Audit & Risk Committee - March 2020

This document contains the draft minutes of the Cairngorms National Park Authority Audit and Risk Committee meeting held on 6 December 2019. The meeting covered several topics, including approving the minutes of the previous meeting, discussing criteria for assessing private finance proposals, reviewing the handling of an information request, and examining internal audit reviews of payroll and expense claims processes. The committee also considered the external auditor's annual audit plan and received an update on complaints handling, with action points arising related to marketing investment opportunities, refining criteria for assessing private finance proposals, and improving documentation processes. The next meeting was scheduled for 6 March 2020.

This document contains an internal audit review of the Cairngorms National Park Authority's staff appraisal and objective setting approaches. As part of the 2019-20 internal audit plan, the design and operational effectiveness of these processes were reviewed. The audit graded the effectiveness as moderate and made one medium-level and three low-level recommendations for improvement. Management has accepted all recommendations, and their responses and timelines for action are detailed in Annex 1. The Audit and Risk Committee are asked to consider the internal auditor's findings and endorse management responses to the recommended actions.

This document contains an internal audit report from November 2019 regarding staff objective setting and appraisals at Cairngorms National Park Authority. The audit found a generally sound system of internal control, but identified some areas for improvement, such as ensuring all staff participate in regular performance development conversations and that job plans align with the Authority's corporate plan. The audit team made several recommendations, including spot checks on staff and manager diaries and adding a field to the job plan template to reference corporate plan priorities. Management agreed with the recommendations and planned to implement them, with a moderate level of assurance provided for the design and operational effectiveness of the objective setting and appraisal process.

This document contains an internal audit review of the Cairngorms National Park Authority's processes for handling Freedom of Information (Scotland) Act 2002 (FOISA) requests. Following a review triggered by the Scottish Information Commissioner, the audit assessed the design and operational effectiveness of the Authority's arrangements. The audit graded both as moderate and made one medium-level and five low-level recommendations for improvement, which management has accepted and outlined in Annex 1 along with action timetables. The Audit & Risk Committee is asked to consider the internal auditor's findings and endorse management responses to recommended actions.

This document contains an internal audit report on the Cairngorms National Park Authority's (CNPA) Freedom of Information (FOI) practices from January 2020. The audit reviewed the design and operational effectiveness of the CNPA's arrangements for managing Freedom of Information (Scotland) Act (FOISA) and Environmental Information (Scotland) Regulations (EIR) requests. The audit gave a moderate assurance level and identified areas of good practice, such as mandatory FOI e-learning for new staff and regular FOI team meetings. However, the audit also found inconsistencies in how FOI and EIR requests were handled, instances of responses exceeding the 20-day deadline, and the need to update the FOI policy and guidance. The report recommends several actions, including creating flowcharts for FOI processes, providing refresher training on General Data Protection Regulation (GDPR), and updating procedures to ensure timely responses.

This document contains an internal audit review of project finances for the Cairngorms National Park Authority's Audit and Risk Committee. The purpose is to share the internal auditor's findings. The Audit and Risk Committee is asked to consider these findings and endorse management's responses to recommended actions. The audit reviewed the effectiveness of the Authority's project finance management. The design and operation of the Authority's processes were graded as moderate, with internal auditors making some recommendations for improvement which have all been accepted by management.

This document contains an internal audit report from December 2019 regarding project financing arrangements at Cairngorms National Park Authority (CNPA). The audit, conducted in November and December of 2019, reviewed the design and operating effectiveness of controls around project financing for four projects: LEADER, Tomintoul & Glenlivet Landscape Partnership (T&G), Capercaillie, and the Great Place Badenoch Project (GPB). While the audit found some good practices, it also identified areas for improvement, with an overall moderate level of assurance. Recommendations include regular management review of accounts, better documentation for claims, improved cash flow forecasting for T&G, and regular forecasting of CNPA's year-end position, with project managers needing to submit progress reports to National Lottery Heritage Fund (NLHF) in a timely manner.

This document contains an internal audit report for the Cairngorms National Park Authority's Audit and Risk Committee, dated 27 March 2020. The report, prepared by David Cameron, Director of Corporate Services, includes a follow-up review by BDO, the Authority's internal auditors, on the implementation of internal audit recommendations and an annual internal audit report for 2019/20. The report highlights progress made in addressing identified internal controls and process improvements, noting that 75% of recommendations with action due have been completed or are in progress. The Audit and Risk Committee is asked to consider the follow-up action on internal audit recommendations and note the internal auditor's Annual Report for 2019/20.

This document contains an internal audit report for the Cairngorms National Park Authority (Park Authority), dated March 2020, which follows up on the implementation status of 44 recommendations raised from previous internal audit work. The recommendations relate to 16 audit areas, including risk management, financial processes, grant funding, partnership management, and information technology (IT) general controls. As of March 2020, 8 recommendations (22%) were fully implemented, 19 (51%) were partially implemented, and 9 (24%) were not implemented. The report also identifies responsible officers and implementation dates for each recommendation. BDO LLP conducted the audit and thanks Park Authority staff for their help in the review.

This document contains the Internal Audit Annual Report for 2019-20 for the Cairngorms National Park Authority (Park Authority), prepared in March 2020 by BDO LLP. The report provides an independent assessment of the Park Authority's risk management, control, and governance processes. It reviews control policies and procedures, and evaluates the effectiveness of risk management activities. The report summarizes recommendations made across seven completed reviews, and details the progress made in implementing previous internal audit recommendations. It also includes an annual statement of assurance, concluding on the adequacy and effectiveness of Audit Scotland's risk management, governance, and internal control processes based on the audits conducted.

This document contains a draft Governance Statement from the Cairngorms National Park Authority for inclusion in its annual accounts for 2019/20. The statement, prepared by Daniel Ralph, Finance Manager, and David Cameron, Director of Corporate Services, outlines the governance framework, the operation of the governing board, and an assessment of corporate governance. It also details the organisation's risk management arrangements and any significant risk-related matters, as well as any data security lapses. The Audit & Risk Committee is asked to consider and endorse the draft Governance Statement, subject to any necessary amendments. The Committee should also provide feedback on the accuracy of the statement based on their experiences.

This document contains a governance statement from the Cairngorms National Park Authority, focusing on the scope of responsibility, the operation of the Board and sub-committees, the Audit and Risk Committee, shared services delivery, internal and external audits, risk management, and data security. As Accountable Officer, the author details their responsibility for maintaining sound internal control systems that align with the Park Authority's policies and objectives. The Board, comprised of 19 members, meets regularly to consider strategy and performance, supported by sub-committees, internal audits by BDO LLP, and external audits by Grant Thornton LLP. The Park Authority also engages in shared service arrangements with other public bodies and emphasizes risk management and data security, aiming for continuous improvement and adherence to Scottish Government Best Value guidelines.

This document contains an update for the Cairngorms National Park Authority Audit & Risk Committee on 27 March 2020. Prepared by David Cameron, Director of Corporate Services, the update covers the Authority's strategic risk management, management's review of actions taken, and current risk status. The paper also supports a discussion on the risk management approach to be taken around the management of the current Coronavirus pandemic. The Audit & Risk Committee is asked to consider updates to the Strategic Risk Register, incorporate additional risks if needed, and agree that the Director of Corporate Services should develop a draft risk register around the management of the Coronavirus. The Strategic Risk Register covers the delivery of the 2018 to 2022 Corporate Plan. The Annex specifies senior managers responsible for the management of each risk, together with a brief commentary on the management actions being taken to mitigate the risk.

This document contains the Cairngorms National Park Authority's strategic risk register from March 2020, which identifies and assesses key risks that could impact the delivery of the corporate plan. The register includes information on crossover risks such as resource constraints, wider government and policy changes, and the impact of leaving the European Union. It also addresses staffing capacity, financial stability, IT security, and reputational risks along with specific concerns around partnership working, housing delivery and the need for strong governance and communication. For each risk, the document outlines preventative and remedial mitigation strategies, along with a summary of comments and whether the trend of the risk is increasing, decreasing, or static.