CAIRNGORMS NATION­AL PARK AUTHORITY

Audit & Risk Com­mit­tee Paper 4 Annex 1 08/03/19

Gov­ernance Statement

Scope of Responsibility

As Account­able Officer I am respons­ible for main­tain­ing sound sys­tems of intern­al con­trol which sup­ports the achieve­ment of Cairngorms Nation­al Park Authority’s policies, aims and object­ives, whilst safe­guard­ing the pub­lic funds and depart­ment­al assets for which I am per­son­ally respons­ible in accord­ance with the Man­age­ment State­ment agreed between the Park Author­ity and Scot­tish Gov­ern­ment, and also respons­ib­il­it­ies assigned to me in the Scot­tish Pub­lic Fin­ance Manu­al (SPFM).

The SPFM, issued by the Scot­tish Min­is­ters, provides guid­ance to the Scot­tish Gov­ern­ment and oth­er rel­ev­ant bod­ies on the prop­er hand­ling of pub­lic funds. The SPFM sets out the rel­ev­ant stat­utory, par­lia­ment­ary and admin­is­trat­ive require­ments for hand­ling pub­lic funds, emphas­ises the need for eco­nomy, effi­ciency and effect­ive­ness, and pro­motes good prac­tice and high stand­ards of pro­pri­ety. I am respons­ible as Account­able Officer to ensure the Park Authority’s intern­al con­trol sys­tems com­ply with the require­ments of the SPFM.

The Man­age­ment State­ment sets out the role of the Park Authority’s Board in provid­ing lead­er­ship and gov­ernance. The gov­ernance respons­ib­il­it­ies of the Board are sup­por­ted by Stand­ing Orders last revised and adop­ted in 2019; a Code of Con­duct revised and adop­ted in 2014; a group of pro­fes­sion­al, seni­or staff advisors; and appro­pri­ate Board train­ing and devel­op­ment pro­cesses. As a body, the Park Author­ity aims for the highest stand­ard in cor­por­ate governance.

Oth­er than the resource alloc­a­tion let­ters issued to me over the course of the year, there are no oth­er writ­ten author­it­ies provided to the Account­able Officer in ²⁰¹⁸⁄₁₉ bey­ond those doc­u­ments referred to above.

The Oper­a­tion of the Board and Sub-committees

The full Board meets reg­u­larly in pur­su­ance of its stra­tegic object­ives, set out in the approved Cor­por­ate Plan. Meet­ings are sched­uled quarterly, with addi­tion­al meet­ings con­vened as required. Agen­das and papers are pub­lished and placed in the pub­lic domain and meet­ings are open to pub­lic attend­ance wherever possible.

In addi­tion to these full form­al Board meet­ings, Board mem­bers also par­ti­cip­ate in inform­al dis­cus­sion ses­sions in which emer­ging policy issues and pro­pos­als can be dis­cussed and a pre­ferred stra­tegic dir­ec­tion iden­ti­fied pri­or to fuller, open con­sid­er­a­tion at form­al meet­ings. Inform­al dis­cus­sion ses­sions also provide an oppor­tun­ity to take for­ward Board train­ing and aware­ness rais­ing on spe­cif­ic sub­jects of rel­ev­ance to the Authority’s stra­tegic objectives.

Cor­por­ate Governance

Since the Park Authority’s incep­tion, sub-Com­mit­tees are in place with del­eg­ated respons­ib­il­ity to over­see and scru­tin­ise the Park Authority’s deploy­ment and man­age­ment of resources. There are four sub-Com­mit­tees in place: Fin­ance and Deliv­ery, Staff­ing and Recruit­ment, Audit and Risk, and a Plan­ning Com­mit­tee which deals with all aspects of the Park Authority’s stat­utory plan­ning responsibilities.

The Audit and Risk Com­mit­tee leads on the over­sight of all aspects of the organisation’s intern­al man­age­ment and con­trol sys­tems, the annu­al accounts and audit pro­cess, as well as tak­ing a lead in stra­tegic risk man­age­ment. The Com­mit­tee takes respons­ib­il­ity for ensur­ing that risks impact­ing on stra­tegic object­ives are iden­ti­fied and mit­ig­ated as well as ensur­ing that risk man­age­ment is embed­ded through­out the Park Authority’s operations.

The Audit and Risk Com­mit­tee is sup­por­ted by the Park Authority’s intern­al (BDO LLP) and extern­al aud­it­ors (Grant Thornton LLP), who both have rights of inde­pend­ent access to the Com­mit­tee and to its Con­vener. The Audit and Risk Com­mit­tee is tasked with mon­it­or­ing the oper­a­tion of the intern­al con­trol func­tion and bring­ing any mater­i­al mat­ters to the atten­tion of the full Board. Detailed find­ings of all audit reviews are made avail­able to both man­age­ment and the Audit and Risk Com­mit­tee. The Audit and Risk Com­mit­tee meets a min­im­um of three times each year and reports annu­ally to the Board on the adequacy and effect­ive­ness of the Park Authority’s intern­al con­trols, and more widely on its work in the pre­ced­ing year.

The Board has con­tin­ued a pro­cess of self-eval­u­ation of effect­ive­ness and gov­ernance over the course of ²⁰¹⁸⁄₁₉, these pro­cesses hav­ing been ini­ti­ated under the ​“Lead­er­ship” ele­ment of the first Organ­isa­tion­al Devel­op­ment Strategy in ²⁰¹⁵⁄₁₆. Oth­er ele­ments of Board gov­ernance and effect­ive­ness are reviewed and sup­por­ted by seni­or officers as ques­tions or rel­ev­ant mat­ters arise.

The Board has also adop­ted a set of Cor­por­ate Per­form­ance Indic­at­ors through which to improve its over­sight of deliv­ery against key stra­tegic object­ives and mon­it­or achieve­ment of the Park Authority’s Cor­por­ate Plan. The Board receives a detailed report twice each year on deliv­ery against the Cor­por­ate Plan and the Authority’s con­tri­bu­tion to deliv­er­ing Nation­al Park Part­ner­ship Plan pri­or­it­ies. These twice-yearly reports also high­light pro­gress against per­form­ance indic­at­ors adopted.

Peri­od­ic reports from inde­pend­ent intern­al and extern­al aud­it­ors form a key and essen­tial ele­ment in inform­ing my review of the effect­ive­ness of the sys­tems of intern­al con­trol with­in the Park Author­ity. The Board’s Audit and Risk Com­mit­tee also plays a vital role in this regard, through its con­sid­er­a­tion of audit recom­mend­a­tions arising from reviews of intern­al con­trol sys­tems and its scru­tiny of pro­posed man­age­ment action to address any improve­ments required.

Shared Ser­vices Delivery

The Author­ity plays an import­ant role in provid­ing sup­port over a range of activ­it­ies to loc­al com­munit­ies and organ­isa­tion to help deliv­er the Nation­al Park Part­ner­ship Plan’s pri­or­it­ies. In the last year we have sup­por­ted the Out­door Access Trust for Scot­land, Cairngorms LEAD­ER Pro­gramme Loc­al Action Group, the Tomin­toul and Glen­liv­et Land­scape Part­ner­ship, the Great Place Badenoch Pro­ject as well as the Caper­cail­lie Frame­work. Our man­age­ment and intern­al con­trol struc­tures ensure that sup­port for these entit­ies are sep­ar­ated from the core activ­it­ies of the Author­ity, while ensur­ing that sup­port gen­er­ally achieves ​“best practice”.

The Author­ity is also act­ive in both deliv­er­ing shared ser­vices to oth­er pub­lic bod­ies (for example Scot­tish Land Com­mis­sion and Loch Lomond and the Trossachs NPA, LLT­NPA) and also receiv­ing shared ser­vices sup­port from oth­ers (LLT­NPA). In deliv­er­ing and using shared ser­vices the Author­ity drives effi­cien­cies and best value in pub­lic ser­vice deliv­ery and in use of pub­lic funds.

Intern­al Audit

The intern­al audit func­tion is an integ­ral ele­ment of scru­tiny of the Park Authority’s intern­al con­trol sys­tems. BDO LLP was appoin­ted as the Park Authority’s intern­al aud­it­ors in 2016 and have under­taken a com­pre­hens­ive review of key intern­al con­trol sys­tems since their appoint­ment. Dur­ing the year to 31 March 2019, they have repor­ted to the Audit and Risk Com­mit­tee on deliv­ery against their intern­al audit plan for ²⁰¹⁸⁄₁₉ com­pris­ing inde­pend­ent reviews of:

• Gov­ernance & risk
• Busi­ness Per­form­ance Management
• Busi­ness Con­tinu­ity Planning
• Intern­al con­trol systems
• Fin­an­cial Planning
• LEAD­ER administration
• Resource Plan­ning
• Part­ner­ship Management
• Stra­tegic Planning

Recom­mend­a­tions made by BDO are con­sidered and imple­men­ted as appro­pri­ate. A full fol­low-up review of action taken on recom­mend­a­tions for improve­ment is under­taken each year.

The extern­al aud­it­ors, Grant Thornton LLP, review key sys­tems to form a view on the effect­ive­ness of con­trol arrange­ments, which in turn sup­ports their audit opin­ion on the fin­an­cial statements.

Best Value

The Audit and Risk Com­mit­tee con­tin­ues to mon­it­or the Authority’s adher­ence to Scot­tish Gov­ern­ment Best Value guidelines. We launched Phase two of our Organ­isa­tion­al Devel­op­ment Strategy in ¹⁷⁄₁₈, to improve the Park Authority’s pro­cesses and ser­vices, and deliv­ery has con­tin­ued in ¹⁸⁄₁₉.

Risk Man­age­ment

All bod­ies to which the SPFM applies must oper­ate a risk man­age­ment strategy in accord­ance guid­ance issued by Scot­tish Min­is­ters. The SPFM also sets out the gen­er­al prin­ciples for a suc­cess­ful risk man­age­ment strategy.

The Board recog­nises the import­ance of risk man­age­ment and con­tin­ues to mon­it­or the Park Authority’s Stra­tegic Risk Register. The Stra­tegic Risk Register records risks, action taken to mit­ig­ate the iden­ti­fied risks and seni­or management’s respons­ib­il­ity for lead­ing on mit­ig­a­tion gen­er­ally. The Stra­tegic Risk Register has con­tin­ued to be reviewed and updated by Board, Audit and Risk Com­mit­tee and Seni­or Man­age­ment Team three to four times each year.

The Audit and Risk Com­mit­tee with the Seni­or Man­age­ment Team lead on embed­ding risk man­age­ment pro­cesses through­out the Park Author­ity. Both groups con­sider the man­age­ment of stra­tegic risk in line with the Risk Strategy and seek to ensure that the required actions are appro­pri­ately reflec­ted and incor­por­ated in oper­a­tion­al deliv­ery plans. A revised Risk Man­age­ment Strategy was adop­ted by the Audit and Risk Com­mit­tee in 2016, with the Com­mit­tee also receiv­ing an intern­al audit report on the effect­ive­ness of oper­a­tions of risk man­age­ment with­in the organ­isa­tion in that year.

The Seni­or Man­age­ment Team refreshed the Stra­tegic Risk Register with ref­er­ence to the new Cor­por­ate Plan, cov­er­ing 1 April 2018 to 31 March 2022. The refreshed Stra­tegic Risk Register was presen­ted to the Board in June 2018, and mon­it­or­ing and revi­sion is ongoing.

Data Secur­ity

Pro­ced­ures are in place to ensure that inform­a­tion is being man­aged in accord­ance with legis­la­tion and that data is held accur­ately and securely. The Park Author­ity has no repor­ted nor recor­ded instances of data loss over the course of the year.

Shared ser­vices arrange­ments remain in place with Loch Lomond and the Trossachs Nation­al Park Author­ity to sup­port the Park Authority’s data back-up arrange­ments and work con­tin­ues to enhance and improve data security.

Dur­ing the year the Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR) reg­u­la­tions came into force. Organ­isa­tion­al con­trol arrange­ments have been reviewed and staff have been giv­en suit­able train­ing to ensure data man­age­ment with­in the Author­ity is com­pli­ant with GDPR. Also in the year the Cyber Essen­tials Plus accred­it­a­tion was achieved with the Park Author­ity now on the path of annu­al reviews to ensure that its Inform­a­tion and Com­mu­nic­a­tion Tech­no­lo­gies (ICT) remain fit for pur­pose and that all reas­on­able steps are taken to min­im­ise the risk of data loss or com­prom­ise of sys­tems due to Cyber Attacks.

Late in the year work began on intro­du­cing and imple­ment­ing an Elec­tron­ic Doc­u­ment Man­age­ment Sys­tem and Cus­tom­er Rela­tion­ship Man­age­ment (CRM) system.

Con­clu­sion

As Account­able Officer I am respons­ible for review­ing the effect­ive­ness of the sys­tem of intern­al con­trol. In order to do this my review is informed by:

a) The exec­ut­ive Dir­ect­ors and Man­agers with­in the organ­isa­tion who have respons­ib­il­ity for the devel­op­ment and main­ten­ance of the intern­al con­trol frame­work and who provide assur­ance on sys­tems with­in reg­u­lar Seni­or Man­age­ment Team meet­ings; b) Intern­al mon­it­or­ing of con­trol sys­tems by staff against SPFM require­ments; c) The work of the intern­al aud­it­ors, who sub­mit reg­u­lar reports to the Audit and Risk Com­mit­tee which include the Head of Intern­al Audit’s inde­pend­ent and object­ive opin­ion on the adequacy and effect­ive­ness of our sys­tems of intern­al con­trol togeth­er with recom­mend­a­tions for improve­ment; d) Com­ments made by the extern­al aud­it­ors in their man­age­ment let­ter and oth­er reports.

I am sup­por­ted by a Cor­por­ate Ser­vices Dir­ect­or, who in turn is sup­por­ted by the Cor­por­ate Ser­vices staff group, and who provides seni­or man­age­ment lead­er­ship on the fin­an­cial man­age­ment, intern­al con­trols and gov­ernance arrange­ments. I take assur­ance from the effect­ive­ness of intern­al con­trol sys­tems, fin­an­cial man­age­ment and plan­ning pro­cesses and risk man­age­ment from the assur­ances received from the Cor­por­ate Ser­vices Director.

As Account­able Officer, I have also been advised on the implic­a­tions of the review of the effect­ive­ness of the sys­tem of intern­al con­trol by the Board and its Audit and Risk Com­mit­tee. Appro­pri­ate action is taken against any weak­nesses iden­ti­fied, and to ensure con­tinu­ous improve­ment of our systems.

[(The intern­al auditor’s annu­al report for ²⁰¹⁸⁄₁₉ states that, based on the work under­taken over the course of the year, the Authority’s sys­tems provide a reas­on­able basis for main­tain­ing con­trol and that the con­trol frame­work provides reas­on­able assur­ance regard­ing the effect­ive and effi­cient achieve­ment of stra­tegic object­ives. – based on ¹⁷⁄₁₈ accounts state­ment: to be amended pri­or to finalisation)]