
Published: 29 May 2025

Internal audit reports - 21 May 2025

Report Summary

This report provides members of the Scottish Police Authority's Audit, Risk & Assurance Committee with an overview of internal audit reports from the 2024/25 internal audit plan. These are: estates and asset management; review of ICT general controls; grant management process; and health and safety (transportation of dangerous goods).

To access the full document please open the PDF document above.

To view as accessible content please use the sections below. (Note that tables and some appendixes are not available as accessible content). 

Meeting

The publication discussed was referenced in the meeting below

Audit, Risk and Assurance Committee - 21 May 2025

Date : 21 May 2025

Location : online


Report detail

The Internal Audit plan for 2024/25 was approved by the ARAC in February 2024.

Internal audit undertook the following reviews to provide ARAC with assurance over the design and operating effectiveness of controls in these areas:

a. Estates and Asset Management

b. Review of ICT General Controls

c. Grant Management Process

d. Health & Safety (Transportation of Dangerous Goods). This is an additional audit, not included in the original plan, conducted at the request of Police Scotland.

Appendix A - Estates and Asset Management

a. Background:
• The objective of the Estates Masterplan is to create a modern, fit-for-purpose estate that best serves our communities and workforce.

b. Internal Audit Findings:
Moderate assurance on design of internal controls.
Moderate assurance on effectiveness of procedures and controls.
• BDO noted the Estates Master Plan offers a comprehensive future outlook for SPA’s Estates portfolio, using data-driven analysis and master planning tools.
• There were many areas of good practice noted throughout the review. However, internal audit has identified weaknesses in the design of internal controls, which represent opportunities for improvement.
• While the plan addresses current estate issues and the investment needed to mitigate rising maintenance costs, it lacks detailed implementation steps and a clear roadmap for improvement.

c. Summary of Findings of the Report:
SUMMARY OF FINDINGS / NUMBER OF AGREED ACTIONS
High 0/ 1
Medium 2/ 3
Low 2/ 2
TOTAL 4/ 5

d. SPA Considerations:
• Positive assurance is received over the adequacy of arrangements in place to address the challenges faced within Police Scotland’s estates management, including property management and health & safety.
• All recommendations have been accepted and are forecast to be completed in a relatively short timescale, by December 2025.


Appendix B - Review of ICT General Controls

a. Background:
• Effective IT change controls are crucial to an organisation’s IT Testing Function as they ensure changes are systematically managed, reducing risks and maintaining stability.
• Amid rapid and accessible technological advancements, such as AI-driven developments, a robust change and testing framework is increasingly important for organisations – both for control and agility.

b. Internal Audit Findings:
Substantial assurance on design of internal controls.
Substantial assurance on effectiveness of procedures and controls.
• BDO noted a substantial assurance conclusion on the design and operating effectiveness of IT change controls. They found that the Digital Division has a well-documented and implemented IT Change Management policy and associated procedures in operation.
• The audit highlighted few areas for improvement within the agreed scope, reflecting a good awareness of IT change risks and controls and proactive stance by the current management team.

c. Summary of Findings of the Report:
SUMMARY OF FINDINGS / NUMBER OF AGREED ACTIONS
High -
Medium -
Low 1/ 2
TOTAL 1/ 2

d. SPA Considerations:
• The overall results and findings of this audit are extremely positive and give assurance that the controls/processes are robust, with BDO providing substantial assurance and identifying only one low finding.

Appendix C - Grant Management Process

a. Background:
• Management recognised that historically, there has been a lack of clarity around the nature of disbursements i.e. whether they are grants or gifts/donations; and also noted that there are legacy grants in place that have not been subject to review and therefore, there is little understanding around their purpose.
• The Corporate Governance Framework of the Authority sets out the scheme of delegation in relation to grants.

b. Internal Audit Findings:
Moderate assurance on design of internal controls.
Limited assurance on effectiveness of procedures and controls.
• BDO noted that, in the main, controls surrounding the grant management processes are well designed. However, they also noted several areas that Police Scotland could improve in relation to the grant management arrangements in place.
• The findings showed that the policy and procedure refresh has enhanced the design of the controls in place and once embedded and if consistently applied will provide a robust grant management control environment. However, the results of the review showed that there is still work to be done in embedding and ensuring compliance.

c. Summary of Findings of the Report:
SUMMARY OF FINDINGS / NUMBER OF AGREED ACTIONS
High 2/ 3
Medium 3/ 5
Low 1/ 1
TOTAL 6/ 9

d. SPA Considerations:
• Seven recommendations have been agreed with the remaining two being partially agreed (one low and one medium). All recommendations are scheduled to be completed by October 2025.
• Having grant management policies and procedural documents in place is positive. However, the audit highlights that areas for improvement are required, leading to limited assurance on effectiveness of procedures and controls.


Appendix D - Health & Safety (Transportation of Dangerous Goods)

a. Background:
• This audit was not included in the original internal audit plan. It was conducted as an additional audit at the request of Police Scotland recognising a risk area.
• Police officers and staff frequently transport and store items like nitrous oxide canisters, fireworks, lithium-ion batteries, and chemicals used in drug production. These goods are seized at crime scenes and transported to production stores in police cars and vans.

b. Internal Audit Findings:
Limited assurance on design of internal controls.
Limited assurance on effectiveness of procedures and controls.
• BDO noted several key deficiencies across the internal control environment, the root cause of which is likely minimal policies and procedures covering transporting, storing and disposing of dangerous goods, and a lack of recent dangerous goods training, which has led to inconsistent and in some cases, poor practice.
• On-site visits highlighted goods are not always identified before they are stored, and labelling was often inadequate to communicate the risks and hazards associated with dangerous goods.
• The audit found considerable inconsistencies in how dangerous goods are being stored at different sites and some transport vehicles do not have ventilation facilities and appropriate apparatus to secure items.
• Given the nature of the findings identified, management should prioritise taking action on the recommendations noted in this report.

c. Summary of Findings of the Report:
SUMMARY OF FINDINGS / NUMBER OF AGREED ACTIONS
High 3/ 8
Medium 4/ 11
Low -
TOTAL 7/ 19

d. SPA Considerations:
• The number of findings and actions is high and requires to be addressed as a matter of urgency.
• The number of findings was expected and management were proactive in requesting this independent audit given awareness that there were challenges in this area that required an expert review.
• All recommendations have been accepted and are forecast to be completed by October 2026.