Skip to content
Please be aware the content below has been generated by an AI model from a source PDF.

200327 Paper 4 Annex 2 CNPA- Internal Audit Annual Report 2019-20 FINAL

Cairngorm Nation­al Park Authority

INTERN­AL AUDIT ANNU­AL REPORT 2019 — 20 March 2020

CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit and Risk Com­mit­tee Paper 4 Annex 2 27/03/2020

BDO

CON­TENTS

Exec­ut­ive Sum­mary 3 Review of 2019 – 20 work 7 Annu­al state­ment of assur­ance 8 Per­form­ance against oper­a­tion­al plan 9 Audit per­form­ance 10

Appen­dices: I Defin­i­tions 11

CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit and Risk Com­mit­tee Paper 4 Annex 2 27/03/2020

Restric­tions of use The mat­ters raised in this report are only those which came to our atten­tion dur­ing the course of our audit and are not neces­sar­ily a com­pre­hens­ive state­ment of all the weak­nesses that exist or all improve­ments that might be made. The report has been pre­pared solely for the man­age­ment of the organ­isa­tion and should not be quoted in whole or in part without our pri­or writ­ten con­sent. BDO LLP neither owes nor accepts any duty to any third party wheth­er in con­tract or in tort and shall not be liable, in respect of any loss, dam­age or expense which is caused by their reli­ance on this report.

2

EXEC­UT­IVE SUMMARY

CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit and Risk Com­mit­tee Paper 4 Annex 2 27/03/2020

Back­ground Our role as intern­al aud­it­or is to provide an inde­pend­ent, object­ive assur­ance and con­sult­ing activ­ity designed to add value and improve an organisation’s oper­a­tions. Our approach, as set out in BDO’s Intern­al Audit Manu­al, is to help the organ­isa­tion accom­plish its object­ives by bring­ing a sys­tem­at­ic, dis­cip­lined approach to eval­u­ate and improve the effect­ive­ness of risk man­age­ment, con­trol and gov­ernance processes.

Respons­ib­il­it­ies BDO LLP has been appoin­ted as intern­al aud­it­or to Cairngorm Nation­al Park Author­ity (CNPA) to provide the Board (via the Audit Com­mit­tee), the Account­able Officer and oth­er man­agers with assur­ance on the adequacy of the fol­low­ing arrangements:

  • Risk Man­age­ment;
  • Cor­por­ate Gov­ernance; and
  • Intern­al Control.

Respons­ib­il­ity for these arrange­ments remains fully with man­age­ment, which should recog­nise that intern­al audit can only provide reas­on­able assur­ance’ and can­not provide any guar­an­tee against mater­i­al errors, loss or fraud. Our role at CNPA is also aimed at help­ing man­age­ment to improve risk man­age­ment, gov­ernance and intern­al con­trol, so redu­cing the effects of any sig­ni­fic­ant risks facing the organisation.

Our risk eval­u­ations and tests are designed to ensure that con­trols are sound both in design and effect­ive in oper­a­tion. Our con­clu­sions are based on evid­ence obtained dur­ing the course of our audit work, veri­fic­a­tion tests and samples selec­ted from the year’s trans­ac­tions to date. How­ever, our con­clu­sions should not be taken to mean that all trans­ac­tions have been prop­erly author­ised and pro­cessed or that all ele­ments of sys­tems have been tested.

3

EXEC­UT­IVE SUMMARY

CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit and Risk Com­mit­tee Paper 4 Annex 2 27/03/2020

Audit Approach We have reviewed the con­trol policies and pro­ced­ures employed by CNPA to man­age risks in busi­ness areas iden­ti­fied by man­age­ment set out in the 2019 – 20 Annu­al Intern­al Audit Plan approved by the Audit Com­mit­tee. This report is made solely in rela­tion to those busi­ness areas and risks reviewed in the year and does not relate to any of the oth­er oper­a­tions of the organisation.

Our approach com­plies with best pro­fes­sion­al prac­tice, in par­tic­u­lar, Pub­lic Sec­tor Intern­al Audit Stand­ards and the Chartered Insti­tute of Intern­al Aud­it­ors’ Pos­i­tion State­ment on Risk Based Intern­al Auditing.

We dis­charge our role, as detailed with­in the audit plan­ning doc­u­ments agreed with CNPA man­age­ment for each review, by:

  • Con­sid­er­ing the risks that have been iden­ti­fied by man­age­ment as being asso­ci­ated with the pro­cesses under review
  • Review­ing the writ­ten policies and pro­ced­ures and hold­ing dis­cus­sions with man­age­ment to identi­fy pro­cess controls
  • Eval­u­at­ing the risk man­age­ment activ­it­ies and con­trols estab­lished by man­age­ment to address the risks it is seek­ing to manage
  • Per­form­ing com­pli­ance tests (where appro­pri­ate) to determ­ine wheth­er the risk man­age­ment activ­it­ies and con­trols are oper­at­ing as expected.
  • Per­form­ing walk­through tests to determ­ine wheth­er the expec­ted risk man­age­ment activ­it­ies and con­trols are in place

The assur­ance state­ment provided on page 8 of this report is based on his­tor­ic­al inform­a­tion and the pro­jec­tion of any inform­a­tion or con­clu­sions con­tained in our opin­ion to any future peri­ods is sub­ject to the risk that changes may alter its validity.

Cov­er­age Dur­ing 2019 – 20 BDO LLP has reviewed and eval­u­ated Audit Scotland’s pro­cesses in the fol­low­ing areas:

  • LEAD­ER Administration
  • Payroll Admin­is­tra­tion
  • Risk Man­age­ment
  • Expense Claims Process

4

  • Staff Object­ive Set­ting and Appraisal
  • Pro­ject Financing
  • FOISA

EXEC­UT­IVE SUMMARY

CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit and Risk Com­mit­tee Paper 4 Annex 2 27/03/2020

Recom­mend­a­tions To assist man­age­ment in address­ing our find­ings, we cat­egor­ise our recom­mend­a­tions accord­ing to their level or pri­or­ity. The recom­mend­a­tions made in the sev­en com­pleted reviews totalled 31.

Sum­mary of Recom­mend­a­tions (SEE APPENDIX I)

High Medi­um Low

Total num­ber of recom­mend­a­tions: 31

8 23

Report­ing mech­an­isms and prac­tices Our ini­tial draft reports are sent to the key officer respons­ible for the area under review in order to gath­er man­age­ment responses. In every instance there is an oppor­tun­ity to dis­cuss the draft report in detail. There­fore, any issues or con­cerns can be dis­cussed with man­age­ment before final­isa­tion of the reports.

Our meth­od of oper­at­ing with the Audit Com­mit­tee is to agree reports with man­age­ment and then present and dis­cuss the mat­ters arising at the Audit Com­mit­tee meetings.

Man­age­ment action on our recom­mend­a­tions Man­age­ment have been con­scien­tious in review­ing and com­ment­ing on our reports, and have respon­ded pos­it­ively. The responses indic­ate that appro­pri­ate steps to imple­ment our recom­mend­a­tions are being put in place.

5

EXEC­UT­IVE SUMMARY

CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit and Risk Com­mit­tee Paper 4 Annex 2 27/03/2020

Rela­tion­ship with extern­al audit All our final reports are avail­able to the extern­al aud­it­ors through the Audit Com­mit­tee papers and are avail­able on request. Our files are also avail­able to Extern­al Audit should they wish to review work­ing papers in order to place reli­ance on the work of Intern­al Audit.

Fol­low up Dur­ing the year we under­took inde­pend­ent exer­cises to assess the pro­gress made by CNPA in imple­ment­ing intern­al audit recom­mend­a­tions made in pre­vi­ous years, and in the cur­rent year where applicable.

Imple­ment­a­tion of recom­mend­a­tions is a key determ­in­ant of our annu­al opin­ion. If recom­mend­a­tions are not imple­men­ted on a timely basis then weak­nesses in con­trol and gov­ernance frame­works will remain in place. Fur­ther­more, an unwill­ing­ness or inab­il­ity to imple­ment recom­mend­a­tions reflects poorly on management’s com­mit­ment to the main­ten­ance of a robust con­trol envir­on­ment. With­in CNPA we found a strong level of com­mit­ment and effort in clear­ing as many out­stand­ing recom­mend­a­tions as pos­sible from pre­vi­ous audit reports.

We fol­lowed up 44 recom­mend­a­tions from the cur­rent and pre­vi­ous years. We noted that 8 of these recom­mend­a­tions had been fully imple­men­ted, 19 had been par­tially imple­men­ted, 9 recom­mend­a­tions were not yet imple­men­ted and 8 had not yet reached the agreed date for imple­ment­a­tion of the agreed action.

On that basis we recog­nise that man­age­ment and staff have inves­ted time and effort in imple­ment­ing the recom­mend­a­tions and we took assur­ance that management’s resolve to imple­ment pre­vi­ously agreed recom­mend­a­tions is sound.

Sum­mary of work per­formed Details of the sev­en intern­al audit reviews and the fol­low up review have been repor­ted to the Audit Com­mit­tee through­out the year and have been dis­cussed at length with con­sid­er­a­tion and scru­tiny of man­age­ment responses and times­cales proposed.

For the pur­pose of this annu­al report, we set out in the fol­low­ing pages our sum­mary of recom­mend­a­tions and assess­ment of the design and effect­ive­ness of the risk assur­ance for each of the audit areas reviewed.

6

REVIEW OF 2019 – 20 WORK

CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit and Risk Com­mit­tee Paper 4 Annex 2 27/03/2020

Reports Issued

Over­all Report Con­clu­sions see appendix I Design Oper­a­tion­al Effect­ive­ness LEAD­ER Admin­is­tra­tion 0 0 0 Sub­stan­tial Sub­stan­tial Payroll Admin­is­tra­tion 0 2 4 Mod­er­ate Mod­er­ate Risk Man­age­ment 0 0 3 Sub­stan­tial Sub­stan­tial Expense Claims Pro­cess 0 2 5 Mod­er­ate Mod­er­ate Staff Object­ive Set­ting and Apprais­al 0 1 3 Mod­er­ate Mod­er­ate Pro­ject Fin­an­cing 0 2 3 Mod­er­ate Mod­er­ate FoISA 0 1 5 Mod­er­ate Moderate

7

ANNU­AL STATE­MENT OF ASSURANCE

CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit and Risk Com­mit­tee Paper 4 Annex 2 27/03/2020

Report by BDO LLP to Audit Scot­land As the intern­al aud­it­ors of CNPA we are required to provide the Board, via the Audit Com­mit­tee, and oth­er man­age­ment with a view on the adequacy and effect­ive­ness of Audit Scotland’s risk man­age­ment, gov­ernance and intern­al con­trol processes.

In giv­ing our view it should be noted that assur­ance can nev­er be abso­lute. The intern­al audit ser­vice provides CNPA with reas­on­able assur­ance that there are no major weak­nesses in the intern­al con­trol sys­tem for the areas reviewed in 2019 – 20. There­fore, the state­ment of assur­ance is not a guar­an­tee that all oth­er aspects of the intern­al con­trol sys­tem are adequate and effect­ive. The state­ment of assur­ance should con­firm that, based on the evid­ence of the audits con­duc­ted, there are no oth­er signs of mater­i­al weak­ness in the frame­work of control.

In assess­ing the level of assur­ance to be giv­en, we have taken into account:

  • All intern­al audits under­taken by BDO LLP dur­ing 2019 – 20;
  • Any fol­low-up action taken in respect of audits from pre­vi­ous peri­ods for these audit areas;
  • Wheth­er any sig­ni­fic­ant recom­mend­a­tions have not been accep­ted by man­age­ment and the con­sequent risks;
  • The effects of any sig­ni­fic­ant changes in the organisation’s object­ives or systems;
  • The require­ments of the Pub­lic Sec­tor Intern­al Audit Stand­ards; and
  • Any lim­it­a­tions which may have been placed on the scope of intern­al audit (no restric­tions were placed on our work).

Con­clu­sion In our view, based on the reviews under­taken dur­ing the peri­od, and in the con­text of materiality:

  • The risk man­age­ment activ­it­ies and con­trols in the areas which we examined were found to be suit­ably designed to achieve the spe­cif­ic risk man­age­ment, con­trol and gov­ernance arrangements.
  • Based on our veri­fic­a­tion reviews and sample test­ing, risk man­age­ment, con­trol and gov­ernance arrange­ments were oper­at­ing with suf­fi­cient effect­ive­ness to provide reas­on­able, but not abso­lute assur­ance that the related risk man­age­ment, con­trol and gov­ernance object­ives were achieved for the peri­od under review.

8

PER­FORM­ANCE AGAINST OPER­A­TION­AL PLAN

CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit and Risk Com­mit­tee Paper 4 Annex 2 27/03/2020

Vis­it Date of vis­it Pro­posed Audit Planned Days Actu­al Days Status 1 May 2019 LEAD­ER Admin­is­tra­tion 6 6 Com­plete 2 July 2019 Payroll Admin­is­tra­tion 6 6 Com­plete 3 August 2019 Risk Man­age­ment 5 5 Com­plete 4 August 2019 Expense Claims Pro­cess 5 5 Com­plete 5 Novem­ber 2019 Staff Object­ive Set­ting and Apprais­al 5 5 Com­plete 6 Decem­ber 2019 Pro­ject Fin­an­cing 5 5 Com­plete 7 Janu­ary 2020 FoISA 5 5 Com­plete 8 Janu­ary 2020 Fol­low Up 3 3 Work ongo­ing Indir­ect Audit Activ­ity — Audit Plan 1 1 Com­plete devel­op­ment Indir­ect Audit Activ­ity — Cli­ent liais­on 1 1 Com­plete Indir­ect Audit Activ­ity — Audit 1 1 Com­plete Com­mit­tee Indir­ect Audit Activ­ity — Annu­al 1 1 Com­plete Reporting

9

AUDIT PER­FORM­ANCE

CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit and Risk Com­mit­tee Paper 4 Annex 2 27/03/2020

AUDIT COM­PLE­TION OF FIELD­WORK DRAFT REPORT MAN­AGE­MENT RESPONSES FINAL REPORT LEAD­ER Admin­is­tra­tion 3/5/19 21/5/19 22/5/19 24/5/19 Payroll Admin­is­tra­tion 5/7/19 24/9/19 9/10/19 10/10/19 Risk Man­age­ment 7/8/19 16/8/19 18/8/19 19/8/19 Expense Claims Pro­cess 19/8/19 30/8/19 9/10/19 10/10/19 Staff Object­ive Set­ting and 15/11/19 27/11/19 16/1/19 17/1/19 Apprais­al Pro­ject Fin­an­cing 12/12/19 16/12/19 22/1/20 23/1/20 FoISA 21/1/20 29/1/20 27/2/20 28/2/20 Fol­low Up 17/3/20 23/3/20 23/3/20 23/3/20

*date of debrief meeting

On aver­age:

  • All reports were issued in draft with­in 10 work­ing days of com­ple­tion of our field­work and a debrief meet­ing with management.
  • Ini­tial responses were received with­in 10 work­ing days of the draft report being issued.
  • Final reports were issued with­in 1 work­ing day of final man­age­ment responses being received.

10

APPENDIX I — DEFINITIONS

CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit and Risk Com­mit­tee Paper 4 Annex 2 27/03/2020

LEVEL OF DESIGN of intern­al con­trol frame­work ASSUR­ANCE Find­ings from review Design Opin­ion OPER­A­TION­AL EFFECT­IVE­NESS of intern­al con­trols Find­ings from review Effect­ive­ness Opin­ion Sub­stan­tial Appro­pri­ate pro­ced­ures and con­trols in place to mit­ig­ate the key risks. There is a sound sys­tem of intern­al con­trol designed to achieve sys­tem object­ives. No, or only minor, excep­tions found in test­ing of the pro­ced­ures and con­trols. The con­trols that are in place are being con­sist­ently applied. Reas­on­able In the main there are appro­pri­ate pro­ced­ures and con­trols in place to mit­ig­ate the key risks reviewed albeit with some that are not fully effect­ive. Gen­er­ally a sound sys­tem of intern­al con­trol designed to achieve sys­tem object­ives with some excep­tions. Lim­ited A num­ber of sig­ni­fic­ant gaps iden­ti­fied in the pro­ced­ures and con­trols in key areas. Where prac­tic­al, efforts should be made to address in-year. Sys­tem of intern­al con­trols is weakened with sys­tem object­ives at risk of not being achieved. A num­ber of reoc­cur­ring excep­tions found in test­ing of the pro­ced­ures and con­trols. Where prac­tic­al, efforts should be made to address in-year. Non-com­pli­ance with key pro­ced­ures and con­trols places the sys­tem object­ives at risk. No For all risk areas there are sig­ni­fic­ant gaps in the pro­ced­ures and con­trols. Fail­ure to address in-year affects the qual­ity of the organisation’s over­all intern­al con­trol frame­work. Poor sys­tem of intern­al con­trol. Due to absence of effect­ive con­trols and pro­ced­ures, no reli­ance can be placed on their oper­a­tion. Fail­ure to address in- year affects the qual­ity of the organisation’s over­all intern­al con­trol frame­work. Non com­pli­ance and/​or com­pli­ance with inad­equate controls.

Recom­mend­a­tion Sig­ni­fic­ance High A small num­ber of excep­tions found in test­ing of the pro­ced­ures and con­trols. Evid­ence of non com­pli­ance with some con­trols, that may put some of the sys­tem object­ives at risk.

A weak­ness where there is sub­stan­tial risk of loss, fraud, impro­pri­ety, poor value for money, or fail­ure to achieve organ­isa­tion­al object­ives. Such risk could lead to an adverse impact on the busi­ness. Remedi­al action must be taken urgently. Medi­um A weak­ness in con­trol which, although not fun­da­ment­al, relates to short­com­ings which expose indi­vidu­al busi­ness sys­tems to a less imme­di­ate level of threat­en­ing risk or poor value for money. Such a risk could impact on oper­a­tion­al object­ives and should be of con­cern to seni­or man­age­ment and requires prompt spe­cif­ic action. Low Areas that indi­vidu­ally have no sig­ni­fic­ant impact, but where man­age­ment would bene­fit from improved con­trols and/​or have the oppor­tun­ity to achieve great­er effect­ive­ness and/​or efficiency.

11

BDO LLP, a UK lim­ited liab­il­ity part­ner­ship registered in Eng­land and Wales under num­ber OC305127, is a mem­ber of BDO Inter­na­tion­al Lim­ited, a UK com­pany lim­ited by guar­an­tee, and forms part of the inter­na­tion­al BDO net­work of inde­pend­ent mem­ber firms. A list of mem­bers’ names is open to inspec­tion at our registered office, 55 Baker Street, Lon­don W1U 7EU. BDO LLP is author­ised and reg­u­lated by the Fin­an­cial Con­duct Author­ity to con­duct invest­ment business.

BDO is the brand name of the BDO net­work and for each of the BDO Mem­ber Firms.

BDO North­ern Ire­land, a part­ner­ship formed in and under the laws of North­ern Ire­land, is licensed to oper­ate with­in the inter­na­tion­al BDO net­work of inde­pend­ent mem­ber firms.

Copy­right ©2020 BDO LLP. All rights reserved. www​.bdo​.co​.uk

CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit and Risk Com­mit­tee Paper 4 Annex 2 27/03/2020

×

We want your feedback

Thank you for visiting our new website. We'd appreciate any feedback using our quick feedback form. Your thoughts make a big difference.

Thank you!

Give feedback