 Welcome to the first meeting in 2017 of the Scottish Commission of Public Audit. Before I begin today, I would like to welcome Jackie Baillie and Bill Bowman, who have joined the commission since our last meeting. I can also put in record a thanks to John Lamont for his work as a member of the commission. I will invite, first of all, Bill Bowman and then Jackie Baillie to declare any relevant interests that they might have. Thank you. I would refer to my register of interests and to make the point that I'm a member of the Institute of Chartered Accountants of Scotland. I was until 2012 a partner in KPMG and in 2016, through a consultant's aid, did some work for KPMG but I have not been involved with them since I became a member. Thank you. Jackie. No specific interests to declare and I would refer members to my register of interests. Thank you very much and again welcome to the commission. Maybe at this point I should just remind members and the public to switch off the mobile phones. Agenda 1. That's the election of a deputy chair because John Lamont has now left us. I would seek nominations for the position of deputy chair and I'd like to nominate Bill Bowman. Are there any other nominations? Do you accept the nomination, Bill? Yes, thank you. In that case, welcome as deputy chair. Next item in the agenda is item 2, which is the decision on taking business on private. Are members agreed to take item 4 on private today? Thank you. In that case, agenda item 3 is the Audit Scotland annual report and accounts for the year to 31 March 2016 and the auditor's report on the accounts. Maybe at this point I could maybe just put on record our thanks to Douglas Sinclair who's passed away for his services and obviously our sympathy to the family. I think it was in March that this happened. Yes, he passed away in March. He's previously a director, of course. Agenda item 3 relates to taking evidence in Audit Scotland's annual report and accounts for 2016-17. Members have a copy of the annual report and their meeting papers along with the auditor's report, but the auditor's report by Alexander Sloan on those accounts. We'll be taking evidence both from Audit Scotland and from Alexander Sloan at today's meeting. I'd like to welcome Ian Leitch, chair of the board of Audit Scotland and Ian's accompanied by Caroline Gardner, auditor general for Scotland, Dan McGiffin, chief operating officer and Russell Frith, assistant auditor general. I'd like to invite Ian Leitch, chair of the board, to make a short introductory statement of no more than two minutes. Time is tight and followed by the auditor general. Very tough constraint that chair, but thank you very much. As you know, the main task of the board, in addition to the statutory duty to provide the property staff and services required by the auditor general and the Accounts Commission, is to oversee Audit Scotland's operations and make sure that it achieves its objectives and its aims and to ensure that we get value for money because it looks at everybody else to get value for money. In the last year, we have streamlined our work to ensure that we keep pace with wider changes in Scotland's public finances. Significant steps have been taken to improve the efficiency and relevance of our audits and ensure that quality is maintained. During the past year, we have delivered a new code of audit practice 2016 and a smooth transition of new audit appointments and auditors for the next five years. That will save around £1 million per arm. The board was sad to hear, as you have indicated, chair of the death of our colleague Douglas Sinclair, who spent many years as chair of the Accounts Commission and, therefore, by statute, a member of the Audit Scotland board. We have recorded our appreciation for his services and our regrets at his passing. His successor, Ronnie Hines, has recently been appointed to the board in his temporary role as acting chair. Finally, I would like to thank my fellow board members and the accountable officer and all the staff for the hard work. With your permission, chair, and, hopefully, within the time limit set, Caroline can now add a few words. Thank you, chair. As you will see from the annual report, we have maintained our focus on our core work. We carried out over 300 annual audits and produced 20 performance audits in areas such as the NHS, social work and policing. On behalf of the Accounts Commission, we have developed a new approach to the best value audit of local government, and we have also been developing our approach to Scotland's significant new financial powers. All of this has been underpinned by internal work to continue to improve the quality value and relevance of what we do. We have developed a new, simpler and more transparent system for determining audit fees to ensure that audited bodies, parliaments and our other stakeholders have assurance on the cost and the quality of the services that we provide. We have continued to reduce audit fees by 6.7 per cent overall for 2016-17 audits. Looking ahead, we also secured approval for our budget for 2017-18, which will result in an introduction of 6.5 per cent in gross expenditure compared to the 2016-17 budget. This year's annual report records a substantial increase in the number of visitors to our website, as well as the number of downloads of our reports, and our social media engagement is also up. I hope that that demonstrates that our work continues to be relevant and that it is reaching a growing audience. We continue to focus on communicating our messages as clearly as possible. As always, chair, we are happy to answer the commission's questions as best we can. Perhaps I can start with the first question. On page 6 of the annual report, Audit Scotland states that 89.5 per cent of central government audit reports were completed by their due dates compared to 96 per cent in 2015-16. Similarly, 95.7 per cent of NHS audit reports were completed by their due dates compared to 100 per cent in the previous year. Obviously, there seems to be a little bit of a deterioration there. Can Audit Scotland indicate what the reasons might be for that? It is worth noting that they were all delivered within the statutory deadline of 31 December, but I will ask Russell to take you through the handful there that you have identified from the report. A small number were later than our target dates, which, as Caroline has already said, are well within the statutory dates. In most cases, they were only missed the target dates by a few days, generally due to the timing of the availability of accountable officers or audit committee meeting dates. They were not anything that gave us any great concern in terms of the delivery of audits. As I think that you are already aware, one central government body was much closer to the statutory deadline, and that was the police authority, which was also subject to a section 22 report. Were there any other reports that were significantly delayed? No, that was the one that was... Just the one? Just the one. Okay, thank you. Jackie. Page 15 of your report identifies the need to improve the working environment of your Glasgow office as a priority for the forthcoming financial year. I wondered whether you could enlighten the committee as to why the Glasgow office has been identified, simply because recently it was part of an overall rationalisation programme, so I would be keen to understand what is actually going on there. You are absolutely right. We have been coming to the end of an overall property strategy, which has refreshed and streamlined our property portfolio. I will ask Diane to talk you through our plans for Glasgow. Thank you. We are extending and increasing the number of flexible touchdown working spaces in the Glasgow office, and that reflects the different geographical we need following the round of new audit appointments, where we have slightly more people who are Glasgow-based working in the west of Scotland and not located in the audit offices of our clients, so we just need to increase and make available more touchdown space for people moving in and out. We are doing the work over the summer and it will be open to staff at the beginning of August, so it just increases, makes the workplace more flexible and increases our capacity to support colleagues in Glasgow. The cost of doing that, and is that accommodated within your budget? It's within next year's budget, it's not within the annual report and accounts budget, but it's met within the resources that we have. I'm on question 3 as well. There you go. Seven Auditor's opinions were modified this year, one in further education, two in central government, one in the NHS, and I'm told three in local government. Were there any additional resource implications for Audit Scotland arising from those modified audit reports? Russell, do you want to answer that one? Yes, if I can. Yes, in the case of the Scottish Police Authority, which was one of those that was modified as well, it was modified on the grounds that the authority had not kept proper records on its property, plant and equipment throughout the year, though it was able to satisfy the auditor at the end of the year that the figures were materially correct. There was additional time taken to work through all of that and get to the point where the auditor was satisfied, and that did result in an additional fee being charged to the Police Authority. Similarly, NHS Shetland had a modified report for the same reason, and again, the audit fee was increased as a result. So there are no issues for you then about having additional resource because you've recharged that? Where there are chargeable audits, which those were, had those been non-chargeable audits, then potentially, yes, it would have been a resource issue. Is that accommodated? We have an allowance within our overall work plan for a bit of additional audit work, but in this case, they were all once where we could make additional charges. Can I ask how much the additional cost was to both these bodies? I think I'd better say we'll let you have that information after. From memory, I believe, the Scottish Police Authority was £40,000. I can't remember what the Shetland mum was. Significantly less. Thank you, convener. On page 18, we learned that Audit Scotland has received a total of seven complaints from members of the public during 2016-17. That's an increase from 15 in 2015-16. Could you provide some background to the nature of these complaints, where they are vaguely similar? What was the outcome and what lessons have been learned? I'll have a first run-through, and I may wish to add to what I say. Of the seven complaints that we identified in the report, one was out with our complaints handling process, as it wasn't about us, and we advised the complainant to contact the ombudsman. We always try to be as helpful as we can, so we advised them to take that one on. One was about the lack of response to an inquiry that had been made to us, and it was upheld as we investigated it. Two were in relation to Glasgow Clyde College. Two were in relation to our role as the Auditor of Aberdeen City, and particularly in relation to Maryshal Square. One was in relation to our role as Aberdeen City and the insurance policies that it holds. In those cases, either the complaint was not upheld or partially upheld, and we've recognised in a few cases that we could have communicated with complainants earlier in the process, improved our process for doing so, and apologised to the individuals involved. It's a useful source of learning for us to see how we can handle what's often a very varied range of complaints, sometimes about us and sometimes about audited bodies, and we always seek to learn from them. Is it the case that those who did complain are satisfied with the response that they received? I think that it's hard for us to answer that. We always ask people who complain about us and people who contact us about audited bodies for their feedback on how well we've handled it. I think that the response will vary depending on whether the complaint was upheld or not, but we take it very seriously. We report the handling of complaints regularly to the board so that they have oversight of the process. Ian May wishes to add to that. Yes. We don't have a lot of complaints, but we did find a deficiency in our system here, which has now been corrected, as Caroline has mentioned. Because of the position that Audit Scotland enjoys—perhaps that's the wrong word—it has, as a matter of fact, in looking at other bodies, we are extremely conscious of the need to ensure that we are above reproach. No one is perfect, and there will always be errors, and there was a system error here. The number of complaints was small, and those who are partial upheld would try to get people to respond, but you know yourself that if people are satisfied, they'll generally not say they're satisfied. If they're continued dissatisfaction, you may get a response and find it. We do our best to try and monitor that, because we value absolutely the reputation that Audit Scotland has, and we wish to maintain it. I'd like to ask you about staffing. On page 22, you reported that staffing costs exceeded the budget by 0.8 million, and 0.2 million of that relates to temporary staff. I wonder if you could explain the apparent contradiction whereby the number of temporary staff exceeded your budget to that amount, yet full-time staff have been released by way of early retirement and severance in the early part of 2017-18. We've had a policy over the last five years of looking to reshape our workforce to make sure that we're getting the right skill mix in place to carry out the work that we need and that we can respond to new responsibilities such as the integration authorities, and particularly the work around the Scottish Parliament's new financial powers. We have had some voluntary severances over that period, which you'll see in the annual report. At the same time, we've had growth in some areas in new financial powers and integration authorities being the obvious example where we've had some movements going on there. We have a deliberate policy of using temporary staff in a planned way for two particular purposes. One is that the annual audit cycle has a very significant peak over the summer each year as we head towards the sign-off of audited bodies in a very compressed period, particularly for NHS bodies, which are due to be completed by the end of next week. The second need is to bring in particular skills for the performance audit work that we do, where we're looking to bring in people with expertise in the areas that we're looking at for a significant but limited period of time, and we often fulfil that with the comments from other public bodies to make sure that we've got the skills that we need to do our work well. You will see that sort of shifting going on against a backdrop of reshaping our workforce. We plan to use temporary staff for those reasons. Diane, do you want to add to that? The only other reason that we use agency staff is maternity and paternity cover, and we've had a bountiful year this year in audit productivity. What's the normal duration of your temporary staff then? I know that it'll vary, but just generally. It does vary. If we're talking about the peak audit period each year, that would typically be two or three months, people in for that period in a way. If we're talking about somebody working on a particular performance audit or area of policy, it could be a period of up to two years. For example, we have somebody on the convent with us now from Scotland's rural college, helping us to think about rural issues across our programme of work for a couple of years. This is a continuous work model or pattern that will go on. It's part of our workforce plan, and we would expect to continue working that way. Can you offer any background to the specific reasons that new job roles, grading and pay and reward arrangements will be a key priority in 2017, because you say that on page 15 of the report? At the end of 2016-17, we agreed a new package of pay terms and conditions and roles with our trade union representatives, and that was put to a ballot of staff who voted overwhelmingly in favour of it. We're implementing a new way of managing careers and managing recruitment and internal promotions. What we're looking forward to in 2017-18 is embedding those new principles of work. We did a lot of work. We worked for two years with union colleagues and staff to design a new system, to take into account how people wanted to work and the aspirations that people have for careers. Our new system is designed around all of that. Getting the agreement is one thing, making it come to life this year is another, and that's what we've focused on. The next phase of this, as Auditor General, I see it as a key way of us being able to keep responding to the changes in Scotland's public services and public finances to help people develop satisfying careers in a context where public pay is constrained. We're looking to make jobs as flexible as possible and to give people as many opportunities to broaden their skills and experience as possible while delivering what Parliament expects of us. General, you touched on the additional financial powers that are coming down to Scotland. Obviously, there will be substantial changes over the next year or two. Are you satisfied that you, at this moment, have enough resources to be able to deal with that and to prepare for that? I know that we've asked you this before, but it's something that the Commission has a considerable interest in. At this moment, yes, I can give you that assurance, Chair. The Commission has been good enough over the last couple of years to support our investment in developing our thinking, our understanding of these issues and developing our response. Members of the Public Audit Committee will have seen the reports that we've published in this area already. We are at the stage now, I think, of having a much clearer understanding of what this means in terms of additional audit responsibilities with the establishment now of Revenue Scotland, the Scottish Fiscal Commission and with legislation passing through Parliament today, the Social Security Agency. It's probably a good opportunity for me to ask you to look out for a substantive resource bid in our budget bid in the autumn looking ahead to the longer term to reflect what we now know will be required in those areas based on the work that we've been doing over the last couple of years. You will be coming for additional resources. We know that, with the new bodies that are being established, there will be a need for audit resource to do that. Given the requirements on Parliament to be scrutinising a much more complex budget, which includes, for the first time, significant revenue-raising powers, raising about 50 per cent of what's spent in Scotland and managing social security powers that will have a significant impact on the lives of a lot of the most vulnerable in Scotland, we will need to come back to you with proposals for how we resource that work and support Parliament in its scrutiny of those new responsibilities. We're working up those proposals just now for our budget bid later in the year. Now, if you're taking on additional responsibilities in work, that means somebody's giving up responsibilities in work. Maybe it's an unfair question, but would one offset the other? It's a very timely question. We are currently thinking through with colleagues in Government and in the national audit office at the UK level how some of these newly devolved areas that will continue to be the focus of both the UK Parliament and in future the Scottish Parliament should be audited and held accountable. I suspect that it won't be as simple as saying that there's an offset in there because both Parliaments will retain an interest, but I think that it will depend to an extent on the detailed shape of the new audit and accountability arrangements that are put in place and they are still developing. I think that a concern would be if there was a significant overlap and duplication of effort. I would share that concern, both in terms of resourcing and in terms of clear accountability for the services and the finances that are being managed. We're at the early stages of looking at the proposals for the very new areas, but I think that it's an entirely appropriate question to ask. Thank you, convener. Maybe I could just say at the beginning that this is a new venture to me and there's quite a lot of paper to read. Your report is quite recent, so I've read it and drilled down through some of the links as well to the sub-reports. If I haven't quite got my understanding correct and your structure and your organisation, which is perhaps a little bit unique, please take that in that context. To me, audit quality is key to an organisation like this. I find reference to quality and approach to quality, but it perhaps wasn't the sort of upfront and centre that I was expecting. I thought that the key risk would be a risk of audit failure. I suppose that it's in there and that's just a comment on the way that I read the report. One thing that I would ask for, and you don't necessarily need to tell me now, but to understand the structure of regulation that you operate under, is it from outside or is it internally generated? I know that you have a quality control section. I'd be interested to know the actual results of the reviews that you did at some point. Before I get on to my real question, one question specifically on the financials. I see that you've got a large pension deficit and there's quite a bit of explanation of how it's calculated, but I wasn't quite clear as to what it actually means to the organisation and if it has any impact on what you do or whether it's somebody else's problem that appears in there. I'll kick off. I'll give Russell Motors—I'll ask him to come in particularly on the pension question, but I'm sure that he'll also have something to say on quality. The first thing to say is that I absolutely share your concern about audit quality. Our reputation stands or falls by the quality of the work that we do. We know that in the current political climate in Scotland it's very thoroughly tested by stakeholders from a whole range of perspectives, and it has to fulfil all of our professional requirements and stand up to that sort of challenge, and I take that very seriously. I hope that you'll be reassured to know that, alongside the annual report, we also publish a separate audit quality report, which was published on the same day, and we can send you a copy of it. It's also worth noting that we're currently reviewing our quality arrangements for a number of reasons. First of all, I think that the expectations of our work keep on increasing with the change in Scotland's financial powers and the debate that's underway about public services and how best they should be delivered. We have just moved into a new round of audit appointments, which have generated some efficiency savings for us, and that obviously raises the risk that audit quality may not be at the level that we want it to be. I'm very conscious that the audit quality arrangements that we have in place are robust and effective and meet all of the professional standards required, but they don't give us the same information about all of the audit providers, firstly, between our significant in-house audit practice and the firms that we're going to do about a third of the work, and secondly, between the financial audit work and the performance audit work. We're currently reviewing that. We've agreed in principle that we will go ahead and commission external assurance about all of the audit work. We currently do that for the in-house financial audit and rely on the FRC's regulation and ICAS's regulation of the firms that we work with, but we want to bring that to a level playing field, and we are strengthening the role of the Audit Committee of the Board in overseeing that quality assurance and making sure that it provides the assurance that they expect on behalf of me in the Auditor General. Russell, do you want to add to that? If I may, yes. Just to be clear on the regulation, Audit Scotland, in the same way as the NAO or the Wales Audit Office, are not formally subject to regulation for the bulk of their work by the FRC or one of the institutes as a private sector firm would be, but all of the Auditor General have voluntarily agreed that they will adopt the ICAS and the ethical standards in the conduct of their work and we work on the basis as if we were a regulated firm. As the Auditor General said, our financial audit work, apart from being subject to internal reviews, is subject every second year to a review by ICAS who come in and review a sample of files that they pick. We do not tell them which ones. We are currently looking to extend the scope of that work to include the firms and the other types of audit work. The firms, which are regulated by the FRC or ICAS-ICAW, those regulatory reviews tend not to include the audits where we have made the appointments. That is why we are looking to plug that gap and extend the scope of it. In relation to pensions, you are quite right that the deficit that is identified in our accounts relates to the bulk of our staff who are in the local government pension scheme, the Lothian element of that. What it represents is our share of the overall deficit in the scheme, as calculated by the Actuary, in accordance with the Accounting Standards, IAS-19, in this case. What it means for us is that when the Actuary comes along to calculate the contribution rate going forward, it will calculate the rate for the existing staff going forward and the cost of providing those pensions. It will also add on to that an element to contribute to catching up that deficit over a period of years. Currently, it uses about 20 years for bodies such as Audit Scotland. Thank you for that. On the quality point, I will be interested to see how your work develops on that. For the pension, there is no immediate impact on your cash requirements to meet that. There are two elements to that, and I apologise in advance for the complexity of that. It is something that we struggle with every year. There is one element where we routinely, in our spring budget revision bit, by agreement with the Government, come forward to meet the known shortfall during the financial year. The accounting adjustment that we needed to make after the year, we have routinely consumed ourselves within our resources. You will see from the report that this year, for the first time, that included quite a significant reduction in the underspend that we had managed for the year. Obviously, as a counterbloster, I am keeping a very close eye on that and how we think it will move in future. So far, it has been managed in routine business for us, but given the very low discount rates that we are now working with and the increases in life expectancy that are still working through the actuarial report, it is something that we are keeping under close review. In the financial statements, on page 29, you say that most internal audits in 2016-17 have achieved substantial assurance being the highest standard available from your internal auditors. Which report did not conclude with substantial assurance and what, if anything, either in terms of lessons have been learned or consequences followed? All reports received substantial assurance both on the design and the operational effectiveness of the controls that we have in place. IT and information security received reasonable, which is the next level down on both design and operational effectiveness. There were a number six of low-level improvements that we could make, and that was very helpful. This year, we have spent a lot of time assessing and scrutinising our IT information security, as you can imagine. We were accredited for our ISO accreditation, which you will see in the report, which is the global standard on IT security. The internal audit looked at that work, but it is also more widely at some other documentation and records, and we are very pleased to continually have external review, in this case through internal audit, which is helping us to continually strive further to improve. We are having our next ISO audit over the summer, and we have been working again to maintain and enhance the accreditation that we have there. No serious concerns? No serious issues, all recording operational or documentation issues. On page 32, Audit Scotland makes reference to the information security arrangements that you have in place, given that you hold sensitive and personal data, and you advise that an extensive information security framework is in place. Given the number of recent high-profile cyber attacks, can Audit Scotland provide further details of the information security framework and the extent to which it is reviewed and tested? As I said, over the course of the year, both through internal audit and external accreditation, we focused a lot on that. We were not affected by the WannaCry virus, which affected large parts of the public and private sector. Partly that is because of the ways in which we manage the patching update systems that we have, a feature of which was reviewed in the internal audit. We commissioned external testing of our security to provide us with on-going information. This year, we also ran internal checks and sending fake emails internally to see whether people would click on links. Then we reported back to colleagues to say that, in this case, it was really good that no one clicked on the links that might have contained viruses. We have a rigorous programme of all that. Since the WannaCry virus, we have been running weekly updates on Yammer, our internal social networking site, to let people know what else we can do. We have run some training sessions for colleagues. We have been sharing both the management of our own security and the information security auditing work that we do as part of our programme of audits. We have been sharing current thinking and best practice on IT auditing and security. It is pretty comprehensive and it is the subject of regular reports to our audit committee. It has been a feature of our internal audit programme each year for the past several years, and I cannot see that changing. Yesterday, in health committee, one of the committees that I sit on, we were looking at the issue of the recent cyberattacks. We had two senior IT officers who worked for the NHS. We also had Professor Bill Buchanan from Napier University, who is regarded as something of an expert in this field. He was pointing out that medical records are now regarded as—they are worth more than a credit card, for example. That clearly is not an area of great concern. I think that the NHS is also reaching out to staff and sending test emails to see how people were reacting. Perhaps you were not hit because your own practice is fairly sound. I would like to understand how Audits Scotland is lasing with other organisations, because being caught out in this way or being affected by cybercrime could have a serious impact on many organisations' accounts. What joint working is going on in that regard? That is a very good question. First of all, we recognise that, as auditors, we have privileged access to sensitive information from all the public bodies right across Scotland, so we have a duty to treat that with as much care and attention as they do, and that is reflected in the approach that Diane is outlying for you. Secondly, in our audit work, auditors will routinely see digital risks as being one of the risks that they have to be addressing through their work as part of the wider scope of public audit, which is enshrined in the new code of audit practice that is mentioned in our annual report. That wider scope, over and above the financial statements, asks the auditors not just to review governance arrangements, including information security, but for the first time to draw a conclusion about them. That involves them working closely with the audited bodies to understand the risks that they face in a particular set of circumstances, how they are addressing them, and how they are dealing with any shortfalls or problems that they face. We also do our best to use our ability to look right across public bodies and to work with our audit colleagues across the UK to spread good practice. We are able to act in that way to remind people of what good practice looks like and to respond quite quickly when a new threat emerges. We see that most clearly in the NHS and in local authorities, where there is a large number of similar bodies and we can act as that focus for passing out either warnings or good practice when that is necessary. On page 33, you make reference to a breach in your records management policy. You reported during the year that it was established that there had not been full compliance with that record management policy and that some documents were not being retained for the period that you would expect them to be. You state that almost all of the documents were recovered, but clearly not all of the documents have been recovered. Can you tell us a bit more about how the situation arose and what will happen? How will you address the fact that some of those documents simply were not recovered? I will ask Diane to come in in a moment. It is probably worth starting by saying that the problem arose because of the focus we have on information security. Our document management system is set up on the basis that documents will expire after a certain period unless they are marked as records and retained. That was the issue that led to the problem. Diane can talk you through what happened and what we have done in response. We were able to recover using our resilience and recovery mechanisms. A version of the files, to a certain date, we have recovered as we say in the report almost all of the documents. There are a few supporting reports for some of the work that we do that we have not been able to recover, but they are not significant for the work. The work is all concluded and we are supporting pieces of information. The primary reason for the issue is that colleagues on occasion have not followed the guidance that we have in place. On occasion, this has just been compounded by absence or busy periods of work. We have done a lot on the back of the exercise to share all the information. We know with colleagues about what was happening. We have enhanced our processes. We have done refresher training for everyone on how the records management system works. I think that we are all very concerned to ensure that we learn the lessons. We have implemented them as well as we can. We know that this comes down to how we as people use the systems that we have. That has been a very big alert for us. We have used that to develop training and discussion sessions with colleagues to make sure that everyone is aware of what happens if we do not follow the procedures. Thankfully, in this case, the actual loss is quite small, but the learning is quite big. Were those documents to do with the running of the business or the running of the engagements? Were they audit documents? Do you have electronic audit files? They are all electronic documents, and they are related to both the running of the business and a few audit assignments. I think that your budget proposal for 2015-16 and its actual outcome is shown on page 57 of the annual report. You had significantly underspent on all except two budget lines, rent and rates and IT. Can you confirm that those underspends that are identified are recurring and non-recurring? How will they come through into the next year? I think that if I am right and Russell will keep me straight that page 57 shows the actual rather than the budget for the two years, 2015-16 and 2016-17. We can certainly explain the variance between the two years, but Russell can pick up the IT and rent and rates lines from that page. The IT costs on page 57 came down from 2015-16 to 2017 actuals. That is largely because of the 2016-17 as the first full year of being in the new single Edinburgh office. We were able to reflect the efficiencies of being in one place rather than another. In relation to the 2016-17 budget, the IT line is higher. The reason for that is twofold. One is further investment in IT resilience to make sure that we are not subject to vulnerability to things such as WannaCry and to increases in software licensing costs, particularly from Microsoft but from other suppliers. On page 35, the annual report states that a benefit and kind provided for the director of audit services has increased by 16 per cent from 4,500 to 5,200 following an increase in the previous year of 18 per cent. What are the reasons for the increase over that period and what governance do you have over approving such increases? The benefit and kind for the director of audit services is the provision of a car under our car scheme. She is the only director who receives a car and it reflects the nature of her role, which is managing our in-house audit practice across Scotland. It is a very mobile role compared to the other management team members here. The figure for the benefit and kind that we require to show in the accounts is the taxable benefit as assessed by HMRC and it reflects both the taxable value of the car and HMRC's decisions about the way in which that is taxed for a given individual. The increase simply reflects the difference in the way in which the benefit is assessed by HMRC and not any difference in the cost to audit Scotland, which is captain six for all employees. I would like to pick up one or two things in the report in the time on our way. On page nine, bullet point five, four and five really, again you referred earlier on in this meeting to reductions in fee levels. I think almost every year you have cut fees. You are now in a position of course where that probably won't be possible in the next year or two because you are going to be asking for more money. Would it have been better not to have cut the fees this year and retain the funds within the business? There are two slightly different things going on there, chair. You are absolutely right that, as I said earlier, we will be making a bid to the SCPA for additional resources for new financial powers. What we are referring to in the bullet point here is the level of fees for the bodies for whom we charge fees under the statute that covers us. That reflects both our internal programme of efficiencies that we have touched on and the first part of the new procurement of audits for the next five years, which generated some savings for us that will work out across five years. You are also right that we have consistently reduced fees over the last few years. Of course, there comes a point where you can't do that any more. We are in the middle now of putting in place our financial strategy for the next three years, which will help us to make decisions about how best to manage our finances overall and convert them into fee levels for the three quarters of our income that comes from fees. You will recall that we are constrained in that, both by the legislation that requires us to break even taking one year with another and does not enable us to carry reserves forward and by the fees policy that we have consulted the SCPA on, which aims to bring in more balance across individual sectors from year to year. The savings that we have made so far, which we think are a useful contribution to the financial pressures on public bodies, cannot continue indefinitely, but there is a difference between the fees that we charge and the new responsibilities for things such as the social security agency and the Scottish Government increases that will come through in future. You have touched on fees and the work that you have been doing on fees, which, of course, that commission has been very much interested in for over a period of several years. Have you now completed that exercise? Are we satisfied that there is no possibility of cross subsidy or similar anomalies? We have completed the work and, as part of that, as you know, we have reached the board has agreed that we will aim to balance each sector taking one year with another rather than the overall fees, which is what our statutory provisions require. We are currently finalising the management information that is needed to help us to monitor that throughout the financial year and, obviously, at the budget setting period, we will be in a good position to check in on where we are and how we take that forward. We saw some fairly significant movements between sectors last year at the start of the new audit appointments. We saw significant reductions, for example, for local authorities and NHS bodies and a shift in different directions in the central government and FE sectors, reflecting some historic imbalances that were there. We think that those are now thoroughly worked through, but we are still monitoring that carefully, given that it is a significant change in our financial management and the overall approach that we take to raising fees. I am keen to know that we supplied you with the fee strategy last year, and we did indicate that I had been looking at the question of cross-subsidy. It is unhealthy to have one sector cross-subsidy. It is historical. After a public consultation with our client groups, we introduced the strategy and I think that it was endorsed by your committee, which is transparent and it shows where the proper charges should be. That is what we are doing. On page 14, the very first point there, we are developing a new communications and engagement strategy and engaged extensively with the Scottish Parliament, committees in the Scottish Parliament Information Centre. Can you give me a little bit more information about that? I am very conscious, as Auditor General, that I am here to support Parliament in its scrutiny of public spending across Scotland. In the past, our focus has rightly been very much on the Public Audit and Post Legislative Scrutiny Committee, and we will continue to provide that service. However, we have been conscious with the new financial powers and with the debate about the role of subject committees that there is more that we can do to support subject committees. With the election of the new Parliament last May, we started a process in consultation with our colleagues in the clerking team in SPICE and the thinking around continuing professional development for members about how we can support that. As we say in the report, we have engaged quite significantly with a number of committees, the Health and Social Care Committee, Education and the Finance committees in particular, around the work that we do that is relevant to them. We hope that we can continue that as the Parliament reviews its process for overseeing the budget at the end of the budget process review at the end of this term. I am turning to page 46 on the balance sheet. Intangible assets are not to intangible assets. It does not actually tell you what the intangible assets are. I was quite interested in knowing because I see that they have increased substantially over the previous year. They are software licenses, chair. As Russell said earlier, the cost of software licenses and therefore their value has increased over the last year and that reflects the change that you are seeing in the balance sheet. I am looking at page 52 on pension assets and liabilities. There seems to be assumptions that the salary increases of 4.4 per cent, which seems a little bit optimistic. Pension increases of 2.4 per cent. That is not the case, but I will ask Russell to explain to you why it is not the case. These are the long-term average assumptions made by the actuary about the total increase in the total salary costs of the employers. It takes into account not only the cost of living increases, but it takes account of increments as well. It also takes account of the fact that, over people's working lifetimes, you may expect to see them promoted during the course of their working life. It is an overall average increase in the salary employment cost of people that is required when you are using a final salary-based pension scheme. Do any of the members have any other questions that they would like to ask? In case I will thank the witnesses for their attendance and suspend for a couple of minutes just to allow a change of panel. We now move to evidence from the auditors of Audit Scotland, Alexander Sloane, and I would welcome Stephen Cunningham, partner at Alexander Sloane and Gillian So, audit manager at Alexander Sloane. Perhaps I have one or two questions. I might start with the first one. We note that you have issued a true and fair audit opinion following your work at Audit Scotland's annual report and accounts. Can you confirm that you have received all the necessary information and explanations required by you to form your opinion on the financial statements? Good afternoon, convener. I am happy to confirm that we have received all the necessary information and explanations that will allow us to undertake our audit for the end of 31 March 2017. I would like to give an overview of our work, if that is okay. The form of Alexander Sloane has been appointed to carry out the external audit of the 2017 financial statements of Audit Scotland. We carried out an interim audit in February and the final audit work was carried out in May and early June. Our audit was carried out in accordance with international standards and auditing. As I mentioned earlier, we received all the information and explanations that were required to carry out our work and the audit was completed without any problems. We signed our audit report on 13 June 2017. Based on our audit work, we form an opinion on whether the accounts show a certain fair view, whether they have been prepared in accordance with international financial deporting standards as interpreted and adapted by the Financial Deporting Manual, and to confirm that they have been properly prepared in accordance with the Public Finance and Accountability Scotland Act 2000 and directions by Scottish ministers. Our audit report is unwordified. That is, we are satisfied that the accounts do give a certain fair view and in accordance with the legislation and the accounting rules. There are no significant matters to which the choir should be brought to the attention of the commission or the leaders of the accounts. We also prepare management letter based on our audit findings. The purpose of the report is to summarise the key issues arising from our audit and to support any weaknesses in the accounting system and internal controls that have come to attention during the audit. I am pleased to the port that, in the course of our audit work this year, we did not find any weaknesses in the accounting and internal controls. Finally, I would like to record my firm's thanks to the staff at Audit Scotland and the support staff at the SCPA for the assistance during the audit this year. Alison Johnstone, would you like to continue? That all sounds very positive. I am not expecting that you will have anything significant to respond with to the question. However, in your report to those charged with governance, as required by the international standard on auditing and in your report to the Audit Committee of Audit Scotland, did you raise any matters that the commission should be aware of? No, there was no matter there. There was no significant matter that we felt there should be the chair committee. Audit Scotland included a sum of £1.7 million, or thereabouts, in their accounts, which relates to what to be completed but hadn't yet been charged for. Are you satisfied that the calculation of the figure is robust? Yes. We had a detailed look at the working-progress figures, and we are happy with the working-progress figures within the balance sheet of the accounts. Can you explain, just for the benefit of the committee, how this process is undertaken, how you reassured yourself that actually the process is okay? We spend a lot of time looking at the working-progress figure due to the nature of the figure. It does involve a number of assumptions, and we therefore spend a lot of detailed time going through looking at the time recorded on the system, the methodology used, the fees that have been agreed, the progress, any changes that have been made to the assumption in terms of the time completed, just to make sure that we are satisfied that that figure is reasonable in terms of annual accounts. My question is pretty much a recap of what you said at the start and what has been asked. To reassure us that the committee relies on your company's expertise and its consideration of Audit Scotland's annual reporting accounts. It is particularly relevant to the highly technical accounting requirement around pension costs and liabilities, in particular. Can you confirm that you are satisfied with all such disclosures in the 2016-17 annual report and accounts? Yes, I can confirm. Again, we had a detailed look at the pension liabilities. We considered the actual needs report and we considered the assumptions used by the actual needs report. Based on the order of work, those all appear reasonable and we are happy with the figures that have been stated. Julian, do you have anything to add? No. Stephen has said that we check the accuracy of the figures. Nothing is slagged up? No anomalies or anything? No, we are happy. We are happy then. Can I ask during the course of your work whether you have come up with any audit adjustments that might have been processed by Audit Scotland, or whether the accounts have presented to you unadjusted? The accounts that have been presented to us were unadjusted. The various discussions took place during the course of the audit and received satisfactory replies to our questions, which resulted in no adjustments to the financial statements. There might have been one of two figures that would have been changed slightly in terms of how they had been presented, but nothing materially significant in terms of their accounts. In terms of your management letter, you had no comments to make on the accounting systems or processes. It is a little bit unusual for the auditors not to have some form of suggestion. No. We did have a detailed look in terms of all of the controls, all the staff were briefed and it was a very experienced audit team, but no, there was no control weakness of the identifier during the course of the audit. How often do you meet Audit Scotland's Audit Committee? We attend each of the Audit Committee meetings throughout the year. You are at every meeting? Yes. How many is that? A memory there is about four meetings a year. Who handles the internal audit for Audit Scotland? That is the BDO and the internal audit. Do you meet them regularly? Yes, we meet the internal audit. We see them at the Audit Committee meetings, but we also have discussions with some prior to then enter the audit, and then again prior to signing off the final audit, just to make sure that we are aware of any issues or any concerns that they have. Do you have a protocol for communicating that? Is there a level of severity or whatever at which they will contact you? We have a discussion at both stages in the audit process, regardless of if there are any concerns. During the course of the year, we also get all of the internal audit reports, so we are aware of any findings that they have and any concerns at those meetings, but we make sure that, before we carry out enter and work, and before the final is completed, that we have a discussion with them, just to make sure that we cover any aspect at all. When I talked previously about a protocol, do you have clear parameters within which they work and you work, and how you communicate? Yes. Without the process, we will see the internal audit to the scope of their work, their planned audit programme. We keep that into account. We make sure that we look at, if they have flagged up any areas that are concerned, which will have an impact on the audit, we will then build that into our external audit work. Even if they are satisfied in any areas that we are looking at, if they are in an external audit point of view, we are still checking the controls to make sure that we satisfy ourselves that the systems are working to be able to give our level of assurance that we require. You were present when I was discussing with the previous panel about fee structures. Have you had occasion to look at the changes in fee structure? Yes. Audit Scotland has cut the fees, and we have certainly been at committee meetings, and we have seen the discussions and the focus in terms of quality. I was thinking rather about the previous problem that Audit Scotland had, if you call it a problem, about cross-subsidy and how they have restructured their fees to eliminate that. We have had a look in terms of the external audit. We have not had a detailed examination that would form more part of an internal audit or an economy or free audit, looking at that in further detail. We have looked at it from the viewpoint of the external audit and how it implicates the financial statements. It is a significant thing that is a significant change in Audit Scotland. I would sort of thought that the external audit might have had a look at that. I mean, we have certainly had a look at the fees and how it has been charged in terms of that. I may be misinterpreting the question, but you have a look in terms of the actual cost, how that is built up in terms of each individual client, and how that reflects in the overall fee would be a large and additional piece of work to carry that out. Does any member have any other questions? In that case, thank you very much for your attendance. As is going to be at the beginning of the meeting, we will move into private session.