Cairngorms National Park Authority
Internal Audit Annual Report 2018 – 19
April 2019
CAIRNGORMS NATIONAL PARK AUTHORITY Audit & Risk Committee Paper 3 Annex I 03/05/18
Contents
- Executive Summary
- Review of 2018 – 19 work
- Annual statement of assurance
- Performance against operational plan
- Audit performance
- Appendices:
  - Definitions
Restrictions of use
The matters raised in this report are only those which came to our attention during the course of our audit and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. The report has been prepared solely for the management of the organisation and should not be quoted in whole or in part without our prior written consent. BDO LLP neither owes nor accepts any duty to any third party whether in contract or in tort and shall not be liable, in respect of any loss, damage or expense which is caused by their reliance on this report.
Executive Summary
Background
Our role as internal auditors is to provide an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. Our approach, as set out in BDO’s Internal Audit Manual, is to help the organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Internal Audit Plan 2018 – 19
BDO LLP has been appointed as internal auditors to Cairngorms National Park Authority to provide the Board (via the Audit Committee) and Management Team with assurance on the adequacy of the following arrangements:
- Risk Management;
- Corporate Governance; and
- Internal Control.
Responsibility for these arrangements remains fully with management, who should recognise that internal audit can only provide ‘reasonable assurance’ and cannot provide any guarantee against material errors, loss or fraud. Our role at Cairngorms National Park Authority is also aimed at helping management to improve risk management, governance and internal control, so reducing the effects of any significant risks facing the organisation.
Our risk evaluations and tests are designed to ensure that controls are both sound in design and effective in operation. Our conclusions are based on evidence obtained during the course of our audit work, verification tests and samples selected from the year’s transactions to date. However, our conclusions should not be taken to mean that all transactions have been properly authorised and processed or that all elements of systems have been tested.
Audit Approach
We have reviewed the control policies and procedures employed by Cairngorms National Park Authority to manage risks in business areas identified by management set out in the 2018 – 19 Annual Internal Audit Plan approved by the Audit Committee. This report is made solely in relation to those business areas and risks reviewed in the year and does not relate to any of the other operations of the organisation.
Our approach complies with best professional practice, in particular, Public Sector Internal Audit Standards and the Chartered Institute of Internal Auditors’ Position Statement on Risk Based Internal Auditing.
We discharge our role, as detailed within the audit planning documents agreed with Cairngorms National Park Authority management for each review, by:
- Considering the risks that have been identified by management as being associated with the processes under review
- Reviewing the written policies and procedures and holding discussions with management to identify process controls
- Evaluating the risk management activities and controls established by management to address the risks it is seeking to manage
- Performing walkthrough tests to determine whether the expected risk management activities and controls are in place
- Performing compliance tests (where appropriate) to determine whether the risk management activities and controls are operating as expected.
The assurance statement provided on page 8 of this report is based on historical information and the projection of any information or conclusions contained in our assurance statement to any future periods is subject to the risk that changes may alter its validity.
Coverage
During 2018 – 19 BDO LLP has reviewed and evaluated Cairngorms National Park Authority’s processes in the following areas:
- Partnership Management
- Resource planning
- LEADER Review
- Strategic Planning
- Business Continuity Planning
- Financial Planning
Recommendations
To assist management in addressing our findings, we categorise our recommendations according to their level of priority. The recommendations made in the completed reviews totalled 13.
Summary of Recommendations (SEE APPENDIX I)
- High: 1
- Medium: 6
- Low: 6
- Total number of recommendations: 13
Reporting mechanisms and practices
Our initial draft reports are sent to the key officer responsible for the area under review in order to gather management responses. In every instance there is an opportunity to discuss the draft report in detail. Therefore, any issues or concerns can be discussed with management before finalisation of the reports. Our method of operating with the Audit Committee is to agree reports with management and then present and discuss the matters arising at the Audit Committee meetings.
Management action on our recommendations
Management have been conscientious in reviewing and commenting on our reports. For the reports which have been finalised, management have responded positively. The responses indicate that appropriate steps to implement our recommendations are being put in place.
Relationship with external audit
All our final reports are available to the external auditors through the Audit Committee papers and are available on request. Our files are also available to External Audit should they wish to review working papers in order to place reliance on the work of Internal Audit.
Follow up
During the year we undertook independent exercises to assess the progress made by Cairngorms National Park Authority in implementing internal audit recommendations made in previous years.
Implementation of recommendations is a key determinant of our annual assurance statement. If recommendations are not implemented on a timely basis then weaknesses in control and governance frameworks will remain in place. Furthermore, an unwillingness or inability to implement recommendations reflects poorly on management’s commitment to the maintenance of a robust control environment. Within Cairngorms National Park Authority we found an adequate level of commitment and effort in clearing as many outstanding recommendations as possible from previous audit reports; however, continued focus is necessary to ensure the remaining outstanding recommendations are implemented within a reasonable timeframe.
We followed up 43 recommendations from 2018 – 19 and prior years. At the time of our work, we noted that 17 of these recommendations had been fully implemented, 7 had been partially implemented, 7 recommendations were not implemented and 1 recommendation was superseded. 11 recommendations were not yet due for implementation.
On the basis of follow up work and additional commentary provided by management on planned implementation actions we can take reasonable assurance that management’s resolve to implement previously agreed recommendations is sound.
Summary of work performed
Details of the six internal audit reviews and the follow up review have been reported to the Audit Committee throughout the year and have been discussed at length with consideration and scrutiny of management responses and timescales proposed.
For the purpose of this annual report, we set out in the following pages our summary of recommendations and assessment of the design and effectiveness of the risk assurance for each of the audit areas reviewed.
Review of 2018 – 19 Work
Reports Issued | High | Medium | Low | Design | Operational Effectiveness |
---|---|---|---|---|---|
Partnership Management | 0 | 0 | 2 | Substantial | Substantial |
Resource Planning | 0 | 0 | 3 | Moderate | Moderate |
LEADER Review | 0 | 1 | 0 | Substantial | Moderate |
Strategic Planning | 0 | 0 | 0 | Substantial | Substantial |
Business Continuity Planning | 1 | 5 | 1 | Limited | Limited |
Financial Planning | 0 | 0 | 0 | Substantial | Substantial |
Follow Up | n/a | n/a | n/a | n/a | n/a |
Annual Statement of Assurance
Report by BDO LLP to Cairngorms National Park Authority
As the internal auditors of Cairngorms National Park Authority we are required to provide the Board, via the Audit Committee, and the Senior Management Team with a view on the adequacy and effectiveness of Cairngorms National Park Authority’s risk management, governance and internal control processes.
In giving our view it should be noted that assurance can never be absolute. The internal audit service provides Cairngorms National Park Authority with reasonable assurance that there are no major weaknesses in the internal control system for the areas reviewed in 2018 – 19. Therefore, the statement of assurance is not a guarantee that all aspects of the internal control system are adequate and effective. The statement of assurance should confirm that, based on the evidence of the audits conducted, there are no signs of material weakness in the framework of control.
In assessing the level of assurance to be given, we have taken into account:
- All internal audit reviews undertaken by BDO LLP during 2018 – 19;
- Any follow-up action taken in respect of audits from previous periods for these audit areas;
- Whether any significant recommendations have not been accepted by management and the consequent risks;
- The effects of any significant changes in the organisation’s objectives or systems;
- The requirements of the Public Sector Internal Audit Standards; and
- Any limitations which may have been placed on the scope of internal audit (no restrictions were placed on our work).
Conclusion
In our view, based on the reviews undertaken during the period, and in the context of materiality:
- The risk management activities and controls in the areas which we examined were found to be suitably designed to achieve the specific risk management, control and governance arrangements, with the exception of the business continuity plan, where further work is required.
- Based on our verification reviews and sample testing, risk management, control and governance arrangements were operating with sufficient effectiveness to provide reasonable, but not absolute assurance that the related risk management, control and governance objectives were achieved for the period under review, in all areas except business continuity.
Performance Against Operational Plan
Visit | Date of visit | Proposed Audit | Planned Days | Actual Days | Status |
---|---|---|---|---|---|
1 | July 2018 | Partnership Management | 5 | 5 | Complete |
2 | July 2018 | Resource Planning | 5 | 5 | Complete |
3 | August 2018 | LEADER Review | 6 | 6 | Complete |
4 | November 2018 | Strategic Planning | 5 | 5 | Complete |
5 | December 2018 | Financial Planning | 5 | 5 | Complete |
6 | February 2019 | Business Continuity Planning | 4 | 4 | Complete |
7 | August 2018 | Follow Up | 3 | 3 | Complete |
Audit Performance
AUDIT | COMPLETION OF FIELDWORK/DEBRIEF MEETING | DRAFT REPORT | FINAL MANAGEMENT RESPONSES | FINAL REPORT |
---|---|---|---|---|
Partnership Management | 18 July 2018 | 2 October 2018 | 26 October 2018 | 26 October 2018 |
Resource Planning | 19 July 2018 | 3 October 2018 | 26 October 2018 | 26 October 2018 |
LEADER Review | 14 September 2018 | 28 September 2018 | 16 October 2018 | 18 October 2018 |
Strategic Planning | 7 November 2018 | 29 November 2018 | 13 December 2018 | 13 December 2018 |
Business Continuity Planning | 15 February 2019 | 22 February 2019 | 10 April 2019 | 12 April 2019 |
Financial Planning | 14 December 2018 | 21 December 2018 | 10 January 2019 | 10 January 2019 |
Follow up | 16 April 2019 | 16 April 2019 | 26 April 2019 | 26 April 2019 |
On average:
- All reports were issued in draft within 10 working days of completion of our fieldwork and debrief meetings with management, allowing for staff sickness and annual leave.
- Initial responses were received within 10 working days of the draft report being issued.
- Final reports were issued within 1 working day of final management responses being received.
Appendix I — Definitions
LEVEL OF ASSURANCE | DESIGN of internal control framework | OPERATIONAL EFFECTIVENESS of internal controls |
---|---|---|
Substantial | Appropriate procedures and controls in place to mitigate the key risks. | No, or only minor, exceptions found in testing of the procedures and controls. The controls that are in place are being consistently applied. |
Moderate | In the main there are appropriate procedures and controls in place to mitigate the key risks reviewed albeit with some that are not fully effective. | A small number of exceptions found in testing of the procedures and controls. Evidence of non-compliance with some controls, that may put some of the system objectives at risk. |
Limited | A number of significant gaps identified in the procedures and controls in key areas. Where practical, efforts should be made to address in-year. | A number of reoccurring exceptions found in testing of the procedures and controls. Where practical, efforts should be made to address in-year. Non-compliance with key procedures and controls places the system objectives at risk. |
No | For all risk areas there are significant gaps in the procedures and controls. Failure to address in-year affects the quality of the organisation’s overall internal control framework. | Due to absence of effective controls and procedures, no reliance can be placed on their operation. Failure to address in-year affects the quality of the organisation’s overall internal control framework. |
Recommendation Significance | Description |
---|---|
High | A weakness where there is substantial risk of loss, fraud, impropriety, poor value for money, or failure to achieve organisational objectives. Such risk could lead to an adverse impact on the business. Remedial action must be taken urgently. |
Medium | A weakness in control which, although not fundamental, relates to shortcomings which expose individual business systems to a less immediate level of threatening risk or poor value for money. Such a risk could impact on operational objectives and should be of concern to senior management and requires prompt specific action. |
Low | Areas that individually have no significant impact, but where management would benefit from improved controls and/or have the opportunity to achieve greater effectiveness and/or efficiency. |
Copyright ©2019 BDO LLP. All rights reserved. www.bdo.co.uk