Audit & Risk Committee - May 2022

This document contains the draft minutes from a Cairngorms National Park Authority Audit and Risk Committee meeting held on 11 February 2022. The meeting covered several topics including the approval of minutes from a previous meeting, a review of the external audit plan, discussions about the internal audit of financial management and reporting, assurance mapping of major projects and the strategic internal audit plan for 2022/23. The committee also reviewed the strategic risk management overview, focusing on the Heritage Horizons programme and other key risks, and discussed upcoming board election processes. The next meeting was scheduled for 13 May 2022.

This document contains an internal audit report on the Cairngorms National Park Authority's ICT strategy. The audit, conducted by Azets, found four areas needing improvement. All recommendations for improvement have been accepted, with actions, responsibilities, and timetables outlined. Two recommendations had high-risk exposure and two were moderate. Two control objectives were achieved, but with room for improvement, while two more were not achieved due to inadequate controls. The Audit and Risk Committee is asked to review the report's findings and endorse the management's response.

This document contains the Cairngorms National Park Authority's 2021/22 Internal Audit Report on its ICT strategy. The review found that the IT and Data Strategy lacked clearly defined objectives and timelines, and didn't include a financial plan. Consequently, there were no operational plans in place to support the strategy's implementation. The report recommends creating clear objectives, a financial plan, and detailed operational plans with assigned staff and deadlines to improve the effectiveness of the IT and Data Strategy. Several action plans are outlined to address these issues and ensure better alignment with the Authority's overall corporate strategy.

This document contains the Cairngorms National Park Authority's (CNPA) internal audit report on cyber security. An independent review found that four recommendations for improvement were made, all of which the CNPA accepted. Three of these recommendations addressed high-risk areas, while one was considered moderate risk. The audit also assessed four control areas, with one area meeting objectives (though with room for improvement) and three areas failing to meet objectives due to inadequate controls. The Audit and Risk Committee is asked to review the report's findings and endorse the CNPA's planned responses.

This document contains the Cairngorms National Park Authority's 2021/22 internal audit report on cyber security. The review found that while the Park Authority has some good technical security measures, improvements are needed. Specifically, they need better procedures for handling cyber events, and to improve the low (58%) completion rate of cyber security training. The report also recommends a more proactive approach to managing cyber risks, including a formal risk assessment and risk register. Several recommendations for improvement are included, with assigned owners and due dates.

This document contains the Cairngorms National Park Authority's internal audit report for 2021/22, focusing on management action follow-up. The report summarizes progress made by management in implementing agreed actions from previous audits. It shows that eight actions were completed, three are no longer applicable, and many are partially complete or overdue. The report highlights a high number of outstanding actions, particularly those assessed as low or moderate risk, and asks the Audit and Risk Committee to note the progress and approve actions with revised timescales. Appendices detail action status by report, outstanding actions past their due dates, and audit risk categorizations.

This document contains the Cairngorms National Park Authority's May 2022 Internal Audit Progress Report. It summarizes internal audit activities since the last Audit and Risk Committee meeting. Fieldwork has begun on two audits: Performance Management and Workforce Management and Planning. The report confirms that the audit plan remains unchanged and on schedule. The next Audit and Risk Committee meeting in August 2022 will receive reports on Performance Management and Workforce Management and Planning. The committee is asked to review the report and approve the next quarter's plan.

This document contains the Cairngorms National Park Authority's internal audit annual report for 2021/22. The report, completed in May 2022 by Azets, confirms that the Park Authority has a good system of internal controls that ensures its objectives are met effectively and efficiently. The audit covered 51 days of work, fulfilling the planned schedule with no limitations. The report highlights some areas for improvement, particularly in financial management, project management, and the ICT strategy, but also notes that management is addressing these issues. The audit service's quality and compliance with relevant standards were confirmed through internal and external assessments.

This document contains an overview of the Cairngorms National Park Authority's strategic risk management. It presents an updated strategic risk register, reviewed in May 2022 by the Senior Management Team. The Audit and Risk Committee is asked to review this register, agreeing on any needed changes or mitigation actions. The document also notes that one risk shows consistent improvement and may be closed, while two IT-related risks could be combined. Finally, the report mentions the Heritage Horizons Programme's risk management, which is handled separately and not included in this document.

This document contains the Cairngorms National Park Authority's strategic risk register, a list of potential problems and how the Park Authority plans to deal with them. The register covers various areas, including finances, staffing, IT systems, and community engagement. For each risk, the document identifies the level of risk, the actions being taken to reduce the risk, and the overall trend of the risk (improving, stable, or worsening). The document shows that the Park Authority is actively managing these risks, using a variety of preventative and remedial actions.

This document contains a draft Governance Statement for the Cairngorms National Park Authority covering the year 2021/22. The Audit and Risk Committee needs to review this draft and, if they agree with any changes, approve it for inclusion in the Authority's annual report. The statement will include details about the Park Authority's governance structure, how it operates, a risk assessment, and any significant issues. The Scottish Public Finance Manual (SPFM) outlines the essential features that the statement must have, and the Committee is asked to consider these when reviewing the draft.

This document contains a governance statement from the Cairngorms National Park Authority (CNPA). The CNPA's Accountable Officer is responsible for maintaining sound internal controls, guided by the Scottish Public Finance Manual (SPFM). The Board, with 19 members from various backgrounds, oversees governance through committees covering planning, resources, performance, and audit and risk. Regular meetings, self-evaluations, and internal and external audits ensure accountability and continuous improvement. The CNPA also shares services with other organizations and actively manages risks through a risk register and strategic plans. A focus on data security and a robust business continuity plan ensured continued operations during the COVID-19 pandemic. The Authority is transitioning to hybrid working arrangements.

This document contains information on complaints received by the Cairngorms National Park Authority between September 2021 and April 2022. Eight complaints were received; five were dealt with quickly at a basic level, while three needed a more thorough investigation. Most investigations were completed within the 20 working days' target, although one took longer due to the Christmas holidays. The Authority wasn't aware of any complaints being escalated to the Scottish Public Services Ombudsman (SPSO), but complainants have twelve months to do so.