Cairngorms National Park Authority

Internal Audit Report ²⁰²¹⁄₂₂

LEADER Programme

September 2021

A AZETS

Page 3

Cairngorms National Park Authority Internal Audit Report ²⁰²¹⁄₂₂ LEADER Programme

Executive Summary 1 Management Action Plan 5 Appendix A – Definitions 10

Audit Sponsor	Key Contacts	Audit team
David Cameron, Director of Corporate Services	Bridget Trussell, LEADER Programme Manager Samantha Masson, Programme Supervisor	Chris Brown, Partner Stephanie Hume, Senior Manager Lorna Munro, Internal Auditor

Page 5

Executive Summary

Conclusion

We have gained assurance that the procedures for the LEADER programme closure within Cairngorms National Park Authority (CNPA) reflect good practice. There is clear guidance for claim and closure processes covering inspection visits, inspection reports, updating the Local Actions in Rural Communities system (LARCs), reviewing grantees’ files, and we confirmed these are being complied with.

However, we did note the LEADER programme tracker was not fully up to date with payment information for closed projects and closure letters were not being sent for any projects, contrary to CNPA guidance. We also noted that, whilst CNPA has made progress in addressing both records management retention and lessons learned, there are some improvements required to ensure the integrity and availability of records in future, and that lessons learned are being activity used to benefit CNPA.

Background and scope

The LEADER programme forms part of the Scottish Rural Development Programme 2014 – 2020 for which Cairngorms National Park Authority (CNPA) is an Accountable Body. The LEADER programme is an initiative which aims to increase support to rural community and business networks to tackle local development objectives.

It is a requirement of the Service Level Agreement (SLA) between the Scottish Government and CNPA that an annual internal audit takes place to review the functions and services provided by the organisation in their role as Accountable Body, and to assess the extent to which they are meeting the requirements outlined in the SLA. The LEADER programme is due to close at the end of December 2021.

In accordance with the ²⁰²¹⁄₂₂ Internal Audit plan we reviewed the project, claim and programme closure processes to ensure compliance with the SLA for the LEADER programme and the effectiveness of project and programme closure.

Page 6

Control assessment


5 — Yellow	1 — Green
4 — Yellow	2 — Green
3 — Green

Final claims submitted to the Scottish Government are in line with eligibility criteria and review/approved prior to payment, with all outstanding grant claims being monitored to ensure that they will be paid out and monies reimbursed to CNPA by 31 Dec
Project visits and final inspection reports have been completed prior to final project claims being paid.
Internal administration closure procedures have been undertaken with a letter of project closure to each applicant being issued.
Procedures are in place to ensure that all records held by CNPA are maintained and accessible for the periods identified in the Service Level Agreement.
CNPA has put in place measures to capture lessons learned for inclusion in future grant programmes.

Improvement actions by type and priority

Grade 4
Grade 3
Grade 2
Grade 1

Four improvement actions have been identified from this review, two of which relate to compliance with existing procedures, rather than the design of controls themselves. See Appendix A for definitions of colour coding.

Page 7

Key findings

Good practice

Eligibility criteria is clearly outlined in the guidance available to both applicants and staff within CNPA.
All claims made by applicants are subject to review to ensure they are eligible, and that appropriate evidence of the expenditure incurred has been provided.
We confirmed there is clear segregation of duties throughout the processes in place.
The LEADER programme is monitored to ensure all projects are on schedule to have claims processed prior to the 31 December 2021 deadline.
All projects had an ‘in-situ’ inspection report completed regardless of whether there is a physical site involved.
Adjustments to working practices were made during COVID-19 which still ensured that processes were completed in compliance with the Service Level Agreement.
There are a range of internal closure procedures in place, including updating LARCs, in-situ reports and grantee file reviews.
Each project must complete a ‘Case Study’ to highlight the experience of delivering the programme and the benefits achieved.
A programme evaluation report¹, containing lessons learned, has been delivered on programme outcome achievement and programme delivery, using feedback and completed case studies

Areas for improvement

We have identified a small number of areas for improvement which, if addressed, would strengthen CNPA’s control framework. These include:

Ensuring the CNPA records management retention schedules are fully aligned with the Service Level Agreement and that document integrity and readability is maintained in future years.
Adding an internal process-focussed review to existing lessons learned activities and ensuring that lessons are taken forward into monitored action plans.

These are further discussed in the Management Action Plan below.

¹Covering the period 2014 – 2020, at which 85% of projects had been fully completed.

Page 8

Impact on risk register

The CNPA corporate risk register (dated November 2020) included the following risks relevant to this review:

A11.1: Resourcing: Role as Lead / Accountable body for major programmes (e.g. LEADER, Landscape Partnership) has risk of significant financial clawback should expenditure prove to be not eligible for funding, while CNPA carries responsibilities as employer for programme staff.
A11.2 Resourcing: the end of major programme investments (Tomintoul and Glenlivet, LEADER) requires significant ongoing staffing to manage audit and legacy which the Authority finds difficult to resource.

Resourcing risks will continue for some time following the project, due to obligations related to records retention, though the likelihood of ineligibility (A11.1) will continue to diminish as projects are closed and reimbursed by the Scottish Government.

Acknowledgements

We would like to thank all staff consulted during this review for their assistance and co-operation.

Page 9

Management Action Plan

Control Objective 1: Final claims submitted to the Scottish Government are in line with eligibility criteria and review/approved prior to payment, with all outstanding grant claims being monitored to ensure that they will be paid out and monies reimbursed to CNPA before the 31 December 2021 deadline.

Green

1.1 Programme Tracker

CNPA maintain a spreadsheet which tracks project milestones, claims and payments for the LEADER programme. 38 projects are noted on the tracker, with 31 closed and seven open.

We reviewed three projects closed in this financial year and confirmed that the final claim information was up to date and reflected the evidence provided; however we noted that the payment date of the final claim associated with one of these projects was incomplete. Of the 28 remaining projects closed in the tracker we noted that five projects had payment information – date received, date approved, or date paid missing.

Risk

There is a risk that the audit trail for closed projects is not accurately recorded in the main tracker, which could result in confusion or additional resources being required to source the correspondence evidence at a future date.

Recommendation

The LEADER programme tracker should be reviewed, and the missing data entered following review of the underlying payment evidence. All projects on the tracker should be checked for completeness as part of standard closure processes.

Management Action

Grade 1 (Operation)

Recommendation accepted; tracker will be reviewed and updated with complete information and included in the LEADER Delivery Team’s standard monthly update.

Action owner: LEADER Manager Due date: 30 November 21

Page 10

Control Objective 2: Project visits and final inspection reports have been completed prior to final project claims being paid.

Green

No reportable weaknesses identified

CNPA and Scottish Government guidance identifies that a site inspection must take place, where appropriate, and this would normally be carried out in line with the final payment unless an inspection has taken place recently. This was carried out as expected in two of the three projects sampled, with minor changes to working practices given COVID-19. This included ‘virtual’ site visits and the use of photographs, and we confirmed the third project did not have a physical site. In all three cases an ‘in-situ’ inspection report was also completed for all projects.

Page 11

Control Objective 3: Internal administration closure procedures have been undertaken with a letter of project closure to each applicant being issued.

Green

3.1 Closure Letter

CNPA internal guidance and flow charts state that a closure letter should be issued to each grantee on completion of the project, however management confirmed that this has not been the case in practice. They noted that there may be some examples of an email or letter being issued to the grantee, however these are not standard practice, and we did not identify this in the three projects sample tested.

Members of the LEADER Team felt that it would be helpful to issue a closure letter once the project has been marked as closed in the Scottish Government LARC system, as a reminder to grantees of their future obligations to the European Union (EU) and Scottish Government with regards to records and site management. They also identified that it would be useful to include a contact point within CNPA for any questions which may occur after the LEADER programme closure.

Risk

There is a risk that grantees are not fully aware of their continuing obligations as a result of the funding received and that project funding files are not compliant with extant processes.

Recommendation

Management should determine whether closure letters should be issued to all programme participants in line with extant guidance. Where this is not the case an addendum should be added to the document to indicate the period during which the step was not in place and include a suitable justification for the non-compliance.

Management Action

Grade 1 (Operation)

Recommendation agreed. We will review the position with the expectation that a closure letter will be issued to all grantees setting out, among other things, their ongoing obligations to maintain records and respond to any information requests.

Action owner: LEADER Manager Due date: 31 December 2021

Page 12

Control Objective 4: Procedures are in place to ensure that all records held by CNPA are maintained and accessible for the periods identified in the Service Level Agreement.

Yellow

4.1 Records Management

The CNPA Service Level Agreement with the Scottish Government states that all CNPA records should be maintained for six years with those related to heritable property maintained for 10 years. Our review of CNPA records management retention schedules confirmed that six years was noted for ‘funding applications’ and ‘management of government funding’ however the 10 years for heritable property was not mentioned within the description or notes associated with each of these types of records.

We confirmed that documents are securely stored in both paper and electronic forms with access restricted to the LEADER Team and the Director of Corporate Services. However we did note that electronic documents are not restricted for editing in Windows Explorer (file management system), impacting the availability of a clear audit trail as documents could be changed and only the last version retained.

In addition, we noted that CNPA is planning to migrate to storage on the Cloud and this may impact access to electronic documents, should the Scottish Government or EU wish to access them. This risk is partially mitigated by using the LARCs as the main document repository, however CNPA could be non-compliant with the Service Level Agreement.

Risk

There is a risk that LEADER retention periods are not aligned with the CNPA records retention guidance and could result in documents being destroyed early and non-compliance with the Service Level Agreement. There is also a risk that LEADER documents are no longer available or readable for the length of the retention period, due to changes in technology.

Recommendation

Management should undertake a risk assessment over the controls in place for access and editability in relation to electronic LEADER files. In addition management should ensure that LEADER programme records remain accessible and readable for the identified retention period.

Management Action

Grade 2 (Design)

Recommendation agreed. We will integrate this matter with the wider work on our Records and Data Management work to ensure robustness and accuracy of records over the long term.

Action owner: Governance and Reporting Manager Due date: 31 March 2022

Page 13

Control Objective 5: CNPA has put in place measures to capture lessons learned for inclusion in future grant programmes.

Yellow

5.1 Lessons Learned

CNPA captured lessons learned from individual LEADER projects and the overarching programme, however these activities were substantially focussed on programme outcomes and achievements, with less emphasis on processes and feedback from Cairngorm Local Action Group (CLAG) Members and staff.

We have been advised that process feedback has been provided through a range of forums including Scottish Government Accountable Officer Meetings, LEADER Programme Manager and CNPA Leader Team Meetings and implemented as the programme has progressed. However, unless key members of staff and CLAG members are available in the future, the knowledge of lessons learned will be lost as this type of feedback is not documented.

We also noted that, whilst lessons learned are being captured, there is no methodology, such as an action plan, for ensuring that these are disseminated and action taken or actively used in future work.

Risk

There is a risk that identified lessons learned are not fully managed and documented, resulting in a lack of oversight of all changes made, policies and procedures not being updated and potentially issues being repeated in the future.

Recommendation

Management should ensure that feedback on CNPA internal processes is obtained and, where appropriate, fed into Scottish Government reviews on programme processes. In addition, management should develop a lessons learned action log and ensure this is monitored by a relevant person(s) within the CNPA management structure.

Management Action

Grade 2 (Design)

Recommendation agreed. Workloads have been such that this wider lessons learned review of the LEADER Programme has not been possible to undertake to date and will be programmed for completion by the end of the operational year (point 1). A wider lessons learned action log (point2) will be undertaken as part of the developing Project Management Office.

Action owner: Point 1 LEADER Manager Due date: 31 March 2022 Point 2 Governance and Reporting Manager

Page 14

Appendix A – Definitions

Control assessments

Grade	Description
R	Fundamental absence or failure of key controls.
A	Control objective not achieved — controls are inadequate or ineffective.
Y	Control objective achieved — no major weaknesses but scope for improvement.
G	Control objective achieved — controls are adequate, effective and efficient.

Management action grades

Grade	Description
4	Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
3	High risk exposure — absence / failure of key controls that create significant risks within the organisation.
2	Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
1	Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.

Page 15

Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.

211029AuCtteePaper1Annex1LEADERReportWithManagementResponses

Cairngorms Nation­al Park Authority

Intern­al Audit Report 2021⁄22

LEAD­ER Programme

Exec­ut­ive Summary

Con­clu­sion

Back­ground and scope

Con­trol assessment

Improve­ment actions by type and priority

Key find­ings

Good prac­tice

Areas for improvement

Impact on risk register

Acknow­ledge­ments

Man­age­ment Action Plan

1.1 Pro­gramme Tracker

3.1 Clos­ure Letter

4.1 Records Management

5.1 Les­sons Learned

Appendix A – Definitions

Con­trol assessments

Man­age­ment action grades

We want your feedback

Cairngorms National Park Authority

Internal Audit Report ²⁰²¹⁄₂₂

LEADER Programme

Executive Summary

Conclusion

Background and scope

Control assessment

Improvement actions by type and priority

Key findings

Good practice

Acknowledgements

Management Action Plan

1.1 Programme Tracker

3.1 Closure Letter

5.1 Lessons Learned

Control assessments

Management action grades