200327Paper 5 Annex 1 Governance Statement draft
CAIRNGORMS NATIONAL PARK AUTHORITY Audit & Risk Committee Paper 5 Annex 1 27/03/20
Governance Statement
Scope of Responsibility
As Accountable Officer, I am responsible for maintaining sound systems of internal control which support the achievement of Cairngorms National Park Authority’s policies, aims and objectives, whilst safeguarding the public funds and departmental assets for which I am personally responsible. These duties are in accordance with the Management Statement agreed between the Park Authority and Scottish Government, and also responsibilities assigned to me in the Scottish Public Finance Manual (SPFM).
The SPFM, issued by the Scottish Ministers, provides guidance to the Scottish Government and other relevant bodies on the proper handling of public funds, and sets out the relevant statutory, parliamentary and administrative requirements, emphasising the need for economy, efficiency and effectiveness, and promotes good practice and high standards of propriety. I am therefore responsible as Accountable Officer to ensure the Park Authority’s internal control systems comply with the requirements of the SPFM.
The Management Statement sets out the role of the Park Authority’s Board in providing leadership and governance. The governance responsibilities of the Board are supported by Standing Orders last revised and adopted in 2019 and a Code of Conduct revised and adopted in 2014. A group of professional, senior staff advisors and appropriate Board training and development processes support the good governance arrangements set out in the Standing Orders and Code of Conduct. As a public body, the Park Authority operates in an open and accountable manner, and is committed to accessibility, openness and accountability and supports the highest standards in corporate governance.
Other than the documents referred to above and the resource allocation letters issued to me over the course of the year, there are no other written authorities provided to me in 2019⁄20.
The Operation of the Board and Sub-Committees
The Board comprises 19 members: 7 appointed by five Councils with boundaries within the National Park, 7 appointed by Scottish Government, and 5 directly elected within the wards of the Park. The Board therefore reflects a blend of different experience, backgrounds and interests. The full Board meets regularly to consider strategy, and performance against the current Corporate Plan. Meetings are scheduled quarterly, with additional meetings convened as required. To enable the Board to discharge its duties, all members receive appropriate and timely information in advance of meetings with all agendas and papers also placed in the public domain. Meetings are open to the public save the occasional meeting held in private for various reasons of business and commercial confidentiality.
To ensure that the Board develops an understanding of the current and emerging issues, members also participate in informal discussion sessions to consider emerging policy issues and proposals, and a preferred strategic direction identified prior to fuller, open consideration at formal meetings.
CAIRNGORMS NATIONAL PARK AUTHORITY Audit & Risk Committee Paper 5 Annex 1 27/03/20
The Board has established sub-committees: a Planning Committee (which deals with all aspects of the Park Authority’s statutory planning responsibilities), together with Committees covering Finance and Delivery, Staffing and Recruitment, and Audit and Risk. All committees have delegated duties and responsibilities set out in terms of reference agreed by the full Board to oversee and scrutinise the Park Authority’s deployment and management of resources. (The record of attendance at Board meetings can be found in Table 5.)
The Audit and Risk Committee
The Audit and Risk Committee’s role is to provide effective governance over all aspects of the Park Authority’s internal management control systems and the annual financial accounts and audit. It also takes a lead in strategic risk management ensuring that risks impacting on strategic objectives are identified and mitigated and that risk management is embedded throughout the Park Authority’s operations. It is supported by the Park Authority’s internal audit function (BDO LLP) and external auditors (Grant Thornton LLP), who both have independent access to the Committee and to its Convener. The Committee is tasked with monitoring the operation of the internal control function and bringing any material matters to the attention of the full Board. Detailed reports of all audit reviews are made available to both management and the Committee.
The Committee meets at least quarterly and reports annually to the Board on the adequacy and effectiveness of the Park Authority’s internal controls, and more widely on its work in the preceding year.
The Board has continued a process of self-evaluation of effectiveness and governance over the course of 2019⁄20 which were originally initiated under the “Leadership” element of the first Organisational Development Strategy in 2015⁄16. The Board completed a revision of its skills matrix in February 2020 and, through this process, established a priority for continuing professional development of members over the coming years. Other elements of Board governance and effectiveness are reviewed and supported by senior officers as required.
The Board has agreed a set of Corporate Performance Indicators so it may improve its oversight of delivery against key strategic objectives and the Park Authority’s Corporate Plan. A detailed performance report is submitted to the Board twice yearly on delivery key performance indicators, considered at each June and December meeting alongside a review of strategic risk management. These monitoring and control mechanisms support Board scrutiny over delivery of the Corporate Plan and National Park Partnership Plan priorities.
Periodic reports from independent internal and external auditors form a key and essential element in informing my review as Accountable Officer of the effectiveness of the systems of internal control within the Park Authority. The Board’s Audit and Risk Committee also plays a vital role in this regard, through its consideration of audit recommendations arising from reviews of internal control systems and its scrutiny of proposed management action to address any improvements required. The Audit and Risk Committee also considers both a three year plan for internal audit coverage and annually agrees an internal audit plan flowing from that three year plan.
CAIRNGORMS NATIONAL PARK AUTHORITY Audit & Risk Committee Paper 5 Annex 1 27/03/20
Shared Services Delivery
The Park Authority plays an important role in providing support over a range of activities to local communities and organisation to help deliver the National Park Partnership Plan’s priorities. In the last year we have supported Cairngorms LEADER Programme Local Action Group, the Tomintoul and Glenlivet Landscape Partnership, the Great Place Badenoch Project as well as the Capercaillie Framework. Our management and internal control structures ensure that support for these community delivery entities are separated from the core activities of the Authority, while ensuring that our support helps them achieve “best practice” in their operations.
The Authority also undertakes a range of shared service arrangements with other public body partners. Over the course of the year we have provided human resource advice and organisational development support to both the Scottish Land Commission and Bord na Gaidhlig, while collaborating on a range of shared service delivery with Loch Lomond and the Trossachs National Park Authority (LLTNPA). We receive key support from LLTNPA on IT infrastructure maintenance, development and shared licence agreements for planning systems and data back-up and security arrangements. In addition to these more formal shared services with LLTNPA, both National Park Authorities continue to collaborate closely on areas of shared policy interest.
Internal Audit
The internal audit function is an integral element of scrutiny of the Park Authority’s internal control systems. BDO LLP was appointed following an open procurement process as the Park Authority’s internal auditors in 2016 and have undertaken a comprehensive review of key internal control systems since their appointment. During the year to 31 March 2020, BDO has reported to the Audit and Risk Committee on the following reviews:
Governance & risk Freedom of Information (Scotland) Act Risk management Follow up review of prior recommendations
Internal control systems Staff appraisal and objective setting LEADER administration Expenses management Payroll administration Project management
All recommendations made by BDO are considered and implemented as appropriate.
Our internal audits over the course of the year have generally resulted in positive reports, with “substantial” or at least “moderate” ratings on the design and implementation of internal control systems.
External Audit
External auditors are appointed for us by the Auditor General for Scotland through Audit Scotland. Audit Scotland appointed Grant Thornton LLP to the role for a five year period commencing in 2016⁄17. We work well with Grant Thornton, who review key systems so
CAIRNGORMS NATIONAL PARK AUTHORITY Audit & Risk Committee Paper 5 Annex 1 27/03/20
they can form a view on the effectiveness of control arrangements which in turn supports their audit opinion on the financial statements.
The fees paid to Audit Scotland for the independent statutory audit for 2019⁄20 is £11,350. No fees were paid for non-audit work.
Best Value
The Audit and Risk Committee continues to monitor the Authority’s adherence to Scottish Government Best Value guidelines and our approach to continuous improvement. We launched phase three of our Organisational Development Strategy in the year to continue to improve our work processes, organisational environment, and delivery of services.
Risk Management
We have a risk management strategy in accordance with guidance issued by Scottish Ministers to identify actual and potential threats which may prevent us from delivering our statutory purpose and also to identify appropriate mitigation actions.
The Board recognises the importance of risk management and continues to monitor the Park Authority’s Strategic Risk Register. The Strategic Risk Register records risks, action taken to mitigate the identified risks and senior management’s responsibility for leading on mitigation generally. The Strategic Risk Register is reviewed by Management Team four times each year and updated by the full Board twice and by the Audit and Risk Committee twice a year.
The Audit and Risk Committee, with the Senior Management Team, leads on embedding risk management processes throughout the Park Authority. Both groups consider the management of strategic risk in line with the Risk Strategy to ensure that the required actions are appropriately reflected and incorporated in operational delivery plans. A revised Risk Management Strategy was adopted by the Audit and Risk Committee in 2016, and subsequently reviewed by the Board in 2019, with the Committee also receiving an internal audit report on the effectiveness of operations of risk management within the organisation in that year.
The Strategic Risk Register was refreshed with reference to the current Corporate Plan, covering I April 2018 to 31 March 2022 and continues to be monitored and revised when appropriate.
Data Security
Procedures are in place to ensure that information is being managed in accordance with legislation and that data is held accurately and securely. The Park Authority has no reported nor recorded instances of data loss in the year to 31 March 2020.
The second iteration of Cyber Essentials + accreditation was achieved in the year. We continue to review our digital practices and infrastructure to ensure they remain fit for purpose and that all reasonable steps are taken to minimise the risk of data loss or
CAIRNGORMS NATIONAL PARK AUTHORITY Audit & Risk Committee Paper 5 Annex 1 27/03/20
compromise of systems due to Cyber Attacks. Work is currently underway on a Cyber Security Policy and Digital Working Strategy with both to be adopted in 2020⁄21.
Conclusion
As Accountable Officer I am responsible for reviewing the effectiveness of the system of internal control. In order to do this my review is informed by:
a) The executive managers within the organisation who have responsibility for the development and maintenance of the internal control framework and who provide assurance on systems within regular Senior Management Team meetings; b) Internal monitoring of control systems by staff against SPFM requirements; c) The work of the internal auditors, who submit regular reports to the Audit and Risk Committee which include the Head of Internal Audit’s independent and objective opinion on the adequacy and effectiveness of our systems of internal control together with recommendations for improvement; and d) Comments made by the external auditors in their management letter and other reports.
I am supported by a Corporate Services Director, who in turn is supported by the Corporate Services staff group, and provides senior management leadership on the financial management, internal controls and governance arrangements. I take assurance from the effectiveness of internal control systems, financial management and planning processes, and risk management from the assurances received from the Corporate Services Director.
I have also been advised on the effectiveness of the system of internal control by the Board and its Audit and Risk Committee. Appropriate action is taken against any weaknesses identified and to ensure continuous improvement of our systems. The internal auditor’s annual report for 2020⁄21 states that, [based on the work undertaken over the course of the year, and in the context of materiality, the Park Authority’s internal control processes provides reasonable, but not absolute assurance that the related risk management, control and governance objectives were achieved in the period under review, in all areas except business continuity where further work is required – to be updated on receipt and approval of internal audit annual report].