City of Glasgow College Annual Report & Accounts 2020-21
Other Audit Committee Activities
In addition to the work of the Internal and External
Auditors, the Committee considered a range of other
matters including:
• Review of the Finance and IT Functions
As noted above, following the discovery by
College staff of a fraud during 2019, a number of
recommendations on the appropriateness of the
financial control environment and the effectiveness
of controls over key IT processes were raised. As
a result, the Principal had commissioned separate
independent External Audit reviews of both the finance
function and IT effectiveness. The main findings,
including areas of good practice and key areas for
improvement with recommendations, were submitted
for review, and action plans agreed.
Updates to these action plans were provided to the
Committee at each meeting, with the implementation
status for each action reported.
• Assurance Framework
The new Assurance Framework includes a grid
mapping all College assurances within the Three Lines
of Defence Model with the College's Strategic Themes
and Priorities, and mapped against the College's
strategic risks. This provides a coherent and complete
reference point for the Committee to assess assurance
strengths and areas for further development. The
Committee noted the completion of the Assurance
Framework, and it was agreed to review the
Framework twice yearly.
• Freedom of Information
The Committee received an update report on the
nature and volume of requests received in relation
to the Freedom of Information (Scotland) Act 2000
(FOISA) and the Environmental Information (Scotland)
Regulations 2004 (EIRs). It was noted that while the
number of requests had fallen since a peak in 2017-
18, this does not necessarily reflect the demands
placed upon the College, as some requests are
complex and the preparation of responses time-consuming.
There has been a steady improvement in
the College's response rates in relation to the 20-day
timescale, from 90% in 2016-17, to 96% in 2019-20.
• Data Protection
The Committee reviewed an update on progress
and achievements in relation to the College's Data
Protection arrangements. Following the withdrawal
of the College's agreement with HEFESTIS for the
provision of a Data Protection Officer, a new DPO
service has been entered into with the Director of Data
Services at Thornton's Solicitors. A full action plan was
progressed and it was reported to the Committee that,
as of May 2021, there were no "red" risks. Mandatory
Data Protection training had been undertaken by ELT/
SMT.
• Internal Audit and External Audit Contracts
The College's Internal Audit contract was due to expire
in September 2021, and a full competitive tender
process was progressed via the APUC Framework.
Two Committee members, including the Convener,
were involved in the process.
The Committee was also advised that
the re-tender process for External Audit (EA) would
be undertaken by Audit Scotland during the 2021
summer period with the appointment made and in
place for session 2021-22.
• Risk Management
The College's Risk Register and Risk Management
Action Plans for key risks, and highest scoring risks,
were reviewed at each meeting of the Committee. All
risks have been updated as required in the context of
the Covid pandemic, with commensurate increases to
Risk scores in some areas, given the varied impacts
involved. Overall the average risk score increased
from the outset of the pandemic, and has gradually
diminished through 2020-21 as the consequences
have been managed.
A full review of Risk Management through 2020-21 is
provided below.
• Annual Report 2019-20
The Committee reviewed the draft annual report for
2019-20, noting that whilst the statements
record a deficit of over £4.7m, due to the impacts of
the pandemic, the full financial statements showed an
underlying operating deficit of £0.36m, in the context
of an improving position.
Risk Management
The College Risk Management strategy is embodied in
the following documents:
• Risk Management Policy
• Risk Management Procedure
• Risk Management Guidance
• Risk Register
• Risk Management Action Plans (currently numbering
23 at July 2021)
The College Risk Management Policy outlines its
approach to risk management and internal control,
and the roles of the Board of Management and senior