190503AuCtteePaper2 Annex 1 Follow Up 2018-19 Final Report
CAIRNGORMS NATIONAL PARK AUTHORITY
INTERNAL AUDIT REPORT — DRAFT
Follow up review
April 2019
CONTENTS
- Executive Summary
- Recommendation Status
- Appendices:
- I Staff Interviewed
- II Definitions
- III Terms of Reference
REPORT STATUS
- Auditor: Gemma Rickman
- Dates work performed: 4 February – 16 April 2019
- Draft report issued: 16 April 2019
- Final report issued: 26 April 2019
DISTRIBUTION LIST
- David Cameron Director of Corporate Services
- Daniel Ralph Finance Manager
- Audit & Risk Committee Members
Restrictions of use
>The matters raised in this report are only those which came to our attention during the course of our audit and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. The report has been prepared solely for the management of the organisation and should not be quoted in whole or in part without our prior written consent. BDO LLP neither owes nor accepts any duty to any third party whether in contract or in tort and shall not be liable, in respect of any loss, damage or expense which is caused by their reliance on this report.
EXECUTIVE SUMMARY
Scope and Work Undertaken
Background
As part of the provision of continual assurance with regard to internal control arrangements, a review of the degree of implementation of previously agreed Internal Audit recommendations was conducted in February/March 2019. In accordance with the Internal Audit Annual Plan 2018 – 19, we have considered the implementation status of all recommendations raised from previous Internal Audit work which were due to be implemented at the time of this review. A total of 13 recommendations were followed up from the work undertaken by BDO during 2018⁄19, and 30 recommendations carried forward from work undertaken in previous years. The recommendations relate to 16 audit areas, as listed below:
- Financial Management, Planning & Efficiency 2014⁄15 (2 recommendations)
- Corporate Governance 2017⁄18 (1 recommendation)
- Community Engagement/Stakeholder Engagement 2014⁄15 (1 recommendation)
- Project Management 2017⁄18 (2 recommendations)
- Risk Management 2016⁄17 (2 recommendations)
- Communications & Social Media Strategy 2017⁄18 (3 recommendations)
- Project Financing 2016⁄17 (2 recommendations)
- Financial Reporting 2017⁄18 (1 recommendation)
- Financial Processes 2016⁄17 (1 recommendation)
- Business Performance Management 2017⁄18 (1 recommendation)
- Grant Funding & Management 2016⁄17 (2 recommendations)
- Partnership Management 2018⁄19 (2 recommendations)
- Tomintoul & Glenlivet Partnership Management 2016⁄17 (2 recommendations)
- Resource Planning 2018⁄19 (3 recommendations)
- IT General Controls 2016⁄17 (10 recommendations)
- LEADER 2018⁄19 (1 recommendation)
- Business Continuity Planning 2018⁄19 (7 recommendations)
Methodology
Cairngorms National Park Authority’s Internal Audit recommendation progress report was reviewed to determine the degree of implementation achieved. Where the responsible person stated that recommendations had been implemented, evidence was sought, and testing undertaken where relevant, to verify continued compliance.
Acknowledgement
We appreciate the assistance provided by the staff involved in the review and would like to thank them for their help and on-going co-operation.
Status of recommendations as at April 2019
The summary below and overleaf provides a simple overview of the status of each recommendation. Of the 32 recommendations due to be implemented, 17 recommendations (53%) have been categorised as fully implemented, 7 (22%) have been categorised as partially implemented, 7 (22%) have been categorised as not implemented, and 1 (3%) has been considered as superseded. Details of the not implemented and partially implemented recommendations are included from page 6 onwards.
On this basis, we conclude that Cairngorms National Park Authority has made reasonable progress in implementing the recommendations made and we can provide assurance that management’s resolve to implement previously agreed Internal Audit recommendations is sound. However, continued focus is necessary to ensure the remaining outstanding recommendations are implemented within a reasonable timeframe, particularly in relation to the four recommendations outstanding from the IT General Controls review.
Audit | Fully Implemented | Partially Implemented | Not Implemented | Superseded | Not Due for Implementation | Total |
---|---|---|---|---|---|---|
Financial Management, Planning & Efficiency 2014⁄15 | 2 | 0 | 0 | 0 | 0 | 2 |
Community Engagement/Stakeholder Engagement 2014⁄15 | 1 | 0 | 0 | 0 | 0 | 1 |
Risk Management 2016⁄17 | 0 | 2 | 0 | 0 | 0 | 2 |
Project Financing 2016⁄17 | 2 | 0 | 0 | 0 | 0 | 2 |
Financial Processes 2016⁄17 | 0 | 0 | 1 | 0 | 0 | 1 |
Grant Funding & Management 2016⁄17 | 0 | 1 | 1 | 0 | 0 | 2 |
Tomintoul & Glenlivet Partnership Management 2016⁄17 | 0 | 1 | 1 | 0 | 0 | 2 |
IT General Controls 2016⁄17 | 5 | 1 | 3 | 1 | 0 | 10 |
Corporate Governance 2017⁄18 | 1 | 0 | 0 | 0 | 0 | 1 |
Project Management 2017⁄18 | 0 | 2 | 0 | 0 | 0 | 2 |
Communications & Social Media Strategy 2017⁄18 | 2 | 0 | 1 | 0 | 0 | 3 |
Financial Reporting 2017⁄18 | 1 | 0 | 0 | 0 | 0 | 1 |
Business Performance Management 2017⁄18 | 1 | 0 | 0 | 0 | 0 | 1 |
Partnership Management 2018⁄19 | 0 | 0 | 0 | 0 | 2 | 2 |
Resource Planning 2018⁄19 | 1 | 0 | 0 | 0 | 2 | 3 |
LEADER 2018⁄19 | 1 | 0 | 0 | 0 | 0 | 1 |
Financial Planning 2018⁄19 | 0 | 0 | 0 | 0 | 0 | 0 |
Strategic Planning 2018⁄19 | 0 | 0 | 0 | 0 | 0 | 0 |
Business Continuity Planning 2018⁄19 | 0 | 0 | 0 | 0 | 7 | 7 |
TOTAL | 17 | 7 | 7 | 1 | 11 | 43 |
RECOMMENDATION STATUS — RISK MANAGEMENT 2016⁄17
Ref. 1
Original Recommendation
>We recommend that, on development of a risk management policy, staff with risk management responsibilities are required to sign a checklist to confirm whether they are aware of the organisation’s risk management approach or require further training in this area.
Management Response
Original
>Agreed. I think the recommendation for staff to sign a checklist and self-certify awareness of risk management approaches or need for further training is a very practical recommendation that can help avoid staff undergoing unnecessary “mandatory” training.
August 2018
>The post-holder responsible for delivery has now left the organisation and the recommendation has not been implemented as intended. The Director of Corporate Services will now seek to draw up a checklist for sign off by appropriate staff in discharge of this recommendation by end of December 2018.
Responsibility & Implementation Date
- Responsible Officer: Governance and Information Officer
- Implementation Due Date: 31/03/2017
Status at April 2019 & Revised Recommendation
Partially Implemented
Staff have not yet been requested to confirm whether they are aware of the organisation’s risk management approach. We note that the Authority has integrated risk management within its project planning tool; however, there has been no formal confirmation received in line with our recommendation that all staff with risk management responsibilities are aware of the approach as detailed within the risk management policy.
Management Response at April 2019
>The Director of Corporate Services emailed all Heads of Service on 31 May 2017 highlighting the approach to risk management and seeking staff training requirements. We accept that we have not developed a checklist for staff to sign — however, the email approach was intended to act as a surrogate for a separate checklist.
Ref. 2
Original Recommendation
>We recommend that all project risk registers should be developed using a consistent approach aligned to the Strategic Risk Register.
Management Response
Original
>Agreed. While the key point remains to ensure that risks are recognised, documented and managed, we accept that risk registers should ideally be in a consistent format to aid review and escalation processes. We will reinforce the need for use of the template to support consistency of practice in our project management communications and internal reviews.
August 2018
>The entirety of the project management support system is currently under review, and this low level risk will be captured within that review. We will aim to complete this work by January 2019.
Responsibility & Implementation Date
- Responsible Officer: Governance and Information Officer
- Implementation Due Date: 31/03/2017
Status at April 2019 & Revised Recommendation
Partially Implemented
A revised risk register template has been included within the Authority’s Project Toolkit; however, as this has not yet been applied to projects, Internal Audit are unable to verify the consistent adoption of the risk register within projects.
Management Response at April 2019
>As noted in the above status update, this recommendation is substantially complete within revised timetable. The risk template is included within updated project management toolkit and we simply have not had an opportunity yet to trial on projects. The first trial is currently underway for the Customer Records Management System implementation project.
RECOMMENDATION STATUS — FINANCIAL PROCESSES 2016⁄17
Ref. 3
Original Recommendation
>We recommend that the Finance Management schedule is updated to provide detailed policies and guidance on all financial processes. These should be reviewed on an annual basis. We also recommend that clear roles and responsibilities demonstrating segregation of duties are documented within the guidance notes for all financial processes. We recognise that management have made progress in developing the schedule and that completion of this was delayed due to the implementation of the new Sage system.
Management Response
Original
>Accepted. We are currently reviewing and updating all procedures.
August 2018
>High level tasks relating to month end and year end routines and procedures are in place. Documentation of lower level tasks to be implemented by 31 December as part of general review of policies, procedures and responsibilities. It should be noted that when a specific spreadsheet is developed for either reporting or financial management, notes are imbedded stating the reason for the spreadsheet and how it is to be prepared. These are usually high level and currently maintained by the finance manager, specifically for recording and tracking LEADER claims.
Responsibility & Implementation Date
- Responsible Officer: Finance Manager
- Implementation Due Date: 31/06/2017
Status at April 2019 & Revised Recommendation
Not Implemented
The Finance Management schedule and guidance notes are yet to be updated in line with our recommendation. Management have advised that processes will be reviewed and thereafter documented accordingly.
Management Response at April 2019
>Review and updating of documentation will be carried out before the 18⁄19 audit in June, ie by 16th June.
RECOMMENDATION STATUS — GRANT FUNDING & MANAGEMENT 2016⁄17
Ref. 4
Original Recommendation
>We recommend that the Grant Toolkit is completed, encompassing all processes in place for the awarding, recording and monitoring of grant funding. The toolkit should also clearly define the following:
>- Actions to be taken when grant conditions are not being met or terms and conditions are breached;
>- The process for consideration of the risk and value of grant funding applications to determine the proportion of resource required to evaluate these; and
>- Review and scrutiny arrangements for progress reports provided by grantees.
Management Response
Original
>Accepted. Finalisation of the toolkit has been delayed by other priority activities and will now be accelerated.
August 2018
>Work to recommence in October and linked to project management: To be implemented by January 2019. The intention is to complete this in parallel with work on projects to ensure a commonality in a risk based approach to project and grant management.
Responsibility & Implementation Date
- Responsible Officer: Director of Corporate Services
- Implementation Due Date: 30 September 2017
Status at April 2019 & Revised Recommendation
Not Implemented
This recommendation is yet to be implemented.
Management Response at April 2019
>Revised date for completion 30 September 2019
Ref. 5
Original Recommendation
>We recommend that management develops and maintains a grant register which records all grant funding provided. The performance requirements detailed within each grant award terms and conditions should be recorded and monitored within the tracker. The register should be reviewed on a regular basis to ensure funds are used effectively and agreed objectives are achieved.
Management Response
Original
>Agreed. This is a sensible recommendation and one which mirrors recent thinking within the Finance Team that we should establish and maintain a central register of live grant funding initiatives.
August 2018
>Performance requirements to be back loaded for all 2018⁄19 grants by 31 October; performance requirements for all subsequent grants to be loaded when entered in register when a grant offer is made.
Responsibility & Implementation Date
- Responsible Officer: Finance Manager
- Implementation Due Date: 30/11/2017
Status at August 2018 & Revised Recommendation
Partially Implemented
The Authority is in the process of populating its grant register. The register does not yet detail the performance requirements included in the terms and conditions and performance against these.
Management Response at August 2018
>Priority will be given to populating the 19⁄20 register and then back filling previous 2 years by 30 September with all relevant terms and conditions.
RECOMMENDATION STATUS — TOMINTOUL & GLENLIVET PARTNERSHIP MANAGEMENT 2016⁄17
Ref. 6
Original Recommendation
>We recommend that all project management templates are completed for the delivery phase of the TGLP project. We also recommend that more detailed project management protocols are defined within the Project Management Guidance and Process documents. The protocols should clearly define the process to be followed for the following stages of a project:
>- Option selection and prioritisation;
>- Collaboration with partners;
>- Solution development;
>- Delivery (including monitoring and reporting); and
>- Changes (including time, cost, quality and risk changes).
>
>The change management process for the delivery phase of the project should be clearly documented, including the identification of defined limits outlining at which point HLF approval is required.
Management Response
Original
>Agreed. The Programme Manager has now been recruited for this programme and will be charged with completing all project management templates to enhance robustness of management controls. As the documentation will be completed and owned by the Programme Manager this will also enhance lines of management responsibility.
August 2018
>To be fully implemented by 30 November 2018.
Responsibility & Implementation Date
- Responsible Officer: Tomintoul & Glenlivet Programme Manager with Head of Land Management and Conservation
- Implementation Due Date: 31 July 2017
Status at April 2019 & Revised Recommendation
Partially Implemented
Management have advised that the guidance and process documents are yet to be completed in line with our recommendation. We note that a selection of project management templates are now in place; however, Internal Audit were unable to retrieve evidence to support that all project management templates are now being used for the TGLP project. For example, a large project plan, privacy impact assessments, and issues logs were not provided. We do however acknowledge that staff are making progress in adopting the project management templates.
Management Response at April 2019
>Further evidence will be provided by 30 June, 2019.
Ref. 7
Original Recommendation
>We recommend that changes in spend profile exceeding an agreed threshold are reported to the TGLP Board on a monthly basis.
Management Response
Original
>Agreed.
August 2018
>Finance risk is now being considered in more detail by the board as more major projects are either due to start or project plans are revised. To date, as only 1 major project has been undertaken, and is currently showing a £6k underspend, there has been no need to set a variance against project budgets, especially as the Museum Refurbishment was closely monitored by the Project manager. What has been agreed is that in September a comprehensive review of all project costs will be undertaken and the recast project costs and profiled spend will then be used as the bench mark for cash management, cost monitoring on a monthly basis. This will then be included in the monthly finance paper and supplemented by any specific concerns by the Project manager. As a first step a Contingency Request form has been introduced. This is a request to the Board for contingency funding where cost overruns have been identified on review. Secondly post September review variances against plan will be reported to the Board monthly. No reporting level has been set but greater emphasis will be placed on the high value construction projects.
Responsibility & Implementation Date
- Responsible Officer: CNPA Finance Manager
- Implementation Due Date: 30 September 2017
Status at April 2019 & Revised Recommendation
Not Implemented
Continuation requests are now in place where approval for further project expenditure is sought from the TGLP Board. However, changes in spend profile exceeding an agreed threshold have not yet been reported to the TGLP Board on a monthly basis.
Management Response at April 2019
>Reporting to the Project Board in May will include the revised projected spend and funding from “contingency” funding agreed to date. There is likely to be a revision on how variances are now identified and communicated to the Board.
RECOMMENDATION STATUS — IT GENERAL CONTROLS 2016⁄17
Ref. 8
Original Recommendation
>We recommend that all security and critical patches are implemented as a matter of course, in order to minimise known malware, ransomware etc. However, we recommend that less critical, for example, design orientated patches are first tested on a smaller group of non-business critical servers (or test servers that mirror the live environment) to assess whether these result in any adverse consequences to Authority systems before they are rolled out across the rest of the server estate.
Management Response
Original
>Agreed.
August 2018
>We have implemented what we believe to be the most security critical element of this recommendation, i.e. immediate update of critical patches. We have not yet had the time or resource availability to design appropriate test server infrastructure in which to test “design oriented” patches. We will discuss this aspect of the recommendation further with IT colleagues from Loch Lomond and the Trossachs NPA. Priority will be given in the first instance to other aspects of outstanding recommendations as regards IT and cyber security and disaster recovery testing. The Finance Manager and IT Manager will aim to resolve this remaining matter by end of May 2019, to inform the 2018⁄19 year end audit follow up.
Responsibility & Implementation Date
- Responsible Officer: IT Manager
- Implementation Due Date: 31 January 2018
Status at April 2019 & Revised Recommendation
Partially Implemented
Management Response at April 2019
>Neither CNPA nor LLTNPA have the resources to “sand box” updates for a period of time before implementation. We will install critical updates when advised by the software vendor. Other less critical patches will be applied at some point and we believe that the risk of malware, ransomware etc. will diminish by this delay as other users implement and report on any installation issues. Additionally, post implementation there are other compensating controls in place that will help identify risks, e.g. Sophos filtering. We therefore suggest that this recommendation has been applied as fully as we are capable of.
Ref. 9
Original Recommendation
>We recommend that, as per the requirements of the Security Policy, there is regular full-restore testing of backups i.e. the full recovery of systems on a bare-metal server using backup media. We also recommend that a formal backup plan/policy is developed to ensure a consistent approach is taken to managing backups including implementation, monitoring over their success/failure, rerunning failed backups and regular testing.
Management Response
Original
>Agreed.
August 2018
>Planning for office extension and associated IT systems development, followed by staff turnover in summer 2018 has prevented this work from being taken forward as planned and originally timetabled. We will aim to develop this in the second half of 2018⁄19. Director of Corporate Services to take forward, supported by Corporate Management Group, to complete by end February 2019.
Responsibility & Implementation Date
- Responsible Officer: Governance and Corporate Performance Manager with IT Manager
- Implementation Due Date: 31 January 2018
Status at April 2019 & Revised Recommendation
Not Implemented
This recommendation is yet to be implemented.
Management Response at April 2019
>There are no current plans to attempt a full-restore of backups.
Ref. 10
Original Recommendation
>We recommend that an IT disaster recovery plan with supporting technical recovery plans are developed to support the recovery of business critical systems following an IT disaster. The plans should be sufficiently detailed to allow engineers that are not familiar with Authority systems to rebuild and recover servers and network hardware i.e. plans should include current configuration and systems setting information.
Management Response
Original
>Agreed.
August 2018
>Revised date for completion 31 December 2018. Planning for office extension and associated IT systems development, followed by staff turnover in summer 2018 has prevented this work from being taken forward as planned and originally timetabled.
Responsibility & Implementation Date
- Responsible Officer: Governance and Corporate Performance Manager with IT Manager
- Implementation Due Date: 31 January 2018
Status at April 2019 & Revised Recommendation
Superseded
Recommendation now superseded by the BDO Business Continuity Planning audit report.
Management Response at April 2019
>Noted.
Ref. 11
Original Recommendation
>We recommend that all network devices are configured with reference to recognised security baselines to ensure that all active network components have met a minimum security standard.
Management Response
Original
>Agreed.
August 2018
>To be completed by 31 December 2018.
Responsibility & Implementation Date
- Responsible Officer: IT Manager
- Implementation Due Date: 31 March 2018
Status at April 2019 & Revised Recommendation
Not Implemented
This recommendation is yet to be implemented.
Management Response at April 2019
>Revised date for implementation 31 December 2019.
Ref. 12
Original Recommendation
>We recommend that the Authority consider developing and implementing a network security monitoring and logging strategy to ensure that areas of the network that are used to store or process sensitive data are subject to proactive monitoring controls. Also, we recommend that management consider introducing a syslog for securely capturing and retaining log information to ensure the availability and integrity of log data is maintained.
Management Response
Original
>Agreed.
August 2018
>The first phase of the Cyber Essentials certification is in progress and the initial report is awaited.
Responsibility & Implementation Date
- Responsible Officer: IT Manager
- Implementation Due Date: 31 March 2018
Status at April 2019 & Revised Recommendation
Not Implemented
This recommendation is yet to be implemented.
Management Response at April 2019
>Cyber Essentials+ certification has been gained — completion was in December 2018.
RECOMMENDATION STATUS — PROJECT MANAGEMENT 2017⁄18
Ref. 13
Original Recommendation
>We recommend that all project management templates are completed for future projects in line with the project management guidelines. We also recommend that a process for requesting and approving changes to defined limits relating to cost, time, quality and risk is documented and applied. We also recommend that all changes are recorded within a project change log.
Management Response
Original
>Recommendation accepted. The Operational Management Group, comprising all Heads of Service, have additionally commenced an internal review of the adequacy of the project management templates and whether the approach to project management approval and governance can be streamlined without compromising internal control standards. The results of this review will be applied while also ensuring the current recommendation is implemented: ensuring that the revised project toolkit is used fully and appropriately.
August 2018
>The entirety of the project management support system is currently under review, and this action will be captured within that review. We will aim to complete this work by January 2019.
Responsibility & Implementation Date
- Responsible Officer: Director of Corporate Services with Head of Organisational Development
- Implementation Due Date: 30 June 2018
Status at April 2019 & Revised Recommendation
Partially Implemented
A project management toolkit is now in place which aims to ensure a consistent approach to project management. Management have advised that this toolkit is currently being rolled out to projects.
Management Response at March 2019
>As noted above, the updated project toolkit is complete and being rolled out. We are still to complete processes around change requests, being mindful of one of the Authority’s key attributes of being flexible and adaptable. We will consider these final elements as we review the roll out of project management over 2019.
Ref. 14
Original Recommendation
>We recommend that roles and responsibilities are fully documented for all key people and groups with responsibilities for each project.
Management Response
Original
>Agreed.
August 2018
>Management will revisit the register of projects and detail those significant and large scale projects for which the roles and responsibilities of all key people and groups should be documented.
Responsibility & Implementation Date
- Responsible Officer: Director of Corporate Services
- Implementation Due Date: 31 July 2018
Status at April 2019 & Revised Recommendation
Partially Implemented
As reported in our 2017 – 18 follow up report, anticipated staff resources have been detailed within the Authority’s register of projects. This details the staff members involved for each project, and the approximate amount of time required from each. However, detailed project responsibilities have not been documented for each project. Management have advised that there is a need to further capture roles and responsibilities within the project planning toolkit.
Management Response at April 2019
>As noted above in status update. How we best capture roles and responsibilities within the revised toolkit is under review.
RECOMMENDATION STATUS — COMMUNICATIONS & SOCIAL MEDIA STRATEGY 2017⁄18
Ref. 15
Original Recommendation
>We recommend that feedback on the effectiveness of key digital communications is sought and responded to from stakeholders. We recommend that the Communications and Engagement team considers conducting a stakeholder survey campaign to gain feedback on the digital platforms and accounts which are currently in use by CNPA. We also recommend that management consider conducting this process prior to the completion of the communications and social media strategy.
Management Response
Original
>We agree with this recommendation and will carry out a short survey on our digital communications and social media activity with our stakeholders prior to the completion of the social media strategy.
August 2018
>We have initiated a review of our stakeholder communications, with an initial focus on residents, over July and August with a workshop held on 14 August to review initial results of this exercise and explore options for future activity.
Responsibility & Implementation Date
- Responsible Officer: Sian Jamieson
- Implementation Due Date: 30 April 2018
Status at April 2019 & Revised Recommendation
Not Implemented
Within our 2017 – 18 follow up review it was reported that an external consultant had been recruited to review communications and engagement practices with Park residents and develop recommendations for future engagement. However, since this exercise there has been no formal stakeholder engagement survey or activities. Internal Audit have been advised that the Authority aims to conduct formal stakeholder surveys throughout the remainder of 2019.
Management Response at April 2019
>A new communications approach has been adopted (The Communications Grid) which is a more structured approach to our communications, including digital. A programme of work has been agreed commencing in May resulting in implementation in December 2012.
APPENDIX I — STAFF INTERVIEWED
NAME | JOB TITLE |
---|---|
Daniel Ralph | Finance Manager |
David Cameron | Director of Corporate Services |
Sandy Allan | IT Manager |
BDO LLP appreciates the time provided by all the individuals involved in this review and would like to thank them for their assistance and co-operation.
APPENDIX II — DEFINITIONS
LEVEL OF ASSURANCE | DESIGN of internal control framework | OPERATIONAL EFFECTIVENESS of internal controls |
---|---|---|
Substantial | Appropriate procedures and controls in place to mitigate the key risks. | No, or only minor, exceptions found in testing of the procedures and controls. |
Reasonable | In the main there are appropriate procedures and controls in place to mitigate the key risks reviewed albeit with some that are not fully effective. | A small number of exceptions found in testing of the procedures and controls. |
Limited | A number of significant gaps identified in the procedures and controls in key areas. Where practical, efforts should be made to address in-year. | A number of reoccurring exceptions found in testing of the procedures and controls. Where practical, efforts should be made to address in-year. |
No | For all risk areas there are significant gaps in the procedures and controls. Failure to address in-year affects the quality of the organisation’s overall internal control framework. | Due to absence of effective controls and procedures, no reliance can be placed on their operation. Failure to address in-year affects the quality of the organisation’s overall internal control framework. |
Recommendation Significance | ||
High | A weakness where there is substantial risk of loss, fraud, impropriety, poor value for money, or failure to achieve organisational objectives. Such risk could lead to an adverse impact on the business. Remedial action must be taken urgently. | |
Medium | A weakness in control which, although not fundamental, relates to shortcomings which expose individual business systems to a less immediate level of threatening risk or poor value for money. Such a risk could impact on operational objectives and should be of concern to senior management and requires prompt specific action. | |
Low | Areas that individually have no significant impact, but where management would benefit from improved controls and/or have the opportunity to achieve greater effectiveness and/or efficiency. |
APPENDIX III — TERMS OF REFERENCE
BACKGROUND
As part of the 2018 – 19 Internal Audit plan for Cairngorms National Park Authority, it was agreed that internal audit will follow up on previously agreed recommendations made in Internal Audit reports in previous years, and where relevant during the current year.
PURPOSE OF REVIEW
The aim is to provide assurance to management and the Audit Committee that previous internal audit recommendations have been implemented effectively and within targeted timescales.
KEY RISKS
The key risk associated with the area under review is:
- Action is not taken to implement recommendations resulting in weaknesses in control and subsequent loss, fraud or error.
SCOPE OF REVIEW
We will review management’s action taken to implement internal audit recommendations. This will involve the review of recommendations made in each of the internal audit reports issued during 2018 – 19, and a follow up of any outstanding recommendations from previous years. We will also review any recommendations made in the 2018 – 19 internal audit reports which are due for implementation.