Consumer Scotland
Audit and Risk Committee Meeting
17 June 2025
Minute of Meeting
Present:
Nick Martin – Chair
Angela Morgan – Member
In attendance:
David Wilson – Chair, Consumer Scotland Board
Sam Ghibaldan – Chief Executive
Sue Bomphray – Director of Operations and Partnerships
Douglas White – Director of Policy and Advocacy
David Eiser – Director of Research and Analysis
Louise Carmichael – Senior Internal Audit Manager, Scottish Government
Glen Bissett – Internal Audit Manager, Scottish Government
Noel Simba Jana – External Audit Partner, Deloitte LLP
Rashid Zaman – Manager, Deloitte LLP
Ian Forbes – Finance and Accountancy Adviser
Ifthakhar Eresh – Finance, Governance and Corporate Services Officer (minutes)
Apologies:
James Walker – Member
Agenda Item 1 – Welcome and Declarations of Interest.
1. The Chair welcomed everyone to the meeting and introductions were made, and the chair updated everyone regarding the departure of Lesley Halliday from the committee.
2. There were no declarations of interest noted.
Agenda Item 2.1 – Minutes of Previous Meeting
3. The chair submitted minor adjustment to the minutes via email which were accepted by the committee. The minutes of the previous meeting on 10 December 2024 were approved by the Committee with amendments.
Agenda Item 2.2 – Action Tracker
4. The Action Tracker had one action ongoing and the Director of Operations and Partnerships gave an update on the Oracle reporting functionality still being rolled out. The remaining actions were all marked as complete.
Agenda Item 3 – Director of Operations and Partnerships update, Management Accounts, Strategic Risk Register, Business Continuity Policy and Plan, Whistleblowing Policy
5. The Director of Operations and Partnerships gave an update on the key items from her report. She agreed to share a more detailed report and explanation on the figures in the management accounts after this meeting.
6. The committee discussed progress on the Medium Term Financial Strategy; the next draft is due to be shared with the Board at its next meeting on 19th August.
7. The Director of Operations and Partnerships updated the members on the recruitment of a new B2 role on a 12 month Fixed Term basis to provide additional support for the grant management and communications work which will in turn free up some capacity in Operations and Partnerships team for the statutory governance activities.
8. The Director of Operations and Partnerships emphasised that savings related to resource sharing with other NMOs are being actively tracked. In addition, our smaller NMOs working group (Consumer Scotland, Environmental Standards Scotland, Office of the Scottish Charities Regulator, Scottish Housing Regulator and Scottish Fiscal Commission) is proving very useful in terms of information sharing and collaborative working on statutory activities.
9. The Director of Operations and Partnerships updated that the strategic and operational risk registers are reviewed quarterly at the Executive Team and bi annually at the Senior Leadership Team meeting.
10. The scoring for the finance risk (24-002) score had been expected to decrease further in Q4 as the Oracle system settled down. There remain issues with the Oracle system including the delayed deployment of the budget and reporting module which is now expected in mid-June. As a result of this, the scores for this risk remain as is.
11. The strategic risk (24-006) score has decreased further and following discussion at the December ARC meeting and proposed that this risk is moved to the Operational Risk Register. The committee approved this proposal.
12. There are two emerging risks discussed for the Board’s attention – no escalation was raised at this stage, but the Director of Operations and Partnerships assured members that both are being scoped via the Operational Risk Register.
a. Risk that proposed changes to SG Hybrid Working policy results in employee relations issues.
b. Risk that lack of understanding of AI leads to unintentional misuse, data and information breaches and reputational damage.
13. It was noted that grant funding from DBT was still to be confirmed, which was delaying recruitment in the energy teams. A risk based approach was being taken with employment offers being made on a provisional basis, which allowed security checking to get underway in anticipation of funding approval.
14. The committee approved the business continuity and whistleblowing policies. The Director of Operations and Partnerships confirmed that Consumer Scotland has not received any whistleblowing complaints in FY2024-25 or in FY2025-26. and is not aware of any fraudulent activity in FY2024-25 or in FY2025-26 to date.
Agenda Item 4 – Annual Report and Accounts
15. The Director of Operations and the Finance and Accountancy Adviser presented the Draft Annual Report and Accounts, which had been separated into two parts for ease of review.
16. There are still some changes to be made to the draft ahead of submission to Deloitte LLP including the new climate change disclosure and the pensions disclosures which we expect to receive in August.
17. The Finance and Accountancy Adviser presented the financial report, showing where funding comes from and how it is spent. He explained the differences between last year and this year as well as explaining the new IFRS16 lease arrangement and its implication on the balance sheet.
18. The Director of Operations and Partnerships advised it is our intention to sign off at the September Board meeting and lay in the Parliament by 31st October.
19. The committee noted the hard work of the team to get us to this point. It was agreed that the report was comprehensive with the right tone and provided assurance on compliance with reporting requirements.
20. The Operations team will continue to refine the document, incorporating the points raised by members, ahead of submission to Deloitte with supporting evidence in early August.
21. Deloitte will review submitted documents and provide feedback on compliance and audit field work is due to take place from the 21st of July to the 8th of August.
Agenda Item 5 – Internal Audit
22. The Senior Internal Audit Manager highlighted some of the updates from his submitted papers.
23. Annual Assurance Opinion – was confirmed as reasonable assurance opinion, consistent with the previous year, reflecting the organisation’s growing maturity in governance, risk management, and control.
24. Two assurance reviews were conducted last year:
· Cyber Security – Limited assurance.
· Procurement & Financial Controls – Substantial assurance.
25. Two follow-up reviews showed good progress on implementing recommendations, with residual risks being managed appropriately. Positive feedback was noted regarding Consumer Scotland’s candour and responsiveness, which has enabled Internal Audit to add value effectively.
26. The Internal Audit Manager provided an update on the Internal Audit Progress Report including the activity for the current year (Q3):
· Grants Management Review – focus on financial control and governance of funding and third-party grant payments.
· Structure & Operating Model Review – assessing alignment with evolving responsibilities of Consumer Scotland.
· A follow-up on cyber resilience will also be conducted.
27. Board members welcomed the timing and relevance of the planned audits and expressed appreciation expressed for the constructive relationship between Internal Audit and Consumer Scotland staff.
Agenda Item 6 – External Audit
28. The External Audit Manager from Deloitte LLP presented the External Audit update and expected timeline for current year field work.
29. Deloitte LLP’s IT specialist team are performing audit testing of the Oracle implementation, and the work has now been finalised and is currently going through review. So far nothing major has been flagged by Deloitte LLP IT team in relation to Oracle implementation.
30. Deloitte LLP performed business process walkthroughs with CS management and have also tested several controls that are relevant to financial reporting. No major concerns have been flagged.
31. Audit field work will commence from July, and there has been no change in the timelines which Deloitte LLP originally agreed.
Agenda Item 7 - AOB
32. It was noted that the Director of Operations and Partnerships would be absent from the next meeting but that the Assistant Director of Operations and Partnerships would deputise.
33. The Chair thanked everyone for their participation and expressed his thanks for all the progress that had been made, then closed the meeting.
34. The date of the next meeting is Tuesday 23rd September 2025 at 10:00am online via Teams.