

        I would like to give an overview of our work, if that is okay.

      • The Chair:

        Absolutely.

      • Steven Cunningham:

        The firm of Alexander Sloan was appointed to carry out the external audit of the 2017 financial statements of Audit Scotland. We carried out an interim audit in February, and the final audit work was carried out in May and early June. Our audit was carried out in accordance with international standards on auditing and, as I mentioned, we received all information and explanations that were required to carry out our work, and the audit was completed without any problems. We signed our audit report on 13 June 2017.

        Based on our audit work, we form an opinion on whether the accounts give a true and fair view, whether they have been prepared in accordance with international financial reporting standards, as interpreted and adapted by “The Financial Reporting Manual 2016 to 2017”, and to confirm that they have been properly prepared in accordance with the Public Finance and Accountability (Scotland) Act 2000 and directions by Scottish ministers.

        Our audit report is unmodified—that is, we are satisfied that the accounts give a true and fair view and are in accordance with legislation and the accounting rules. There are no significant matters that require to be brought to the attention of the commission or the attention of other readers of the accounts.

        We are also required to prepare a management letter based on our audit findings. The purpose of that report is to summarise the key issues arising from our audit, and to report any weaknesses in the accounting systems and internal controls that come to our attention during the audit. I am pleased to report that, in the course of our audit work this year, we did not find any weaknesses in the accounting and internal controls.

        Finally, I would like to record my firm’s thanks to the staff at Audit Scotland and the support staff of the SCPA for their assistance during our audit this year.

      • The Chair:

        Thank you. Alison Johnstone is going to continue.

      • Alison Johnstone:

        That all sounds very positive. I do not expect that you will have anything significant to say in response to this question, but in your report to those who are charged with governance, as required by the international standards on auditing, and in your report to the audit committee of Audit Scotland, did you raise any matters of which the commission should be aware?

      • Steven Cunningham:

        No. There were no significant matters that we felt should be raised with the commission.

      • Jackie Baillie:

        Audit Scotland included in its accounts a sum of £1.7 million or thereabouts that relates to work that was to be completed and for which it had not yet charged. Are you satisfied that the calculation of that figure is robust?

      • Steven Cunningham:

        Yes. We had a detailed look at the work-in-progress figures and were happy with them within the balance sheet of the accounts.

      • Jackie Baillie:

        Can you explain for the benefit of the commission how that process is undertaken and how you reassured yourself that the process is okay?

      • Steven Cunningham:

        We spend a lot of time looking at the work-in-progress figure. The nature of that figure is that it involves a number of assumptions, so we spend a lot of time going in detail through the time recorded in the system, the methodology that was used, the fees that have been agreed, the progress that has been made and any changes to assumptions about time, just to make sure that we are satisfied that the figure in the annual accounts is reasonable.

      • Rona Mackay:

        My question is pretty much a recap of what you said at the start. The commission relies on your company’s expertise in its consideration of Audit Scotland’s annual report and accounts, and that is particularly relevant to the highly technical accounting requirement around pension costs and liabilities. Can you confirm that you are satisfied with all such disclosures in the 2016-17 annual report and accounts?

      • Steven Cunningham:

        Yes, I can confirm that. Again, we had a detailed look at the pension liabilities. We considered the actuary’s report and we considered the assumptions that were used by the actuary. Based on our audit work, those all appear to be reasonable, and we are happy with the figures that were stated.

      • Rona Mackay:

        Does Jillian So have anything to add?

      • Jillian So (Alexander Sloan):

        No. As Steven Cunningham has said, we check the accuracy of the figures.

      • Rona Mackay:

        No anomalies were flagged up.

      • Jillian So:

        No. We are happy with the figures.

      • Rona Mackay:

        Then we are happy. Thank you.

      • Bill Bowman:

        During the course of your work, did you come up with any audit adjustments that may then have been processed by Audit Scotland, or were the accounts as presented to you unadjusted?

      • Jillian So:

        The accounts as presented to us were unadjusted. Various discussions took place during the course of the audit and we received satisfactory replies to our questions, which resulted in there being no adjustments to the financial statements.

      • Steven Cunningham:

        There would have been one or two figures that would have been changed slightly in terms of how they were presented, but there was nothing materially significant in terms of the accounts.

      • Bill Bowman:

        In your management letter, you had no comments to make on the accounting systems or processes. It is a little bit unusual for the auditors not to make some form of suggestion.

        13:30  
      • Steven Cunningham:

        We had a detailed look at all of the controls. All of the staff were briefed and the audit team was a very experienced one. We did not identify any control weaknesses in the course of the audit.

      • The Chair:

        How often do you meet Audit Scotland’s audit committee?

      • Steven Cunningham:

        We attend each of the audit committee’s meetings throughout the year.

      • The Chair:

        You are at every meeting.

      • Steven Cunningham:

        Yes.

      • The Chair:

        How many meetings are there?

      • Steven Cunningham:

        From memory, I think there are about four meetings a year.

      • The Chair:

        Who handles the internal audit for Audit Scotland?

      • Steven Cunningham:

        That is done by BDO LLP, which is an internal audit firm.

      • The Chair:

        Do you meet that auditor regularly?

      • Steven Cunningham:

        Yes. We see internal audit at the audit committee meetings, but we also have discussions with the internal auditor prior to the interim audit and again prior to signing off the final audit to make sure that we are aware of any issues or concerns that it might have.

      • The Chair:

        Do you have a protocol for communicating? Is there a level of severity, or whatever, at which the internal auditor contacts you?

      • Steven Cunningham:

        We have discussions at both stages of the audit process, regardless of whether there are concerns. During the course of the year, we also get all the internal audit reports, so we are aware of any findings or concerns that the internal auditor has at the meetings. We make sure that, before we carry out the interim work and before the final audit is completed, we have a discussion with it to make sure that we cover all aspects.

      • The Chair:

        I talked previously about a protocol. Are there clear parameters within which you and the internal auditor work, and for how you communicate?

      • Steven Cunningham:

        Yes. We take into account the scope of internal audit’s work and the planned audit programme. We make sure that we look at any areas of concern that the auditors flag up that will have an impact on the audit and we build that into our external audit work. Even if they are satisfied about areas that we are looking at from an external audit point of view, we still check the controls to ensure that we satisfy ourselves. The system gives the level of assurance that we require.

      • The Chair:

        You were present when I discussed fee structures with the previous panel. Have you had occasion to look at the changes in fee structure?

      • Steven Cunningham:

        Yes. We are aware that Audit Scotland has cut its fees and we have seen the discussions and the focus on quality at audit committee meetings.

      • The Chair:

        I was thinking rather about the previous problem that Audit Scotland had—if you would call it a problem—with cross-subsidy and how it has restructured its fees to eliminate that.

      • Steven Cunningham:

        Although we have had a look at that as part of external audit, we have not done a detailed examination. Looking at that in further detail would form part of an internal audit or an economy fee audit. We have just looked at it from the viewpoint of the external audit and the implication for the financial statements.

      • The Chair:

        It was a significant change for Audit Scotland. I would have thought that the external auditors might have had a look at that.

      • Steven Cunningham:

        We have certainly had a look at the fees and how they have been charged. I might be misinterpreting the question, but to have a look at the actual cost and how that is built up for each individual client and reflected in the overall fee would be a large additional piece of work.

      • The Chair:

        Thank you. As there are no other questions, I thank you for your attendance. As agreed at the beginning of the meeting, we will continue in private session.

        13:34 Meeting continued in private until 13:41.