Good morning, and can I welcome everyone to this, the fifth meeting of the Public Audit Committee in 2022. This morning, we have apologies from Colin Beattie, and I would like to say that Willie Coffey is joining us through video link this morning. Before I begin, can I remind members and visitors that the social distancing rules of the Parliament apply, and if you are moving around the room or entering or leaving the room, if you could wear a face covering, that would be much appreciated. The first item on our agenda is to agree to take items 4 and 5 in private. Are members of the committee agreed on that? Yes, they are. Thank you very much. The second item on our agenda is to take evidence from the Auditor General for Scotland and members of the Audit Scotland team into a report that they published just a couple of weeks ago on planning for skills. Can I welcome our witnesses to the meeting this morning? Once again, Stephen Boyle, Auditor General for Scotland, who is joining us in the committee room. We are also being joined online by Gordon Smail, Audit Director, Rebecca Seidel, Senior Manager and Douglas Black, Audit Manager, Performance, Audit and Best Value, Audit Scotland. We have a considerable number of questions to ask of the report, but first of all, I would like to ask the Auditor General to give us an introduction. Thank you, convener. Good morning, committee. Today, I am bringing my report on planning for skills. Scotland's skills system needs to operate efficiently and effectively for individuals, employers and add value to the economy. The labour market in Scotland faces a combination of skills shortages, skills gaps and skills underutilisation. Many organisations have a role in funding and developing workforce skills, including colleges, universities, employers and private sector training providers. 
That audit focuses on the Scottish Government's support for integrated skills planning and how it works with Skills Development Scotland and the Scottish Funding Council, the main public bodies responsible for providing access to post-school skills and knowledge. In 2017, the Scottish Government, SDS and SFC agreed to work towards skills alignment, a more integrated approach to equipping people with the workforce skills that Scotland needs. The intention was for SDS and SFC to work together to agree what skills were required to develop a plan for providing them and then review and evaluate their impact. However, convener, we found slow progress has been made since 2017, with anticipated benefits not realised. The Scottish Government has not provided the necessary leadership or oversight for joint working between SDS and SFC. There has also been insufficient clarity on what it wanted to achieve and what success would look like. We also found that progress by SDS and SFC was impeded by a lack of agreement between the two organisations about what skills alignment would involve. While the Covid-19 pandemic has undoubtedly affected progress, other obstacles included the delayed appointment of a skills alignment director, changes in staffing in the Scottish Government and constraints on capacity in the Scottish funding council. As a result, opportunities for more efficient and effective investment have been missed. During 2021, the Scottish Government proposed some new approaches to skills alignment. However, many of the same challenges remain and present risks to progress. I have therefore made a series of recommendations, including that the Scottish Government needs to set out what it wants to achieve from skills alignment, how it will measure progress and clarify governance and oversight arrangements. 
All three parties also need to agree how they will work together to deliver the shared outcomes for skills, and SDS and SFC should implement solutions to overcome obstacles to joint working. Lastly, at the time of finalising my report, the three parties were developing a new shared outcomes framework. They intend to use the framework at regular meetings between the minister and the chief executives and chairs of the two agencies to measure progress and agree shared outcomes and priorities. As ever, my colleagues and I will do our best to answer the committee's questions. Auditor General, thank you very much indeed. We do have a large number of questions. I will go straight into the questions, but just to remind people that for the aid of broadcasting it would be helpful if you were directing your questions to anyone, in particular of the team who were here, if you could say that. Again, Stephen MacDonald, if there are members of the team that want to come in as well as at your invitation, if they want to add something to our evidence gathering, if they were able to just put an R in the chat box function and we will pick that up and bring them in. I will turn first of all to Sharon Dowey, who has a number of questions to put. We have seen a lot of reports coming through here, but that is probably one of the most damning ones. Some of the comments say that the Scottish Government has not provided the necessary leadership for progress. Current arrangements are unlikely to achieve the ambitions for skills alignment at the pace that is required, so there is a lot of concern. The report states that the intended benefits of skills alignment have not been realised and that the opportunity for more efficient and effective investment has been missed. I appreciate that, but it might be hard to quantify. 
Do you have any information on what this largely failed project has cost the public purse or what opportunity costs have been lost through the catalogue of errors outlined in the report? Good morning, Deputy convener. It is a difficult report and significant in the extent of the findings that we set out today. I will pass to Gordon Smail in a minute. Gordon led the report, but he is also the auditor, the external auditor of both Skills Development Scotland and SFC, who may wish to say a bit more about some of the quantification of the cost. In truth, though, as we set out in parts of the report, it is difficult to quantify numerically what this has cost in totality, and we think that it is much more in the frame of the opportunity cost of not progressing with skills alignment. For all the reasons that I have spoken about with the committee in recent months of the impact of the pandemic and what that will mean for Scotland's economy, the requirement of skills and effective skills planning that the country needs. I should say before I hand to Gordon that there are some positive examples in the report, so we highlight through some case studies where progress was made around examples of early learning and childcare. Perhaps it might serve as a template for further progress, but it does not mask the overall picture of a missed opportunity. There is much work to do to progress with skills alignment and effective skills planning for all the reasons that we know that Scotland's economy needs, but I will pass to Gordon Smail if I may to say a bit more about some of the costs of the project. I think that there might be some problems with Douglas and Gordon's camera, but we can still hear. In fact, here is Gordon, so Gordon, please join us. Thank you, convener. Sorry, we just get to go out for the technology here. Thank you and good morning, committee. 
Just to pick up on this particular point, first of all, just to, as we say in the report, we need to bear in mind, of course, that what we are talking about this morning, skills alignment, is only part of what SDS and SFC do. While that has been a relatively narrow focus on the element of skills alignment that they are both involved in, it should be kept in that context. On the financial side of things, we look carefully at the accounts of both SDS and SFC to see if we could identify the specific spend from each of the organisations that are related to that particular activity. Frankly, we are not able to untangle that. It is effectively part and parcel of SDS and SFC's work. In terms of the quantification of the financial amount of money that is involved here, it is difficult to do that. The Auditor General is right here. I think that it is more about the opportunity cost that has been missed and the benefits that have been missed here. The final point is that, if you look at the report, one of the objectives of this at the start was to avoid duplication of effort and to drive out better value for money. Without that type of information, it is very difficult for us or anybody to see what duplication of expenditure has been avoided through this process or what might be achieved. I guess that brings us back to the outcomes issue, which I am sure will come up as part of the committee's further deliberations. The report highlights that, while the Scottish Government made a commitment to skills alignment, there was a complete absence of strategic intent or a performance management framework to measure the progress. Can you outline why the fundamental elements were not put in place and the extent to which that has led to the significant lack of progress and skills alignment highlighted in your report? I will start again and turn to Gordon to anything that he wishes to elaborate on. We set out at paragraph 8, Deputy convener, to the report. 
The broad intent around skills alignment was intended to achieve what then did not follow the ways in which you could appropriately measure progress. With a detailed set of milestones and outcomes that you could translate from that intent. We talked about in the report the need for the Government to be clear what strategic ambitions are to set milestones, performance measurements, targets and so forth. I am building on Gordon's last answer about that. It is measurable what the financial cost of skills alignment is and, therefore, a sense of avoiding one of the intended measures of that. There is an absence of duplication of public spending between the two organisations. To elaborate further, we say in the report that there is no doubt that Covid-19 has had some bearing on the progress of skills alignment. However, we also point to changes in senior staff within the Scottish Government during the course of the project and a lack of capacity within the Scottish Funding Council to support parts of skills alignment. There is also a disagreement in part between the organisations about how that would best work. There are a number of factors, all of which were relevant and all of which have led us to the point of today's report, pointing out that there is a lack of progress, a lack of clarity and opportunities missed for progressing that important strand of work to support Scotland's skills and economies. I will pause again, and I am sure that Gordon will want to say a bit more. Thank you, Auditor General. I really do not have much more to say on this particular point. I think that the things that you have said have drawn that out quite nicely. The overarching thing that we have found in our audit working from the evidence is that lack of strategic intent, which is so crucial for any initiative so that everybody is clear about what is expected from the overall programme and what is expected of individual organisations working through that. 
That also includes having clear ideas of what the outcome is, what exactly is expected to be achieved through this. As I said, it is very much important to have methods in place that can monitor progress. We have identified a couple of things in the report, first of all, the point that was mentioned about the duplication of spending and the issues of money, but also some of the other intentions about the skills gap that was mentioned in particular areas and measures that would have been possible in terms of seeing how that gap is narrowing through the efforts of the work that was intended through this particular initiative. We know that, in 2021, the now disbanded skills alignment assurance group was tasked with agreeing a definition of skills alignment. That was just three years after the Scottish Government, SDS and the SFC agreed a road map for skills alignment. Is the lack of shared definition of skills alignment indicative of a wider lack of a shared vision across the Scottish Government, SDS and the SFC? Probably more importantly now, how confident are you that a shared vision can ever be achieved? In terms of those points, it comes through in the report that there have been disagreements between the parties on how to progress with skills alignment. I don't think that there is any disagreement about the necessity and the importance of that, but what there has been disagreement on is how best to take that forward. I will bring the team in a moment to ask Rebecca to say a word or two about some of this in a bit more detail. What is clear, Deputy convener, is that the Government needs to show leadership and clarity through its letters of guidance to the organisations both SFC and SDS, so that it drives that shared vision and clarity for what is to be achieved. There have been examples that Rebecca might want to show on where some of those disagreements have manifested about the nature of the model. 
We have started with a five-stage model, we are now moving to a three-stage model. There have been changes in governance and oversight in terms of assurance committees and so forth and how they would operate where they would sit. I think that those factors have got in the way of progress. As we say in the report, it comes back to the Government to say that here is how they intend it to work. We are pleased to see the Government's confirmation that they welcome the report and we understand that they intend to, as well as the strategic framework that I mentioned in my opening remarks, intend to issue further letters of guidance to both SDS and SFC to more clearly set out how they intend skills alignment to progress. Again, I will pause there, but I think that Rebecca will want to say a few words more. Thank you, Auditor General. As the Auditor General said, because of the lack of consensus between SDS and the SFC on the way forward with skills alignment and the lack of progress that has been made since 2017, in 2021 the Scottish Government proposed a new approach to skills alignment, moving away from the original five-stage model that everyone had signed up to and proposing a slightly different three-strand model, the intentions of which were slightly different to the original intentions of skills alignment that were set out following the Enterprise and Skills Review. This model was proposed mid-2021, but by the point that we finalised our audit work at the end of November 2021, we found that timescales and success measures for some of the projects that had to be taken forward under that new model still hadn't been agreed. As we identify in the report, the obstacles that had prevented progress over the preceding years still prevail. 
In terms of your question around how confident we are that things will move forward, Auditor General said that the new shared outcomes framework that the Scottish Government SDS and the SFC are agreeing between themselves is a promising step forward, but it is early days. That was not finalised by the time that we finished our audit work, but we will obviously be interested to see how that progresses. That was just one final thing that I was going to ask, then. The audit report took us up to the end of November 2021. We obviously need more involvement from the Government, so I know that you said that we welcome the report and that they intend to issue further letters. Are we aware of any action that the Government has taken since the report was done? I will check in with the team again, but perhaps I will ask Douglas to say a word about what we know and what has happened since. In overall terms, the Government has welcomed the report and committed to more action in itself. We share their own words to the community that it is welcome. What matters next is to know what actions follow, what changes are felt and particularly the impact of skills alignment. We are really referencing back to the original intent of a co-ordinated, coherent skills alignment system between the two agencies that learners feel the benefit of it, employers feel the benefit and, by extension, Scotland's economy feels the benefit of it. If I may, it is perhaps referencing back to the committee's discussion last week about income tax, the Scottish economy and the vital importance of the relative growth of the Scottish economy and how that translates into public spending that is on offer in Scotland. I do not understand the debate that this really matters, but what matters is that we see impact from some of the changes that are being proposed. As Rebecca mentioned, we will continue to track and monitor that through our audit work and consider any public reporting as necessary. 
If I may, I will invite Douglas in to say a bit more about the strategic framework and what we are seeing from that. I am not entirely sure who everyone can see or hear. I have had a couple of issues this morning. The key development that I will focus on is an outcome framework that is being led by the Scottish Government in association with SDS and the Scottish Funding Council. At the time of writing our report, that work was at an early stage. We will be interested to see how that captures clarity of expectations on the part of the Scottish Government and is explicit about the expectations of the two skills agencies and the associated performance management framework for capturing their progress in reporting that. Both the Scottish Government and the Enterprise and Skills Strategic Board. I am going to move straight now to Craig Hoy, who has a number of questions to ask. Before perhaps, Mr Boyle, we will go into maybe some detailed questions around the structure of the role and the remit of the ESSB. I just maybe want to take you back to your opening remarks, because I very much agree with what it was that you just said that the skills agenda is vital for the economy, for business and for individuals' own career progression. I just perhaps wanted you to reflect on, in your key messages, number two, which is that the Scottish Government has not provided the necessary leadership for progress and then you go on to say that it is the leadership and oversight functions that have failed here. If you look at section 10 of the report, which you referred to earlier, you make reference to the letters of guidance here, and it strikes me that if they were not fit for purpose, then the whole system was set up to fail. In terms of those failures of leadership and oversight, is it fair to say that this was a failure of ministerial leadership and oversight in respect of everything that we read about in your report? Good morning, Mr Ball. 
We are not drawing that distinction between ministers and officials in our reporting. We do reference a couple of sets of circumstances that are relevant to the judgment that we make, but the high volume of turnover of officials within the Scottish Government departments and what we tried to set out in Exhibit 1 to the report is a fairly complex landscape of how skills planning operates with the two organisations, SDS and SFC, and then two Government directorates that are responsible for the oversight of the respective agencies. At the time of May 2021, two ministers are also responsible for those arrangements. Following the recent parliamentary elections, we now have one minister with overall oversight of skills planning, and within that gives a better opportunity to have a single view, more clarity and oversight. As we have touched on already this morning, as we move into revised letters of guidance, a revised strategic outcomes framework, there is more opportunity not to have those missed opportunities that we have talked about through the report, but a real need for impetus from Government to provide clarity of what their expectations are around skills alignment. That is what is writ large through the report, is that we have had broad intent that has not been sufficiently measurable in terms of outcomes or impact, but more signs of optimism that we are moving into an environment that will provide that clarity and see additional pace in terms of skills planning and alignment. You welcome the consolidation of those two elements under one minister? I think that it gives a better opportunity. As we have seen through the turnover of staff, two separate directorates and two ministers at the time, inevitably that is harder for which to have clarity from Government, but there is now one set of arrangements. 
It is clear that it is for Government to determine their arrangements that, through the letters of guidance, those really matter, that there is consensus and commonality between the letters of guidance and what is intended to be achieved from skills planning. Turning to just some details about the ESSB, you stated in the report that the board lacks the authority to hold the skills agencies to account and therefore limiting its ability to support progress by SDS and the SFC on skills alignment. Why do you think that this has been the case and to what extent do you believe that the lack of authority has contributed to the lack of progress? I will invite Gordon to come in in a moment or two as well, just to say a bit more if it is helpful for the committee, but background to the ESSB and what that is designed to achieve. Governance matters is a recurring theme in discussions that the committee has and why a lack of clarity around governance and roles and responsibilities can get in the way of delivering impact change improved outcomes. The strategic board was not able to direct the work of SFC or SDS in respect of skills planning. We have seen not necessarily the right or the wrong thing, but its presence is a factor for how skills alignment ought to work and coupled with some of the changes that took place over the course of the past few years with a committee, an assurance group and that ending of further changes, all of it points to a confusing environment with which to make the changes. I don't think that it's the only factor. I think that there have been a combination of circumstances as to why it hasn't progressed as intended, but a lack of clarity around governance and roles and responsibilities is no doubt one of those. Gordon will want to say a bit more, I'm sure. That's a very good place for me to start off, because in our opinion and reflected throughout the report, that's one of the central issues. 
The complex governance arrangements that are in place involving the Scottish Government, the Enterprise and Skills Strategic Board, SDS and SFC. I think that our experience in auditing quite often, where the governance arrangements are complicated, it does lead to uncertainty about roles and responsibilities and crucial things to do with governance and accountability as well. I think that the intentions were good in terms of what the Government expected of the ESSB in terms of the various missions that were driven through there, and I bear in mind that skills planning was one strand of the work that's done, because it involves bringing together a whole number of things that are directly involved in the economy. There's absolutely no doubt that in terms of this particular report that we've brought that there has been a lack of clarity about roles and responsibilities, and indeed the accountability process has not worked as it would had it done so. Everybody would be very clear what was expected of them. There have been regular reporting that allowed a good degree of scrutiny and accountability, not from the point of just holding people to account for progress, but also for understanding better what the barrier or some of the obstacles that we call them in the report are and how they might well have been resolved. Finally, if I can, Mr Hoy, there's something about just the confidence that everybody involved in this type of activity has in the governance arrangements. I think that over the period of time that's covered by our report, there is an essence of, I guess, frustration and lack of confidence in how governance is supposed to work, who's supposed to be doing what, when and where, and who's accountable for what as well, and I think that these are key things. 
Hopefully, going back to the previous question, some of the things that we've seen since publication of the report tend to suggest a reset of some of those things, and a rethink about just how best to deliver on this really quite crucial element of Government initiative. Thank you. Thank you, Mr Smail. You've touched on confidence in the governance process. Maybe we'll just turn to confidence in the board itself, because we note that the board became aware that limited progress had been made on skills alignment, but despite that requests for information were ignored or provided to the board at very short notice. Mr Boyle, do you think that the board is sufficiently respected by the Scottish Government and the skills agencies? If not, should its role be strengthened, or is there a case for looking again and starting afresh? I'm not sure I know the answer to the motivations behind some of the circumstances that you outlined, Mr Hoy. I think that probably we would identify, in overall terms, that a lack of clarity around roles and responsibilities is perhaps the key contributor to the circumstances that we set out in the report, as distinct from any feelings of respect or otherwise. It's for Government, of course, to determine what governance arrangements it intends around skills alignment, as Gordon mentioned. There's been a lack of clarity has been a key contributor of why there hasn't been the progress, but not the only one. As we set out in the report, that had there been a much clearer framework of what was intended from skills alignment, that feeds into effective governance. For any board of governance, attempting to monitor and support progress without clear measurables is really very difficult. That inevitably is one of the factors that impedes the governance arrangements alongside the others that we set out in the report. Okay, thank you very much indeed. I'm now going to turn to Willie Coffey. Willie, this morning, joins us via video link. 
I know that he's got a number of questions to raise about the report. Willie, over to you. Welcome. Thanks, convener. Good morning, Auditor General, and to the rest of the panel. I think that before I ask a couple of questions relating to the skills room's group, Auditor General, could I just take up the points that you made in your opening remarks about the impact that the pandemic has had on this whole programme? I'm looking particularly at paragraph 18 in your report, and you say there, Stephen Mac, that from March 2020, much of the skills alignment work was paused to allow staff in the Government so on to focus on the emerging pandemic for emergency response. What kind of impact did all of this have on the entire programme? It goes on to talk about the Government reviewing, asking the funding council to review the whole tertiary education system in light of all that. It seems like a not insignificant impact on the programme there, but could you tell us a bit more about its overall impact and whether that review that was initiated in June 2020 has been completed in a view and a chance to assess the effectiveness of that? Good morning, Mr Coffey. I'm happy to start on your questions. I'll probably invite Rebecca to say a bit more to anything that I add. We're clear in the report that the Covid-19 pandemic is one of the contributory factors behind the lack of progress of skills alignment in Scotland, along with some of the other factors. You're right and not unique to SDS or SFC. Many civil servants and public officials at the start of the pandemic were diverted from their key core role to focusing on pandemic efforts. That was an absolutely necessary step that the Government took at that time. I think that it's one factor, but I don't think that it's a sole factor if I may. 
As we draw the committee's attention to Exhibit 3, we look to track the chain of events dating back to 2016-17 with the education and skills review and the progress that took place over a number of years before the pandemic. It's worth saying to the committee this morning that we would have been reporting likely on this before now had it not been for the pandemic as well. We signalled in our briefing paper that we produced in 2019 some of the on-going challenges of the skills alignment and following through on the work of the enterprise and skills review. Undoubtedly, it's a factor, Mr Coffey, but it's also fair to say that there had been a chain of events preceding the pandemic that had led to some of the challenges that we know in the report. If I may, I'll invite Rebecca to address specifically your question about SFC and its work on the tertiary education review and the Government's response to it, and of course anything else that she wishes to add about the pandemic impact. The Scottish ministers commissioned the SFC to undertake a review of the provision of tertiary education in partly in response to the Covid-19 pandemic and the recognition that the landscape around further and higher education was changing and would need to change in future for a more sustainable long-term approach towards delivery and provision. That review commenced in June 2020 and it was a year-long review. The SFC published its findings in June 2021. We found that, as we say in our report, the SFC had limited resources to devote to the skills alignment agenda. In setting out on that review, which had a wide-ranging scope, that meant that it had to reprioritise some of its work and redeploy some resources towards focusing on that review, which meant that it impeded progress further with the skills alignment agenda. In terms of taking that review forward, the Scottish Government published its response to the recommendations in that review in October 2021. 
As I say, it was a very wide-ranging review. There are a number of recommendations in it and work is on-going between the SFC, the Scottish Government, SDS and other stakeholders in terms of taking forward those various recommendations. Thank you for that, Rebecca. Has the review that was carried out completely reshaped the entire skills alignment programme? Has it completely changed how we think about it and what we intend to do? It seems to me that it is a major impact in rethinking the direction of travel for it. Is it fair to say that? I am happy to start, Rebecca. I am sure that we will want to give an opinion on that. I think that it is two complementary but separate things, Mr Coffey. The SFC's review of tertiary provision, as Rebecca is right, is that the SFC's capacity constraints are noted in the report, and undertaking that review is another significant piece of work for them to do alongside their important role in skills alignment. However, I do not think that the two have a direct read across to addressing the skills alignment factors that we know in the report. We might also be referencing back to what the strategic outcomes framework and the letters of guidance are. We would point to perhaps a more direct contribution to the Government's intent on skills alignment. It is important that the Government's response is, of course, to the tertiary review that the SFC undertook. It is two complementary, but it is not exactly the same thing. I am happy for Rebecca to come in and say a bit more. I absolutely agree with what the Auditor General said. I think that some of the findings and recommendations from the SFC's review will feed into the approach that is going forward around skills alignment, but they are not going to be the only factors involved. 
Some of the things that came through in the review included the establishment of some pathfinder projects to work in different regions with employers, training providers, etc., to try to get better at recognising local skills needs and thinking about how, through colleges and universities, those skills can be better delivered. There are recommendations in the review about engaging more effectively with employers in local regions. Some of those things will feed through to the approach that is going forward around skills alignment, but, as the Auditor General said, that is not the only thing at play here. Okay, thanks for that, Rebecca. I have a question or two on the skills alignment assurance group, Auditor General. You tell us in the report that the Government established the alignment assurance group but wound it up less than a year after it was established. Can you give us a little bit more information on what happened there and whether that decision to wind it up was supported by the partners within the arrangement? I am happy to start, Mr Coffey. I will ask Gordon to come in and say a bit more about the circumstances that led to that. There is a bit of history around the work of the assurance group that intends to play a key role in driving forward some of the alignment, but it might also be relevant to the earlier discussion in response to Mr Hoy about the lack of clarity of how governance would best operate as part of the process. The Government's intent to wind up the assurance group is clearly a decision for the Government to make, and we expect that that is part of its longer-term thinking about how assurance arrangements will complement clearer governance arrangements and more clarity around roles and responsibilities. However, in terms of the awareness of the other parties to that process, I might ask Gordon to say a bit more about what we found out through our discussions with the SFC and the SDS. 
As we say, we are trying to repair a 26-hiver report where we set out some of the chronology here. I think that the attempt from the skills alignment assurance group of the intention of that was to try and bring that word, I said a minute ago, a reset to how things were being brought forward. However, as a report says, I think that this was something that came as a bit of a surprise to some of the parties involved in the fact that the Government was bringing that forward. As I was saying earlier, I think that the confidence in all parties involved as to what the direction of travel is. After a few attempts by the SSB to try and get some clarity and information about how progress was going, the fact that this new group was set up, and it is clearly not delivered in what it was intending to do. I think that it was borne out with the fact that the Government has decided to stand that down with a new arrangement now in place through the shared outcome assurance group. I think that it is part of the story here overall and part of that common theme that we have this morning about the governance arrangements and then being fit for purpose for driving forward this important area of development. Can you say just a wee bit more, though, Gordon? What's the difference between the two, if you don't mind me asking? We've had a skills alignment assurance group, now we've got a shared outcomes assurance group. What's the fundamental difference between the two? Do you have confidence that that's going to be an effective way to monitor progress going forward? What's the difference between the two, if you don't mind me asking that? Thank you, Mr Coffey. It's a good question. I think that it probably tells a bit about the overall story. I think that the main thing that's different here is an attempt through the current group, the shared outcomes assurance group. I think that, firstly, the title's helpful focus on outcomes should help a bit of clarity around that. 
I also think that the composition of the group is different in terms of who's going to be participating in that. Early days, we know that that's just been set up. Obviously, as auditors, we've only gone to the base of the evidence that we can see. However, I would hope that some of the lessons that have been learned to date, because I think that there's a general acceptance that things haven't moved as quickly as they might have, or in the right direction, or indeed generated the benefits that would have been expected from that. As well, to be fair, I think that some of the audit work that we've been doing over the last few months has helped focus minds as well about some of the things that are important. I hope that we've added some value through the work that we've been doing in terms of our audit work and then our report and recommendations. Early days, in short, I think that the composition of the group gives hope that that will help to generate the kind of momentum that's required at this stage, and to move on with that quickly, because, for all the reasons that we say in the report, that's a really crucial part in terms of Scotland's economy at the end of the day. Thank you very much for that, Gordon. I'm hoping to come back in later, convener, but for the moment, back to you. Thank you. Thank you very much indeed, Willie. I will come back to you. For me, one of the stand-out features of this report is that, over recent weeks, we've looked at section 22 reports of quite small organisations with fairly limited resources and budgets and staffing levels, yet here we have two premier agencies of central government, Skills Development Scotland and the Scottish Funding Council, which, between them, each year have got a budget combined of £2 billion and more of public money. The story of this report is that, going back to 2016-17, they've failed to agree that things haven't happened, which is quite staggering. 
One of the inferences of the report is that the Scottish Government has failed to provide leadership to address and rectify it. There have been a few reheated attempts to set up different committees and bodies to co-ordinate things, but all of which, according to the report that's laid before us, seem to have largely failed. Why do you think that that is, Auditor General? You're right, convener. In terms of the committee's recent work programme, this is of a different scale and size. The £2 billion expenditure is what's set out in the funding of these two organisations. If I may, perhaps I'll reiterate the point before I address the rest of your question. Our report looked at one aspect of the work of SDS and SFC as opposed to the entirety of their operations, so it is just about skills alignment and skills planning. We're clear in the judgment that we make, convener, that whilst recognising that the Covid-19 pandemic has interrupted progress, it goes back to three years prior to that. One of the very clear judgments and the associated recommendations that we make is that, for the Scottish Government to be clear in what it intends of skills alignment, it is clear on the outcomes to be achieved and that it provides necessary clarity and leadership to arrive at that so that it can provide guidance, appropriate direction, if required, to SDS and SFC, so that there is no ambiguity about what's intended and what progress is expected to be made. For all the reasons that you outline in the committee are familiar with, there is a direct correlation between the performance of Scotland's economy and the relative performance to the rest of the UK and how that then feeds through to Scotland's budget and its ability to support fund public spending. Let me turn to the skills alignment action, which is, as you say, the principal focus of the report that we are considering this morning. 
The report notes that, back in 2018-19, the Scottish Government said that it was to issue the same strategic skills guidance through letters of guidance to the boards of Skills Development Scotland and the Scottish Funding Council to support the delivery of the enterprise and skills strategic boards strategic plan, once that was published. Consistent and complementary guidance being issued by the Scottish Government to both agencies, has that ever happened? I'll ask the team to come in and perhaps Gordon to say about the commonality between the guidance. As we've mentioned already, one of the stated intents following the report that the Government has noted that it plans to provide further new letters of guidance to both SDS and SFC imminently. I look forward to reading those and to seeing that they are clear and set out outcomes along with the new strategic outcomes framework. It matters clearly, convener, that that is not the replicating circumstances that have already happened. Wherever the detail of the previous letters is, it has not provided clarity of intent from the Government that, as we know in the report, there are broad overarching themes that have been noted that led to challenges in governance and accountability. It is important work to follow, but, in terms of the specifics of what went before in the respective letters of guidance, I'll ask Gordon to say a little bit more to the committee. Thank you, Auditor General. Just to be clear, the letters of guidance are an important part of the machinery here. The machinery of government, as I would call it, is crucial in terms of Government's articulation through the sponsor arrangements into non-departmental public bodies as to what is expected of them. Obviously, they have been in place. There is a requirement of the accountability framework. The point is that they clearly have not done the job that they were intended to do in terms of giving clarity about expectations around the skills alignment. 
In terms of your observation in relation to our report, the proof has been that the lack of progress that they have not done the job required is an important part of the machinery. Specifically for me, it comes back to what we were talking about previously about outcomes, the shared outcomes assurance group. There needs to be much more said in the letters of guidance about what the outcomes are intended, but there also needs to be a good grid across between the letters of guidance to Skills Development Scotland and the Scottish Funding Council. They need to be complementary. They need to demonstrate through that part of the machinery of government a clear articulation and a clear reference point about how the two organisations will, individually and together, work with the Scottish Government to achieve the outcomes that are required. Finally, if I can, to complete the said in terms of our recommendations, there needs to be a clear articulation and a clear reference point about what the reporting requirements are for individual organisations and together so that the governance arrangements, as they change and pan out through ESSB through the shared outcome assurance group and through our audit working into public about how much progress has been made in this important area. I want to turn now to another aspect that is covered in the report around the Skills Alignment Action Plan strategy. That is about the Skills Committee. To somebody coming to this for the first time, there was a little bit of confusion about which Skills Committee is the because there was, as I understand it, a proposal to amend the joint Scottish Funding Council and Skills Development Scotland Skills Committee to convert that to a Skills Committee of the Enterprise and Skills Strategic Board. 
If I can quote the report because I think that this is quite illuminating, in the report you say, this did not happen because of the statutory requirement for the existing committee to be chaired by an SFC board member. No alternative governance structure was introduced at the Enterprise and Skills Strategic Board level and the Joint SFC and SDS Skills Committee has not met since August 2017 and this is a report written in November 2021. The SFC consolidated the Joint Skills Committee with another of its committees, which has since become the SFC's Skills Access Enhancement and Learning Committee and Skills Development Scotland does not sit on this committee. That poses a whole host of questions, but one of them is, do you know why the Enterprise and Skills Strategic Board did not seek to set up an alternative governance structure that would allow a proper co-operative-collaborative skills committee to be established in engaging both of those two organisations? I will ask Gordon to say a bit more as some of the detail and chronology of all of this, convener, but it is a very difficult part of the report, difficult reading, I think, about how governance has operated in terms of skills alignment, about the understanding expectations of the Enterprise and Skills Board, the participation, the roles and responsibilities of SDS and SFC, the lack of clarity and agreement between how all of this would work between the respective parties. I think that the example that you cite probably best serves to illustrate how all of this has all felt challenging, muddled and lacking clarity. In those circumstances, there was a clear role for the Government to step in, whether through its letters of guidance or other mechanisms, to say that this is how they expected matters to work. That did not happen, and that led us to the co-recommendation that the Government has to be clear and show leadership in what is intended from skills alignment. 
On the specifics of the committee structure of the ESSB, I will ask Gordon to take the committee through that. Thank you, Auditor General. Mr Leonard, you are right to highlight this particular part of the report and this particular element, I think that what it does to demonstrate well the overlaying of governance mechanisms, if you like, and varying degrees of success are otherwise, as we point out in the report. That overlaying serves to demonstrate what I was talking about earlier, but the confidence of everybody involved in what governance looks like, who is accountable to who and when. I think that that demonstrates that in really good style. As well, be it in mind, it is interesting to look at the timetable of the change of the committee, and it is starting off with a statutory responsibility of the ESSB, and then how it might have been changed to drive forward the agenda that we are talking about today, and then how that did not happen. It is interesting to look at that alongside the chronology of what we are describing in our report overall and the ability of, for example, as we say here about SDS, to be able to participate in that, to understand what its purpose is, what its role is in terms of being involved in that, and at the end of the day, not being involved at all. It gives you an insight into the overall picture. In terms of the detail of that, I am not sure whether Douglas and Rebecca might be able to pry a bit more lighter whether that is sufficient for the moment, Mr Leonard. Well, if Douglas or Rebecca do want to come in, I would be keen to hear their views if they think that they have got something additional to add to that. If not, let me move on, because there was another area that, again, I just found particularly striking. It is another strand of the skills alignment strategy, which was to appoint a senior position of skills alignment director. 
If I look again at Exhibit 3, after the rather dysfunctional episode with the Skills Committee and not the Skills Committee and so on, if I look at the chronology that is outlined in Exhibit 3, so, in February of 2018, the recruitment of a skills alignment director began, and then there was a gap then from February of that year until October of that year, when an interim director was appointed. In March the following year, the interim skills alignment director's term ended, and then there was another gap before, in August, the permanent position was filled. I do not know whether Gordon, you are in a position to explain this order to general whether you want to have a go. This also seems to be, when efficiency and effectiveness is one of the cornerstones of what we are looking at here, that seems to be highly inefficient in terms of recruiting what seems to be a key strategic part of driving this whole agenda forward, albeit that now it has been decided that the permanent skills alignment director having left has been decided that post is no longer required, it is surplus to requirements. Could you explain that for us, please? I will say a wee word or two and I am sure that Gordon will have his own perspective on it. You draw the comparison convener with the committee and I think that this is a similar set of circumstances in that context of a lack of clarity around roles and responsibilities and accountability and no doubt impacted the attractiveness of the post. For anybody coming into any job, I suppose that they want to be clear what is expected of them, who they are accountable for, what the intended outcomes will be of the job. In that context, I think that we have seen challenges in recruiting and challenges in retaining people in the post. I think that it is really significant in telling that the intention is not to continue with the role. 
I think that that is probably the right decision for the time being when you think that, rather than replicating some of the challenging circumstances that have been the case with the post, but until the Government, SDS and SFC are clear what is intended from skills alignment, it would sound like a very difficult job for anybody to demonstrate successful impact and alongside the other recommendation that we report, which I think speaks very clearly to those circumstances for SFC and SDS to work together to remove any obstacles to further progress. If there is to be shared leadership through a single director that any successor has the best chance of success in the post, Gordon might want to say a bit more about some of the circumstances that we know in the Exhibit convener. Thank you, Auditor General. I will pass to Douglas in a minute, if that is okay. Auditor General Douglas will give the detail around the sequence of events around the director that was appointed. I think that, just to set as often this thing, it is worth it bearing in mind, as we say in paragraph 10 of the report back in 2017, that the Scottish Government identified three actions to ensure that appropriate guidance and oversight of this particular initiative. The letters of guidance was the first one and the second one was the skills committee, and we have covered both of those issues. The third of those actions was the appointment of a skills alignment director. Clearly, therefore, part of the way in which the Government thought that this should be driven forward, so I just want to set in the scene there just emphasising what an important part of that appeared at the start of this process. Douglas, can you take us through some of the detail of how things then planned out? Sure. Looking back through the chronology, clearly the sequence of events wasn't ideal. The original recruit was unable to actually take up the post as things materialised, so an interim arrangement was put in place. 
The position was filled on a permanent basis, and that position was filled permanently in August 29. The person resigned in February 2021, and very shortly after that, after the resignation of the skills alignment director, the skills alignment assurance group was established. Just to confirm perhaps with you, Douglas, the position was originally advertised and the recruitment process originally began to appoint a permanent skills alignment director in February of 2018, and the position was only permanently filled in August of the following year. That's a huge gap between the intent to recruit somebody to that critical position at a critical time, presumably, and the final result being that somebody was recruited on a permanent basis? Yes, it's not ideal. The original appointment was in May 2018, but it became evident that the person was unable to take up the post, and that is why a position was filled on a temporary basis until a permanent person could be recruited to the job. I just observed that there are huge gaps both from the date of the post being originally advertised and it finally being filled permanently, but there are also gaps in the coverage provided by interim director or interim director of Plural. I don't know whether it's one person or not, but there were large spaces of time when there was nobody in post carrying that function out, which was seen to be absolutely pivotal to the delivery of this Scottish Government strategy. I think that that's true, convener. The exhibit sets out that there were gaps, there wasn't continuity, and any director coming into post in certainly any new job, to be fair, there is a period of time of induction, learning a role, asserting themselves, impacting and so forth. 
Having such an interrupted recruitment campaign, appointment, levers, intermediaries and permanent appointments that follow and then subsequently nobody in the post, I think that one of the additional factors that we draw out in the report is the lack of continuity of leadership. It hasn't just been this post, convener. We also note in the report that there has been a lack of continuity of leadership within the Scottish Government directorates that sponsor both SDS and SFC. Again, in our view, channels up to that overarching view of there's been a lack of leadership and clarity of expectation, but certainly the circumstances of the skills alignment director clearly haven't helped. I want to now bring Craig Hoy back in, who's got a couple of questions that he wants to put. Craig. I just want to briefly turn to the five stage model and then move to a three stage or a three strand model because it strikes me that what we have here is a vehicle that's going in the wrong direction. We've lifted the bonnet and we've seen that it's overly complex, difficult to maintain and repair and we don't know what component affects what outcome. As I understand it, three pilot projects were undertaken to assess the five stage model into early learning and childcare, financial and professional services and the Glasgow College region. It seems to me that the early learning and childcare pilot did yield some positive results. What factors contributed to the success of that pilot and what lessons will land from it? I'll invite the team in pretty quickly, probably Rebecca, just to say about the five stage model and then the evolution into the three principles stage and then about the pilot results as well. I think it's fair to say that the case study that we note in the report in early learning and childcare is positive that there were successes coming out of that work and opportunities to apply that learning across other aspects of the model. 
I wouldn't want to characterise the entire report on skills alignment of that there haven't been some aspects of progress because I think in that case study we would say that there have been but the applicability of that learning has been challenging for a variety of other circumstances. Before I invite Rebecca in, I think it's also fair to say that one of the other conclusions that we draw in the report is that it's unlikely under the current arrangements to deliver the step change needed in skills alignment that we're still seeing a lack of consensus between SDS, SFC on the respective models and how they'll be brought to bear also as an issue that needs to be resolved and relates to our recommendation that there has to be a consensus for this to work to best effect, whether it's five stage, whether it's a three stage model that both parties have to agree and how best to move forward with skills alignment that there is that clarity. Rebecca will want to say more, I'm sure, about both the pilots and the respective models. As you recognise, Mr Hoy, those pilots happened quite early on in the process in terms of the ambition towards skills alignment and making that a reality. Those pilot projects were a good test of that five stage model and provided some indicators as to what could work well and perhaps what didn't work as well. As well as the things that contributed towards success in those pilots, they also highlighted at that early stage that there was a lack of understanding around what skills alignment meant, what it should look like and what the respective roles and responsibilities of those involved were. That was flagged up quite early on during those pilots. As SDS and SFC moved on from those pilots and tried to implement the five stage model more broadly, it quickly became clear that there was that lack of consensus that the Auditor General referred to between the two agencies around how skills alignment should work and how that model should be applied. 
For SFC in particular, they found it difficult to see how the model could be applied in practice to further and higher education sector effectively and felt that it did not fully represent some of the mechanisms that work within those sectors. In terms of the detail of the particular pilot that you highlight and the elements that work well, if it is okay with the committee, that is something that we can provide in writing. I do not have those details to hand just now. Areas of evaluation. I think that you just referred to it. It says in paragraph 26 in the note that there was no clarity in terms of who should lead the process of alignment. If we do not know who is leading it, how is it going to get off the ground? As we move to a three-stage process, which is the three strands of sectoral and regional projects, national initiatives and analytics, is there any clarity that the three strand model that is now referred to is going to make much more progress? I note in the report that you should also show that this approach is already showing signs of stagnation. Is it not essentially going to just repeat the mistakes of the five strand or the five step model? We hope not, but there needs to be clarity and consensus between all three parties as to how the three strand model will work. I think that that is the basis for the third recommendation that we have in the report. Unless there is clarity and consensus and a shared understanding, there are risks repeating the lack of progress around the skills alignment that we have seen over the course of the past five years. I do not wish to labour the point, but I think that it really matters regardless of whether it is a five stage model or a three strand approach that is understood as consensus. It is accompanied by milestones, intended outcomes, clarity, transparency of the costs and impact of the respective models. 
We will continue to monitor and track that both through our annual audit work and consider if any further public reporting is required. Just one final question on funding, if I can. Paragraph 14 states that, in October 2019, the Scottish Government instructed SDS and the SFC to implement a new funding and delivery model for foundation apprenticeships and graduate apprenticeships, two fundamental elements of what we are talking about here, but it appears that through your report that you are raising concerns that sustainable funding for these two areas is still uncertain. Why do you think that the Government has not been able to provide sufficient clarity on where this funding will come from? I am going to invite Gordon to come in and say a bit more as the auditor of SFC and SDS. Ultimately, it will be a choice in terms of the funding distribution as to how it looks to apply that to the respective agencies. We have commented in the committee on a number of occasions about the need for greater transparency and clarity to support long-term financial planning of all public bodies so that they are able to be clear with the recipients of their work, and particularly in this example with employers, students and so forth, that they know what is available and what they can expect. If we have any more detail, Gordon might be able to provide it, but again, we may need to come back to you in writing, Mr Hoy, or perhaps the respective organisations that we would be in a better place to answer, but I will just check with Gordon first. Thank you, Auditor General. I do not think that there is much more to say in that particular point. It is a point that we feel strongly about as part of our routine annual audits. We are looking at financial sustainability as part of our wider co-work that we do, so it is not just about the financial statements, which are important, but it is also about other elements of public financing governance. 
We have certainly been flagging in the case of Skills Development Scotland, which has had responsibility across the whole range of apprenticeships, the whole question of financial sustainability in the context of budgets that are coming through annually, and that question about longer-term financial planning. Obviously, when you commit to apprenticeships, it is over a period of more than a year, and that is important for the individuals that are involved, but for the employers and the training providers. It was appropriate for us in this report to flag that change that is happening. It comes off the back of changing how some of the funding comes through from what was previously the European Social Fund and with responsibilities transferring over to the funding council. It is a crucial area in ensuring a smooth transition. We are putting a marker down that we are not quite sure how that is going to unfold. I agree with the Auditor General. It is something that needs to be explored further, probably, with the two organisations that are at the front line of this, as it were, just to make sure that that happens at the best that it can. Indeed, the funding commitments are clear into the future so that everybody can be individuals and employers and the public organisations involved can have assurance that the money will be available to make sure that, ultimately, people come off the back of apprenticeships with the skills that the economy needs to be successful in Scotland. Thank you very much indeed. There are a couple of other areas that I think we wanted to explore before we finished the session this morning. Again, what was striking to me was that there was a heading here in an Audit Scotland report, which is that staff capacity constraints within the SFC created tensions between the agencies. 
It goes on to talk about the fact that there were staff capacity constraints in the Scottish Funding Council, and that was highlighted to the Skills Alignment Joint Programme Board in February 2020. My first question is, who is on that board? Who is represented on that board? Was any action taken at that time? Do you have a view on an atmosphere where tensions exist between two agencies, both of which are supposed to be serving the public interest? On the point of who is on the board, I will ask Douglas or Gordon to set that out for the committee. On the wider point of tensions, it was clear from our work that manifesting itself in terms of both a lack of consensus around the different models that we have talked about, some of the governance arrangements that the committee has also explored this morning, the reporting lines, and the contribution of different teams into different initiatives have all been features of the evidence that we have gathered from our report. Just before handing to the team, I think that, if I may, just to reiterate that a new strategic outcomes framework will help, as will clear letters of guidance, but the culture of working together between the two organisations is a key component of the successful delivery of skills alignment. Capacity constraints have been a feature, but the tensions that have manifested themselves as a result of those issues need to be resolved in order for skills alignment to have the impact that it needs to have for Scotland's economy. I will pass to convener to the team, if colleagues can select themselves as to who is best placed to take the committee through their membership of the board. We would need to get back to the committee on the details of board membership. That is fine, Douglas. If you could do that, that would be helpful. 
It helps us to navigate through this myriad of organisations, committees and boards that are supposed to be working together, not in all cases apparently doing so, to further this skills alignment agenda. The other thing that was mentioned in the report was that there is now a proposal to increase the funding to the Scottish Funding Council and the Advanced Learning and Science Directorate in 2022-23. Is that money being ring-fenced to boost the skills alignment agenda, or is that just additional funding resourcing that is being given to the director and to the agency? I will ask Rebecca to come in on that point. I am not sure that we would apply the term ring-fenced on it just about whether that is relevant in the circumstances. It relates also back to Mr Coffey's previous question about the SFC's review of tertiary education, which might also be a factor of some of the application of funding into next year's Scottish budget. Rebecca, I might want to say a bit more, and as I have a convener, if we do not have that detail, we can come back to you in writing. This is a commitment that the Scottish Government made last year to increase resourcing for the SFC, recognising the capacity constraints in there and also in the Advanced Learning and Science Directorate of the Scottish Government. The draft budget documents for 2022-23 do not include any specific information or details on what funding is available, so we are not clear on what that actually looks like, how much that might be or, as you say, if it is ring-fenced funding or not. We understand that that is a conversation that the Scottish Government is continuing to have with the Scottish Funding Council. It may be an area that the committee would want to follow up with. Thank you, Rebecca. I am sure that we will consider that. I know that Willie Coffey wants to come back in. I will bring you in at this stage before we go to the last lap of our evidence. Willie Coffey. Okay. Thanks again, convener. 
Auditor General, I wanted to say something about the regional dimension to all of this. You have mentioned in the report that the Government signalled a change to this approach to skills alignment in December 2020. My interest is in how do we plan locally, regionally in Scotland, for example in Ayrshire, to match up the skills that we need for the economic opportunities that are emerging in the Ayrshire economy? How does that shape up by what we offer, by training in courses and so on in our colleges locally? Can you say a bit more about the regional dimension to this and what the impact of all your report is having on the successful delivery of that? I will do my best, Mr Coffey, recognising that it is a complex landscape in terms of skills planning, skills alignment across Scotland and the respective roles that the Education and Skills Strategic Board has, such as SDS and SFC. It is also worth recognising the important role that Scottish Enterprise has, particularly the new enterprise agency—I should say the Highlands and Islands Enterprise—and the southern enterprise agency that it newly created for the south of Scotland. Other players are also relevant, notably Scotland's colleges that you touched on and the local authority to all have a role. However, in terms of the impact—I think that you asked about the impact—of the report, Gordon alluded to this in one of his earlier answers. As we often hope to be the cases that our audit work leads to improvements and leads to change and how public services are delivered, our expectation is that, through the report, there will be more clarity in terms of how skills planning will work between the lead players and that that flows through to a regional basis, which is relevant. However, to individual learners and individual employers, they will see improvements in the planning of apprenticeships and the planning of relevant colleges courses. 
That is tailored to the employment and industry circumstances of different regions in Scotland, which are supported by appropriate funding arrangements. I do not need to tell the committee that the circumstances arising from the pandemic have led to challenges in different parts of Scotland. We know that some parts of Scotland are more reliant on leisure, hospitality, service industries and the challenges that those businesses have faced. Therefore, the skills alignment, skills planning for training courses, apprenticeships, colleges courses and so forth have to be tailored for the different needs of Scotland's regions and council areas. However, it is important that we see the impact that is sustained, Mr Coffey, that the value of skills alignment feeds through to the different areas of Scotland. Gordon might want to come in and say a bit more about, through his work on Scottish Enterprise, if there is anything that he wishes to add. I think that it is a point well made by yourself, Auditor General, about how the whole system works together. Also from Mr Coffey, I absolutely agree that, ultimately, we will have a conversation this morning about governance and structures, letters of guidance and so on. All those things are important, but ultimately it is the difference that it makes in terms of post-school skills and workforce skills. The information that we have about some of the regional approach here gives some sense of what can be achieved when we look across the piece in terms of the proven apprenticeships and how colleges and education work together to better skills. That is the intention here, but I think that it is worth us collectively keeping our eyes on the particular outcome here, which is better skills that support the economy and fill the gaps and best use of public money. 
It is a point well made and something that we all expect to be able to see evidence of that from Government and those involved as the coming months unfold very much in line with our recommendations and reports so that we can see progress and allow promote scrutiny of progress and improvement, as the Auditor General says. Thank you very much for that to both of you. Back to you, convener, thank you. Willie, thank you very much indeed. We have just got a couple more questions that we want to ask about. I am going to bring Craig Hoy in a minute, but one of the other substantive areas of the report is around data sharing. One of the threads that seems to run through the report is a lack of consensus between the two agencies, a lack of agreement on timescales, success measures and so on. There also appears to be an inordinate delay in getting into place a data sharing agreement that addressed the task at hand around skills alignment. My question is really just to understand why there was such a delay in getting the data sharing agreement in place. Data, it seems to me, is absolutely fundamental to the planning of future demand in the labour market and the kind of skills that we are going to need in five years' time, ten years' time and so on. That data, that evidence, is absolutely critical. Why did it take so long to get to the point that we have got to? Even now, is that data sharing agreement fit for purpose? Will it address the challenge that we face? I am going to hand pretty quickly to Rebecca, just to take the committee through the circumstances, but I really agree with the premise of your question that it is a vital component of tracking impact outcomes, progress and it has been an unhelpful feature of the skills alignment progress that, in order to assess progress, you need to have the data. There needs to be consistency of data between the organisations and unfortunately that has not been the case. Rebecca will take the committee through where we are now. 
Data sharing is a really essential part of the skills alignment process in being able to assess skills demand and for SDS and SFC to use that data collectively to help inform investment in skills provision. As you recognise, there were delays in getting a data sharing agreement together. That was something that was progressed by the permanent skills alignment director when they took post and it was pushed forward by them. As you recognise, the delays in pulling that together did impede progress and we cite that as one of the obstacles in our report for lack of effective joint work between SDS and the SFC. Gaps in data were identified by both parties. I think that we would argue that there will never be perfect data and that organisations need to try and work as best they can with the data that is available. In our recommendations, we recommend that SDS and the SFC work together to overcome the obstacles to joint working and specifically cite collectively using data together as one of those specific obstacles where we would expect to see progress made. In the report, you describe it as a barrier to progress, which needs to be broken down. I want to turn to Craig Hoy, who has a last question from the committee to ask. To open on paragraph 1 of your report, just looking at the skills gaps and the effects that those will have on Scotland's labour market and ultimately the economy, we will see those in the form of two costs today—for example, as we have seen in social care, where your recent report identified the crisis in care and the costs that are not dealing with preventative care, meaning at the other end of the spectrum. We will see it, for example, as you identify in digital and climate emergencies where there will be a huge economic opportunity cost in not having the skills to meet the future demand within those sectors. 
On that basis, looking at the skills gaps today and the future, what confidence have you got that the Scottish Government, along with its partners, is satisfactorily addressing those skills gaps? As ever, Mr Hoy, it is one of those ones that our audit takes us up to a certain point to the end of November. Clearly, what we are highlighting today is that there are very significant risks and challenges to be overcome in order to address the challenges that Scotland's economy is facing and that it has the labour in place to tackle the skills gaps that are under utilisation. Historically, the relative challenges in terms of the productivity of Scotland's labour also need to be overcome. It relates back to the point that I touched on a couple of times today and last week with the committee that the relative performance of Scotland's economy compared to the rest of the UK is so important with the increasing powers of the Scottish Parliament and that that will directly impact on the availability of public funds to Scotland. We make recommendations, as we do in our reports, on the need for urgent progress and leadership for all the context that we look to set out in paragraph 1. I am not able to offer you assurance today that that will happen, but the need for urgency that it does happen. Thank you. That was the final question. I thank the Auditor General and his team, Gordon, Douglas and Rebecca, for joining us this morning. We are now going to have a changeover of witnesses, so I propose to suspend the meeting. I reopen this morning's Public Audit Committee meeting. The next item on our agenda is consideration of the 2021 Audit of the Scottish Environment Protection Agency. We are joined this morning by the Auditor General, Stephen Boyle and also via video link Morag Campsie, who is a senior manager audit services in Audit Scotland and also by Joanne Brown, who is a partner in Grant Thornton, who carried out the audit on the ground, as I understand it. 
However, I invite Stephen Boyle, Auditor General, to make an opening statement. Many thanks, convener. On Christmas Eve 2020, the Scottish Environment Protection Agency experienced a sophisticated ransomware attack, which meant that its systems and data were inaccessible to its staff and customers. The majority of SEPA's data, including underlying financial records, was encrypted, stolen or lost. I have prepared the report today under section 22 of the Scottish Public Finance and Accountability Scotland Act on the 2020-21 audit of SEPA to highlight the significant impact that the ransomware attack has had on SEPA's operations and staff on its ability to deliver its services and on the preparation of its annual report and accounts. SEPA had to recreate accounting records from bank and HMRC records. That made it difficult for the auditor to gain sufficient evidence to substantiate around £42 million of its income from contracts. As a result, the auditor Grant Thornton has issued a disclaimer of their audit opinion, a very unusual set of circumstances and choices for an auditor to make. SEPA was able to prioritise and deliver some of its critical services within 24 hours of the attack. However, over 12 months on from the attack, it continues to rebuild and reinstate some of its systems. The full financial impact is not yet known. SEPA will continue, therefore, to face financial and operational challenges in the years to come. SEPA, convener, has demonstrated a willingness to learn and to help other organisations to learn from the attack. There are on-going investigations, and not all of the findings can be publicly made available so as not to expose any potential vulnerabilities. It is important that all public bodies learn from this incident. Independent reviews have identified that SEPA had good cybersecurity arrangements in place, but they have made 44 recommendations of which SEPA have accepted and are taking action. 
No organisation can fully mitigate against the risk of a cyber attack, but it is crucial that public bodies are prepared and have fully tested systems and plans in place. As you mentioned, I am joined by Joanne Brown, who is the external auditor, who will be able to support me with answering the committee's questions in terms of the annual audit and its impact and how SEPA has responded. I can also say that one of the senior managers in Audit Scotland who leads on much of our digital work and between the three of us will do our best to answer your questions. That is great. I am very much appreciated. I will go straight into the questions and invite Sharon Dowey to pose a couple of questions that she has. Good morning. You touched on it in your open statement. Paragraphs 89, page 4 of the report, state that SEPA commissioned independent reviews of the cyber attack so that it and the wider public sector could learn lessons. It concluded that SEPA had a high level of cybersecurity maturity, but the further improvements could be made. The independent review made 44 recommendations, as you have just said, for SEPA to take forward to enhance processes and controls in relation to information security. 44 recommendations seems a lot considering SEPA was found to have a high level of security maturity. How likely is it that other public sector organisations also currently consider to have a high level of security maturity, may be at risk, from a similar cyber attack? Have all the recommendations been passed over and are they taking action on it? Good morning, deputy convener. I will ask Joanne and perhaps Morag also what I want to say a word or two about this. I know that the recommendations and the number of recommendations, inevitably, they will be split between high, medium and low risk. Joanne will want to say a bit more about the grading of those and the progress in terms of their implementation. 
I do not think that it detracts from the overall conclusion that we have made in the report that SEPA, as the independent reviews have concluded, was well prepared. It did have a high level of cyber awareness, the training for its staff, tested its systems and so forth. It had emergency plans in place. I bear in mind the type of organisation that it is. It is a regulator. It does respond to emergency incidents. All those have been fed through to the type of organisational culture of preparedness. Before adding to Joanne and Morag, I would stress that preparedness can only take you so far with determined criminal intent. That is what we are noting in the report, which is that any organisation can be vulnerable to a cyber attack. By way of context, at the time that SEPA's incident took place, there were other incidents in the Irish health system and in a small public body in Wales. We have seen, even in the past few days, that there have been further reported incidents in respect of the Foreign Commonwealth Office. There is no organisation that can do anything to guard it in its entirety against a cyber attack. In that context, we conclude that SEPA was well prepared and had a high level of maturity, but that did not stop the circumstances that we will come on to talk about further. I am sure that I will pause and hand over to Joanne and then Morag. Forty-four improvement recommendations were pulled across from all the independent reviews, and, as the Auditor General has outlined, those are categorised in terms of priority and risk. From speaking to SEPA, approximately half of those have been completed, and they are on track to complete the majority of those by the end of March this year. That is something that we will focus in on in our external audit for 2021-22. They routinely report progress against the action plan to the agency management team and through to the audit committee. 
There are a couple of those recommendations that require longer-term consideration, particularly around areas of investment and priority, which they are continuing to discuss with the Scottish Government. Those actions might slip beyond 31 March, but it is something that SEPA is tracking very carefully, and a number of those actions have been completed. I was going to ask about progress there, so you have already answered my question. That is great. Willie Coffey, who is joining us online, has a question that he wants to put, so I am going to bring Willie in just now. Willie Coffey, who is one of the lessons from this? The whole cyber criminal fraternity has a step ahead of the game here, despite various organisations' best efforts to have the best systems and security systems in place. I imagine that a number of those recommendations try to address that. First, we know that it is still subject to an ongoing police investigation, but do you think that you will be able to tell us where the exact root source of the attack managed to penetrate systems, or will that remain confidential? We will do our best, as you would expect. We will say as much as we can today and as we set out in the report that the general consensus was that the route into SEPA systems was through a phishing incident or a phishing attack. Committee members will be able to say that this is a genuine or an email masquerading as a genuine email, and a link that typically a member of staff would click on the link, and that then sets out a chain of events in terms of virus ransomware into the systems. Unfortunately, Mr Coffey, that means that there is likely to be an element of human error that has allowed the attack, the route into SEPA systems. 
The specifics on that have probably gone as far as we were able to in the report, but the phishing attack is also safe to say that no matter how much training and preparation that is done, that those events do happen in even well prepared organisations with high levels of maturity, it needs to be reinforced with training, with IT departments and also with colleagues across the piece that everybody is able to exercise a degree of caution when they receive an external email and think really carefully before they click on any link. Absolutely. I imagine that the cyber attacks make a reason to guess about the behaviours that we all eliminate when we're using computers and so on, and we're all vulnerable to this when we get emails and we inadvertently click a link. That seems to be a fairly common route for them. It would seem to me that the sophistication that all systems need is to somehow guard against that even when we do make those mistakes. I'm hopeful that any of your colleagues might say a little bit about that, but whether additional protections can be brought into systems like that so that if we are subject to phishing, even if we do click the links, there's still a degree of protection available to us to protect the systems. I'd like to say a bit more about perhaps what unfolded here. We're also moving forward in the generality of how we might guard against some of the after-effects of a phishing attack that's successful. Unfortunately, it was one of the features of this attack and we refer to the language a number of times in the report of sophistication in the nature of the attack and the debilitating nature that resulted in particularly the availability of backups so that when an attack happens, data is locked, compromised, is that organisations typically have a backup server with the information that they're able to recreate pretty quickly. 
That didn't happen in SEPA's circumstances because the backups were also lost or hacked, hence being dreamed as we set out in the report. That's still being felt in terms of recreating systems. It led to the audit qualification and availability and reliability of the information in SEPA's accounts. The learning from that matters, Mr Coffey, but I'll invite Morag just to say about what's come next, but perhaps also how public body can guard against their systems even when a phishing incident does happen. Morag. Thanks, Auditor General. One of the really important things is that it's best for everybody in the organisation to be cyber-aware in the first place. Training is crucial, but it's also setting culture within the organisation and that awareness that people know what to do if they spot anything suspicious or if they think that they might have clicked on a link because if they feel confident to notify the appropriate people quickly, then the incident response plan can be put in place. It's key that organisations have a tried and tested cyber-incident response plan in place, but there's a lot in terms of the infrastructure that can be put in place around network segmentation, authentication and making sure that user access is controlled as well. The SEPA report and the foreign independent reviews make a number of recommendations around all that in terms of protecting assets, detecting attacks and how to respond and recover from that. I think that what I would also say is that it probably will need a collaborative effort that has been demonstrated in this incident as well with the Scottish Government's cyber-resilience units and the National Cyber Security Centre and the Scottish Business Resilience Centre, working very closely with SEPA in its response to make sure that they took action quickly and kept the rest of the public sector informed throughout the process. Willie, do you want to come back in? I was just waiting for the mic to come back on there. 
On the point of the backups, convener and Auditor General, the backups data seem to be targeted early. I have to say that I'm a wee bit surprised at that about how easy it was to get access to the backups. Systems are, I would have expected even in my long experience of working in computing, that backup data would be physically separate, logically separate so that it is not subject to that cyber attack and it's completely protected and separate from the main data, let's say. I don't think that's been the case here and I just wonder if that's an area in terms of the recommendations that you're inviting SEPA and indeed any other organisation to look a bit more closely at to protect, to essentially separate and protect the data that's essential to keep the business running. I'll ask Joanne to say a bit more about the recommendations and if they relate to backups, but it's a fair conclusion that you reach, Mr Coffey. The principle of backups is that they are available in the event of not just an IT security attack but, just in case there's a system failure, organisations can re-create, re-install and pick up where they're left off, as it were. Beforehand, it's also fair to say that the sophistication point that we draw in the report targeted backups in the way that it did at the hallmarks of the ransomware. I think that I haven't just to state for the record that SEPA didn't pay the ransom, so public money wasn't used to that effect, but not having access to the backups has really been debilitating to the organisation in terms of the availability of its records, re-creating its accounts and so forth. I really set a challenging set of circumstances, but in terms of the recommendations in the back-up last Joanne, just to speak to the committee about that. 
SEPA had in place a digital transformation strategy, and what they've done as a result of the cyber attack is escalate that digital transformation, but within the 44 improvement actions, there is something specifically there around backup, and part of that is looking at cloud-based storage, including cloud-based backup and strengthening the backup arrangements in place. That is captured within the action plan, and that's something that they're taking very seriously within the improvement plan. Will that give you the assurance, though, that if SEPA has another attack, a similar attack, there's bound to be, there's bound to be another attack on some organisation, but to have a direct link possible to the backup, data and servers, from the main data and servers, is still dangerous to have in my opinion, and there should be some kind of physical separation and logical separation of the two, so that if the attack is successful in one part of the operation's data, then it doesn't succeed in the other one because they're second. Is that something that they're planning to consider? My understanding in terms of the backup is that there's a number of conversations going on with those that supported SEPA in the independent reviews around that backup arrangement and how best to ensure the security of those backups. Obviously, in that case, it was a very sophisticated attack, and if an attacker wants to manipulate a system and get around a system, they'll do their best to do that, but SEPA are taking advice on how best to have that segregation and how best to protect those backups. Should there be something in the future that impacts on SEPA from a cyber perspective? That's good to hear. I'm convener. You'll be delighted to hear that in my days working with computers and our guys, we used to take the backup in a case and take it to the bank on a server. 
You know, we would actually take a hard drive away and just make sure it was physically protected, so that if something like that happened, you could immediately restore it. I think that there's a lesson from the past there, I think, with some of that. My last query is just about the training for the staff. I mean, it's recognised that the SEPA staff were well trained in all of these aspects and the care of that. Going forward, is there further plans to improve training, to try and look at cyberattacks and make the staff more aware of the possibilities in the risks? I'll start, Mr Coffey. I'll enjoy my answer a bit more, too. I think that there is a fair conclusion that SEPA did have a high level of cyber awareness across its organisations. We know that, in the report, 95 per cent of people were trained up-to-date in their training. You could reasonably ask, well, was it one of the 5 per cent that clicked on a link? I don't think that we know the answer specifically to that. Inevitably, there's turnover of staff, people may not be available for whatever reason to do their training, but 95 per cent is a good level of confidence that an organisation is prepared. The importance of further training is always there, not just for the organisation to follow through in the recommendations, but the individual members of staff, absolutely in SEPA, but also that there's a sharing of their experience across other public bodies. I think that it's important to recognise that we think that SEPA has been doing that. In a way that's probably been difficult for the organisation, it laid out the circumstances that they've faced. They have reported publicly on some of the circumstances that they've faced and the steps that they've been taking. That transparency is welcome and the real necessity for other public bodies to learn from their experience and do their best. There's no guarantee to avoid the cyberattack that SEPA has faced. 
Again, Mr Coffey, I'll pass to Joanne for anything that she wishes to add about the training in the next steps. Thanks, Auditor General. The only other thing that I would add is that training is again captured in the improvement action plan with a look at mandatory training as well as a programme of greater training around awareness. SEPA has more than 1,000 staff, so they have a high proportion of staff across the organisation. What they have looked at is mandating that training, but how do they make sure that all staff are reached and that the training is all completed by all staff? That is something that they've got in place as a forward plan, not just of the back of this improvement plan, but how do they continue to strengthen training, particularly on awareness training across the organisation? Thanks, Willie. I think that we will come back to you before the end of this session for another area of questions that you've got, but I'm going to turn now to Craig Hoy, who wants to explore the response, both in immediate and medium term, that SEPA has made to the crisis attack when it happened. Craig? Thank you, convener. If I may, Mr Boyle, it looks like this ransomware attack was quite carefully timed coming midnight on Christmas Eve. We were aware through the report that the person responsible, the staff member, was unable to contact any member of senior management to escalate the issue. Have you explored whether SEPA now has contingencies in place to make sure that, should that situation arise again, that channel of communication would be open and available to them? Good morning, Mr Hoy. Do I confirm that specific point? I think that your understanding is that, yes, that's the case that they have reviewed their immediate response protocols. 
I think that it's not just that it relates to the contactability of senior management important that it is, but it's also touching on paragraph 15 of the report that the information services department of SEPA wasn't part of the immediate response protocol either. Given the nature of the attack, that's clearly a learning point for the organisation, too. We understand that both those points have been rectified, but I'll just ask Joanne to confirm that that's the case. Yes, I can confirm that that's the case. I can also highlight the report itself on paragraph 19. It talks about business continuity plans and storage of the business continuity plans. Unfortunately, they couldn't be accessed after the event and they've strengthened again their security and how they document business continuity and who's aware of that following the incident. In paragraph 18, the report states that SEPA has been open and transparent from the start, ensuring that staff, the public and other public sector organisations were aware of what was happening and you also referred to the fact that no ransom was paid. Can you outline the benefits of SEPA taking that approach? Are you aware of any other examples within the public sector in Scotland where that approach may not have been taken on, for example, where public funds may have been used to make a ransomware payment? I'm happy to cover both those things. There's a balance between transparency and sharing, learning the incident and helping other public bodies where possible to avoid the pitfalls that SEPA has experienced. Again, we commend SEPA for taking that approach. The balance is that it exposes vulnerabilities in terms of putting at risk any further cyber attacks. I think that our understanding is that they're carefully treading that fine line so as not to offer any further attempts to criminal enterprise in respect of the incident that you referred to on Christmas Eve. 
No, they haven't paid a ransomware and are not aware of any other public bodies doing so either. I think that the context of this is important that public bodies are subject to phishing attacks, attempts to penetrate their systems day in, day out, and that through training, sophistication around IT security, the vast majority of those have been prevented. Unfortunately, that won't be the last one. There will come another day when there is another cyber incident and that the effects of it are able to be mitigated as much as possible. SEPA sharing their experience is an important component of helping other bodies to respond and prevent. In terms of lessons learned, 103 projects were to be undertaken, identified by the emergency management team as part of the recovery plan. They were due to be completed by June 2021. Have you managed to assess whether all those 103 projects have now been completed as yet? We are seeing real progress in terms of the projects. It is no small undertaking of 103 projects, and I am sure that Joanne will want to say a bit more about it. Some of them come with varying degrees of importance and significance in terms of timing and with any action plan following recommendations. It matters that that is clear as set out who is responsible and that there is governance around it in terms of tracking progress, but Joanne can confirm the status of progress against the actions. Within our 2021-22 audit, we will look closely at the status of those projects in terms of how they have progressed. It was a very large number of projects, and the ordering that the EMT took was around just priority. Priority of SEPA services, priority of customers, priority of stakeholders and priorities of staff. Those 103 projects were ordered in order to reinstate SEPA systems. Beyond that, there will be further projects as they move through digital transformation and recreate and reimplement new systems. 
That will be in 2021-22 and beyond, but that is something that we will specifically look at and comment on in our 2021-22 audit. Thank you very much indeed. One of the striking things in your opening statement, Auditor General, was the fact that the auditor issued a disclaimer of opinion on SEPA's annual report and accounts for 2021. The accounts that have not been signed off, which is, as you use the word, unusual, is extremely unusual. You also said that that was principally because of unsatisfactory records or evidence around the whole of income from fees, which adds up to a notional, presumably £42 million. My first question is, who takes the decision to put in that disclaimer and not to sign off the accounts? Is that Joanne, Grant Thornton? Is that you, Auditor General, Audit Scotland? At what level is that decision taken? I am happy to say a bit more about this, but Joanne is appointed by the Auditor General, Grant Thornton, to conduct the annual external audit of SEPA. She will arrive at her own judgments on the annual report and accounts that are presented to her in terms of auditing standards and the code of audit practice. I will pass to Joanne in a moment to set out for the committee how she arrived at that judgment in terms of her independent auditor's report and opinion. To perhaps say in context, it is very unusual, convener. There are very few examples of where an auditor has been unable to achieve or see sufficient evidence to support providing an opinion on an annual report and accounts of a public body in Scotland. The circumstances here have clearly contributed to the unavailability of accounting and banking records, and very specifically, as we note in the report drawn from Joanne's annual audit report, that that relates to income from contracts. 
As we have touched on this morning, SEPA, a regulator, charges fees for some of its services, and Grant Thornton reached a judgment that they were not able to see sufficient evidence for income from those contracts. That has a pervasive effect against many different components of the annual report and accounts. I can very clearly understand and Joanne and I have spoken at this length as to why Grant Thornton were not able to give an opinion and thus issue their disclaimer of opinion. Probably enough for me, convener. I am sure that Joanne will want to say more. In terms of the circumstance and what happened within SEPA, as part of the cyber attack, SEPA lost its entire financial ledger and financial records. It therefore had to recreate effectively those financial records to recreate the financial statements. From the very start of our audit for 2021, we have been in conversation with the Audit Committee in their role as those charged with governance around the difficulties in undertaking an audit, the alternative audit procedures and what that could mean in terms of our opinion. That challenge has been well recognised by management and the Audit Committee itself. What I would say in terms of SEPA is how hard, as a group of finance individuals and as a finance team as an organisation, SEPA worked to recreate those financial records. Some of that has been through bank records, some of that has been data that they could recover via email. It has been what records they have to effectively rebuild the financial position during the year and those financial statements. While we were able to get assurance over expenditure, we did not get that same audit evidence and assurance around income. Particularly in terms of whether we could see the income hit the cash, we could see it in the bank, but what SEPA was not able to do was to match that to the individual customers. 
For us, it is around whether that material misstatement or otherwise on the income in terms of accounting records. I am very clear that it is an unusual situation to issue a disclaimer opinion. One of the debates that the Audit Committee and then effectively the board had was around a timing. Could they, in effect, get the financial records that they needed to? Would they ever be able to reach a point where we would not have some form of qualification on the accounts? In thinking about that, what would that timetable look like? For example, I am aware of one organisation down in England that did have a cyber attack. That took them nearly three years to create financial statements and create the financial statements for that year. For SEPA, for management and the board, it was that conversation around what can we practically do and what makes sense and accepting that there would be a qualification in the accounts this year due to the serious nature of losing their financial ledger. Thank you. That is very helpful. I wanted to turn to—let me follow that up. This covers the year 2020-21. Will we, eventually, at some point, even if it is three years hence, see signed off accounts for SEPA for the year 2020-21? Or is that gone forever? From our perspective, we have signed off the 2021 accounts, albeit that disclaimer opinion has very many caveats that said that we are not signing them off, given an opinion that we usually would. Our intention is to audit the 2021-22 accounts. SEPA has put in place now a financial ledger. They have recreated the records that they have the controls in place for 2021-22 that they had prior to the cyber attack. At the moment, we are working closely with SEPA to be able to give them an opinion on the 2021-22 accounts, recognising that there will be opening balances related to income, but what assurance can we get around that to effectively have an unqualified opinion in 2021-22? 
From an audit perspective, we will be able to provide an opinion in 2021-22. We just need to consider what that looks like when we do that audit work. I thank you for clarifying that. That is very helpful. To some extent, you have inferred it, but it strikes me that one of the things that brought out in the report is that temporary financial arrangements had to be put in place, for example, to pay staff salaries as well as to pay suppliers. Can you tell us from your perspective, as the auditor, whether you were satisfied that those temporary financial arrangements were sound? From our perspective, we looked at the temporary arrangements that they put in place, including things such as segregation of duties and approvals and the judgments that the finance team made in making those payments. We were satisfied that there were controls in place over that. For example, you mentioned their payroll. Until the payroll system was rebuilt, there were satisfactory controls to ensure payment of staff through the banking system. There were controls in place, and SEPA for 2021-22 are looking to restate all the good financial controls that they had prior to the cyber attack within the new financial system and the new ways of working. My final question before I bring Willie Coffey back in is, presumably, that means that you or a team are having to work very closely with the SEPA finance people, their audit committee and so on to make sure that things are going on track at the best pace, the fastest pace that that can be done, while retaining the integrity of the accounting systems. Is that the case that you are devoting a lot of your time to developing things from where they have been? We are working very closely, as you would expect, with SEPA. 
In the aftermath of the cyber attack, we had conversations pretty much straight away with the finance team around the impact of the cyber attack on finances, the financial ledger and we had a number of discussions during the audit around the financial control that SEPA put in place and how we could effectively do the audit. Those conversations are continuing to take place, particularly as we look at how SEPA implement the recommendations and how we plan the 2021-22 audit and what financial controls are likely to be in place and the timing. From our perspective, we have a good relationship with SEPA and the SEPA finance team have been very open and honest around the financial controls and the judgments and estimates that they have had to make in creating financial records. Thank you. As I said, I wanted to bring Willie Coffey back in because I know that he has at least one question that follows up this line of inquiry that we have. So, Willie, back to you. Thanks again, convener. Before I just ask a question on looking ahead to the financial sustainability of SEPA because of all of this, I am just curious again, if you do not mind me asking us in general, what kind of volume of data are we talking about here? I can only see a reference in your report in Appendix page 9. I think it is to about 1.2 gigabytes of data that was stolen. Is that what we are talking about here, 1.2 gigabytes of data? That is a tiny amount of data that has caused such a catastrophic impact. I refer back again, convener, to the point that I made earlier about offline storage. You can buy data sticks that can accommodate huge amounts of data for per 10 quid or 50 quid. You can put almost your entire data set on physical separate data sticks and make nothing can hack them if you do that. I am wondering if there is any information on the volume of data that we lost and whether we have the right strategy in place to protect it. Thanks, Mr Coffey. You are highlighting the Appendix. 
We used the expression that the 1.2 gigabyte of data is equivalent to a small fraction of the contents of an average laptop hard drive. In the greater scheme of things, not a huge amount of data but 1.2 gigabyte can contain many tens of thousands of records and transaction history. As Joanne is outlining, you can refer to in the report that within that sphere that has meant that there has been either a locking, an encrypting or a loss of some of those vital financial and system records in order for SEPA to function. It probably speaks to the point that you are making about the ever-increasing reliability that we have on IT systems to, as we lead our lives and as public bodies, deliver their services. It is important to agree with your earlier questions, Mr Coffey, that when an event happens that there are sufficient safeguards in place in terms of backup and to recreate notwithstanding the sophistication of the nature of the attack that targeted those backups. However, the direct point of your question is that 1.2 gigabyte, although in the greater scheme of things are small and you could replicate that in the palm of your hand in an external storage drive, can still contain tens of thousands of records as well as the case in those circumstances. In relating that to the audit qualification, that meant that Joanne and her team were not able to see with sufficient evidence how that translated into the £42 million of income from contracts. My final question is about the long-term implications for SEPA in terms of its financial sustainability. I know that you said that we do not know the full cost of the cyber attack, but have you got any kind of indications of how that is going to affect SEPA and its financial sustainability going forward? Yes, and we touched on the financial sustainability point and the reporter said a bit more about that. SEPA's financial strategy had identified up to £17.9 million of vulnerability and variability in the longer term up to 2024. 
As Joanne has already mentioned, there is now a digital transformation strategy that SEPA is reasonably deploying that is not necessarily a case of trying to go back to where it had been but perhaps using a catalyst for how it will deliver its services in the future and what that will mean for the nature of its activity and its work. As with all public bodies, they need to manage and track profile their financial position and sustainability into the future. They have forecast, Mr Coffey, that there will be a surplus of £6.2 million in 2021-22 and to use that to support their recovery and transformation. As Joanne has mentioned, she will continue to track and monitor and report on financial sustainability during the annual audit. I want to turn now to a final question, but in a sense it is absolutely critical that we ask this. There are clearly wider implications here of the incident that happened on 24 December 2020 to the whole of the public sector. In the report that was made clear in paragraph 34, it is important that all public sector bodies review the recommendations of the independent reviews that have been carried out of SEPA's cyber attack and lessons that I have learned from what happened to SEPA. My question is whether you can talk us through your understanding of any steps that have been taken today, either by the Scottish Government or by other public sector bodies, to make sure that lessons are learned and that the experience that SEPA has gone through is shared and acted upon? I will start, convener, and I will ask more. I want to come in and say a bit more about the Scottish Government's role in this and its cyber strategy as part of, not just the important learning from this incident but also more widely how it is leading in terms of helping all public bodies in Scotland to learn from this, but also to safeguard against the incident. 
The other point that I would make is that, as external auditors, between myself and the Accounts Commission, we appoint the external auditors of over 200 public bodies. Those auditors look annually at aspects of IT controls and will report through our annual audit reports on the extent to how robust they are, particularly where there is any deficiency. As ever, there is an onus on public bodies to be satisfied about their own internal control arrangements, how robust they are and that also includes cyber. There is an audit work responsibility and a responsibility of individual organisations, but, in the role of the Scottish Government, I want to bring more again, just to say a bit more about the strategy and what the Government's intentions are around cyber. As we have said before, both SEPA and the Scottish Government have been sharing the independent reviews and they are readily available for public sector bodies. There has been a series of events to raise awareness. There are a couple of aspects. As the Auditor General said, the strategic framework, which built on the cyber strategy, came out in February 2021 last year. That set out action plans for the public sector, private sector and third sector. There is an action plan on learning and development and skills, which is a key area, as we have said before, in terms of making sure that employees are cyber aware and making sure that the IT specialists have the right skills. In that, I took evidence earlier today about skills planning. We know that that is a key area in terms of making sure that the skills pipeline is in place for computing skills. The Scottish Government is looking to make investments to ensure that computing skills and that pipeline are invested in. We should also say that the national cyber incident response regime is making sure that it is effective. 
The Scottish Government intends to bring in a central collaborative function to make sure that all the resources and technical expertise are approved. Obviously, the public sector has a number of organisations of different scales and sizes, so they have different resources available to them. There is a role for the Scottish Government there in making sure that the centralised functions that the organisations can go to get information, share intelligence and make use of resources to make sure that they are prepared as possible and that they can respond quickly as well. We will continue to monitor the implementation of those arrangements as they go forward. Morach, thank you very much indeed. Auditor General, I do not know whether you want to add anything to that. No, convener. Morach is reasonably set out. It is an important point to agree with her. There is a wide range of scale and size of public bodies in Scotland. The ability to recruit and retain key IT skills is challenging for all public bodies, so there are centres of excellence through the Government to support all public bodies is a vital component for all of them to guard against and prepare, mitigate and, if necessary, recover from a cyber incident. Thank you very much indeed. As you know, the committee retains a watching brief on ICT projects not least from the capital expenditure point of view, but we will also look at the security aspects of it as well. I think that all of us need to learn the lessons of the experience that SEPA has undergone and make sure that the impact of that on an organisation that is mentioned in the report is by its nature geared up to dealing with emergencies has had to deal with something that maybe it did not foresee and I think that there will be broader lessons which the whole of the public sector needs to take from this. I thank you very much indeed for your evidence this morning. Morach for joining us online, Joanne and Auditor General. 
It has been a very useful session for us and we will consider our next steps shortly, but I want now to bring the public part of this morning's committee meeting to a close. Thank you.