Please be aware the content below has been generated by an AI model from a source PDF.

200327 Paper 2 Annex 1 CNPA FOI

Cairngorms Nation­al Park Authority

INTERN­AL AUDIT REPORT

Free­dom Of Inform­a­tion Janu­ary 2020

LEVEL OF ASSURANCE

| Design | Operational Effectiveness |
|---|---|
| Moderate | Moderate |

CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit & Risk Com­mit­tee Paper 2 Annex I 27/03/20


CON­TENTS

  • Executive Summary
  • Detailed Findings and Recommendations
  • Observations

Appendices:

  • I Staff Interviewed
  • II Definitions
  • III Terms of Reference


REPORT STATUS

Auditors: Chloe Ridley
Dates work performed: 13 – 21 January 2020
Draft report issued: 29 January 2020
Final report issued: 28 February 2020

DIS­TRI­BU­TION LIST

David Cameron, Director of Corporate Services
Vicky Walker, Office Services Manager
Members of the Audit & Risk Committee

Restric­tions of use

The mat­ters raised in this report are only those which came to our atten­tion dur­ing the course of our audit and are not neces­sar­ily a com­pre­hens­ive state­ment of all the weak­nesses that exist or all improve­ments that might be made. The report has been pre­pared solely for the man­age­ment of the organ­isa­tion and should not be quoted in whole or in part without our pri­or writ­ten con­sent. BDO LLP neither owes nor accepts any duty to any third party wheth­er in con­tract or in tort and shall not be liable, in respect of any loss, dam­age or expense which is caused by their reli­ance on this report.


EXEC­UT­IVE SUMMARY


LEVEL OF ASSUR­ANCE (SEE APPENDIX II FOR DEFINITIONS)

Design: Generally a sound system of internal control designed to achieve system objectives with some exceptions.
Effectiveness: Evidence of non compliance with some controls, that may put some of the system objectives at risk.

SUM­MARY OF RECOM­MEND­A­TIONS (SEE APPENDIX II)

| High | Medium | Low | Total number of recommendations |
|---|---|---|---|
|  | 1 | 5 | 6 |

OVER­VIEW

Back­ground

As part of the 2019 – 20 Intern­al Audit Plan, it was agreed that we would carry out a review of the arrange­ments in place at Cairngorms Nation­al Park Author­ity (CNPA) to man­age the require­ments under the terms of the Free­dom of Inform­a­tion (Scot­land) Act (FOISA).

CNPA is required to comply with FOISA and the Environmental Information (Scotland) Regulations 2004 (EIR). These regulations create a public ‘right of access’ to information held by public authorities. EIR is a separate regime governing access to information defined as ‘environmental’. Public Authorities are required to respond to requests within 20 working days from receipt of the request. A key difference between FOISA and EIR is that requests for environmental information can be made orally; they do not have to be in written format. However, FOISA requests must be made in writing.

The Dir­ect­or of Cor­por­ate Ser­vices (DCS) has over-arch­ing respons­ib­il­ity for FOI and EIR requests. The Office Ser­vices Man­ager (OSM) is respons­ible for the day to day man­age­ment of FOI & EIR requests and respond­ing to FOI requests. The Per­son­al Assist­ant (PA) of the DCS is respons­ible for the admin­is­trat­ive side of FOI requests.

The FOI team meet on a fort­nightly basis to dis­cuss FOI requests.

The num­ber of FOI & EIR requests which were respon­ded to in the last quarter and wheth­er they met the 20 work­ing days dead­line is repor­ted to the Board via the Cor­por­ate Per­form­ance updates in June and Decem­ber each year.

From discussion with the FOI team, it is felt there is sufficient capacity to meet the requirement of the Act. However, resourcing can be difficult because the level of resource taken by an FOI request is hard to predict, especially where the request is for large volumes of information and requires multiple staff to collate it, or when multiple requests are received within a short space of time. FOI requests also typically need to be completed whilst those responsible are undertaking their other day to day duties.



The num­ber of FOI requests has remained fairly stat­ic over the last four years. The num­ber of EIR requests has declined slightly over the last four years. In 2019, there were 15 FOI and 15 EIR requests. How­ever this does not take into con­sid­er­a­tion the com­plex­ity of the cases and the amount of staff time taken to com­pile the responses.


CNPA has a Free­dom of Inform­a­tion Policy which was last updated in Janu­ary 2019. CNPA also has FOI guid­ance notes for staff. Both are avail­able on the CNPA shared drive.

Where staff are con­tac­ted by indi­vidu­als requir­ing inform­a­tion wheth­er face to face or tele­phone and it is not inform­a­tion they can eas­ily sup­ply, the indi­vidu­al is asked to sub­mit the request in writ­ing. Around 90% of CNPA’s FOI requests come to the gen­er­al enquir­ies email and are for­war­ded on to the FOI team. Only a hand­ful of requests a year are dir­ec­ted to staff.

The PA to the DCS will log the request on the FOI or EIR Register and will send a let­ter of acknow­ledge­ment to the requestor. The OSM determ­ines wheth­er the request is FOI or EIR and will ini­tially assess any exemp­tions. The OSM will con­tact the appro­pri­ate staff member(s), and their dir­ect­ors to help identi­fy the inform­a­tion reques­ted if it is not already on CNPA’s website.

The OSM will col­late responses from staff and send the form­al reply.



The Dir­ect­or of Cor­por­ate Ser­vices has been involved with FOI and respond­ing to requests since the Act’s enact­ment in 2002. The OSM star­ted their role in Novem­ber 2019 and has pre­vi­ous exper­i­ence work­ing with FOI and EIR and has atten­ded data pro­tec­tion and GDPR train­ing in Janu­ary 2020. As there have not been sig­ni­fic­ant recent changes to legis­la­tion in FOI, they have not iden­ti­fied any fur­ther train­ing require­ments to sup­port their spe­cif­ic role.

New starters are required to com­plete an inform­a­tion man­age­ment e‑learning course as part of their induc­tion which includes detail on FOI. All staff were required to com­plete an FOI e‑learning course in Octo­ber 2017.

If a requestor is unhappy with the way their request has been handled, the requestor can ask CNPA to com­plete an intern­al review. Most appeals are nor­mally made where an exemp­tion has been applied. An expres­sion of dis­sat­is­fac­tion or a request for review must be made in writ­ing to the DCS with­in 40 work­ing days of the form­al response to the ini­tial request for inform­a­tion and provide details of the reas­ons for request­ing the review.

Fol­low­ing a request for a review, the DCS car­ries out a full review of the ini­tial request for inform­a­tion to determ­ine wheth­er all rel­ev­ant inform­a­tion has been iden­ti­fied; the response provided is in accord­ance with the reg­u­la­tions; to invest­ig­ate the spe­cif­ic reas­ons for the applicant’s appeal and carry out any fur­ther invest­ig­a­tion deemed necessary.

If the requestor is unhappy with the out­put of the review, the requestor can appeal to the Scot­tish Inform­a­tion Com­mis­sion­er (SIC).

CNPA has had 2 cases where the requestor has appealed to the SIC. One in 2019 and one in 2015. In both cases the out­come sat with the requestor and related to EIR exemp­tions. Details of the cases are avail­able on the SIC website.

In response to the 2019 case, CNPA has added a ‘Statement of Assumptions’ section in their formal response letter to deal with differing expectations and understandings encountered between the requestor and CNPA staff.

Every quarter CNPA sub­mits a return to the Scot­tish Inform­a­tion Com­mis­sion­er (SIC) on the num­ber of FOI and EIR requests they have had, wheth­er any exemp­tions have been applied and wheth­er SIC are review­ing any requests.



Scope and Approach

Our review assessed whether:

  • There is suf­fi­cient capa­city in place at CNPA to meet the require­ments of the Act and the volume of FOI requests that are submitted;
  • There are clear lines of respons­ib­il­ity with­in CNPA and the gov­ernance arrange­ments are suf­fi­cient to meet the require­ments of the Act;
  • Intern­al arrange­ments are detailed and there are clear guidelines in place across CNPA regard­ing the FOISA pro­cesses and the require­ments that this places on departments;
  • Staff have been provided with suf­fi­cient levels of train­ing to allow them to deal with any FOI mat­ters that may arise and they have a clear under­stand­ing of their responsibilities;
  • Pro­ced­ures clearly out­line the pro­to­cols in place for any dis­cus­sions with the Inform­a­tion Commissioner’s Office; and
  • ICO decisions are repor­ted and remedi­al actions taken to address any issues raised.

Our approach was to con­duct inter­views to estab­lish the con­trols in oper­a­tion for each of our areas of audit work. We sought doc­u­ment­ary evid­ence that these con­trols are designed as described. We sought to gain evid­ence of the sat­is­fact­ory oper­a­tion of the con­trols to veri­fy the effect­ive­ness of the con­trol through use of a range of tools and techniques.

A de-brief meet­ing was under­taken before com­plet­ing the review to dis­cuss find­ings and ini­tial recommendations.

Good Prac­tice

Dur­ing our review, we iden­ti­fied a num­ber of areas of good prac­tice as follows:

  • New starters are required to com­plete an FOI e‑learning course as part of their induction;
  • Reg­u­lar KPI report­ing to the board includes an update on FOI requests and 20 work­ing days dead­line being met;
  • The FOI Team meet on a fort­nightly basis to dis­cuss FOI requests;
  • Clear roles and respons­ib­il­it­ies with­in the FOI Team; and
  • Use of stand­ard tem­plate let­ters for acknow­ledge­ment of requests and responding.


Key Find­ings

Not­with­stand­ing the areas of good prac­tice noted above, we also iden­ti­fied a num­ber of oppor­tun­it­ies for improve­ment with FOISA & EIR arrange­ments as follows:

  • FOISA & EIR Requests: A sample of 6 FOI & EIR requests were tested to ensure responses were provided in line with legislation and CNPA Policy. The following inconsistencies were found: one instance where the template acknowledgement letter was not used, and one request which should have been treated as a data subject access request under GDPR rather than FOISA;
  • Response Time: Over the last four years there were three FOI requests and six EIR requests which did not meet the required 20 working days response timeline. For four of these, the responses were 1 day late, three were between 3 and 5 days, one was 12 days and one was 20 days;
  • Policy Review: The FOI policy does not doc­u­ment the policy own­er or when it is next due to be reviewed. The FOI guid­ance was last updated in Dec 2012. The Policy and guid­ance does not refer to job titles con­sist­ently. The Policy and guid­ance refers to indi­vidu­als who no longer work for CNPA and uses acronyms with no explanation;
  • Cla­ri­fic­a­tion Pro­ced­ures: There is no doc­u­mented policy regard­ing com­mu­nic­a­tion with the requestor includ­ing ask­ing for a cla­ri­fic­a­tion, con­sid­er­a­tion of wheth­er the cla­ri­fic­a­tion is reas­on­able and com­mu­nic­at­ing dead­lines for responses to cla­ri­fic­a­tions to the requestor;
  • Com­plete Inform­a­tion: There is no guid­ance in place for staff on how to per­form searches for information;
  • Publication Scheme: The Publication Scheme has not been recently reviewed; it was last updated in 2015. There are many links which are no longer available or relate to older versions of reports. It does not have a policy owner or state how regularly it should be reviewed.

Con­clu­sion

We can offer mod­er­ate assur­ance over the design and oper­a­tion­al effect­ive­ness of the FOISA arrange­ments at Cairngorms Nation­al Park Author­ity, how­ever, the noted find­ings should be addressed to enhance the arrange­ments further.



RISKS REVIEWED GIVING RISE TO NO FINDINGS OF HIGH OR MEDIUM SIGNIFICANCE

  • Inad­equate capa­city to meet the require­ments of the Act;
  • Inad­equate lines of respons­ib­il­ity and gov­ernance arrange­ments to meet the require­ments of the Act;
  • Train­ing is not suf­fi­cient to inform staff and Mem­bers around their responsibilities;
  • Intern­al Review Pro­cess and/​or engage­ment with the ICO is not suf­fi­ciently robust;
  • There is no debrief of ICO decisions to determ­ine wheth­er pro­ced­ures require to be amended.

DETAILED RECOM­MEND­A­TIONS


RISK: Inef­fect­ive intern­al arrange­ments to receive inform­a­tion from depart­ments in an accur­ate and timely manner

| Ref. | Finding | Sig. | Recommendation |
|---|---|---|---|
| 1 | FOISA & EIR Requests: CNPA has a FOI Policy in place for staff to follow when dealing with and responding to FOI & EIR requests. A sample of 6 FOI & EIR requests were tested to ensure responses were provided in line with legislation and CNPA Policy. The following inconsistencies were found: (1) There was one instance where the template acknowledgement letter was not used. (2) There was one request which should have been treated as a data subject access request under GDPR rather than FOISA. There is a risk CNPA is not processing data subject access requests correctly. Additionally there is a risk CNPA FOI processes are not consistently applied. |  | CNPA should consider the use of flow charts to outline its processes and requirements, and communicating these to ensure consistent application of the processes. We recommend refresher GDPR training to understand the nuances between GDPR and FOI. |

MANAGEMENT RESPONSE: Agreed.

RESPONSIBILITY AND IMPLEMENTATION DATE
Responsible Officer: Office Services Manager
Implementation Date: July 2020



RISK: Inef­fect­ive intern­al arrange­ments to receive inform­a­tion from depart­ments in an accur­ate and timely manner

| Ref. | Finding | Sig. | Recommendation |
|---|---|---|---|
| 2 | Response Time: FOISA and EIR requires public authorities to respond within 20 working days from receipt of the request. Over the last four years there were three FOI requests and six EIR requests which did not meet the required 20 working days response timeline. For four of these, the responses were 1 day late, three were between 3 and 5 days, one was 12 days and one was 20 days. Staff who are tasked with finding the information that has been requested are required to provide the information to the FOI team so as to give the FOI team time to collate and review the information and prepare a response within the required response timeline. The Personal Assistant to the Director of Corporate Services monitors staff collating information and sends reminder emails. There is a risk CNPA does not have adequate procedures in place to enable compliance with legislation. |  | We recommend CNPA update their procedures which include asking the requestor whether the request can be narrowed to allow the deadline to be met. |

MANAGEMENT RESPONSE: Agreed

RESPONSIBILITY AND IMPLEMENTATION DATE
Responsible Officer: Office Services Manager
Implementation Date: July 2020



RISK: Inef­fect­ive intern­al arrange­ments to receive inform­a­tion from depart­ments in an accur­ate and timely manner

| Ref. | Finding | Sig. | Recommendation |
|---|---|---|---|
| 3 | Policy Review: It is good practice for policies and procedures to be reviewed and updated on a regular basis to ensure the expectation of staff is clear and relevant. The FOI policy does not document the policy owner or when it is next due to be reviewed. The FOI guidance was last updated in Dec 2012, although the FOI Policy was reviewed in January 2019. The Policy and guidance does not refer to job titles consistently. The Policy and guidance refers to individuals who no longer work for CNPA and uses acronyms with no explanation as to what they are, for example GIS officer and CIM. There is a risk there are not clear policies and guidelines in place regarding FOISA processes and requirements. |  | We recommend the FOI policy and guidance are updated on a regular basis and document the policy owner and when it is next due to be reviewed. We recommend the Policy and Guidance are updated, refer to job titles and explain acronyms. |

MANAGEMENT RESPONSE: Agreed

RESPONSIBILITY AND IMPLEMENTATION DATE
Responsible Officer: Office Services Manager
Implementation Date: July 2020



RISK: Inef­fect­ive intern­al arrange­ments to receive inform­a­tion from depart­ments in an accur­ate and timely manner

| Ref. | Finding | Sig. | Recommendation |
|---|---|---|---|
| 4 | Clarification Procedures: It is good practice to have a clearly documented policy on the process to follow when seeking a clarification from a requestor to ensure CNPA remains compliant with FOISA & EIR. There is no documented policy regarding communication with the requestor including asking for a clarification, consideration of whether the clarification is reasonable and communicating deadlines for responses to clarifications to the requestor. There is a risk there are not clear policies and guidelines in place regarding FOISA processes and requirements. |  | We recommend CNPA creates guidance for clarifying requests. |

MANAGEMENT RESPONSE: Agreed

RESPONSIBILITY AND IMPLEMENTATION DATE
Responsible Officer: Office Services Manager
Implementation Date: July 2020



RISK: Ineffective internal arrangements to receive information from departments in an accurate and timely manner

| Ref. | Finding | Sig. | Recommendation |
|---|---|---|---|
| 5 | Complete Information: FOISA requires that where an individual requests information that CNPA have but do not already publish they provide the requestor with the relevant information (with some exceptions). CNPA does not have systems in place which allow searches for information to be completed centrally. Therefore a search for the information needs to be done by staff who have the system access for the information that is being requested. There is no guidance in place for staff on how to perform searches for information. There is a risk CNPA does not provide all relevant information for an EIR or FOI request and therefore is not compliant with legislation. |  | We recommend CNPA creates guidelines for staff when searching for information for FOISA & EIR requests, such as how to undertake keyword searches in records. |

MANAGEMENT RESPONSE: Agreed

RESPONSIBILITY AND IMPLEMENTATION DATE
Responsible Officer: Office Services Manager
Implementation Date: July 2020



RISK: Inad­equate lines of respons­ib­il­ity and gov­ernance arrange­ments to meet the require­ments of the Act

| Ref. | Finding | Sig. | Recommendation |
|---|---|---|---|
| 6 | Publication Scheme: The FOISA requires every public authority to have a publication scheme, approved by the Information Commissioner’s Office (ICO), and to publish information covered by the scheme. CNPA Publication Scheme is available on its website. The Publication Scheme has not been recently reviewed; it was last updated in 2015. There are many links which are no longer available or relate to older versions of reports. It does not have a policy owner or state how regularly it should be reviewed. There is a risk the public are not aware of the documents which CNPA publish. |  | We recommend CNPA review and update its Publication Scheme. We recommend CNPA reviews all information it holds with an aim to publish as much as possible to ensure transparency and reduce FOI requests. |

MANAGEMENT RESPONSE: Agreed. Longer implementation date suggested to reflect work that may be involved in reviewing breadth of information publications.

RESPONSIBILITY AND IMPLEMENTATION DATE
Responsible Officer: Office Services Manager
Implementation Date: December 2020


OBSER­VA­TIONS


1. FOI Training

It is good practice for staff to complete refresher training on FOI on a regular basis. CNPA staff completed an FOISA e‑learning course in October 2017. We recommend CNPA considers requiring staff to complete FOI refresher training on a regular basis, for example every three years. This will assist in increasing staff’s awareness of FOISA and reminding them of legislation and CNPA policy.

2. Appeal Procedure

The Information Commissioner’s Office states it is good practice for a public authority to have an appeal process and to ensure the review is done by someone who did not deal with the request, where possible, and preferably by a more senior member of staff. CNPA has a documented policy in place for dealing with a request for review. The Director of Corporate Services is responsible for reviewing and responding to any requests for reviews. Due to changes in staff over the last 6 months, the Director of Corporate Services has oversight of all requests and has also been involved in responding to some requests for information. It is good practice to have a fresh set of eyes review the request for appeal. Therefore the Director of Corporate Services’ involvement in the initial response to FOI requests should be kept to a minimum where possible.



APPENDIX I — STAFF INTERVIEWED

| NAME | JOB TITLE |
|---|---|
| David Cameron | Director of Corporate Services |
| Vicky Walker | Office Services Manager |
| Laura Byers | Personal Assistant to the Director of Corporate Services |

BDO LLP appre­ci­ates the time provided by all the indi­vidu­als involved in this review and would like to thank them for their assist­ance and cooperation.



APPENDIX II — DEFINITIONS

| LEVEL OF ASSURANCE | DESIGN of internal control framework: findings from review | OPERATIONAL EFFECTIVENESS of internal controls: findings from review |
|---|---|---|
| Substantial | Appropriate procedures and controls in place to mitigate the key risks. | No, or only minor, exceptions found in testing of the procedures and controls. |
| Moderate | In the main there are appropriate procedures and controls in place to mitigate the key risks reviewed albeit with some that are not fully effective. | A small number of exceptions found in testing of the procedures and controls. |
| Limited | A number of significant gaps identified in the procedures and controls in key areas. Where practical, efforts should be made to address in-year. | A number of reoccurring exceptions found in testing of the procedures and controls. Where practical, efforts should be made to address in-year. |
| No | For all risk areas there are significant gaps in the procedures and controls. Failure to address in-year affects the quality of the organisation’s overall internal control framework. | Due to absence of effective controls and procedures, no reliance can be placed on their operation. Failure to address in-year affects the quality of the organisation’s overall internal control framework. |

Recom­mend­a­tion Significance

  • High: A weak­ness where there is sub­stan­tial risk of loss, fraud, impro­pri­ety, poor value for money, or fail­ure to achieve organ­isa­tion­al object­ives. Such risk could lead to an adverse impact on the busi­ness. Remedi­al action must be taken urgently.
  • Medi­um: A weak­ness in con­trol which, although not fun­da­ment­al, relates to short­com­ings which expose indi­vidu­al busi­ness sys­tems to a less imme­di­ate level of threat­en­ing risk or poor value for money. Such a risk could impact on oper­a­tion­al object­ives and should be of con­cern to seni­or man­age­ment and requires prompt spe­cif­ic action.
  • Low: Areas that indi­vidu­ally have no sig­ni­fic­ant impact, but where man­age­ment would bene­fit from improved con­trols and/​or have the oppor­tun­ity to achieve great­er effect­ive­ness and/​or efficiency.


APPENDIX III — TERMS OF REFERENCE

BACKGROUND

As part of the 2019 – 20 Internal Audit Plan, it was agreed that we would carry out a review of the arrangements in place at Cairngorms National Park Authority (CNPA) to manage the requirements under the terms of the Freedom of Information (Scotland) Act (FOISA).

PURPOSE OF REVIEW

To assess and review the design of controls and their effectiveness with regards to meeting FOISA requirements.

KEY RISKS

Based upon the risk assessment undertaken during the development of the internal audit operational plan, through discussions with management, and our collective audit knowledge and understanding, the key risks associated with the area under review are:

  • Inad­equate capa­city to meet the require­ments of the Act;
  • Inad­equate lines of respons­ib­il­ity and gov­ernance arrange­ments to meet the require­ments of the Act;
  • Inef­fect­ive intern­al arrange­ments to receive inform­a­tion from depart­ments in an accur­ate and timely manner;
  • Train­ing is not suf­fi­cient to inform staff and Mem­bers around their responsibilities;
  • Intern­al Review Pro­cess and/​or engage­ment with the ICO is not suf­fi­ciently robust; and
  • There is no debrief of ICO decisions to determ­ine wheth­er pro­ced­ures require to be amended.

BDO LLP, a UK lim­ited liab­il­ity part­ner­ship registered in Eng­land and Wales under num­ber OC305127, is a mem­ber of BDO Inter­na­tion­al Lim­ited, a UK com­pany lim­ited by guar­an­tee, and forms part of the inter­na­tion­al BDO net­work of inde­pend­ent mem­ber firms. A list of mem­bers’ names is open to inspec­tion at our registered office, 55 Baker Street, Lon­don W1U 7EU. BDO LLP is author­ised and reg­u­lated by the Fin­an­cial Con­duct Author­ity to con­duct invest­ment business.

BDO is the brand name of the BDO net­work and for each of the BDO Mem­ber Firms.

BDO North­ern Ire­land, a part­ner­ship formed in and under the laws of North­ern Ire­land, is licensed to oper­ate with­in the inter­na­tion­al BDO net­work of inde­pend­ent mem­ber firms.

Copy­right ©2020 BDO LLP. All rights reserved.

www​.bdo​.co​.uk
