Cairngorms National Park Authority
Internal Audit Report 2020/21
Corporate Governance
December 2020
Contents
- Executive Summary
- Management Action Plan
- Appendix A – Definitions
Audit Sponsor | Key Contacts | Audit team |
---|---|---|
David Cameron, Director of Corporate Services | Xander McDade, Board Convener; Carolyn Caddick, Deputy Board Convener; Grant Moir, Chief Executive; Judith Webb, Non-executive Director; Gaener Rodgers, Non-executive Director; Alix Harkness, Board Clerk | Chris Brown, Audit Partner; Stephanie Hume, Audit Manager; Maria Wright, Assistant Manager |
Executive Summary
Conclusion
We have identified many areas of good practice in relation to corporate governance arrangements at Cairngorms National Park Authority (CNPA). The overall governance structure complies with the Scottish Government’s ‘On Board’ guidance and is proportionate to the organisation’s need. There are effective strategy setting and planning processes in place and these are aligned with the legislative requirements of the National Parks (Scotland) Act 2000. We acknowledge that there is a relatively small staff resource and that capacity has impacted on some of the governance controls not being progressed as expected. We were advised that a review of the management structure is being conducted to help address this.
The following improvements would strengthen governance controls: roles and responsibilities for decision making should be agreed and formalised in a Governance Responsibility Framework, committee terms of reference should be regularly reviewed and reporting arrangements from committees to the Board should be formalised, and strengthened in relation to major projects.
Background and scope
Corporate governance is concerned with the structure and processes for decision making and accountability, controls and behaviours at the top of organisations. These processes and structures are implemented by the board to inform, direct, manage and monitor the activities of the organisation towards the achievement of its objectives. There are various sources of guidance on good governance in the public sector, including On Board — A Guide for Members of Statutory Boards published by the Scottish Government and CIPFA’s Good Governance in the Public Sector. Small public bodies face particular challenges in this area as they are expected to maintain the same standards of governance as large bodies but with far fewer resources to support the governance structure.
In accordance with the 2020/21 Internal Audit plan we have reviewed the governance arrangements in place to ensure they follow best practice and are proportionate to the needs of CNPA. This review has included interviews with a selection of senior management and board members.
Control assessment
Assessment | Control objective |
---|---|
1 — Green | 1. The overall governance structure complies with Scottish Government ‘On Board’ guidance and is proportionate to the organisation’s needs. |
2 — Amber | 2. The roles and responsibilities of the board, governance committees and management are clearly defined and supported through documented policies and procedures (e.g. Terms of Reference, Scheme of Delegation), which are subject to regular review. |
3 — Green | 3. A clear and effective strategy setting and planning framework is in place involving all key stakeholders. |
4 — Amber | 4. An efficient and effective performance and risk reporting framework is in place between management, governance committees and the board. |
5 — Yellow | 5. The board completes a robust annual evaluation of its own performance and that of its committees, incorporating feedback from key stakeholders. |
Improvement actions by type and priority
Six improvement actions have been identified from this review, all of which relate to the design of controls. We have also raised one advisory finding relating to the design of the controls in place. See Appendix A for definitions of colour coding.
Key findings
Good practice
- Board members informed us that they were very satisfied with the quality of induction provided.
- A skills matrix has been developed to capture board member skillsets and identify development needs.
- Over the last 18 months, systems and processes have been put in place to strengthen controls around corporate governance as follows:
  - Increasing resilience and succession planning for the board committees by creating a Deputy Committee Chair role.
  - Increasing board member attendance at committee meetings.
  - All board members now receive minutes for all Board Committees.
  - Pre-meetings have been introduced for board committees to ensure the papers can be viewed and discussed by the chairs prior to the meetings.
Areas for improvement
Improvement opportunities include:
- Formalising roles and responsibilities for decision making between the Board and Executive Management in the Governance Responsibility Framework.
- Reviewing committee terms of reference annually.
- Producing an annual report from each committee.
- Conducting assurance mapping in relation to major projects to validate and address assurance gaps for the Board.
- Ensuring that all Board members receive risk management training.
- Completing annual board and committee effectiveness reviews and monitoring any improvement actions through the Audit and Risk Committee.
These are further discussed in the Management Action Plan below.
Impact on risk register
This review is linked to all risks on the Corporate Risk Register.
Acknowledgements
We would like to thank all staff consulted during this review for their assistance and co-operation.
Management Action Plan
Control Objective 1: The overall governance structure complies with Scottish Government ‘On Board’ guidance and is proportionate to the organisation’s needs.
Green
No reportable weaknesses identified
The following board committees have been established:
- Audit & Risk Committee
- Finance & Delivery Committee
- Staffing & Recruitment Committee
When deciding on the board committees to put in place, management reviewed the ‘On Board’ Scottish Government guidance and the Scottish Public Finance Manual (SPFM). The Terms of Reference were then drawn up and reporting was mapped against the guidance. We confirmed, for example, that risk management and internal control framework reviews are reported to the Audit & Risk Committee, financial performance and delivery against corporate and operational plans is reported via the Finance & Delivery Committee and HR systems, recruitment and annual pay awards are dealt with by the Staffing & Recruitment Committee.
In our opinion, this approach is proportionate to the size of the organisation and in line with Scottish Government guidance.
Control Objective 2: The roles and responsibilities of the board, governance committees and management are clearly defined and supported through documented policies and procedures (e.g. Terms of Reference, Scheme of Delegation), which are subject to regular review.
Amber
2.1 Roles and responsibilities
There is no Scheme of Delegated Authority or equivalent document in place to clarify decision-making responsibilities between the Board and Executive Management. This has manifested itself as follows:
- Board members and management have advised they feel responsibilities are not clear and the right balance is not being achieved with regards to decision making.
- There is a lack of mutual understanding between the Board Members and Executive Management on the level of assurance required by the Board.
- Committee Chairs advised they felt there is a heavy reliance on Executive Management to drive committee agendas.
We note that the Board agreed in March 2018 that a Governance Responsibility Framework should be developed; however, this has not yet been completed, with the delays caused by a number of factors such as key person dependency, capacity challenges and COVID-19. We were advised that the Deputy Board Convener and Director of Corporate Services are currently in the process of developing this scheme, which will be referred to as the Governance Responsibility Framework.
Further, we identified that the Management Statement/Financial Memorandum (MS/FM) states that it shall be reviewed and updated periodically by the Scottish Government, normally at least every 2–3 years. We noted that it has not been updated since September 2010. However, there has also been no internal review of the document conducted to ensure that the roles and responsibilities are aligned with current organisational practices. Management advised that work is ongoing in relation to the framework agreement template from the Scottish Government which will replace the MS/FM in the first half of 2021. The Director of Corporate Services advised us that a first set of comments on the template Framework Agreement has been submitted from a CNPA perspective.
Risk
There is a risk that decisions are made inefficiently or at inappropriate levels, due to a lack of clarity over where authority sits within the organisation.
Recommendations
Management and the Board should agree a completion date for the Governance Responsibility Framework. Management should progress with the review and implementation of the updated Framework Agreement within the first half of 2021.
Management Action
Grade 3 (Design)
Recommendation agreed. We will work over the first half of 2021 to establish a Governance Responsibility Framework in tandem with work to implement a Framework Agreement with Scottish Government.
Action owner: Director of Corporate Services
Due date: 30 June 2021
2.2 Committee terms of reference
There is currently no formal schedule in place to ensure that the Terms of Reference (TOR) for Board committees are reviewed regularly. We were advised by management and board members that they are reviewed at the end of the three-year cycle of the Committee or when any changes to committee remits are made, however this is not documented. It is noted that the TOR were last reviewed in March 2019.
Further, we identified the following gaps in the Board committee TORs:
- The Audit and Risk Committee TOR does not refer to the Committee’s responsibilities for anti-fraud, whistleblowing, special investigations and complaints.
- The Staffing and Recruitment Committee TOR does not refer to the Committee’s responsibilities for assurance around Health & Safety.
- The committees’ reporting responsibilities to the Board and the committee information requirements are not documented within the TOR.
Risk
There is a risk that governance documentation is not aligned with good practice guidance, which could result in Board/Committee arrangements undermining the quality of the governance exercised.
Recommendations
In line with good practice, Board committee TOR should be reviewed on an annual basis and as and when any changes are made to committee remits.
The Committee TOR should be updated to ensure they outline the key area of responsibilities as noted above, information requirements and reporting to the Board.
Management Action
Grade 2 (Design)
Recommendation agreed. We will adapt the Terms of Reference to update for the omissions helpfully identified through this review and to include any other required amendments. We will also schedule an annual review of the terms of reference thereafter.
Action owner: Director of Corporate Services with Clerk to the Board
Due date: 30 September 2021
2.3 Committee reporting to the Board
It is good practice for all committees to provide an annual report summarising their activities and attendance at meetings to provide assurance to the Board that they are performing in line with their delegated remit. While we confirmed that the Audit and Risk Committee provides an annual report to the Board, the Finance and Delivery Committee and the Staffing and Recruitment Committee do not. Further, we identified that in September 2019 the Audit and Risk Committee provided an annual report for 2018/19, however at the time of fieldwork the annual report for 2019/20 had not yet been written.
In addition, we reviewed Board meeting minutes and agendas and confirmed that committee chair updates and committee minutes are not included as a standing agenda item for Board meetings. Committee minutes are however shared with all board members and they can raise questions from the minutes under any other business at the Board meeting.
Risk
There is a risk the Board does not receive sufficient evidence that governance committees are operating as expected, resulting in a lack of oversight of key issues.
Recommendations
In line with good practice, all governance committees should provide an annual report to the Board to provide assurance that they are operating as expected, in line with their delegated remit.
The Board agenda should include a standing item for committee chair updates. This should not be a discussion on the meeting minutes but rather an opportunity for the committee chair to provide a brief report on the committee’s key activities, decisions and outcomes.
Management Action
Grade 2 (Design)
Recommendation agreed. We aim to complete the Audit and Risk Committee Annual Report and Chair updates on Board agendas by March 21 and act on other Committee Annual Reports in the first half of 2021/22.
Action owner: Director of Corporate Services with Clerk to the Board
Due date: 30 September 2021
Control Objective 3: A clear and effective strategy setting and planning framework is in place involving all key stakeholders.
Green
No reportable weaknesses identified
We confirmed there is a five-year collective National Park Partnership Plan (2017–2022) in place. In addition, CNPA has its own specific corporate plan which links to the national partnership plan. We confirmed that there are targets associated with these plans which link to the strategic objectives.
The National Park Partnership Plan is written in statute and the legislation (Section 12 of the National Parks (Scotland) Act 2000) instructs CNPA on what is required with regards to stakeholder consultation and engagement. We confirmed that the planning approach taken by CNPA is aligned with the legislation.
Planning for the statutory park plan usually starts 18 months prior to the report being published. There are workshop sessions where the Board discuss which themes they would like to see in the plan. Management advised they also reflect on the review of the current plan to see where they are in relation to overall delivery and take that into account in decision making. The draft plan is then developed with partners and it goes out for public consultation then back to the board multiple times during the planning process. Public consultation is carried out via a variety of means such as online public meetings, presentations at community councils and social media.
We confirmed planning has commenced for the new Partnership Plan and that a paper was presented to the Board in November 2020 with a timetabled plan of work.
Control Objective 4: An efficient and effective performance and risk reporting framework is in place between management, governance committees and the board.
Amber
4.1 Assurance on major projects
Board members confirmed they are satisfied with the level of detail in reports on strategic risks, performance against strategic objectives and financial targets. However, board members noted there may be an assurance gap in relation to major projects and that there should be more Board oversight of large scale, externally funded projects including those where CNPA is the Accountable Body.
We confirmed that programme boards are put in place for the governance of major projects and the role of the CNPA Board is to gain assurance that the Authority’s financial and risk management positions are not adversely impacted by major projects. However, programme boards only report directly to the Board on an exception basis and there is no regular, explicit assurance reporting to the Board. We noted that the financial monitoring reports from the Finance and Delivery Committee to the Board provide information on project costs, however the costs are aggregated and as such assurance on how each individual project is performing in relation to its allocated budget is not provided. There is also no reporting to the Finance & Delivery Committee in relation to how projects are progressing regarding the agreed delivery objectives.
Risk
There is a risk that the Board may not have proper visibility of major projects, hampering their ability to effectively scrutinise and challenge and leading to the organisation’s strategic objectives not being met.
Recommendations
Management should work with Board members to review the assurance arrangements for major projects and address any perceived gaps, including project financials.
Management Action
Grade 3 (Design)
Recommendation agreed. We will develop an assurance review of major project reporting and governance and establish appropriate scrutiny and assurance measures.
Action owner: Director of Corporate Services
Due date: 30 September 2021
4.2 Risk management and finance training
We confirmed that, while the induction programme covers roles and responsibilities of the Board and board members, standards of conduct and ‘On Board’ training, it does not specifically cover risk management or financial reporting.
We noted that all Board Members were invited to a risk management training session at the beginning of 2020, however we were informed that it was predominantly members of the Audit and Risk Committee who attended.
A skills matrix has been recently developed to capture board member skillsets and identify development needs. Management advised us that this matrix will be used to ensure that risk management training is completed where it is identified as a training need.
Further, to date, there has been no specific board development provided in relation to financial reporting. However, we noted in the minutes of the most recent Finance and Delivery Committee that a proposed programme has been developed for finance training covering governance, Scottish Government funding, Accountable Body role in significant projects, budgeting, expenditure and controls and procurement.
Risk
There is a risk that Board members may not have adequate skills and knowledge on risk management and financial reporting to provide effective scrutiny and challenge and to set the board’s risk appetite.
Recommendations
Management should ensure that all Board members have received risk management training.
We support the proposed finance training programme by the Finance and Delivery Committee and recommend that all board members attend this training.
Management Action
Grade 2 (Design)
Recommendation agreed. We note with regard to training that members often are involved with a range of public bodies and may have received appropriate training through those routes. We will combine our skills matrix work with annual feedback from our members on the need for bespoke training on our specific approaches to risk management and financial management.
Action owner: Director of Corporate Services
Due date: 30 September 2021
4.3 Deep dives on key strategic risks
The Chair of the Audit and Risk Committee expressed a concern that the scheduling of the Committee meetings may be impacting on the ability of the members to undertake a thorough and detailed discussion of the agenda items. The Audit and Risk Committee is currently scheduled to take place quarterly, immediately before the full board meeting; therefore there is a limited ability for in-depth discussion on items which may cause the meeting to overrun. However, it is noted the members have the ability to call additional meetings at any time should items not be covered.
We did note from our review of the Audit and Risk Committee minutes and evidence provided that strategic risks are being discussed by the Committee and management have provided deep dives into specific risks or projects, however committee members advised us that there is an appetite to do more deep dives and that the meeting scheduling results in them not undertaking as many deep dives of key strategic risks as they would like.
Risk
There is a risk that the Board does not have full visibility of the management of corporate risks, hampering the ability to achieve the organisation’s strategic objectives.
Recommendation
Management should:
- Review the scheduling of the Audit and Risk Committee to ensure the meetings are of sufficient length to allow a detailed discussion.
- Undertake a discussion with Audit and Risk Committee members on what additional information is required on strategic risks. We recommend this discussion also considers the staff resources required to provide any additional assurance requested.
- Ensure members are reminded of the importance of regularly considering whether they have had sufficient time to consider each agenda item, agree key issues for reporting up to the board and the ability to call additional meetings if required.
Management Action
Advisory
While noting the advisory status of this recommendation, we believe this provides a very helpful framework on which to review the running of the Audit and Risk Committee, the objectives of the Committee for each year and also the capacity of the staff group to support those objectives in light of other priorities. Suggest this discussion is undertaken at the same time as the Annual Internal Audit Plan discussion to establish a holistic plan for the Committee’s work over the year.
Control Objective 5: The board completes a robust annual evaluation of its own performance and that of its committees, incorporating feedback from key stakeholders.
Yellow
5.1 Appraisal and self-assessment
The Scottish Government ‘On Board’ guidance states that it is the responsibility of the Board Chair/Convener to ensure that the work of the Board and any committees is subject to regular self-assessment to be assured that the Board is operating strategically and effectively.
We were advised by Board members that there have been no annual reviews of committee effectiveness or board member appraisals carried out to date. At the time of the audit fieldwork new processes for self-assessment and appraisals had just been implemented and board member appraisals were being undertaken. A questionnaire for board self-assessment has been developed and a template document has been drawn up to support board development discussions.
Consideration has not yet been given to how the outcomes of self-assessment will be examined and how improvement action plans will be formally monitored.
Risk
The Board does not carry out self-evaluation resulting in poor performance and development needs not being addressed.
Recommendations
Board member appraisals and committee effectiveness reviews should be scheduled to take place annually.
The outcomes of board self-assessment should be reported to the Audit and Risk Committee and improvement actions should be captured and regularly monitored.
Management Action
Grade 2 (Design)
Recommendation agreed. At time of response the Board questionnaire has been completed as has initial analysis of results. Board discussions are also near completion. Management will work with the Board Convener, Board Deputy Convener and Chair of Audit and Risk Committee along with other members in designing a timetable for consideration of this and other linked aspects of governance review.
Action owner: Director of Corporate Services
Due date: 30 June 2021
Appendix A – Definitions
Control assessments
- R: Fundamental absence or failure of key controls.
- A: Control objective not achieved — controls are inadequate or ineffective.
- Y: Control objective achieved — no major weaknesses but scope for improvement.
- G: Control objective achieved — controls are adequate, effective and efficient.
Management action grades
- 4: Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
- 3: High risk exposure — absence / failure of key controls that create significant risks within the organisation.
- 2: Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
- 1: Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.
© Azets 2021. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22.
Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.