Audit and Risk Committee - June 2025

This document contains the agenda for the Audit and Risk Committee meeting of the Cairngorms National Park Authority (Park Authority) on 20 June 2025 at 10am, held at the Park Authority office in Grantown-on-Spey and online. The agenda includes items such as welcome and apologies, approval of minutes from the previous meeting, matters arising, declarations of interest, and several items for decision including the internal audit plan 2024/25, the internal audit annual report, and the internal audit plan. Other items for information include the external audit update, information requests and complaints update, and the procurement action plan. The agenda also includes a discussion on strategic risk registers, an update on outstanding internal audit recommendations, any other competent business (AOCB), a motion to take the next item in confidential session, approval of confidential minutes from the meeting on 21 March 2025, and the date of the next meeting, which is 12 September 2025.

This document contains the draft minutes from the Audit and Risk Committee meeting held on 21 March 2025 at the Cairngorms National Park Authority. During the meeting, the committee approved the minutes from the previous meeting on 8 November 2024 and discussed the external audit plan for 2024/25. They reviewed internal audit progress, strategic risk registers, and the draft governance statement. The committee also addressed the procurement action plan and guidance, along with internal audit report management action follow-up. Furthermore, the meeting covered the appointment of an internal auditor for 2025-2028 and the internal audit plan for 2024/25 relating to Cairngorms 2030. The next meeting is scheduled for 20 June 2025.

This document contains the internal audit plan for 2024/25, focusing on recruitment at the Cairngorms National Park Authority. The audit, conducted by Azets, reviewed the Park Authority's recruitment and onboarding processes and found that while the Park Authority has robust policies, there are some areas for improvement. Three recommendations have been made, with management accepting them all. These include a more systematic process for documenting recruitment proposals and the development of a timeframe for reviewing the Recruitment and Selection Policy. The Audit and Risk Committee is asked to consider the internal auditors report and findings.

This document contains an internal audit report for 2024/25 regarding recruitment at the Cairngorms National Park Authority (Park Authority). The report, dated March 2025, assesses the Park Authority's recruitment policies and processes, finding them to be generally robust and effective. It highlights some good practices, such as having a comprehensive Recruitment and Selection Policy and ensuring job descriptions contain essential information. The report also identifies a few areas for improvement, including documenting the approval process for recruitment and establishing a timeframe for reviewing the Recruitment and Selection Policy. The audit team identified three low-risk opportunities to strengthen existing controls, which are detailed in the management action plan with specific action owners and due dates.

This document contains the Internal Audit Annual Report for 2024/25 from the Cairngorms National Park Authority. The report summarizes the findings of the internal audit work done during the year ending 31 March 2025. The Audit and Risk Committee is asked to consider the report and endorse the inclusion of the Internal Auditor's opinion within the Governance Statement for 2024-25. The report notes that the Park Authority has a framework of governance, risk management and controls that provides reasonable assurance. The report also mentions a delay in the planned work on cyber security and a review has been included in the internal audit plan for 2025-26. The auditor will present the report and answer any questions.

This document contains the Cairngorms National Park Authority's (CNPA) Internal Audit Annual Report for 2024/25, prepared by Azets. The report summarizes the conclusions and key findings from internal audit work undertaken at the CNPA during the year ending 31 March 2025, including an overall opinion on CNPA's internal control system. The audit found that the CNPA has a reasonable framework for governance, risk management, and controls. The report also covers the scope of work, the planning process, and progress in implementing previous audit actions, and it includes a summary of a quality assurance assessment which found that Azets Risk Assurance generally conforms to standards.

This document contains an internal audit plan for the Cairngorms National Park Authority's Audit and Risk Committee, prepared by Louise Allen, Graham Gillespie, and Peter Clark. The plan is for 2025-26 and future years, and the committee is asked to consider the auditor's proposal and assess the plan to ensure it meets the Park Authority's needs for assurance. The report includes information on the approach to developing an Audit Needs Assessment, the operational plan for 2025-26, a three-year needs assessment, and appendices that tie the proposed work to the Authority's strategic risk register. The auditor will present the report and answer any questions from the committee.

This document contains the Audit Needs Assessment for the Cairngorms National Park Authority, created by Wbg Services LLP. It covers the period from 2025/26 to 2027/28 and outlines the planned internal audits, their scope, and the proposed audit team. The document includes an introduction to the Internal Audit Service, the approach to planning the audits, the operational plan for 2025/26, and the initial three-year audit needs assessment. It also provides information on reporting arrangements, grading structure, key performance indicators, training topics, an assurance map, and the audit universe. The Audit Needs Assessment will be presented to the Audit & Risk Committee for discussion and approval in June 2025.

This document contains an external audit update for the Audit and Risk Committee, dated 20 June 2025. The purpose of the report, prepared by Louise Allen and Tom Reid of Mazars, is to present the audit of the annual report and accounts for 2024-25. The Audit and Risk Committee is asked to consider the auditor's report and its progress. The report gives information on the audit's progress and links to national publications relevant to the Cairngorms National Park Authority. The auditor will present their report and answer any questions from the Committee.

This document contains an Audit Progress Report for the Cairngorms National Park Authority (CNPA) for the year ending 31 March 2025. It's being presented to the Audit and Risk Committee on 20 June 2025. The report provides an update on the external auditors' progress, noting a slightly delayed fieldwork phase, now planned for 30 June. It covers the status of the audit, including income and expenditure testing, and walkthroughs of key business processes. It also includes national publications from Audit Scotland on auditing climate change and from Forvis Mazars on climate-related financial disclosures in the public sector, and on challenges and innovations in the public and social sectors.

This document contains information for the Audit and Risk Committee of the Cairngorms National Park Authority, prepared by Louise Allen, Head of Finance and Corporate Operations, for discussion on 20 June 2025. The paper reviews the Park Authority's strategic risk management position and the Cairngorms 2030 programme risk management position, detailed in Annexes 1 and 2. The Committee is asked to consider the coverage and adequacy of the risk management positions, advising on any gaps or amendments required. The strategic risk register has 13 active risks, with six carrying a high risk score. Risk 5 is now considered managed, and vacant posts in the Engagement team have been filled. The total programme risk profile remains at Amber due to funding risks for Active Transport projects. The Committee is invited to consider the current coverage of the risk registers and provide feedback.

This document contains a risk assessment for the Cairngorms 2030 programme, reviewed on 22 February 2024. It identifies several risks, including potential funding shortfalls from Sustrans Scotland affecting project timelines and match funding, with the Active Communities project particularly impacted. Mitigation strategies include revising delivery plans, ongoing discussions with the Scottish Government and Transport Scotland, and increased monitoring of cash flow. Procurement standards and staffing levels are also identified as risks, with measures being taken to improve compliance and address staff turnover. The Park Authority is prepared to increase its core match funding in 2025/2026 to progress the transport project if Sustrans/Transport Scotland funding is not paid as planned.

This document contains a risk assessment from the Audit and Risk Committee on 15 June 2025 that focuses on several key areas, including financial resources, staffing, technical systems, and strategic delivery within the Cairngorms National Park Authority (Park Authority). The assessment identifies potential risks like insufficient funding, staffing skill gaps, cyber security threats, and challenges in delivering the Cairngorms 2030 community transport infrastructure enhancements. It also details existing preventative and remedial actions to mitigate these risks, such as ongoing discussions with the Scottish Government, recruitment efforts, and development of business continuity plans. The document further notes the target risk levels, risk owners, and the dates of the last updates.

This document contains an update for the Audit and Risk Committee on information requests and complaints handled by the Cairngorms National Park Authority. It covers the financial year 2024/25, providing data on Freedom of Information (Scotland) Act (FOISA) and Environmental Information (Scotland) Regulations (EIR) requests, as well as subject access requests and formal complaints. The report highlights the volume of requests, how well the Park Authority meets deadlines, and the nature of complaints received, with most requests coming from corporate services, and most complaints relating to planning. The Park Authority aims to resolve complaints quickly and has a process for handling them.

This document contains a procurement action plan for the Cairngorms National Park Authority, prepared by Louise Allen, Head of Finance and Corporate Operations. The plan aims to improve the Park Authority's procurement processes and internal controls, and it was developed following an internal audit. The Audit and Risk Committee is asked to review progress on the improvement programme and consider passing monitoring responsibilities back to the senior team. While nine actions are complete, some outstanding actions remain in progress, including staff training and the development of project initiation guidance and procurement Key Performance Indicators (KPIs). The committee might relinquish responsibility for monitoring the action plan and the senior team will continue to monitor the progress.

This document contains the Procurement Action Plan from the Cairngorms National Park Authority, presented to the Audit and Risk Committee on 20 June 2025. The plan outlines ongoing and completed actions related to procurement, including providing staff training, formalizing controls, developing key performance indicators (KPIs), updating policies and procedures, drafting templates, reviewing contracts, developing reporting mechanisms, and setting up a contracts register. The document specifies target dates, responsible officers, progress updates, and dates of review for each action item. Some actions are ongoing, while others are marked as complete with further development planned.

This document contains an update for the Audit and Risk Committee from David Cameron, Deputy Chief Executive and Director of Corporate Services, regarding outstanding internal audit recommendations relating to information technology, cyber security, and information management. The paper suggests replacing existing outdated recommendations with revised actions. The committee is asked to agree to supersede six prior internal audit recommendations, adopt three replacement actions, receive progress updates, and ensure internal audit work reflects the Park Authority's evolving operating environment for information technology and data services. The Park Authority is currently developing a new strategic overview and updated long-term direction for its information technology and Information Management, with key actions underway including establishing an information technology strategy, embedding information management approaches, and developing a business continuity plan.