Skip to content
Please be aware the content below has been generated by an AI model from a source PDF.

190503 Approved ARC Minute

CAIRNGORMS NATION­AL PARK AUTHORITY

Approved MINUTES AUDIT & RISK COM­MIT­TEE 03/05/19

Approved MINUTES of MEET­ING of the AUDIT & RISK COM­MIT­TEE of THE CAIRNGORMS NATION­AL PARK AUTHORITY

held in Grant Room, Am Fas­gadh, High­land Folk Museum, New­ton­more on 3 May 2019

Present:

  • Peter Argyle
  • Janet Hunter
  • John Lath­am
  • Dr Gaen­er Rodger (Vice Chair)

In Attend­ance:

  • Claire Robertson, BDO via tele­phone conference
  • Grant Moir, Chief Executive
  • Dav­id Camer­on, Dir­ect­or of Cor­por­ate Services
  • Danie Ral­ph, Fin­ance Manager
  • Alix Hark­ness, Clerk to the Board
  • John Kirk, Board Member

Apo­lo­gies:

  • Judith Webb
  • John Boyd, Grant Thornton

Elec­tion of Com­mit­tee Vice-Chair

  1. Dav­id Camer­on high­lighted that accord­ing to Stand­ing Orders fol­low­ing the revi­sion of Board mem­ber­ship on Com­mit­tees and Groups at the Decem­ber 2018 Board meet­ing, the Elec­tion of Com­mit­tee Vice-Chair was due to take place. He there­fore asked for nom­in­a­tions for the Vice-Chair of the Committee.

  2. Nom­in­a­tions were made. Janet Hunter nom­in­ated Gaen­er Rodger and this was seconded by Peter Argyle. Gaen­er Rodger accep­ted this nom­in­a­tion. Mem­bers present con­firmed that Gaen­er Rodger take on the role of Com­mit­tee Vice-Chair. There being only one nom­in­a­tion, it was declared that Gaen­er Rodger be appoin­ted as Vice-Chair.

  3. Action:

    • Gaen­er Rodger to take the pos­i­tion of Vice-Chair of the Audit & Risk Com­mit­tee to last until the next 3 year revi­sion of com­mit­tee memberships.

Wel­come and Apologies

  1. Every­one was wel­comed to the meet­ing by the Vice-Chair and the apo­lo­gies were noted.

  2. The Vice-Chair exten­ded the Audit & Risk Committee’s thanks to Dave Fal­lows for his hard work on this Com­mit­tee over the years. Dav­id Camer­on agreed to pass these thanks on to him.

  3. Action:

    • Dav­id Camer­on to pass the Audit & Risk Committee’s thanks onto Dave Fallows.

Minutes of Pre­vi­ous Meeting

  1. The draft minutes of the 8 March 2019 meet­ing were approved sub­ject to the fol­low­ing amendment:

    • At 24i: will be dealt with­in the Board Terms of Ref­er­ence paper, (Paper 5 on today’s agenda).
  2. The draft minutes of the 29 March 2019 meet­ing were approved with no amendments.

Mat­ters Arising

  1. Dav­id Camer­on reminded the Com­mit­tee that at the last meet­ing they had agreed the final pro­posed Intern­al Audit Plan for 2019/2020 so that the two items sched­uled for spring 2019 could begin. He explained the fol­low­ing points:

    • He is happy from author­ity per­spect­ive with the pro­pos­als set out in the plan, which will cov­er off areas like expenses claims. This is an admin­is­trat­ively heavy area, which as well as cov­er­ing reg­u­lar­ity of expenses claims, Dav­id inten­ded that the audit included an advis­ory ele­ment to cov­er prac­tise used in oth­er organ­isa­tions to learn how to mod­ern­ise and pos­sibly sim­pli­fy process.
    • The Com­mit­tee will be asked to endorse this change in scope in the intern­al audit plan for 201920 sub­sequently on the agenda.
  2. Dav­id Camer­on repor­ted that move­ment on the out­stand­ing actions through­out and lis­ted at the bot­tom of the 8 March 2019 Audit & Risk Com­mit­tee Minutes are:

    • Audit & Risk Com­mit­tee mem­ber train­ing – Open – Option to hold half day ses­sion on a Thursday after­noon pri­or to Fri­day Board ses­sion, 13 June pri­or to 14 June Board was sug­ges­ted as a pos­sible date. Doodle poll of poten­tial future dates to be arranged as the Chair can­not make 13th June. Dav­id Camer­on agreed to let LLT­NP know once a date had been set to invite their Audit & Risk Com­mit­tee mem­bers along if they are available.
    • Audit & Risk Com­mit­tee mem­ber induc­tion pack – Open – Delayed until after the mem­ber train­ing has taken place.
    • Risk Mit­ig­a­tion action for LEAD­ER Account­able Body role – Open – will write to Scot­tish Gov­ern­ment with­in the next month.
    • Plan­ning Con­sent Com­plaint dat­ing from 2017 which had been escal­ated to the SPSO, DC to report back to Com­mit­tee when resolved – Open – An update from the Ombuds­man had been received regard­ing plan­ning advice. It was hoped to be in the pos­i­tion to close the com­plaint towards the end May early June.
    • Gov­ernance state­ment amended to reflect Committee’s assur­ance role — Open — will be reflec­ted in the final accounts.
    • Dav­id Camer­on apo­lo­gised for the sporad­ic issue of papers for this meet­ing. Sug­ges­tion made from mem­ber to find a way of nam­ing the papers dif­fer­ently to make it easi­er to dif­fer­en­ti­ate between them. Dav­id Camer­on advised he would con­sider this.
    • The Vice Chair advised that the feed­back from ombuds­man would be wel­come. Dav­id Camer­on agreed that the feed­back would be brought back to this Com­mit­tee. The Vice Chair added that any pos­it­ive feed­back would be nice to share with staff, to help mor­ale. This was agreed by Dav­id Camer­on who added that any com­plaint received wheth­er upheld or not, it was nor­mal prac­tise to see if any­thing could be learned from it to improve the system.
  1. Actions:
    • Dav­id Camer­on to con­sider nam­ing the papers dif­fer­ently so that they can eas­ily be differentiated.
    • Feed­back from the Ombuds­man to be brought back to the Com­mit­tee when available.

Intern­al Audit Review: Busi­ness Con­tinu­ity (Paper 1)

  1. Claire Robertson presen­ted a Paper which presents the intern­al auditor’s report on the Authority’s busi­ness con­tinu­ity planning.

  2. The Audit & Risk Com­mit­tee made the fol­low­ing com­ments and observations:

    • Dav­id Camer­on advised that busi­ness con­tinu­ity plan­ning could be around an intern­al or extern­al dis­aster such as cata­stroph­ic weath­er or indoor flood­ing. It was about scen­ario plan­ning around each theme of pos­sib­il­ity, so that a response plan for each scen­ario is in place.
    • Was this sim­il­ar to resi­li­ence plans that Loc­al Author­it­ies have? Grant Moir advised that it was slightly dif­fer­ent e.g. If the com­puter serv­ers were to crash how would the Author­ity get it back work­ing and in what times­cale? This type of instance was what was meant by dis­aster recov­ery. He added that they were look­ing to recruit to a post with respons­ib­il­ity for this work this built into it.
    • Mem­bers ques­tioned the Authority’s insur­ance pro­vi­sions and cov­er­age for sig­ni­fic­ant events? Dav­id Camer­on explained that the main dif­fer­ence to many oth­er organ­isa­tions is that the Author­ity is a Non Depart­ment­al Pub­lic Body (NDPB), there­fore, unlike Loc­al Author­it­ies for example, we don’t have extern­al insur­ance policies in place oth­er than those that are stat­utory and leg­al (e.g. for pool cars etc.). Rather, the Author­ity self-insures” and cov­ers the cost of actions fol­low­ing events and seek reim­burse­ment from Gov­ern­ment. Grant Moir advised that the Author­ity work closely with Loch Lomond & Trossachs Nation­al Park (LLT­NP) on many aspects of back up and cov­er for events that would oth­er­wise be covered by insur­ances, and there­fore we are quite well served.
    • Could it be cla­ri­fied how much staff resources is required in deal­ing with these areas of activ­ity? Grant Moir explained that when someone leaves the organ­isa­tion, they look at the role and plug any pri­or­ity gaps. Dav­id high­lighted that we have a rel­at­ively small IT and facil­it­ies team with those staff cov­er­ing their own areas of busi­ness con­tinu­ity as part of their core roles.
    • Dav­id Camer­on added that in look­ing at the IT Strategy and busi­ness con­tinu­ity, cloud based strategies are expens­ive how­ever they could lim­it the risk of ser­vice loss from loc­al events, for example elec­tric­al short­age in the serv­er room, there­fore it is timely to look at longer term IT devel­op­ment strategies now with­in the con­text of wider busi­ness con­tinu­ity evaluations.
    • Com­ment made that a num­ber of recom­mend­a­tions with dead­lines against them have been iden­ti­fied reas­sur­ance sought that resources are in place to meet them. Dav­id Camer­on agreed and advised that some of the recom­mend­a­tions spe­cific­ally in terms of the new post, with a July dead­line may slip into August September.
    • Note that it would be good prac­tise to review the dis­aster plan annu­ally, could it be explained why the staff train­ing was not sched­uled to take place until 2020 which seemed a long way away? Dav­id Camer­on explained that the dead­line of Feb­ru­ary 2020 had been set to allow time to achieve oth­er recom­mend­a­tions, it would allow suf­fi­cient time to go over with staff the entirety of changes as a hol­ist­ic group­ing. In terms of test­ing, how reg­u­larly we test the entirety of our build­ing, bring the serv­er down and go through pro­cess of start­ing it back up, doesn’t mer­it doing it annu­ally: the dis­rup­tion doing it annu­ally doesn’t match up to the risk. There was a bal­ance between over­all risk and resource. Claire Robertson added that so long as key details such as con­tacts, updat­ing name changes either through resig­na­tions and/​or names of part­ners is car­ried out reg­u­larly in the inter­im, leav­ing the dis­aster recov­ery test­ing for 30 months would be satisfactory.
    • Were paper cop­ies of the dis­aster recov­ery plan stored off line? Grant Moir con­firmed that paper cop­ies were kept off­s­ite how­ever fur­ther thought would have to go into how this could be accessed.
    • Sug­ges­tion made to bring an inter­im pro­gress report on Busi­ness Con­tinu­ity to the next meet­ing for the Com­mit­tee to review. This was agreed.
  3. The Audit & Risk Committee:

    • Con­sidered the intern­al auditor’s find­ings on the Authority’s arrange­ments for busi­ness continuity;
    • Endorse the man­age­ment responses to recom­mend­a­tions for action raised by the intern­al auditor.
  4. Action:

    • Inter­im pro­gress report on Busi­ness Con­tinu­ity to be brought to the next meet­ing for the Com­mit­tee to review.

Intern­al Audit Review: Audit Recom­mend­a­tions Fol­low Up (Paper 2)

  1. Claire Robertson presen­ted a Paper which presents the intern­al audit review of the Authority’s pro­gress in imple­ment­ing agreed actions in response to pre­vi­ous audit recommendations.

  2. Dav­id Camer­on added that there had been a num­ber of recom­mend­a­tions around IT and IT secur­ity. He explained that the Author­ity had to under­take Scot­tish Gov­ern­ment secur­ity cyber plus accred­it­a­tion which had to take pri­or­ity over these recom­mend­a­tions to meet gov­ern­ment report­ing deadlines.

  3. In dis­cus­sion the Audit & Risk Com­mit­tee made the fol­low­ing com­ments and observations:

    • With ref­er­ence to page 22, where it is dated 2012 it should read 2018.
    • Con­tent­ment that the Authority’s Seni­or Man­age­ment Team were on the case and appro­pri­ate action being taken on audit recom­mend­a­tions approved by the Committee.
  4. The Audit and Risk Com­mit­tee con­sidered the intern­al auditor’s find­ings on the Authority’s pro­gress in imple­ment­ing the actions to address pre­vi­ous audit recom­mend­a­tions and endorsed the man­age­ment responses to actions which remain imple­men­ted or are cur­rently par­tially implemented.

  5. Actions: None.

201819 Intern­al Audit Plan (Paper 3)

  1. Claire Robertson presen­ted Paper 3 which presents the intern­al auditor’s Annu­al Audit Plan for the audit of the 201819 accounts.

  2. Claire noted the point high­lighted by Dav­id earli­er in the meet­ing on the pro­posed audit of expenses claim sys­tems and indic­ated that with the agree­ment of the Com­mit­tee the scope for this work would be amended to include a wider advis­ory ele­ment to con­sider sys­tem sim­pli­fic­a­tions, mod­ern­isa­tion and digitisation.

  3. The Audit & Risk Committee:

    • Approved the Annu­al Intern­al Audit Plan for 201819
    • Approved the broad­en­ing of the scope for the review of expenses claim sys­tems to include an advis­ory ele­ment on sys­tem sim­pli­fic­a­tion and modernisation.
    • Approved the Intern­al Audit Charter as set out in Appendix VI of the Intern­al Audit Plan.
  4. Action: None.

Risk Register Review (Paper 4)

  1. Dav­id Camer­on presen­ted an update of the Authority’s stra­tegic risk man­age­ment and a com­ment­ary on management’s review of action taken and cur­rent risk status. He asked that the Com­mit­tee con­sider remov­ing the risks which had shown a con­sist­ent redu­cing risk level, greyed out in the doc­u­ment, from the register as not cur­rently pos­ing a sig­ni­fic­ant stra­tegic risk to deliv­ery of object­ives. He high­lighted that he had added risks around work­force man­age­ment on pages 8 and 9.

  2. Grant Moir high­lighted risk VII Cairngorm and Glen­more Strategy. He explained that the Author­ity should know more about the funicu­lar soon although work will go on for fore­see­able future.

  3. In dis­cus­sion the Audit & Risk Com­mit­tee made the fol­low­ing com­ments and observations:

    • Could it be cla­ri­fied wheth­er the risks were issues or actu­al risks? Grant Moir advised that Cairngorm Moun­tain was a risk to the eco­nomy in the Strath and wider, and there­fore is a repu­ta­tion­al risk to the CNPA. The entries in the register were stra­tegic risks with poten­tial impacts on the Author­ity if not man­aged and mit­ig­ated. Dav­id explained that the Author­ity did not oper­ate a sep­ar­ate issues log.
    • With ref­er­ence to risk A3, 3 red arrows now that the loc­al elec­tions that took place in March 2019 were com­plete, would the red rat­ing improve? Dav­id Camer­on con­firmed that it would become green in time to reflect declin­ing risk. How­ever, at this point in time, only a few weeks after the dir­ect elec­tions to the Board, there was still a stra­tegic risk posed by the high level of change in Board mem­ber­ship and hence the risk rat­ing of man­aging the poten­tial impacts of stra­tegic lead­er­ship change had not yet declined.
    • Sur­prise por­trayed with risk A1. Grant Moir explained that pub­lic sec­tor fin­ances are reduced year on year, the Author­ity have been good at bring­ing in Her­it­age Lot­tery Fund­ing (HLF). Risk A1 is the cor­rel­a­tion between our budget from Scot­tish Gov­ern­ment (SG) and what the Author­ity have man­aged to bring in.
    • With fund­ing com­ing in for pro­jects at what point, with poten­tial budget cuts, would the Author­ity cease to be able to per­form effect­ively? Grant Moir advised that annu­ally the Author­ity have scen­ari­os to work out based on poten­tial 5%, 10% cut to budget. From exper­i­ence when you get over 10% budget cuts there is no capa­city to fin­ance and effect­ive oper­a­tion­al plan to con­trib­ute to Nation­al Park Part­ner­ship Plan deliv­ery and the Author­ity needs to con­sider sig­ni­fic­ant staff­ing reduc­tions. The Author­ity have done well to main­tain our budget and have done just as well in find­ing oth­er money. Dav­id Camer­on added that SG grant in aid fund­ing would not likely increase to fund the Authority’s path main­ten­ance respons­ib­il­it­ies, there­fore income diver­si­fic­a­tion is required to fund that togeth­er with oth­er new’ budget pres­sures, e.g. The Cairngorms Trust as a char­it­able body is a mech­an­ism through which we hope the stake­hold­ers in the Nation­al Park are able to get that fund­ing. An addi­tion­al example of income diver­si­fic­a­tion is Nation­al Parks UK who are fund­ing travel grants for chil­dren through their cor­por­ate spon­sor­ship activities.
    • Path main­ten­ance: what is the intent under­pin­ning this risk? Dav­id Camer­on advised that as an Author­ity we want to see the path net­work main­tained so that work to rebuild the paths repeatedly from scratch is avoided.
    • With ref­er­ence to risk A16 it was noted that it had changed from amber to red with the expect­ance for it to remain red for a while, the need for the Board to keep a close eye on it.
    • Com­ment made that it would be inter­est­ing for the Author­ity to learn from the OATS exper­i­ence of run­ning a car park facil­ity that appears fin­an­cially encouraging.
    • Should there be a risk around busi­ness con­tinu­ity plan­ning? Dav­id Camer­on agreed that it would be worth­while hav­ing a sep­ar­ate risk around this. He acknow­ledged that the risks asso­ci­ated with busi­ness con­tinu­ity plan­ning and IT needed more thought as to how they would inter­act with each other.
    • Con­cern raised that it was too soon to remove risk A8. Dav­id Camer­on explained his con­cerns around hav­ing too many risks, he advised that if it looked like it was becom­ing a risk again it could be rein­stated. Sug­ges­tion made that risk A8 fits neatly into risks A14 and A15 which are still val­id and out­stand­ing. Dav­id Camer­on advised that from a man­age­ment per­spect­ive there was no reas­on it should not be removed.
  4. The Audit & Risk Com­mit­tee con­sidered the update presen­ted on the Authority’s Stra­tegic Risk Register and agreed the fol­low­ing amend­ments and addi­tions to the register:

    • A risk around busi­ness con­tinu­ity plan­ning to be added and the risks asso­ci­ation with IT to be amended to reflect this addition.
    • Greyed risks to be removed.
  5. Action:

    • Amend­ments to Risk Register as detailed in para­graph 27a and b.

Com­plaints Log (Oral)

  1. Dav­id Camer­on repor­ted that there had been no com­plaints received by the Author­ity since the last update on this sub­ject to the Com­mit­tee in March 2018.

  2. The Audit & Risk Com­mit­tee com­men­ded this update.

  3. Action: None.

Terms of Ref­er­ence Review (Paper 5)

  1. Dav­id Camer­on presen­ted the Audit & Risk Committee’s terms of reference.

  2. The Audit and Risk Com­mit­tee con­sidered the terms of ref­er­ence for the Audit & Risk Com­mit­tee and con­sidered the fol­low­ing amend­ments to be made to the scope and remit of the committee’s oversight:

    • The addi­tion of the words to provide assur­ance’ to the detail of the terms of reference.
  3. Actions:

    • Make addi­tion to Audit & Risk Com­mit­tee terms of ref­er­ence as detailed in para­graph 33a.

Any Oth­er Com­pet­ent Business

  1. There were no items.

Date of Next Meeting

  1. 6 Septem­ber 2019, loc­a­tion – tbc.

  2. Meet­ing closed 10.25 hours

Audit & Risk Com­mit­tee: Out­stand­ing Actions

ActionStatus
Audit and Risk Com­mit­tee mem­ber trainingOpen
Audit and Risk Com­mit­tee induc­tion packOpen
Risk mit­ig­a­tion action for LEAD­ER Account­able Body roleOpen
let­ter to Scot­tish Gov­ern­ment as out­lined in paper to Com­mit­tee 31 August 2018
Plan­ning Con­sent Com­plaint dat­ing from 2017 which had been escal­ated to the SPSO, DC to report back to Com­mit­tee when resolved (23 Novem­ber 2018)Open
×

We want your feedback

Thank you for visiting our new website. We'd appreciate any feedback using our quick feedback form. Your thoughts make a big difference.

Thank you!