Skip to content
Please be aware the content below has been generated by an AI model from a source PDF.

190920CNPAPaper3ARCAnnualReport

CAIRNGORMS NATION­AL PARK AUTHORITY

AUDIT & RISK COM­MIT­TEE ANNU­AL REPORT

Paper 3 20th Septem­ber 2019

FOR INFORM­A­TION

Title: AUDIT & RISK COM­MIT­TEE ANNU­AL REPORT

Pre­pared by: DAV­ID CAMER­ON, DIR­ECT­OR OF COR­POR­ATE SERVICES

Pur­pose

To present the Audit & Risk Com­mit­tee Annu­al Report to the Board.

Recom­mend­a­tion

The Board is reques­ted to:

a) Con­sider and note the report.

Exec­ut­ive Summary

The Audit & Risk Com­mit­tee is required to report annu­ally to the full Board on its activ­it­ies over the year, and on the reports presen­ted to the Com­mit­tee by the Authority’s intern­al and extern­al auditors.

This Annu­al Report is presen­ted on behalf of the Audit & Risk Com­mit­tee to cov­er the peri­od of its oper­a­tions from Septem­ber 2018 to Septem­ber 2019.

Back­ground

  1. The Audit & Risk Com­mit­tee is required to report annu­ally to the full Board on its activ­it­ies over the year, and on the reports presen­ted to the Com­mit­tee by the Authority’s intern­al and extern­al auditors.

  2. This Annu­al Report is presen­ted on behalf of the Audit & Risk Com­mit­tee to cov­er the peri­od of its oper­a­tions from Septem­ber 2018 to Septem­ber 2019.

Over­view

  1. The peri­od of this Annu­al Report cov­ers con­sid­er­a­tion of final accounts for 201819, togeth­er with asso­ci­ated reports from Grant Thornton, the Authority’s extern­al auditors.

  2. The Com­mit­tee has also con­tin­ued to have over­sight of the work of the Authority’s intern­al aud­it­ors and con­sider reports issued by them.

  3. The peri­od of this report cov­ers the ongo­ing deliv­ery of intern­al audit ser­vices by BDO, under a con­tract let jointly by Scot­tish Nat­ur­al Her­it­age (SNH) in con­junc­tion with the Cairngorms and a num­ber of oth­er pub­lic bodies.

  4. The Com­mit­tee met four times over the peri­od covered by this report.

Key Activ­it­ies

  1. In addi­tion to man­age­ment reports from the Authority’s Intern­al and Extern­al Aud­it­ors, con­sidered in fur­ther detail below, the Com­mit­tee con­sidered the fol­low­ing issues dur­ing the course of the year:

a) Risk man­age­ment: the Audit & Risk Com­mit­tee has con­tin­ued to take a stra­tegic over­sight of the Authority’s risk man­age­ment strategy and reg­u­larly con­sidered the stra­tegic risk register. The Com­mit­tee has con­sidered the appro­pri­ate­ness of cov­er­age of the stra­tegic risk register through­out the year, and adequacy of mit­ig­a­tion action, in peri­ods between full Board con­sid­er­a­tions of risk management.

b) Detailed Risk Ana­lys­is: the Com­mit­tee has con­tin­ued the prac­tice in the year of con­sid­er­ing more in-depth ana­lyses of key risks from seni­or man­age­ment. This prac­tice has been adop­ted at the sug­ges­tion on the intern­al aud­it­ors from their exper­i­ence with oth­er cli­ents, and provides an oppor­tun­it­ies to explore key or increas­ing stra­tegic risks in more detail and eval­u­ate the adequacy of mit­ig­a­tion actions. The Com­mit­tee has con­sidered a detailed ana­lys­is of the risks asso­ci­ated with the Authority’s risk pos­i­tion regard­ing the UK’s planned exit from the EU; Work­force Man­age­ment Risks and IT Man­age­ment Risks dur­ing this report­ing period.

c) LEAD­ER: the Author­ity, as lead body for the man­age­ment and admin­is­tra­tion of EU LEAD­ER fund­ing with­in Cairngorms, has a respons­ib­il­ity to arrange for appro­pri­ate intern­al audit of its LEAD­ER activ­it­ies under the terms of the ser­vice level agree­ment with the Scot­tish Gov­ern­ment. The Com­mit­tee has con­sidered intern­al audit reports on the LEAD­ER pro­gramme, and also reviewed the ongo­ing rela­tion­ships between the Author­ity as Account­able Body for Cairngorms LEAD­ER and the Scot­tish Gov­ern­ment teams respons­ible for nation­al LEAD­ER deliv­ery and review.

d) Account­ing Policy: the Com­mit­tee reviews and agrees account­ing policies as part of its con­sid­er­a­tion of final accounts pri­or to their sig­na­ture by the Account­able Officer. There were no sig­ni­fic­ant vari­ations to account­ing policy required in the year.

e) Gov­ernance State­ment: review and approv­al of this state­ment, pri­or to its inclu­sion in the annu­al accounts and pri­or to sig­na­ture by the Account­able Officer.

f) Updates on pro­gress in imple­ment­ing pre­vi­ous audit recom­mend­a­tions: the intern­al aud­it­ors have under­taken a form­al fol­low-up review of action taken on pre­vi­ous audit recom­mend­a­tions and repor­ted pro­gress on this to Com­mit­tee at its meet­ing on 3 May 2019. This report high­lighted good pro­gress in deal­ing with a back­log of actions address­ing audit imple­ment­a­tion from 201718, built up while the Authority’s staff pre­pared for the EURO­PARC 2018 Con­fer­ence amongst oth­er pri­or­it­ies. Of the audit recom­mend­a­tions made, 59% had been fully or par­tially imple­men­ted, or action had been super­seded as a con­sequence of oth­er work with­in the Author­ity, while a fur­ther 26% were not yet due for com­ple­tion. There­fore, only 15% of audit recom­mend­a­tions did not have expec­ted action taken on them – rep­res­ent­ing 2 medi­um” pri­or­ity and five low” pri­or­ity recommendations.

g) Con­sid­er­a­tion and agree­ment of for­ward audit activ­ity plans: the Com­mit­tee has agreed a for­ward plan of intern­al audit activ­ity for 201920 with BDO, with­in a risk-based, rolling, three year intern­al audit pro­gramme. The Com­mit­tee also agreed the plan for the 201819 annu­al accounts extern­al audit and over­saw pro­gress in deliv­ery of that extern­al audit plan.

h) Best Value and Com­plaints Hand­ling: the Com­mit­tee has also under­taken a reg­u­lar over­view of the Authority’s com­plaints hand­ling. This high­lights that the Com­mit­tee has sought to ensure that the work of the Com­mit­tee on intern­al con­trols is fully integ­rated with the Authority’s wider com­mit­ment to Best Value and con­tinu­ous improve­ment in ser­vice provision.

i) Let­ter of rep­res­ent­a­tion: the Com­mit­tee con­sidered the draft let­ter of rep­res­ent­a­tion from the Author­ity to Grant Thornton, the extern­al aud­it­or, pri­or to its sig­na­ture by the Account­able Officer as an appro­pri­ate reflec­tion of the Authority’s pos­i­tion for pre­par­a­tion of the accounts for 201819 and con­duct of the Authority’s fin­an­cial and wider con­trol pro­ced­ures over the course of the year.

Intern­al Audit

  1. The Com­mit­tee agree an annu­al intern­al audit work pro­gramme presen­ted by the intern­al auditor.

  2. Over the course of the peri­od of this report, BDO have presen­ted eight man­age­ment reports to the Com­mit­tee. Their find­ings and con­sequent recom­mend­a­tions for action are graded accord­ing to the intern­al aud­it­ors’ assess­ment of the sig­ni­fic­ance of the under­ly­ing weak­ness to the effect­ive man­age­ment of the organisation.

  3. Table One presents a sum­mary of the num­ber and degree of sig­ni­fic­ance of intern­al audit find­ings over the peri­od of this report and com­pares this with his­tor­ic levels. The defin­i­tions used for sig­ni­fic­ance of intern­al audit recom­mend­a­tions have changed slightly with the change in intern­al audit pro­vider from KPMG to BDO. These defin­i­tions are giv­en after the table. The areas audited are also clas­si­fied in terms of over­all effect­ive­ness of the intern­al audit con­trol sys­tems reviews and these clas­si­fic­a­tions are also explained below the table.

Table One: Sum­mary of Intern­al Audit Findings

Intern­al Audit StudyCrit­ic­alHighMod­er­ateLow
201112 Total (7 studies)03149
201213 Total (4 studies)00010
201314 Total (7 studies)01911
201415 Total (4 studies)00513
201516 Total (9 studies)00910
201617 Total (8 studies)n/​a01111
201718 Total (3 studies)n/​a037
201819 Total (9 studies)n/​a1610
Over­all Effect­ive­nessHighMedi­umLow
The 201819 stud­ies were:
Busi­ness Per­form­ance Man­age­ment (Nov 18)1--1
LEAD­ER Admin­is­tra­tion Pro­cesses (Nov 18)1-1-
Part­ner­ship Man­age­ment (Nov 18)1--2
Resource Plan­ning (Nov 18)2--3
Stra­tegic Plan­ning (Mar 19)1---
Fin­an­cial Plan­ning (Mar 19)1---
Busi­ness Con­tinu­ity (May 19)3151
LEAD­ER Admin­is­tra­tion Pro­cesses (Sep 19)1---
Risk Man­age­ment Pro­cesses (Sep 19)1--3
Total for periodn/​a1610

Key — BDO defin­i­tion of sig­ni­fic­ance of audit recommendations:

a) High: A weak­ness where there is sub­stan­tial risk of loss, fraud, impro­pri­ety, poor value for money, or fail­ure to achieve organ­isa­tion­al object­ives. Such risk could lead to an adverse impact on the busi­ness. Remedi­al action must be taken urgently.

b) Mod­er­ate: A weak­ness in con­trol which, although not fun­da­ment­al, relates to short­com­ings which expose indi­vidu­al busi­ness sys­tems to a less imme­di­ate level of threat­en­ing risk or poor value for money. Such a risk could impact on oper­a­tion­al object­ives and should be of con­cern to seni­or man­age­ment and requires prompt spe­cif­ic action.

c) Low: Areas that indi­vidu­ally have no sig­ni­fic­ant impact, but where man­age­ment would bene­fit from improved con­trols and/​or have the oppor­tun­ity to achieve great­er effect­ive­ness and/​or efficiency.

Intern­al Con­trol Effect­ive­ness Categories

d) 1 = Sub­stan­tial: There is a sound sys­tem of intern­al con­trol designed to achieve sys­tem objectives.

e) 2 = Mod­er­ate: Gen­er­ally a sound sys­tem of intern­al con­trol designed to achieve sys­tem object­ives with some exceptions.

f) 3 = Lim­ited: Sys­tem of intern­al con­trols is weakened with sys­tem object­ives at risk of not being achieved.

g) 4 = No Assur­ance: Poor sys­tem of intern­al control

  1. The Com­mit­tee wel­comes the fact that, while there has been a high level recom­mend­a­tion raised in this report­ing peri­od, the num­ber of recom­mend­a­tions over a wide range of intern­al audit review areas remain low in num­ber and typ­ic­al pri­or­ity. Design and imple­ment­a­tion of con­trol sys­tems are typ­ic­ally rated as sub­stan­tial or moderate.

  2. In many organ­isa­tions, only high pri­or­ity recom­mend­a­tions which are typ­ic­ally con­sidered to have stra­tegic import­ance are brought to the atten­tion of the Audit & Risk Com­mit­tee. In prac­tice, and in line with the Authority’s val­ues of trans­par­ency, the Com­mit­tee is made aware of all recom­mend­a­tions made by the intern­al aud­it­ors, through con­sid­er­a­tion of full man­age­ment reports fol­low­ing each audit review.

  3. The Com­mit­tee also wel­comes the con­tinu­ation of a rel­at­ively small num­ber of total recom­mend­a­tions for improve­ment in sys­tems and con­trols arising from the vari­ous reviews con­duc­ted, which has con­tin­ued a trend seen by the Com­mit­tee in recent years.

  4. The Com­mit­tee has agreed man­age­ment responses to all recom­mend­a­tions made and con­tin­ues to mon­it­or pro­gress made. The intern­al aud­it­ors have also con­duc­ted fol­low-up reports and report back to the Com­mit­tee on their findings.

  5. The Com­mit­tee has con­sidered the Intern­al Aud­it­ors’ Annu­al Report for 201819. In terms of the Authority’s engage­ment with intern­al audit, the report notes that Man­age­ment have been con­scien­tious in review and com­ment­ing on our reports. For the reports which have been final­ised, man­age­ment have respon­ded pos­it­ively. The responses indic­ate that appro­pri­ate steps to imple­ment our recom­mend­a­tions are being put in place.”

  6. The intern­al auditor’s annu­al report for the year gives the fol­low­ing over­all opin­ion: The risk man­age­ment activ­it­ies and con­trols in the areas which we examined were found to be suit­ably designed to achieve the spe­cif­ic risk man­age­ment, con­trol and gov­ernance arrange­ments, with the excep­tion of the busi­ness con­tinu­ity plan, where fur­ther work is required. Based on our veri­fic­a­tion reviews and sample test­ing, risk man­age­ment, con­trol and gov­ernance arrange­ments were oper­at­ing with suf­fi­cient effect­ive­ness to provide reas­on­able, but not abso­lute assur­ance that the related risk man­age­ment, con­trol and gov­ernance object­ives were achieved for the peri­od under review, in all areas except busi­ness continuity.”

Extern­al Audit

  1. The Authority’s accounts for 201819 received a clear, unqual­i­fied extern­al auditor’s report and opin­ion from Grant Thornton, our extern­al auditors.

  2. Grant Thornton were appoin­ted as the Authority’s extern­al aud­it­ors with effect of audit of the 201617 accounts for a 5 year term by the Aud­it­or Gen­er­al for Scotland.

  3. The accounts and extern­al auditor’s report for 201819 were con­sidered and approved by the Com­mit­tee at its meet­ing of 6 Septem­ber 2019. The accounts were signed by the Chief Exec­ut­ive as Account­able Officer on 6 Septem­ber 2019, and passed to Audit Scot­land for sig­na­ture and onward sub­mis­sion to Aud­it­or Gen­er­al and Scot­tish Par­lia­ment. This main­tained the accel­er­ated accounts sign off by around one month com­pared with the 201617 timetable.

  4. The Audit & Risk Com­mit­tee con­sidered Grant Thornton’s report to those charged with gov­ernance on the audit of the 201819 accounts at its meet­ing of 6 Septem­ber 2019. The report high­lighted only one action point, not­ing that ongo­ing work is required to devel­op the per­form­ance report accom­pa­ny­ing the accounts. This action was accep­ted by man­age­ment and indeed is an action which man­age­ment were already also pro­gress­ing. There is an expect­a­tion that as the Author­ity pro­gresses through the cur­rent 4 years of Cor­por­ate Plan deliv­ery, there will be oppor­tun­ity to focus more on Key Per­form­ance Indic­at­ors and make the per­form­ance report more con­cise. The Dir­ect­or of Cor­por­ate Ser­vices is aware that the con­tent and struc­ture of the per­form­ance report is a mat­ter that is under review by a num­ber of organ­isa­tions and their Audit and Risk Com­mit­tees, and there­fore the Author­ity is not alone in facing this action.

  5. The extern­al audit report also high­lights that the single action arising from the pri­or year extern­al audit had been sat­is­fact­or­ily closed. This had also been the case in the audit of the 201718 fin­an­cial state­ments, con­tinu­ing to high­light appro­pri­ate man­age­ment atten­tion to audit recom­mend­a­tions for improvement.

Stra­tegic Risk Management

  1. The Authority’s stra­tegic risk register has con­tin­ued to be revised dur­ing the year by the Com­mit­tee and full Board, ensur­ing it reflects the deliv­ery pri­or­it­ies and stra­tegic envir­on­ment of the Author­ity in its deliv­ery of our Cor­por­ate Plan for 2018 to 2022. The Board has sight of the stra­tegic risk register and is able to com­ment on it twice each year, while con­sid­er­ing wider cor­por­ate per­form­ance reports. The Audit & Risk Com­mit­tee will con­tin­ue to review the cov­er­age and adequacy of the stra­tegic risk register in those quar­ters where it is not presen­ted to the full Board.

Con­clu­sions

  1. The Audit & Risk Com­mit­tee con­siders that it has been suc­cess­ful in pro­gress­ing the Board’s gov­ernance and intern­al con­trol pri­or­it­ies dur­ing the peri­od covered by this annu­al report.

  2. The Com­mit­tee has engaged through the year with issues iden­ti­fied by the Authority’s intern­al and extern­al aud­it­ors, and also by the Authority’s officers. The Com­mit­tee has received full reports on issues raised; con­sidered recom­mend­a­tions made; and approved responses and actions. The Com­mit­tee has shaped and approved the over­all audit plan and guided the dir­ec­tion and approach of the intern­al aud­it­ors and their pro­gramme of work. The Com­mit­tee has also mon­itored deliv­ery against approved action plans.

  3. The Com­mit­tee has also led on the pri­or­it­isa­tion of aspects of the Authority’s Stra­tegic Risk envir­on­ment which have mer­ited detailed, deep dive” stra­tegic risk reviews.

  4. Both the intern­al and extern­al aud­it­ors’ find­ings provide assur­ance to the Com­mit­tee and Board that the Authority’s intern­al con­trol and gov­ernance object­ives are being met effect­ively by management.

  5. It is also reas­sur­ing for Com­mit­tee mem­bers to see once again that only a few typ­ic­ally low pri­or­ity recom­mend­a­tions have been raised by the intern­al aud­it­ors over the course of the year. While it is accep­ted that there will always be a range of improve­ments than can be made to ser­vices and con­trols, and as such a num­ber of recom­mend­a­tions for improve­ment from intern­al audit will always be expec­ted, the Com­mit­tee warmly wel­comes the evid­ence of gen­er­ally effect­ive con­trol sys­tems evid­enced by the reports and very low level of improve­ment recom­mend­a­tions arising from audits over the year.

  6. The Com­mit­tee will con­tin­ue to address key, basic issues of intern­al con­trol and the devel­op­ment of appro­pri­ate pro­cesses with­in the Authority.

  7. The Com­mit­tee will also seek to con­tin­ue to have over­sight of the Authority’s approach to and hand­ling of risk man­age­ment, and of wider aspects of cor­por­ate gov­ernance such as the approach to Best Value and value for money. In par­tic­u­lar, mem­bers will seek to ensure that les­sons are learned from oper­a­tion­al exper­i­ence and that wherever pos­sible reviews of work­ing prac­tices and learn­ing from them lead to improve­ments in our systems.

Dav­id Camer­on, for Audit & Risk Com­mit­tee members:

Judith Webb (Chair) Gaen­er Rodger (Vice Chair) Peter Argyle John Lath­am Janet Hunter

6 Septem­ber 2019 davidcameron@​cairngorms.​co.​uk

×

We want your feedback

Thank you for visiting our new website. We'd appreciate any feedback using our quick feedback form. Your thoughts make a big difference.

Thank you!

Give feedback