
Annual Report and Accounts 2023-24

Annual Report and Accounts reports on the business and financial activities undertaken by AiB over the last financial year


Governance Statement

Scope of responsibility

As Accountable Officer of Accountant in Bankruptcy, I have responsibility for maintaining a sound system of risk management and internal control. This system supports the achievement of AiB’s policies, aims and objectives set by the Scottish Ministers, while safeguarding the public funds and assets for which I am personally responsible.

In the discharge of these personal responsibilities, I ensure organisational compliance with the Scottish Public Finance Manual. This manual is issued by the Scottish Ministers to provide guidance to the Scottish Government and other relevant bodies on the proper handling and reporting of public funds. It sets out the relevant statutory, parliamentary and administrative requirements, emphasises the need for economy, efficiency and effectiveness, and promotes good practice and high standards of propriety.

Governance framework

During 2023-24, I was supported by five Non-Executive Board Members who together formed the Advisory Board. I also had the support of two Audit Committee Members who are not part of the Advisory Board.

The Advisory Board, which met four times during the 2023-24 year, was supported by the Audit Committee, which met quarterly. Regular meetings were held throughout the year with AiB’s Fraser Figure, who is the Director of Economic Development at the Scottish Government and is responsible for facilitating relations between AiB and the Scottish Government. All meetings were fully attended and in line with committee Terms of Reference and AiB’s Framework Document.

Corporate governance compliance

As an Executive Agency of the Scottish Government, AiB complies fully with On Board: a guide for members of management advisory boards. Each of AiB’s committees and groups maintains terms of reference which are reviewed annually in line with corporate governance requirements and recommendations.

Risk assessment

All bodies to which the Scottish Public Finance Manual is directly applicable must operate a risk management strategy in accordance with relevant guidance issued by the Scottish Ministers. The general principles for a successful risk management strategy are set out in the manual.

AiB maintains a corporate risk register which records internal and external risks and identifies the mitigating actions required to reduce the threat of these risks occurring and their impact. The corporate risk register is regularly updated and reviewed by the Senior Management team. Each individual risk is allocated an owner who ensures that any mitigating action is carried out.

Key corporate risk management activities during the year are set out in Part 1 of this report.

Risk registers were also used for specific projects as a management control tool to help enable successful outcomes. These provided a mechanism to report risks to the relevant project management board for assessment and to escalate high level risks to senior management should preventative action need to be taken.

AiB follows Scottish Government policy on information security and has a Senior Information Risk Owner and Information Asset Owners in place to manage information risk for each business area. No issues were identified through 2023-24 which required reporting to the Information Commissioner (2022-23: no issues reported).

Risk and control framework

AiB’s risk and control mechanism is based on an ongoing process designed to identify the principal risks to achieving the organisation’s policies, aims and objectives. It seeks to evaluate the nature and extent of those risks and to manage them efficiently, effectively and economically.

The process accords with guidance from the Scottish Ministers provided in the Scottish Public Finance Manual and has been in place for the year ended 31 March 2024 and up to the date of the approval of the annual report and accounts.

I have continually reviewed AiB’s capacity to manage risks during the course of the year. The Advisory Board met regularly to assess and manage the risks identified in the corporate risk register. The Audit Committee, chaired by an independent Non-Executive Board Member, has taken a lead role in ensuring the risk management strategy functioned properly.

More generally, AiB is committed to a process of continuous development and improvement, creating systems in response to any relevant reviews and emerging best practice in this area.

Review of effectiveness

AiB employs a hybrid working model. This means nearly all staff spend three days working from home and two from the office. I am satisfied, having assessed our risks and internal controls, that we have appropriate key electronic processes and communications, and these help ensure the continued delivery of essential governance arrangements during hybrid working. In 2023-24 we were able to deliver all statutory functions, maintaining a high level of public service.

Throughout 2023-24, there were sufficient IT security controls in place to ensure AiB’s data and assets were protected as staff worked from home under the hybrid working model.

During 2023-24 I reviewed arrangements for governance and risk management for AiB. This included making identified improvements from internal audit reviews and AiB’s assurance map. There was an annual review of the Audit Committee Terms of Reference.

As Accountable Officer, I have had responsibility over the past year for reviewing the effectiveness of the risk and control framework. This review has been informed by:

  • AiB’s assurance map, which is a structured way of presenting assurances against the internal control checklist to assess how effectively our risks are being managed and to identify any gaps. During the year, an internal audit review and a focused ‘deep dive’ by the Audit Committee on key areas of the assurance map demonstrated that our internal control framework is working effectively
  • the business managers within the organisation who develop and maintain the risk and control framework
  • the work of AiB’s internal auditors who submitted regular reports to AiB’s Audit Committee. These reports and the annual audit assurance report issued in May 2024 provide an independent and objective substantial assurance opinion on the adequacy and effectiveness of AiB’s systems of risk management and internal control together with recommendations for improvement
  • comments made by AiB’s external auditors in the annual audit report and management letters
  • assurances provided by the Audit Committee
  • the risk registers in place for all critical elements of operations, which are reviewed by business managers at quarterly intervals
  • regular reports on the management of key project risks
  • information provided by the core financial systems of the Scottish Government which AiB used and relied upon to carry out accounting and payment functions and some procurement of goods and services

The risk and control framework has been designed to manage rather than eliminate the risk of failure to achieve the organisation’s policies, aims and objectives. It can therefore only provide substantial but not absolute assurance of effectiveness.

Assurance on the maintenance and review of internal control systems was provided by all members of AiB’s Senior Management team, each of whom submitted an annual certificate of assurance covering their areas. These assurances were based upon ongoing updates to AiB’s assurance map, for which all Senior Managers have responsibility. No significant control issues were identified for the 2023-24 financial year or the period up to the signing of the accounts, and I am satisfied the overall operation of the governance framework at AiB is reasonable.
