NRS Audit and Risk Committee Meeting, August 2025

Home
Publications
NRS Audit and Risk Committee Meeting, August 2025

Share this page

Click here to share this page on Facebook. Click here to share this page on LinkedIn. Click here to share this page on X (formerly known as Twitter).

NRS Audit and Risk Committee (ARC) Meeting

Thursday 28 August 2025

Hybrid / Teams 10:00 – 13:00

(Private discussion 13:00-13:15)

ARC Members

Maggie Waterston (Chair) NRS Non-Executive Director

Anne Moises NRS Non-Executive Director

Tim Wright NRS Non-Executive Director

Bryan Robertson NRS Non-Executive Director

John McDonough NRS Non-Executive Director

ARC Attendees

Alison Byrne NRS, CEO

NRS, Director for Corporate Services & Accountable Officer

NRS, Director for Customer Services, Operations and Archives

NRS, Director for Delivery

NRS, Interim Director for Digital & IT Services

FCDO, (Foreign, Commonwealth and Development Office)

SG, Director, Internal Audit & Assurance

SG, Senior Internal Audit Manager

SG, Internal Audit Manager

SG, Internal Auditor

Grant Thornton, External Audit Engagement Director

Grant Thornton, External Audit Engagement Manager

NRS, Head of NRS Business Management

NRS, Corporate Business Assurance Manager

NRS, Business Support Officer (Secretariat)

NRS, Finance Manager

NRS, Head of Census PMO

NRS, Archive Services Programme Manager

NRS, Head of Information Risk, Security and Governance

Apologies

NRS, Interim Director for Statistics

NRS, Director for Census Statistics

NRS, Head of Data Services

1. Welcome, Introductions and Apologies. Declaration of Interests & Matters Arising

1.1 Maggie Waterston welcomed everyone to the meeting. Apologies were noted as listed above.

1.2 There were no declarations of interests or matters arising.

2. Meeting held on 19 June 2025

2.1 The minutes were approved and would be published on the NRS website.

2.2 A review of actions was undertaken. The action tracker would be updated accordingly.

2.3 The Director of Corporate Services & Accountable officer updated ARC on the Ancestry Tribunal regarding refusal of access to re-use of public information. The Committee noted NRS were still awaiting the outcome of the tribunal and would update ARC at a future meeting.

3.1.1 NRS Risk Dashboard

3.2 The Director of Corporate Services & Accountable officer introduced the NRS Risk Dashboard and Issues Log to the meeting and covered the following key points below:

A new dashboard report had been run to support the meeting papers, offering a more comprehensive overview of NRS risks, exploring improved ways to present risk data via PowerBI dashboards
Directors had been engaged in monthly meetings to support a new approach to risk management, with regular updates provided at executive team meetings
Work was underway to develop a cyber incident scenario to test and strengthen these entries
The Census 2031+ funding risk had been escalated, with expectations for clarity by December, once the Memorandum of Understanding was finalised
Portfolio funding risk had been added to reflect upcoming projects, with an anticipated reduction in risk score in the coming months
A climate change risk had been formally accepted, with ongoing work to reduce the carbon footprint across the NRS estate
A directorate-level risk regarding the CALM cataloguing system reaching end-of-life in December 2027 had been escalated to the corporate register. A formal discovery phase and options analysis for its replacement had been completed under the Archive Services Board
The Ancestry.com tribunal risk remained on the SG risk register. NRS had instructed external legal advice, expected to conclude by December 2025
Preparations were underway for a Director and staff risk leads workshop to review draft frameworks and guidance, including escalation processes.

3.3 In discussion the following points were raised:

· The addition of several new risks were due to better risk reporting in NRS

· A multi-stakeholder cyber simulation exercise was being arranged for autumn 2025. This exercise would help to reduce the risk scoring for cyber-attacks

· ARC would undertake a deep dive on Cyber Security Assurance and Risk Response (aligned timing to Internal Audit Review) at the November 2025 meeting

· An updated Risk Register and Issues Log would be circulated to NXDs following the next Executive Management Board meeting

· ARC noted Climate Change Risk in relation to securing starter funding to transition to future zero targets

3.4 The committee noted the update. The actions noted were as follows:

Action A39/25: BMU to circulate risk register and issues log updates to NXDs following EMB review. Action Owner: BMU

4.1. NRS Data Strategy, Data Maturity and Information Governance workstreams (follow up work of NHS CR and Internal Audit recommendations)

4.2 The NRS, Head of Information Risk, Security and Governance provided an update on NRS Data Strategy, Data Maturity and Information Governance workstreams with the following key points below:

· Groundwork to improve oversight of NRS data sharing arrangements had been completed in May 2025
· Ongoing work to maintain and review data sharing arrangements had been embedded into the Information Governance team’s routine activities
· Improvement efforts for the remainder of 2025/26 had been focused on updating arrangements for sharing vital events data with Public Health Scotland and health boards
· This work had been positioned as a foundation for enhancing NRS’s data maturity
· NRS had engaged Data Orchard, a data advisory service provider, for six months starting September 2025 to accelerate progress on data maturity
· Commissioned work for delivery by March 2026 had included:

o A current state assessment of NRS data practices

o Development of a future-state NRS Data Strategy

o A framework for delivering the strategy over a three to five year period

o A cross-directorate NRS Reference Group had been supporting this work

o A further update had been planned for Q1 of 2026/27

4.3 In discussion the following points were raised:

· The committee noted the importance of stakeholder engagement and analysis in the development of an NRS Data Strategy. NRS advised a Data Group would identify key stakeholders and keep the committee updated on progress
· NXD’s requested further background to the Data Orchard contract. NRS, Head of Information Risk, Security and Governance advised Data Orchard were assisting NRS in the development of NRS data maturity outcomes to take forward and were arranging workshops with relevant staff

5. Progress Report on Major Programmes:

5.1. Archive Services Programme

5.1.1 The Archive Services Programme Manager introduced the paper with the following key points.

Governance & Project Updates: The Programme Initiation document and Terms of Reference had been approved, marking the transition into the delivery phase. Key milestones had been baselined for all three projects

· Physical Storage Project: The PID for short-term opportunities had been approved. Seven out of eight scheduled workshops had been completed, focusing on identifying record sets for relocation and internal storage opportunities. Target achievements for the next period had included:

Completion of the final workshop and preparation of an options paper.
Approval of short-listed options and plans to create internal space during 2025/26.
Commencement of an NRS-wide estate space planning survey.

· Digital Archiving Project: The business case for a new Digital Preservation System had been approved by the Executive Management Board. The solution overview had been approved by the Architecture Review Board. DAO assessment planning had been completed. Target achievements for the next period had included:

Completion of the DAO assessment.
Issuing the Invitation to Tender (ITT).

· Archive Environment Project: An updated business case had been approved by the Digital & Strategy Board. Target achievements for the next period had included:

Completion of Stage 1, including the closure report.
Contract awards for Stage 2 fit-outs of both the updated physical environment and the new treatment space.

5.1.2 The committee noted the update.

5.2. 2031 Census

5.2.1 The NRS, Head of Census PMO introduced the Census 2031 Outline Business Case with the following key points:

The Outline Business Case (OBC) had been presented to SG in Investment Mode (ETIM) on 24 June, following an independent expert review by SG Functional Leads
ETIM had commended NRS for the quality of the OBC, while identifying areas requiring further development
NRS had committed to refreshing the OBC by Spring 2026 to address the feedback.
A key recommendation had been to provide more detail on how the proposed partnership with ONS—via a Memorandum of Understanding (MoU)—would operate in practice (Plan A)
ETIM had also recommended that NRS develop a Plan B contingency in case the partnership with ONS failed, including identifying a "point of no return" beyond which Plan B could no longer be implemented without jeopardising the 2031 census
NRS had prioritised this contingency planning, with an initial Plan B workshop scheduled for 16 September to explore threat scenarios, impacts, and appropriate responses
The workshop had aimed to define indicators and triggers that would guide any decision to pivot from Plan A to Plan B
While contingency planning progressed, NRS had continued to work closely with ONS to develop the MoU as the preferred approach
A gateway health check review had been proposed for October (date to be confirmed) to provide independent assurance on readiness to enter into the MoU by the end of 2025

5.2.2 5.2.2 The committee noted the update. In discussion the following points were raised:

Director for Corporate Services & Accountable Officer provided NXD’s with further detail on the areas of the OBC requiring further development, including the MoU

6. External Audit: Annual Audit Report (AAR)

6.1 Grant Thornton introduced the report with the following key points below:

· Grant Thornton were still awaiting the pension information to finalise their report
· The anticipated audit report would be unmodified on the basis that all MyCSP information was received and incorporated into the Annual Report and Accounts (ARA)
· Unlike in 2023/24, there was no pension remedy which meant before the accounts could be signed, the updated pension disclosures would be required and the audit team would have to audit these figures. This was a national issue for several public bodies
· The quality of the Annual Report and Accounts and supporting papers were of a good standard
Annual Audit Report: Key Elements

The draft report included the audit opinion, confirming whether the financial statements were free from material misstatement
It provided commentary on the wider scope areas, highlighting strengths and areas for improvement in governance and financial planning
The report also included recommendations for enhancing internal controls and improving transparency
A summary of audit findings and conclusions was presented to those charged with governance
· The wider scope audit assessed areas such as financial sustainability, governance, value for money, and performance management
Significant Risk Areas
Key audit risks were identified and assessed, including:

Risk of management override of controls
Risk of fraud in revenue recognition
Estimation and valuation risks, particularly around pensions and asset valuations
Financial sustainability risks, especially in relation to budget pressures and medium-term planning

6.2 In discussion the following points were raised:

· The committee noted their disappointment around delays in pensions data being provided by MyCSP

· Members agreed to attending a further meeting to sign off the final ARA, AAR and Letter of Representation following receipt of pensions data from MyCSP

7.1 NRS Annual Report and Accounts (ARA) Covering Report

7.1.1 The NRS, Finance Manager presented the draft NRS AR&A Covering Report which outlined the process and timelines completed as part of the audit by Grant Thornton of the NRS Annual Report and Accounts. The committee noted a further meeting was arranged for 11 September 2025 to formally sign off the final ARA report once pensions data had been provided by MyCSP.

7.1.2 No matters arising were raised as significant and Grant Thornton had advised of a unmodified audit opinion and were content that the financial statements gave a true and fair view of NRS as of 31 March 2025, subject to receipt of pensions data from MyCSP.

7.1.3 The actions noted were as follows:

Action A40/25: BMU to email ARC to confirm when MyCSP pensions data had been received. Action Owner: BMU

7.2 Draft NRS Annual Report and Accounts for 2024-25

7.2.1 The Committee noted the draft NRS AR&A for 2024-2025.

7.3 NRS Draft Letter of Representation

7.3.1 The Committee noted the draft Letter of Representation.

7.4 NRS Financial Report: Financial Performance and Achievement of Financial Targets

7.5 The NRS, Finance Manager introduced the NRS Financial Report. Members noted the 2024/2025 draft outturn along with the statutory audit plans and timings and 2025/2026 budget update.

7.6 The committee discussed NRS income stream performance and how NRS could look to understand what was happening in the wider market. NRS Finance agreed to include an update on income stream performance in MYR report. The committee agreed to add a future deep dive on NRS Income stream performance to the Strategic Board forward look for December 2025.

The actions noted were as follows:

Action A41/25: Finance to provide MYR Report on income stream performance. Action Owner: NRS Finance

Action A42/25: Deep Dive on NRS Income streams to be added to Strategic Board Forward look for December 2025. Action Owner: BMU

8.1 Internal Audit update:

8.1.1 SG Internal Audit provided an update on the following:

· Q2 ARC Progress report and supporting papers
· SG Core Corporate Systems Annual Assurance for 2024-25
· Annual Performance Report for 24-25 Final

8.1.2 Members noted the report. In discussion the following points were raised:

· The committee noted the circular impact of the proposed introduction of charges by SG

· NXD’s requested NRS seek clarity from SG on future charging for SG shared services, including charging for internal audit as the introduction fees for shared services would significantly impact on NRS budget and change projects

· NRS would have to raise income to cover costs for services and would have to move to charging for non-statutory services and increase charging to public services

· NRS were concerned there was a lack of control of services being implemented and standards of services. For example, ongoing issues with the Oracle Cloud system where efficiencies had not been delivered

· NRS would share feedback on assets and value of buildings

8.1.3 The actions noted were as follows:

Action A43/25: Alison Byrne to write to SG for clarity on future charging for internal audit and central shared services. Action Owner: Alison Byrne

Action A44/25: NRS to share feedback on assets and value of buildings with NXD’s. Action Owner: Director for Corporate Services & Accountable Officer / NRS Finance Manager

9. NRS Audit Recommendations Status Report

9.1 The Committee noted the report.

10. ARC Governance

10.1 ARC Annual Report 2024-2025 to the NRS Chief Executive, Accountable Officer and Strategic Board

10.1.1 Members noted NRS BMU were to finalise the Annual Report 2024-2025 to the NRS Chief Executive, Accountable Officer and Strategic Board.

10.2 Committee Self-Assessment Checklist

10.2.1 The Committee noted the Self-Assessment Checklist.

10.3 Checklist Improvement Actions

10.3.1 The Committee noted the Checklist of Improvement Actions.

10.4 ARC Terms of Reference Review

10.4.1 The Committee noted and approved the updated Terms of Reference.

11. Committee Reports - To Note and Questions

NRS Governance Report

11.1 The Committee noted the report. In discussion the following points were raised:

· The committee discussed work to reconcile two sources of information regarding the presence and location of asbestos at West Register House
· Remedial works at West Register House to repair / encapsulate asbestos were outstanding
· Following site visits involving the FM contractor’s subcontractor, the proposed scope of works with associated costs were to be submitted
· NRS confirmed there were no recorded incidents where there has been an unsealed asbestos risk within NRS. No staff were impacted by asbestos within the NRS estate

NRS Portfolio report

11.2 The Committee noted the report.

NRS Assurance update

11.3 The Committee noted the report.

12. To Note: ARC Forward Look for year ahead

12.1 The Forward Look was noted by all Committee members.

13. AOB & Date of Next Meeting

The date of the next meeting was noted as 27 November 2025.

End

Was this page helpful? *

Yes

Yes, but

Your comments