2. This report should be considered at the HSB meeting on 29 June 2011.

Transcription

1 HSB ANNUAL REPORT ON AUDIT ACTIVITY Purpose 1. To provide an annual report on activity of the audit committee to HSB and to advise of any control issues and their implications for the Statement on Internal Control. Timing 2. This report should be considered at the HSB meeting on 29 June Background 3. The Audit Committee Handbook, which applies to Historic Scotland, requires the Committee to provide the Board and Accountable officer with an Annual Report, timed to support finalisation of the accounts and the Statement on Internal Control, summarising its conclusions from the work it has done during the year. 4. The Chair of the Committee currently reports after each committee meeting however this report covers the activities for the full year, The Committee met four times in ; June 2010, September 2010, December 2010 and March Matters considered by the Audit Committee, together with their conclusions, are set out below. Report from the Director of Finance 6. The Committee receives a report from the Director of Finance at each meeting. These cover the following matters: Finance Outturn 7. The Committee monitored the forecast financial outturn throughout the year, in particular the impact of the ash cloud on visitor numbers and associated income, and were satisfied that there were sufficient measures to keep expenditure broadly in line with approved budgets. 8. The Committee noted that the financial outlook for will be challenging with a 7.9% reduction in SG funding, and are aware that the Agency introduced a zero-based budgeting approach to ensure that expenditure is prioritised and managed corporately reflecting the organisations agreed strategic objectives. Commercial Systems 9. The Audit Committee continued to review the position in relation to the commercial IT systems which were recognised as representing a risk to the Agency. 1.

2 Retail system At the year end there was a difference of 108,000 in the value of stock recorded in the financial ledger and in the retail system. This was due to ongoing problems with the BLEEP retail system. Manual stock checks have had to be implemented during the year in order to verify the stock position and mitigate this risk. Visitor Attraction System (formerly Admissions and Retail System) Discussions took place with VisitScotland and NTS over a number of months on the possibility of joint procurement and implementation of a single admissions and retail system. Unfortunately due to procurement issues it was not possible to implement the IT system solution which had been purchased by NTS. Following discussions with Gateway the Agency s Admissions (ticketing) system supplier it was agreed that their retail system would be re-assessed against the detailed specification of requirements. This validation exercise established that the updated Galaxy retail system could meet the majority of the CVO requirements, and that this presented a very cost effective solution. The project was approved and implementation of the new VAS solution will commence in Admission system. There had been an issue relating to the handling of personal data through the Galaxy ticketing system which included ensuring that the system was PCIDSS compliant. After negotiations, Gateway, the supplier of the Galaxy Ticketing System signed an OGC model contract that addressed Data Protection issues. Discussions with ISIS Information Assurance Team established that they would have preferred that the supplier had signed an Information Commissioner s Office (ICO) model contract which is designed to deal with data processed and held outside of the European Economic Area. Gateway signed the ICO model contract in February 2011 and the Galaxy system is now fully compliant with PCIDSS. The admissions system, which includes on-line ticketing will be rolled out to Stirling Castle as part of the Palace Project for the opening in June Fraud/Reputational Risk 10. There were three incidences of fraud which were reported to the Audit Committee during The first case related to the loss of 285 in cash from the Elgin Cathedral safe. An internal investigation was undertaken and no further action was taken against the staff involved. Cash procedures at the site were reviewed and discussed with staff. The second incident related to a break in at Hermitage Castle, where 891 was taken from the safe. The police believed that this was the work of a professional thief. The third incident related to ticketing irregularities at Stirling Castle car park which resulted in an estimated loss of 400. This was investigated by Internal Audit and a number of recommendations were made relating to the car park ticketing procedures. All of the recommendations were accepted and Internal Audit will undertake a follow up review to ensure that the recommended changes had been implemented and are operating effectively 2.

3 Risk Management 11. The Audit Committee consider risk throughout the year. The committee receives the HSB risk register as part of the Director of Finance report. Some improvements in the process for recording risk were introduced during however further improvements are planned. In particular the SMT has agreed to adopt the new approach to risk management being introduced by the Scottish Government. The Audit Committee will continue to monitor progress in this important area during Business Continuity/Major Incident Planning 12. The Finance and HR Directorates updated their BC plans and these were tested by Business Continuity consultants in July The IT service Continuity role has transferred to Philip Troon, Head of the IT Infrastructure Team. IT connectivity was taken forward at Croft an Righ and Holyrood Education Centre to ensure that these premises can provide a base for critical operations should Longmore House be inaccessible as a result of an incident. In addition all key data servers have been virtualised to mitigate the physical risk to data in the Agency s offices. Responsibility for major incident planning for the estate transferred from PIC to Conservation Group in the course of the year. The Director of CG will attend the Audit Committee in to present on this area of risk. HR will be developing updated contingency plans to mitigate against any disruption to key business functions in the event of industrial unrest. The Committee will continue to monitor progress on Business Continuity / Major Incident Planning. Information Risk and Data Handling 13. The Audit Committee continued to monitor progress on the management of information risk. Information Risk Training has been rolled out across the Agency. Level 3 training for the Non Executive Directors (NEDs) has been completed and Level 2 training for Information Asset Owners (IAO), although completed by some IAOs has been deferred until there is clarification of roles within the new structure. HS carried out a user test of the Scottish Government s Information Asset Register between 14th - 18th March 2011 with a view to adopting this tool. Data handling deals with handling personal information, transfers, codes of connection, systems training and policies. Data handling is to be incorporated into a process within the new IT strategy to ensure that it is dealt with appropriately in relation to both existing and new Agency systems. A piece of work on improving the business processes, activities and functions surrounding information management and record keeping, as well as facilitating compliance with information legislation is being undertaken by a senior member of staff. This will establish the actions that the Agency will need to take before an erdm system solution can be considered. Electronic 3.

4 records management solutions are evolving and the appropriate Agency is being considered as part of the IT Strategy. PCIDSS 14. The Agency has been following the recommended prioritised approach to PCIDSS compliance. This uses a self assessment questionnaire format that measures compliance against 6 milestones. As stated above the outstanding issues relating to Edinburgh Castle Ticketing system were addressed in February 2011 ensuring that the Agency achieved 100% compliance with PCIDSS. Internal Audit Reports 15. The Committee considered the annual report from Internal Audit noting their overall opinion: that they could provide substantial assurance on the risk management, control and governance arrangements. 16. The following reports were considered by the Committee: Title Status Audit Assurance Provided Properties in Care Review of Tourism and Membership. Final report issued January Substantial Validation of the Achievement of Key Performance Targets for Technical Conservation Group Masonry Bursary Scheme. Investigation Stirling Castle Car Park Ticketing Arrangements. Biennial Review of Governance and Risk. Properties in Care Income from Admissions and Retail Sales. Final report issued August Final report issued March Final report issued November Audit not started. Audit not started. Substantial Reasonable Limited Not available Not available 17. In addition the Committee monitor the progress in implementing the recommendations arising from these reports and from Audit Scotland. Audit Scotland Reports: ISA 260 Report to those charged with governance on the audit 18. The Committee noted that, subject to the satisfactory conclusion of outstanding matters and receipt of a revised set of accounts for final review, Audit Scotland anticipate being able to issue an unqualified auditor s report. 4.

5 The Committee noted that unadjusted errors of 112,814 were identified during the audit and that Audit Scotland were content with the decision not to adjust for these. 19. The Committee also noted Audit Scotland did not identify any material weaknesses in the accounting and internal control systems during their audit which could adversely affect the ability to record, process, summarise and report financial and other relevant data so as to result in a material misstatement in the accounts. 20. There were three issues which Audit Scotland brought to the attention of the Audit Committee: Scottish Government Funding A change in accounting policy for recognition and drawdown of Scottish Government funding has been requested by Scottish Government Finance, for the first time in this year s financial statements. The change in policy requires Historic Scotland to take into account cash balances before making drawdowns of funding. The financial accounts were revised to reflect this change in policy and accounting disclosures were agreed with the Scottish Government. There is no effect on the Statement of Comprehensive Net Expenditure. Scottish Ten accruals amounts due to and from the Limited Liability Partnership for the Scottish Ten project had not been promptly invoiced/ accrued. The total estimated effect on the net operating cost for the year (overstated) and net assets (understated) is 125,000 Future improvements in communication between Historic Scotland business areas will ensure that transactions with the Limited Liability Partnership are dealt with promptly reducing the future risk of these errors occurring. The estimated error was not considered material to Audit Scotland s opinion. No further action is required. Scottish Ten valuation Historic Scotland and Glasgow School of Art are partners in this limited liability partnership. The partnership agreement provides for a contribution to be made of up to 650,000 by Historic Scotland. The Partnership is a relatively new body and its annual accounts have not yet been required, prepared or audited under the Companies Act. Historic Scotland has not identified the fair value of its investment in the financial statements, Audit Scotland recommend that a valuation of the investment is reviewed in 2011/12, by Historic Scotland, on the basis of audited financial statements provided by the Partnership Annual Accounts 21. The results of the review of evidence to support the efficiency KPI and other performance indicators has still to be completed by Internal Audit and forwarded to Audit Scotland. However the verbal report from the Internal Auditors at the Audit Committee meeting was that the evidence to support the 5.

6 KPI s provided substantial assurance. The Committee therefore recommends, subject to receipt of written confirmation of the review of the KPI s, that the HSB approve the accounts. Reporting Standard on Heritage Assets 22. Last year the Audit Committee noted the outcome of the work undertaken on the implications for the Agency of meeting the requirements of the reporting standard on heritage assets. This work established that much of the information associated with disclosure of heritage assets already existed in the management plan for each of the properties in care. The collections database also held information needed to meet the disclosure requirements. The Committee were aware that the standard required disclosure of information on access to the assets and valuations where possible, and that there was general concern across the heritage sector that disclosure of this type of information could put these assets at risk. 23. The approach taken by the Agency in the Annual Accounts for was to publish or provide links to all available information on the policy and management of our assets, and to disclose valuations at cost only where such values were available. It is understood that this area may be reviewed further once the annual report and accounts are published by organisations in the sector, in order to establish if there needs to be greater consistency in approach in implementing this standard. Performance of the Audit Committee 24. In line with last year s report to the Board the Committee may wish to note that it set itself a performance target that that there should be no issue reported in the audit management letter or statement of internal control of which the committee was not aware and had not alerted the HS Board. There is one item raised in the Statement on Internal Control relating to the risk presented by the retail system. This was an area of the business which was considered by the Committee in I therefore consider that this measure has been met in Decisions/Recommendations 25. HSB should: note that the Audit Committee recommend that the HSB should approve the accounts subject to the written confirmation of the validation of the KPI targets; note that the problems with accuracy in relation to the retail system have been raised in the SIC; and note the performance of the Audit Committee in David McGibbon Chair of the Historic Scotland Audit Committee 21 June