SAAS Annual Report and Accounts 2013-2014 - page 29

SAAS
The cyclical nature of our business. We employ both permanent and seasonal staff to enable us to
process student applications, as the bulk of the applications arrive with us during April to June each
year, to be processed ready for payment by course start dates which are generally in August and
September. We use the Scottish Government’s contingent worker arrangements to secure the additional
staff required and have contingency arrangements in place;
We are also reliant on students submitting applications and documentary evidence to the Agency in
advance of starting their courses. We have continued our work with colleges, universities and student
representatives to encourage early applications; and
This year the Agency is also relocating from its current location at Gyleview House to Scottish
Government owned accommodation at Saughton House. The relocation project is being robustly
managed to safeguard against the risk of any business disruption.
Personal data related incidents
In line with Scottish Government guidance on managing risk to information, the Agency has a Senior
Information Risk Owner (SIRO) and we have an Information Security Policy. There was one minor data
issue during the year resulting in around 100 customers of the Part-Time Fee Grant scheme having
personal, but non-sensitive, information of another customer printed on the reverse of their award letters.
Mitigation and remedial action has been implemented to avoid a recurrence.
Review of effectiveness
As Accountable Officer, I have responsibility for reviewing the effectiveness of the risk and control
framework. My review is informed by:
Formal assurances from my Senior Management
Team who have responsibility for the development
and maintenance of our internal control framework;
The business managers within the organisation
who have responsibility for the development and
maintenance of the risk and control framework;
The Strategic Board which considers the overall
performance and strategic direction of the Agency;
Management Board which considers the plans and
risks and provides support and guidance to the Agency;
The Audit Committee which meets quarterly to
consider the internal controls of the Agency and
how effective those controls are;
The work of our internal auditors who submit regular
reports to the Agency’s Audit Committee. These
reports provide independent and objective opinion
on the adequacy and effectiveness of the Agency’s
systems of risk management and internal control
together with recommendations for improvement;
Comments made by our external auditors in their
management letters and other reports;
Regular reports on managing risks on key projects;
The risk register in place for all critical elements of
our operations. This is reviewed by the
Management Board at least half yearly and by
the Audit Committee half yearly.
The Agency’s risk and control framework is based on an on going process designed to identify the
principal risks to the achievement of the Agency’s polices, aims and objectives, to evaluate the nature and
extent of those risks and to manage them efficiently, effectively and economically. It can, however, only
provide reasonable and not absolute assurance of effectiveness. More generally, my organisation is
committed to a process of continuous development and improvement. Our focus over the coming year will
be on continuing to respond to the findings of the Independent Review and in developing and improving
our corporate governance arrangements to meet best practice standards.
David Wallace
Chief Executive
26 June 2014
1...,19,20,21,22,23,24,25,26,27,28 30,31,32,33,34,35,36,37,38,39,...50
Powered by FlippingBook