Skip to content
Please be aware the content below has been generated by an AI model from a source PDF.

200612AuCteePaper1Annex12021DraftInternal Audit Plan200527

Cairngorms Nation­al Park Author­ity Intern­al Audit Plan – 202021

DRAFT

April 2020

Table of Contents

  • Intro­duc­tion
  • Intern­al Audit Approach
  • Pro­posed Intern­al Audit Plan
  • Deliv­er­ing the Intern­al Audit Plan
  • Qual­ity Assur­ance and Improvement
  • Appendix 1 – Stra­tegic Intern­al Audit Plan 2020 – 23
  • Appendix 2 – Stra­tegic Risk Register
  • Appendix 3 – Audit Timetable
  • Appendix 4 – Intern­al Audit Universe
  • Appendix 5 – Intern­al Audit Charter

Intro­duc­tion

Intern­al audit­ing is an inde­pend­ent, object­ive assur­ance and con­sult­ing activ­ity designed to add value and improve an organisation’s oper­a­tions. It helps an organ­isa­tion accom­plish its object­ives by bring­ing a sys­tem­at­ic, dis­cip­lined approach to eval­u­ate and improve the effect­ive­ness of risk man­age­ment, intern­al con­trol and gov­ernance processes.

Sec­tion 3 – Defin­i­tion of Intern­al Audit­ing, Pub­lic Sec­tor Intern­al Audit Standards

Scott-Moncrieff’s intern­al audit meth­od­o­logy com­plies with the Pub­lic Sec­tor Intern­al Audit Stand­ards (PSI­AS), which cov­er the man­dat­ory ele­ments of the Chartered Insti­tute of Intern­al Aud­it­ors’ Inter­na­tion­al Pro­fes­sion­al Prac­tices Framework.

Intern­al Audit Plan

The PSI­AS require the Chief Intern­al Aud­it­or to pro­duce a risk-based plan, which takes into account Cairngorms Nation­al Park Authority’s risk man­age­ment frame­work, its stra­tegic object­ives and pri­or­it­ies, and the views of seni­or man­agers and the Audit and Risk Committee.

The object­ive of audit plan­ning is to dir­ect audit resources in the most effi­cient man­ner to provide suf­fi­cient assur­ance that key risks are being man­aged effect­ively and value for money is being achieved.

This paper sets out a detailed plan for 202021 in the con­text of a three-year Stra­tegic Intern­al Audit Plan.

Audit and Risk Com­mit­tee Action

The Audit and Risk Com­mit­tee are asked to review and, if con­tent to do so, approve this Intern­al Audit Plan for 202021.

Once final­ised, this plan can be reviewed and revised at any time to reflect changes in Cairngorms Nation­al Park Authority’s risk pro­file and assur­ance require­ments. Any sig­ni­fic­ant changes will be sub­ject to Audit and Risk Com­mit­tee approval.

Intern­al Audit Approach

Sup­port­ing the Gov­ernance Statement

The main pur­pose of the intern­al audit plan is to provide Cairngorms Nation­al Park Author­ity (CNPA), through the Audit and Risk Com­mit­tee, with the assur­ance it needs to pre­pare an annu­al Gov­ernance State­ment that demon­strates good prac­tice in cor­por­ate gov­ernance, risk man­age­ment and intern­al con­trol. We also aim to sup­port con­tinu­ous improve­ment in these areas by mak­ing con­struct­ive and prac­tic­al recommendations.

Risk Based Intern­al Auditing

Our meth­od­o­logy links intern­al audit activ­ity to the organisation’s risk man­age­ment frame­work. This helps deliv­er a stra­tegic, tar­geted intern­al audit func­tion that focuses on the key risk areas and deliv­ers value for money.

By focus­sing on the key risk areas, intern­al audit should be able to con­clude that:

  • Man­age­ment has iden­ti­fied, assessed and respon­ded to the key risks
  • The responses to risks are effect­ive but not excessive
  • Where resid­ual risk is unac­cept­ably high, fur­ther action is being taken
  • Risk man­age­ment pro­cesses are mon­itored by man­age­ment to ensure they con­tin­ue to oper­ate effect­ively, and
  • Risks, responses and actions are prop­erly clas­si­fied and reported.

Audit Needs Assessment

Intern­al audit plans are based on an assess­ment of audit need. Audit need” rep­res­ents the audit assur­ance required by the Audit and Risk Com­mit­tee and seni­or man­age­ment that the con­trol sys­tems estab­lished to man­age and mit­ig­ate the key inher­ent risks are adequate and oper­at­ing effect­ively. The object­ive of the audit needs assess­ment is there­fore to identi­fy these key con­trols sys­tems and determ­ine the intern­al audit resource required to provide assur­ance on their effectiveness.

Our audit needs assess­ment takes both a top-down and bot­tom-up approach fol­lowed by a reas­on­able­ness check. The top-down approach involves identi­fy­ing the areas of highest inher­ent risk and the con­trol sys­tems in place to man­age those risks. The bot­tom-up approach involves defin­ing CNPA’s audit uni­verse (poten­tial audit­able areas) and cov­er­ing all sys­tems on a cyc­lic­al basis in line with their rel­at­ive risk and sig­ni­fic­ance. The reas­on­able­ness check involves us using our exper­i­ence of sim­il­ar organ­isa­tions to ensure that all key risk areas and sys­tems have been con­sidered and the res­ult­ing intern­al audit plan is appropriate.

Our audit needs assess­ment involved the fol­low­ing activities:

  • Review­ing the cor­por­ate risk register,
  • Review­ing the CNPA cor­por­ate plan 2018 — 2022,
  • Review­ing pre­vi­ous intern­al audit reports,
  • Review­ing extern­al audit reports and plans,
  • Review­ing the CNPA web­site and intern­al policies and procedures,
  • Dis­cus­sions with the Chief Exec­ut­ive, Seni­or Man­age­ment and the Audit and Risk Committee.

The audit needs assess­ment is revised on an ongo­ing basis (at least annu­ally) to take account of any changes in CNPA’s risk pro­file. Any changes to the intern­al audit plan are approved by the Audit and Risk Committee.

Best Value

Our intern­al audit work helps CNPA to determ­ine wheth­er ser­vices are provid­ing best value. This plan con­tains reviews that focus on assess­ing wheth­er the cur­rent pro­cesses provide best value, as a core aspect of each audit. Where we identi­fy oppor­tun­it­ies for improv­ing value for money, we raise these with man­age­ment and include them in the report action plan.

Pro­posed Intern­al Audit Plan

Appendix 1 presents the intern­al audit plan for 2020÷212022÷23

As our intern­al audit approach is based on risk, the pro­posed plan is also cross-ref­er­enced to the stra­tegic risk register, which is included in Appendix 2 for reference.

We seek to com­ple­ment the areas being covered by extern­al audit. This helps us to tar­get our work in the most effect­ive man­ner, avoid­ing duplic­a­tion of effort and max­im­ising the use of the total audit resource.

The table below demon­strates how the intern­al audit plan days agreed for 202021 have been alloc­ated across each area of the audit universe:

(Insert chart from page 7 here)

Deliv­er­ing the Intern­al Audit Plan

Intern­al Audit Charter

Appendix 5 sets out our Intern­al Audit Charter, which details how we will work togeth­er to deliv­er the intern­al audit plan.

Intern­al Audit team – Indic­at­ive Staff Mix

(Insert table from page 8 here)

Con­firm­a­tion of Independence

PSI­AS require us to com­mu­nic­ate on a timely basis all facts and mat­ters that may have a bear­ing on our independence.

We can con­firm that the staff mem­bers iden­ti­fied to com­plete the reviews in the annu­al plan are inde­pend­ent and their objectiv­ity has not been compromised.

Intern­al Audit Team – Key Contacts

(Insert con­tact inform­a­tion from page 8 here)

Qual­ity Assur­ance and Improvement

Key Per­form­ance Indicators

As set out in our Intern­al Audit Charter, we assess our per­form­ance in three ways:

  • On-going intern­al mon­it­or­ing of performance
  • Peri­od­ic intern­al assessment
  • Peri­od­ic extern­al assessment.

The pro­posed KPIs we will work to are:

(Insert table from page 9 here)

Per­form­ance Reporting

We will report on any issues/​exceptions arising from the KPI mon­it­or­ing with­in the pro­gress reports presen­ted to the Audit and Risk Com­mit­tee. We will also share rel­ev­ant inform­a­tion on the peri­od­ic intern­al and extern­al qual­ity assess­ments as they are undertaken.

Appendix 1 – Intern­al Audit Plan 2020 – 23

(Insert table from pages 10 – 13 here)

Appendix 2 – Stra­tegic Risk Register

(Insert table from pages 14 – 21 here)

Appendix 3 – Audit Timetable

(Insert table from page 22 here)

Appendix 4 – Intern­al Audit Universe

(Insert table from pages 23 – 27 here)

Appendix 5 – Intern­al Audit Charter

Intern­al audit­ing is an inde­pend­ent and object­ive assur­ance and con­sult­ing activ­ity that is guided by a philo­sophy of adding value to improve the oper­a­tions of Cairngorms Nation­al Park Author­ity (CNPA).

It helps CNPA accom­plish its object­ives by bring­ing a sys­tem­at­ic, dis­cip­lined approach to eval­u­ate and improve the effect­ive­ness of risk man­age­ment, con­trol, and gov­ernance processes.

Aim

The aim of this Charter is to set out the man­age­ment by all parties of the intern­al audit pro­cess. The Charter sets out the con­text of the intern­al audit func­tion, includ­ing the place of the Audit and Risk Com­mit­tee, the key per­son­nel, times­cales and pro­cesses to be fol­lowed for each intern­al audit review.

Role

The intern­al audit activ­ity is estab­lished by the Audit and Risk Com­mit­tee on behalf of the Board. The intern­al audit activity’s respons­ib­il­it­ies are defined by the Audit and Risk Com­mit­tee as part of its over­sight role.

Pro­fes­sion­al­ism

The intern­al audit activ­ity will adhere to Pub­lic Sec­tor Intern­al Audit Stand­ards (PSI­AS), which are based on man­dat­ory guid­ance of The Chartered Insti­tute of Intern­al Aud­it­ors (CIIA) includ­ing the Defin­i­tion of Intern­al Audit­ing, the Code of Eth­ics, and the Inter­na­tion­al Stand­ards for the Pro­fes­sion­al Prac­tice of Intern­al Audit­ing. The CIIA’s Prac­tice Advisor­ies, Prac­tice Guides, and Pos­i­tion Papers will also be adhered to as applic­able to guide oper­a­tions. In addi­tion, the intern­al audit activ­ity will adhere to CNPA’s rel­ev­ant policies and pro­ced­ures and the intern­al audit activity’s stand­ard oper­at­ing pro­ced­ures manual.

Author­ity

The intern­al audit activ­ity, with strict account­ab­il­ity for con­fid­en­ti­al­ity and safe­guard­ing records and inform­a­tion, is author­ised full, free, and unres­tric­ted access to any and all of CNPA’s records, phys­ic­al prop­er­ties, and per­son­nel per­tin­ent to car­ry­ing out any engage­ment. All employ­ees are reques­ted to assist the intern­al audit activ­ity in ful­filling its roles and respons­ib­il­it­ies. The intern­al audit activ­ity will also have free and unres­tric­ted access to the Audit and Risk Committee.

Account­ab­il­ity

The Chief Intern­al Aud­it­or will be account­able to the Audit and Risk Com­mit­tee and will report admin­is­trat­ively to the Dir­ect­or of Cor­por­ate Services.

The Audit and Risk Com­mit­tee will approve all decisions regard­ing the per­form­ance eval­u­ation, appoint­ment, or remov­al of the Chief Intern­al Auditor.

The Chief Intern­al Aud­it­or will com­mu­nic­ate and inter­act dir­ectly with the Audit and Risk Com­mit­tee, includ­ing between Audit and Risk Com­mit­tee meet­ings as appropriate.

Inde­pend­ence and Objectivity

The intern­al audit activ­ity will remain free from inter­fer­ence by any ele­ment in CNPA, includ­ing mat­ters of audit selec­tion, scope, pro­ced­ures, fre­quency, tim­ing, or report con­tent. This is essen­tial in main­tain­ing the intern­al aud­it­ors’ inde­pend­ence and objectivity.

Intern­al aud­it­ors will have no dir­ect oper­a­tion­al respons­ib­il­ity or author­ity over any of the activ­it­ies audited. Accord­ingly, they will not imple­ment intern­al con­trols, devel­op pro­ced­ures, install sys­tems, pre­pare records, or engage in any oth­er activ­ity that may impair intern­al auditor’s judgment.

Intern­al aud­it­ors must exhib­it the highest level of pro­fes­sion­al objectiv­ity in gath­er­ing, eval­u­at­ing, and com­mu­nic­at­ing inform­a­tion about the activ­ity or pro­cess being examined. Intern­al aud­it­ors must make a bal­anced assess­ment of all the rel­ev­ant cir­cum­stances and not be unduly influ­enced by their own interests or by oth­ers in form­ing judgements.

The Chief Intern­al Aud­it­or will con­firm to the Audit and Risk Com­mit­tee, at least annu­ally, the organ­isa­tion­al inde­pend­ence of the intern­al audit activity.

Scope and Responsibility

The scope of intern­al audit­ing encom­passes, but is not lim­ited to, the exam­in­a­tion and eval­u­ation of the adequacy and effect­ive­ness of the organisation’s gov­ernance, risk man­age­ment, and intern­al con­trol pro­cesses in rela­tion to the organisation’s defined goals and object­ives. Intern­al con­trol object­ives con­sidered by intern­al audit include:

  • Con­sist­ency of oper­a­tions or pro­grammes with estab­lished object­ives and goals
  • Effect­ive­ness and effi­ciency of oper­a­tions and use of resources
  • Com­pli­ance with sig­ni­fic­ant policies, plans, pro­ced­ures, laws, and regulations
  • Reli­ab­il­ity and integ­rity of man­age­ment and fin­an­cial inform­a­tion pro­cesses, includ­ing the means to identi­fy, meas­ure, clas­si­fy, and report such information.
  • Safe­guard­ing of assets.

Intern­al Audit is respons­ible for eval­u­at­ing all pro­cesses (‘audit uni­verse’) of CNPA, includ­ing gov­ernance pro­cesses and risk man­age­ment pro­cesses. In doing so, intern­al audit main­tains a prop­er degree of coordin­a­tion with extern­al audit.

Intern­al audit may per­form con­sult­ing and advis­ory ser­vices related to gov­ernance, risk man­age­ment and con­trol. It may also eval­u­ate spe­cif­ic oper­a­tions at the request of the Audit and Risk Com­mit­tee or man­age­ment, as appropriate.

Based on its activ­ity, intern­al audit is respons­ible for report­ing sig­ni­fic­ant risk expos­ures and con­trol issues iden­ti­fied to the Audit and Risk Com­mit­tee and to seni­or man­age­ment, includ­ing fraud risks, gov­ernance issues, and oth­er mat­ters needed or reques­ted by CNPA.

Annu­al Intern­al Audit Plan

The audit year runs from 1 April to 31 March.

At least annu­ally, the Chief Intern­al Aud­it­or will sub­mit to the Audit and Risk Com­mit­tee an intern­al audit plan for review and approv­al. The intern­al audit plan will detail, for each sub­ject review area:

  • The out­line scope for the review,
  • The num­ber of days budgeted,
  • The tim­ing, includ­ing which Audit and Risk Com­mit­tee the final will report will go to,
  • The review sponsor.

The intern­al audit plan will be developed based on a pri­or­it­isa­tion of the audit uni­verse using a risk-based meth­od­o­logy, includ­ing input of seni­or man­age­ment. Pri­or to sub­mis­sion to the Audit and Risk Com­mit­tee for approv­al, the plan will be dis­cussed with seni­or man­age­ment. Any sig­ni­fic­ant devi­ation from the approved intern­al audit plan will be com­mu­nic­ated through the peri­od­ic activ­ity report­ing process.

Assign­ment Plan­ning and Conduct

An assign­ment plan will be draf­ted pri­or to the start of every assign­ment set­ting out the scope, object­ives, times­cales and key con­tacts for the assignment.

Spe­cific­ally, the assign­ment plan will detail the times­cales for car­ry­ing out the work, issu­ing the draft report, receiv­ing man­age­ment responses and issu­ing the final report. The assign­ment plan will also include the name of the staff mem­ber who will be respons­ible for the audit (review spon­sor) and the name of any key staff mem­bers to be con­tac­ted dur­ing the review (key audit contact).

The assign­ment plan will be agreed with the review spon­sor and the key audit con­tact (for tim­ings) before the review starts.

The intern­al aud­it­or will dis­cuss key issues arising from the audit as soon as reas­on­ably prac­tic­able with the key con­tact and/​or review spon­sor, as appropriate.

Report­ing and Monitoring

A writ­ten report will be pre­pared and issued by the Chief Intern­al Aud­it­or or design­ee fol­low­ing the con­clu­sion of each intern­al audit engage­ment and will be dis­trib­uted to the review spon­sor and key con­tacts iden­ti­fied in the assign­ment plan for man­age­ment responses and comments.

Draft reports will be issued by email with­in 15 work­ing days of field­work con­clud­ing. The cov­er­ing email will spe­cify the dead­line for man­age­ment responses, which will nor­mally be with­in a fur­ther 15 days. The man­age­ment com­ments and response to any report will be over­seen by the review sponsor.

The intern­al aud­it­ors will issue the final report to the review spon­sor and the Dir­ect­or of Cor­por­ate Ser­vices. The final report will be issued with­in 10 work­ing days of the man­age­ment responses being received. Final­ised intern­al audit reports will be presen­ted to the Audit and Risk Com­mit­tee. Final­ised intern­al audit out­puts must be in the hands of the com­mit­tee sec­ret­ary in line with the form­al papers dead­line set before each meeting.

The work­ing days set out above are max­im­um times­cales and tight­er times­cales may be set out in the assign­ment plan.

The intern­al audit activ­ity will fol­low-up on engage­ment find­ings and recom­mend­a­tions. All sig­ni­fic­ant find­ings will remain in an open issues file until cleared.

Audit and Risk Committee

The Audit and Risk Com­mit­tee meets through­out the year. Dates for Audit and Risk Com­mit­tee meet­ings will be provided to intern­al audit as soon as they are agreed. The Chief Intern­al Aud­it­or and/​or Intern­al Audit Man­ager will attend all meet­ings of the Audit and Risk Committee.

Intern­al audit will sched­ule its work so as to spread intern­al audit reports reas­on­ably evenly over the Audit and Risk Com­mit­tee meet­ings. The annu­al intern­al audit plan will detail the intern­al audit reports to be presen­ted to each Audit and Risk Com­mit­tee meeting.

The Intern­al Aud­it­or will gen­er­ally present spe­cif­ic reports to the com­mit­tee as follows:

(Insert table from page 31 here)

The Audit and Risk Com­mit­tee will meet privately with the intern­al aud­it­ors at least once a year.

Peri­od­ic Assessment

The Chief Intern­al Aud­it­or is respons­ible for provid­ing a peri­od­ic self-assess­ment on the intern­al audit activ­ity as regards its con­sist­ency with the Audit Charter (pur­pose, author­ity, respons­ib­il­ity) and per­form­ance rel­at­ive to its Plan.

In addi­tion, the Chief Intern­al Aud­it­or will com­mu­nic­ate to seni­or man­age­ment and the Audit and Risk Com­mit­tee on the intern­al audit activity’s qual­ity assur­ance and improve­ment pro­gramme, includ­ing res­ults of on-going intern­al assess­ments and extern­al assess­ments con­duc­ted at least every five years in accord­ance with Pub­lic Sec­tor Intern­al Audit Standards.

Review of Charter

This Charter will be reviewed by both parties each year and amended if appropriate.

(End of Document)

×

We want your feedback

Thank you for visiting our new website. We'd appreciate any feedback using our quick feedback form. Your thoughts make a big difference.

Thank you!

Give feedback