CAIRNGORMS NATIONAL PARK AUTHORITY
Formal Board Paper 4 Annex I 28 May 2021
AUDIT & RISK COMMITTEE ANNUAL REPORT
Background
The Audit & Risk Committee is required to report to the full Board on its activities over the year, and on the reports presented to the Committee by the Authority’s internal and external auditors.
This Annual Report is presented on behalf of the Audit & Risk Committee to cover the period of its operations from October 2019 to March 2021. The extended period of this report reflects delays in development of the report as a consequence of prioritisation of other areas of work during the Authority’s implementation of its COVID19 Business Continuity Plan and development of internal and external responses to the impacts of the pandemic.
Overview
The period of this Annual Report covers consideration of final accounts for 2019⁄20 (at the Committee’s meeting of August 2020), together with associated reports from Grant Thornton, the Authority’s external auditors.
The Committee has also continued to have oversight of the work of the Authority’s internal auditors and consider reports issued by them.
The period of this report covers the completion of delivery of internal audit services by BDO, and commencement of a new internal audit service by Scott-Moncrieff, which was subsequently renamed Azets. Both internal audit contracts were procured under a contract let jointly by NatureScot in conjunction with the Cairngorms and a number of other public bodies.
The Committee met seven times over the period covered by this report.
Key Activities
In addition to management reports from the Authority’s Internal and External Auditors, considered in further detail below, the Committee considered the following issues during the course of the year:
- a) Risk management: the Audit & Risk Committee has continued to take a strategic oversight of the Authority’s risk management strategy and regularly considered the strategic risk register. The Committee has considered the appropriateness of coverage of the strategic risk register supporting delivery of the Corporate Plan for 2018⁄2022 throughout the year, and scrutinised adequacy of mitigation action, in periods between full Board considerations of risk management.
- b) Business Continuity Plan (BCP) Deployment, Adaptation and Risk Management: the Committee has taken oversight throughout 2020⁄21 of management’s deployment of the Authority’s BCP and has undertaken regular reviews of the BCP Risk Register to ensure appropriate mitigation of risks in BCP deployment had been designed and implemented, and that positive effects of risk management have been realised as intended.
- c) Detailed Risk Analysis: the Committee has continued the practice in the year of considering more in-depth analysis of key risks from senior management. This practice has been adopted at the suggestion of the internal auditors from their experience with other clients, and provides an opportunity to explore key or increasing strategic risks in more detail and evaluate the adequacy of mitigation actions. The Committee has considered a detailed analysis of the risks associated with the Authority’s business continuity arrangements on a number of occasions during the BCP implementation period. The Committee has also considered a detailed analysis of our reputational risks, refining the strategic risk register as a consequence of this deep dive risk analysis; and has undertaken a detailed review of the risks associated with the Heritage Horizons programme should that bid prove to be successful.
- d) LEADER: the Authority, as lead body for the management and administration of EU LEADER funding within Cairngorms, has a responsibility to arrange for appropriate internal audit of its LEADER activities under the terms of the service level agreement with the Scottish Government. The Committee has considered internal audit reports on the LEADER programme. The Committee can provide assurance on the effective administration of the LEADER grants from these internal audit reports, and of the management of the Authority’s potential financial liabilities arising from our Accountable Body role from scrutiny of reporting on strategic risk management.
- e) Accounting Policy: the Committee reviews and agrees accounting policies as part of its consideration of final accounts prior to their signature by the Accountable Officer. There were no significant variations to accounting policy required in the year.
- f) Governance Statement: review and approval of this statement, prior to its inclusion in the annual accounts and prior to signature by the Accountable Officer.
- g) Governance considerations: within the Committee’s responsibilities for Governance, we have begun consideration of actions around governance changes toward the end of this reporting period. In addition to the consideration of handling complaints made which refer to governance issues referred to elsewhere, the Committee has begun consideration of the Scottish Government Framework Agreement and on actions following up recommendations made in the internal audit of the Authority’s governance arrangements.
- h) Updates on progress in implementing previous audit recommendations: the internal auditors have undertaken a formal follow-up review of action taken on previous audit recommendations and reported progress on this to Committee at its meeting on 12 March 2021. This most recent report highlighted a number of outstanding actions and recommendations in progress or not yet implemented. However, the internal auditors and Committee noted their satisfaction on the attention given to audit recommendations and progress made particularly in the context of resource pressures created by COVID responses since March 2020.
- i) Consideration and agreement of forward audit activity plans: the Committee has agreed a forward plan of internal audit activity and has monitored progress in delivery of the internal audit plan for 2020⁄21 with a plan for 2021⁄22 together with forward internal audit plans and analysis of the audit universe agreed at the meeting of 12 March 2021.
- j) Best Value: the Committee has agreed a set of criteria developed by management to support appraisal of any private finance investments offered to support work in the Cairngorms National Park.
- k) Best Value and Complaints Handling: the Committee has also undertaken a regular overview of the Authority’s complaints handling to ensure improved service provision in this area following on from an internal audit review highlighting that some areas of improvement in practice were required. The Committee’s oversight of complaints handling and governance also covered taking responsibility for oversight of handling of a number of complaints against a Board member over the period, together with approving a lessons learned review of that process and forward action in amendments to the Authority’s complaints procedure. This highlights that once again the Committee has sought to ensure that the work of the Committee on internal controls is fully integrated with the Authority’s wider commitment to Best Value and continuous improvement in service provision.
- l) Letter of representation: the Committee considered the draft letter of representation from the Authority to Grant Thornton, the external auditor, prior to its signature by the Accountable Officer as an appropriate reflection of the Authority’s position for preparation of the accounts for 2019⁄20 and conduct of the Authority’s financial and wider control procedures over the course of the year.
- m) Freedom of Information (Scotland) Act (FOISA) and Data Subject Access Requests (DSAR): the Committee has provided oversight of the Authority’s management and handling of information requests made under FOISA and DSAR regulations, including the outcome of a small number of referrals made by applicants to the Scottish Information Commissioner. With both an assurance and Best Value focus, the Committee’s oversight of these matters has provided confirmation on behalf of the Board of the adequacy and efficacy of arrangements implemented by management to handle information requests and continually learn from experience and outcomes of processes.
Internal Audit
The Committee agrees an annual internal audit work programme presented by the internal auditor.
Table One presents a summary of the number and degree of significance of internal audit findings over the period of this report and compares this with historic levels. The definitions used for significance of internal audit recommendations have changed slightly with the change in internal audit provider from BDO to Azets. These definitions are given after the table. The areas audited are also classified in terms of overall effectiveness of the internal audit control systems reviews and these classifications are also explained below the table.
Table One: Summary of Internal Audit Findings
Internal Audit Study (number of recommendations) | Critical | High | Moderate | Low |
---|---|---|---|---|
2011⁄12 Total (7 studies) | 0 | 3 | 4 | 9 |
2012⁄13 Total (4 studies) | 0 | 0 | 0 | 10 |
2013⁄14 Total (7 studies) | 0 | 1 | 9 | 11 |
2014⁄15 Total (4 studies) | 0 | 0 | 5 | 13 |
2015⁄16 Total (9 studies) | 0 | 0 | 9 | 10 |
2016⁄17 Total (8 studies) | n/a | 0 | 1 | 11 |
2017⁄18 Total (3 studies) | n/a | 0 | 3 | 7 |
2018⁄19 Total (9 studies) | n/a | 1 | 6 | 10 |
2019⁄21 Total (9 studies) | 0 | 5 | 16 | 21 |

The 2019⁄21 studies were:

By BDO | High | Medium | Low |
---|---|---|---|
Payroll Administration (Dec 19) | 0 | 2 | 4 |
Expense Claim Processes (Dec 19) | 0 | 2 | 5 |
Staff Objective Setting and Appraisal (Mar 20) | 0 | 1 | 3 |
Freedom of Information (Mar 20) | 0 | 1 | 5 |
Project Financing (Mar 20) | 0 | 2 | 3 |

By Azets | Very High | High | Moderate | Limited |
---|---|---|---|---|
LEADER Administration (Sep 20) | 0 | 0 | 0 | 0 |
Corporate Governance (Feb 21) | 0 | 2 | 4 | 0 |
COVID19 BCP Recovery (Feb 21) | 0 | 0 | 2 | 1 |
Data Management (Mar 21) | 0 | 3 | 2 | 0 |
Total for period | 0 | 5 | 16 | 21 |
Key — BDO definition of significance of audit recommendations:
- a) High: A weakness where there is substantial risk of loss, fraud, impropriety, poor value for money, or failure to achieve organisational objectives. Such risk could lead to an adverse impact on the business. Remedial action must be taken urgently.
- b) Moderate: A weakness in control which, although not fundamental, relates to shortcomings which expose individual business systems to a less immediate level of threatening risk or poor value for money. Such a risk could impact on operational objectives and should be of concern to senior management and requires prompt specific action.
- c) Low: Areas that individually have no significant impact, but where management would benefit from improved controls and/or have the opportunity to achieve greater effectiveness and/or efficiency.
Azets definition of grades for management action recommendations:
- d) Very High Risk Exposure: major concerns requiring immediate senior attention that create fundamental risks within the organisation
- e) High Risk Exposure: absence / failure of key controls that create significant risks within the organisation
- f) Moderate Risk Exposure: controls are not working effectively and efficiently and may create moderate risks within the organisation
- g) Limited Risk Exposure: controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.
The Committee welcomes the fact that once again there have been no highest grade recommendations raised by internal audit over the course of the period covered by this report on either of the risk categorisations used. The Committee has noted a number of high risk exposure recommendations in the more recent reports and is aware that these reflect areas where either there is already some internal awareness of improvement requirements and work is underway to address matters, or our internal risk management has detected the development of matters requiring resolution with delay in action caused by COVID disruptions.
In line with the Authority’s values of transparency, the Committee is made aware of all recommendations made by the internal auditors, through consideration of full management reports following each audit review.
The Committee has agreed management responses to all recommendations made and continues to monitor progress made. The internal auditors have also conducted follow-up reports and report back to the Committee on their findings.
The Committee has considered the Internal Auditors’ Annual Report for 2020⁄21. The internal auditor’s annual report for the year gives the following overall opinion: “In our opinion CNPA has a framework of controls in place that provides reasonable assurance regarding the organisation’s governance framework, internal controls, effective and efficient achievement of objectives and the management of key risks, subject to the implementation of specific high risk actions raised in relation to corporate governance processes and data management control improvements throughout 2020⁄21.”
External Audit
The Authority’s accounts for 2019⁄20 received a clear, unqualified external auditor’s report and opinion from Grant Thornton, our external auditors.
The accounts and external auditor’s report for 2019⁄20 were considered and approved by the Committee at its meeting on 11 September 2020. The accounts were signed by the Chief Executive as Accountable Officer on 21 October 2020, and passed to Audit Scotland for signature and onward submission to Auditor General and Scottish Parliament.
The Audit & Risk Committee considered Audit Scotland’s report to those charged with governance on the audit of the 2019⁄20 accounts at its meeting of 11 September 2020. The report highlighted only one action point, referencing the requirement to revisit longer term financial planning scenarios in the context of COVID19 impacts and recovery actions from COVID19 impacts. This action was accepted by management and the Committee and was an action which management were already progressing and had been the subject of specific reports to the Board in terms of the Green Recovery Plan and associated budget discussions.
The external audit report noted that complete draft financial statements, including the Performance Report, Accountability Report and Governance Statement within the agreed timescales.
Strategic Risk Management
The Authority’s strategic risk register has now been revised during the year by the Committee and full Board, ensuring it reflects the delivery priorities and strategic environment of the Authority in its delivery of our new Corporate Plan for 2018 to 2022. The Board has sight of the strategic risk register and is able to comment on it twice each year, while considering wider corporate performance reports. The Audit & Risk Committee will continue to review the coverage and adequacy of the strategic risk register in those quarters where it is not presented to the full Board.
Conclusions
The Audit & Risk Committee considers that it has been successful in progressing the Board’s governance and internal control priorities during the period covered by this annual report.
The Committee welcomes the work of the Authority’s finance team in maintaining a high quality and professional financial accounting service within agreed audit timescales despite the varied pressures of remote working and other BCP and COVID19 impacts. The Committee also greatly appreciates the work of the internal and external auditors in adapting their working practices to deal with the impacts of COVID19 over the last year.
The Committee has engaged through the year with issues identified by the Authority’s internal and external auditors, and also by the Authority’s officers. The Committee has received full reports on issues raised; considered recommendations made; and approved responses and actions. The Committee has shaped and approved the overall audit plan and guided the direction and approach of the internal auditors and their programme of work. The Committee has also monitored delivery against approved action plans.
Both the internal and external auditors’ findings provide assurance to the Committee and Board that the Authority’s internal control and governance objectives are being met effectively by management.
It is also reassuring for Committee members to see once again that audit recommendations have typically been of a low or moderate risk level. It is accepted that there will always be a range of improvements that can be made to services and controls; that these controls must continue to adapt to changing operating and strategic environments; and as such a number of recommendations for improvement from internal audit will always be expected. The Committee warmly welcomes the evidence of generally effective control systems evidenced by the reports and very low level of improvement recommendations arising from audits over the year.
The Committee will continue to address key, basic issues of internal control and the development of appropriate processes within the Authority.
The Committee will also seek to continue to have oversight of the Authority’s approach to and handling of risk management, and of wider aspects of corporate governance such as the approach to Best Value and value for money. In particular, members will seek to ensure that lessons are learned from operational experience and that wherever possible reviews of working practices and learning from them lead to improvements in our systems.
David Cameron, for Audit & Risk Committee members: Judith Webb (Chair), Gaener Rodger (Vice Chair), Peter Argyle, Pippa Hadley, Janet Hunter, John Latham
20 April 2021 davidcameron@cairngorms.co.uk