Wednesday 28 August 2024
MICROSOFT TEAMS 10:00 – 13:00
(Private discussion 13:00-13:15)
ARC Members
- Maggie Waterston (Chair) NRS Non-Executive Director
- Anne Moises NRS Non-Executive Director
- Tim Wright NRS Non-Executive Director
ARC Attendees
- Janet Egdell NRS, Interim CEO
- NRS, Director of Corporate Services & Accountable officer
- NRS, Director of Digital & Delivery
- NRS, Director of Information and Records Services
- NRS, Chief Financial Officer
- Internal Auditor – Scottish Government
- Internal Audit Manager – Scottish Government
- Internal Auditor – Scottish Government
- Head of Census PMO
- Engagement Director for NRS – Grant Thornton
- Engagement Manager – Grant Thornton
- NRS, Chief Purchasing/Procurement Officer
- NRS, Head of NRS Business Management
- NRS, Corporate Business Assurance Manager
- NRS, Business Management (Secretariat)
- NRS, Director of Census Statistics
- Internal Audit Manager – Scottish Government
1. Welcome, Introductions and Apologies. Declaration of Interests & Matters Arising
1.1 Maggie Waterston welcomed everyone to the meeting. Apologies were noted as listed above.
1.2 There were no declarations of interests or matters arising.
2. Meeting held on 26 June 2024
2.1 Tim Wright requested a minor change to the draft minutes from 26 June 2024. Tim requested paragraph 6.1.2 ‘Australia’ be changed to ‘New Zealand’. The minutes were approved and would be published on the NRS website. Changes outlined below:
6.1.2 Tim Wright noted the wider trend of countries shifting towards using more administrative data sets to complement Census data and noted potential negative public reaction to this, and highlighted an example of complaints raised by New Zealand citizens in relation to the gathering and misuse of 2021 New Zealand Census data.
2.2 A review of actions was undertaken. The action tracker would be updated accordingly.
2.3 NXDs requested that target dates and more substantial updates be provided in future action log updates.
Action 11/24: NXDs requested that target dates and more substantial updates be provided in future action log updates. Action Owner: All Members / BMU
3. NRS Risk Dashboard
3.1.1 The Director of Corporate Services & Accountable officer introduced the NRS Risk Dashboard to the meeting and covered the following key points:
- Work was underway to update the NRS Risk Register and Risk Framework
- A revised Risk Register and Risk Framework would be presented to EMB in September 2024 with options for consideration
- NRS were continuing to track and mitigate risks and issues
- An update would be provided to ARC at the December 2024 meeting
3.1.2 Maggie Waterston asked how achievable risk target dates were. The Director of Corporate Services & Accountable officer advised the revised risk register would provide more granularity on progress towards target scoring and target dates. Linda advised work was also underway to separate strategic issues from risks to help reduce risk scoring.
3.1.3 Anne Moises asked if NRS were planning to continue to manage risks at the high aggregated level or whether there was work elsewhere to disaggregate risks to lower target scores to green. The Corporate Business Assurance Manager advised the proposals for the new risk framework would allow EMB to alter risk scoring and the revised risk and issue registers would provide live updates on progress towards reducing risk and issue scoring. The Corporate Business Assurance Manager advised the NRS Statistics Team were developing improvements to the presentation of risk data. The Director of Corporate Services & Accountable officer noted aggregated risks blocked ownership and transparency.
3.1.4 Tim Wright suggested the revised risk register provide NXDs with more sense of NRS risk appetite and further granularity on how mitigations improved scoring.
3.1.5 Tim Wright requested an update on the NRS physical storage project and potential partnerships with other public bodies. Janet Egdell advised positive engagement had taken place between NRS, public bodies and SG to work together on future storage requirements which would be presented as a wider project of Public Sector Reform. Janet advised discovery work was underway to relocate some NRS services to free up existing NRS estate storage space.
4. Update on the data sharing review and updated DPA template
4.1 The Chief Purchasing/Procurement Officer provided an update on the data sharing review and updated DPA template with the following key points:
- The NRS Accountable Officer commissioned Internal Audit to conduct a review of NRS Data Sharing and Processing Risk Management
- A draft report was produced by Internal Audit in July and was being reviewed by NRS
- NRS would implement agreed recommendations from the Advisory Review of Data Sharing and Processing Risk Management report findings once they were finalised
- Internal Audit recommendations would be added to the audit tracker and a follow up review would be carried out for further assurance
- A stock take was being commissioned by the Head of Data Services to review NRS data flows and identify any legacy sharing agreements in place across all NRS business areas
- These agreements would then be formally reviewed and authorised in accordance with NRS procedures (i.e. risk assessed and where the share was approved a new Agreement authorised)
- The Data Services Team would heat map different areas and prioritise any risks identified with findings reported to EMB in September 2024
- The findings of the stock take of legacy sharing agreements would be shared with NRS Information Governance and Procurement Teams in order to ensure they were updated in line with current procedures and where necessary new duly authorised data sharing agreements (DSA) put in place where the data share was still appropriate
- Additional guidance would be prepared to support the completion of the risk assessment of a DSA and the DSA template would be published with the revised DSA template in order to provide the required assurances on the security of NRS Data
- NRS Information Security Committee had agreed revised data sharing procedures based on proportionality. For example, high risk DSAs would be reviewed more regularly
- Risk Assessments would be carried out on all new data sharing requests
4.2 SG Internal Audit advised the recommendations provided were mainly to strengthen and build on existing NRS governance and procedures and to ensure a consistent and proportionate approach on data sharing agreements.
4.3 Anne Moises requested more information on the scale of the project and target date for the project to return to business as usual. The Director of Corporate Services & Accountable officer advised that the project scope and timelines were being finalised and that future governance of DSAs would likely lie with the NRS Information Security Committee.
5. Progress Report: Archive and Digital Storage Business Case
5.1 The Director of Information and Records Services introduced the paper with the following key points:
- The Archive and Digital Storage programme would transition to a planning stage to revise the governance arrangements from its current lean set up to formal programme boards, project boards with new project initiation documents that articulate the revised timeline, resource and funding requirements, and deliverables
- The single investment case would be split into separate business cases for physical archiving and digital archiving
- The Physical Storage project would be initiated to progress a long-list of options which would be shared with directors. Workshops would then be arranged to agree priority areas
- The Physical Storage project would explore new opportunities for joint-working with National Library of Scotland and Edinburgh Council
- The Digital Archiving project was considering a scope change to consider strategic options and enable the appraisal of a wide range of options to further develop a long-list of options
- This approach would align to the format used by Future of Population Statistics
- Proposals would follow to DSB for funding and resource requests to further define the requirements for physical and digital archiving over this financial year
- The Digital Archiving Project were looking to identify ‘quick win’ changes to NRS’s current digital archiving processes which could be implemented without additional budget, to help deal with larger quantities of digital material arriving in 2024-25. A small number of wins had been identified and were being implemented
- NRS were exploring a potential short-term fix for digital preservation system storage
- An additional strategic workstream was added to build on this, identifying priority areas for improvement and feeding into/informing overarching Archive Services Project
5.2 Maggie Waterston asked if a programme manager and project managers were in place for the Archive and Digital Storage programme. The Director of Information and Records Services confirmed that project managers were in place for the two projects and the Programme Manager position was under development.
5.3 Anne Moises asked if plans were in place for the two projects and an overarching programme plan. The Director of Digital & Delivery advised a Steering Group, ToR and all project documentation were in place for the three key projects (Digital Archiving, Physical Storage and Archive Environment) with Project Managers and individual project Boards and Plans. The Director of Digital & Delivery advised a Steering Group would oversee direction, ensure a joined-up approach and consider dependencies and enabling elements plus the benefits. The Director of Digital & Delivery offered to share any more detail of the programme, projects and governance.
Action 12/24: The Director of Digital & Delivery to share overarching Archive and Digital Storage Business Case Project Plan with NXDs, and project plans for Digital Archiving, Physical Storage and Archive Environment. Action Owner: The Director of Digital & Delivery
5.4 Anne Moises asked if any external partners were members of the Programme Board. The Director of Digital & Delivery advised that this was an action from the first meeting and was being considered. Janet Egdell advised a stakeholder reference group was also being considered.
5.5 Maggie asked who was leading on the culture cluster. Janet Egdell advised SG DG office sponsor team were leading on this.
6.1 Future of Population Statistics - Final FoPS Strategic Outline Case
6.1 The Head of Census PMO introduced the paper with the following key points:
- The FoPS Strategic Outline Business Case would be presented to EMB for formal approval following confirmation of the SG budget position in December 2024
- An Outline Business Case was planned in 2026, followed by Full Business Case in 2027
- NRS were continuing engagement with SG to raise awareness of the FoPS programme
- Research would continue over the next three years
- NRS were monitoring the direction of other countries regarding FoPS
- Focus for FoPS planning and risk register including contingency planning
6.2 Census 2022: Evaluation Report Draft Lessons Learned
6.3 The Head of Census PMO advised the Census 2022 General Report and Lessons Learned would be published by the end of 2024 and would inform options for FoPS.
6.4 The paper was noted by the Committee.
7. External Audit: Annual Audit Report
7.1 Grant Thornton introduced the paper which was noted by the Committee.
7.2 Anne Moises asked what the impact would be if NRS had to change their useful economic life policies. Grant Thornton advised the impact would be minimal to NRS annual accounts. The Chief Financial Officer advised NRS would look to review useful economic life policy and consider how long NRS assets would last.
7.3 Tim Wright requested further background to the external audit risk identified around NRS financial sustainability - future financial plans for 2024/25 and beyond. Grant Thornton advised this was a common risk across central government, whilst noting the nature of SG one-year settlements and financial climate. Grant Thornton advised some public sector bodies presented medium to longer term financial scenario modelling and assumptions. The Chief Financial Officer advised scenario planning was taking place for staffing costs and short to medium term modelling would be carried out going forward. The Director of Corporate Services & Accountable officer advised that NRS had focused on FoPS as a priority and were looking to secure future funding strands to ensure NRS financial sustainability.
8.1 NRS Annual Report and Accounts (ARA) Covering Report
8.1 The Chief Financial Officer presented the NRS AR&A Covering Report which outlined the process and timelines completed as part of the audit by Grant Thornton of the NRS Annual Report and Accounts. No matters arising were raised as significant and Grant Thornton had advised of an unmodified audit opinion and were content that the financial statements gave a true and fair view of NRS as of 31 March 2024.
8.1.2 The Chief Financial Officer advised the AR&A from 2023-2024 would be laid in Parliament before the end of the year.
8.2 NRS Annual Report and Accounts for 2023-24
8.2.1 The Chief Financial Officer introduced the NRS AR&A for 2023-2024.
8.2.2 The Director of Corporate Services & Accountable officer noted she was content that the accountability and governance reports were an accurate reflection of NRS.
8.2.3 The Committee were content to recommend that the Accountable Officer approve and sign the NRS AR&A for 2023-2024.
8.2.4 The NRS Accountable Officer and Grant Thornton would sign the AR&A which would be submitted to the Auditor General.
8.3 NRS Letter of Representation
8.3.1 The Chief Financial Officer introduced the NRS Letter of Representation.
8.3.2 The Committee noted the letter’s content.
8.4 NRS Financial Report: Financial Performance and Achievement of Financial Targets
8.5 The Chief Financial Officer introduced the NRS Financial Report. Members noted the 2024/25 forecast outturn position at May 2024 (Period 02), and noted next steps.
8.6 The Director of Corporate Services & Accountable officer advised the recruitment freeze ahead of the roll out of Oracle Cloud had stopped NRS's ability to recruit additional resources from the end of July 2024 until early October 2024. Linda confirmed no external recruitment was available during this period and advised recruitment would be limited for the remainder of 2024 due to the impact of the new recruitment process being rolled out, including mandatory training for recruitment panels.
8.7 Maggie Waterston asked how resourcing and capacity challenges impacted NRS risks. The Director of Corporate Services & Accountable officer advised some projects were taking longer to complete due to resourcing challenges but NRS were ensuring key programmes and projects were being prioritised and Directors were engaging with other areas to identify any opportunities for internal managed moves.
9.1 Internal Audit Annual Assurance Report for 2023/24
9.1.1 SG Internal Audit introduced the Internal Audit Annual Assurance Report for 2023/24 and covered the following key points:
- SG Internal Audit Team resourcing had increased prior to the recruitment freeze to build capacity in both Internal Audit and Counter Fraud
- SG Internal Audit Team were carrying out a self-assessment to identify gap analysis for the new Global Internal Audit Standards that were being introduced in 2025. The self-assessment would identify any changes that may be required and these would be in place by end January 2025
- SG Internal Audit were also currently undertaking an annual Internal Quality Assessment and were due to have an External Quality Assessment carried out in late Autumn 2024. Findings from these would also help inform readiness for the new Standards
- An External Audit quality assessment was also being carried out on SG Internal Audit work. They would also review SG gap analysis which would provide further assurance
- An NRS Audit Recommendation Tracker had been introduced and was being developed further
- SG Internal Audit would continue to keep ARC updated on progress
9.1.2 Members noted the report.
9.2 Internal Audit progress reports for 2024/25 on active/follow-up audits
9.2.1 SG Internal Audit introduced the Internal Audit progress reports for 2024/25 on active/follow-up audits and covered the following key points:
- The overall assurance opinion on corporate systems was Reasonable
- SG Internal Audit provided Reasonable Assurance on the arrangements for risk management, control and governance over the SG’s Key Corporate Systems
- Control improvements were anticipated through the implementation of Oracle Cloud as SG moved away from legacy systems
9.2.3 Members noted the report.
9.2.4 Tim Wright requested further background to the integrated assurance and approvals plan. Anne Moises advised the IAAP plan process was introduced to minimise the burden of assurance on programmes; planning for audit, Gateway and Technical Assurance reviews aligned with the programme plan and identifying where any audit and assurance processes could be streamlined. The Director of Corporate Services & Accountable officer advised the plan provided assurances at different stages of NRS programmes and complemented TAF reviews and other forms of assurance such as cyber accreditation. SG Internal Audit advised the plan had been formalised to capture assurance activities and had been shared with the programme board for approval.
9.3 Ad hoc advisory Information Governance Audit progress
9.4 SG Internal Audit introduced the Ad hoc advisory Information Governance Audit progress and this was noted by the committee.
10. ARC Governance
10.1 ARC Annual Report 2023-2024 to the NRS Chief Executive, Accountable Officer and Strategic Board
10.1.1 Members noted NRS BMU were to finalise the Annual Report 2023-2024 to the NRS Chief Executive, Accountable Officer and Strategic Board.
Action 13/8 - BMU to finalise ARC August Paper 10.1 - ARC Annual Report 2023-2024 to the NRS Chief Executive, Accountable Officer and Strategic Board. Action Owner: BMU
10.2 Committee Self-Assessment Checklist
10.2.1 The Committee noted the Self-Assessment Checklist.
10.3 Checklist Improvement Actions
10.3.1 Maggie Waterston requested BMU add checklist improvement actions to ARC action log. Checklist of Improvement Actions noted below:
- Action 14/8: BMU to add the checklist of improvement actions to the ARC action log (A15/24 - A23/24). Action Owner: BMU
- Action 15/24: Committee Terms of Reference to be reviewed and condensed if possible. Action Owner: BMU & Committee
- Action 16/24: Consider an increase of Quorum to 3 and number of Committee members to 4. Action Owner: Chair/CEO/Accountable Officer
- Action 17/24: Induction pack and process to be reviewed based on most recent experience. Action Owner: BMU
- Action 18/24: All Members to have a tour of the full estate. Action Owner: BMU
- Action 19/24: Regular 1:1 meetings to be arranged between CEO and all members. Action Owner: BMU
- Action 20/24: Process for review of Committee Member’s performance to be introduced. Action Owner: BMU
- Action 21/24: Committee Calendar to schedule 50% of ARC meetings to be held in person and 50% via Teams. Action Owner: BMU
- Action 22/24: Draft Governance Statement to be reviewed informally by members prior to it being introduced as a paper to an ARC meeting. Action Owner: BMU/Chief Financial Officer/Accountable Officer
- Action 23/24: A review of the Fraud Policy to be included in the forward look for 2025. Action Owner: BMU
10.3.2 Maggie Waterston requested a meeting be arranged between NXDs, CEO and The Director of Corporate Services & Accountable officer over the next few months to discuss the Checklist Improvement Actions.
Action 24/24: BMU to arrange a meeting between NXDs, CEO and The Director of Corporate Services & Accountable officer over the next few months to discuss the ARC Checklist of Improvement Actions. Action Owner: BMU
10.4 ARC Terms of Reference Review
10.4.1 The Committee noted the updated version of the Terms of Reference, including the updated Non-Executive Director membership. Members agreed the Terms of Reference would be condensed and approved via correspondence as per self-assessment action 15/24.
11. Committee Reports - To Note and Questions
NRS Governance Report
11.1 The Committee noted the report.
11.1.2 The Director of Corporate Services & Accountable officer advised ARC of the Ancestry Tribunal regarding refusal of access to re-use of public information. The Committee noted this.
11.1.3 Anne Moises requested further information on the impact of the move to a 35-hour working week. The Director of Corporate Services & Accountable officer advised NRS were considering impact on delivery and discussions were ongoing with union representatives regarding proposals to revise NRS opening hours. Linda advised NRS were also considering implications around the pro-rata 35-hour week applied for part time staff.
11.1.4 Anne Moises commended NRS for building penetration testing capabilities into NRS cyber security.
NRS Portfolio report
11.2 The Committee noted the report.
NRS Assurance update
11.3 The Committee noted the report.
NRS Audit Recommendations Status Report
11.4 The Committee noted the report.
11.5 Tim Wright suggested moving the Audit Recommendations Status Report agenda item after the Internal Audit agenda item so they could be reviewed together going forward.
Action 25/24: BMU to update the ARC agenda order with the Audit Recommendations Status Report to follow after the Internal Audit agenda item. Action owner: BMU
11.6 Maggie Waterston requested an update on the progress of NRS Ways of Working and managing change. The Director of Corporate Services & Accountable officer advised Ways of Working had published a hybrid working policy and framework including the introduction of team anchor days and a new cloud booking system for hot desking. Linda advised phase one of the Ways of Working Programme had completed and NRS were considering staff communications including the introduction of Oracle Cloud and the 35 hour week. Linda advised NRS were also considering setting up a People Board and were working through business continuity plans ahead of the roll out of Oracle Cloud.
12. To Note: ARC Forward Look for year ahead
12.1 The Forward Look was noted by all Committee members. Maggie Waterston requested NRS Policies be added to the forward look for 2025. The Director of Corporate Services & Accountable officer suggested an update be provided at December ARC on the Census General Report and Lessons Learned recommendations.
Action 26/24: BMU to add NRS Policies to the forward look for 2025. Action owner: BMU
13. AOB & Date of Next Meeting
13.1 Maggie Waterston gave apologies for the 4 December 2024 ARC meeting and requested that Anne Moises chair the meeting in her absence.
13.2 The date of the next meeting was noted as 4 December 2024 and Close