Cairngorms National Park Authority

Internal Audit Report ²⁰²¹⁄₂₂

Assurance Mapping of Major Projects

January 2022

A AZETS CAIRNGORMS NATIONAL PARK AUTHORITY Audit & Risk Committee Paper 3 Annex 1 11/02/22

Page 2

Cairngorms National Park Authority Internal Audit Report ²⁰²¹⁄₂₂ Assurance Mapping of Major Projects


Executive Summary	1
Management Action Plan	5
Appendix A – Definitions	10

Audit Sponsor: David Cameron, Director of Corporate Services and Deputy Chief Executive

Key Contacts:

William Munro, Board Member
Carolyn Caddick, Board Member
Vicky Walker, Governance and Reporting Manager
Andy Ford, Director of Nature and Climate Change
Carolyn Robertson, Cairngorms Capercaillie Project Manager

Audit Team:

Elizabeth Young, Engagement Lead
Stephanie Hume, Senior Manager
Lorna Munro, Internal Auditor

Page 3

Executive Summary

Conclusion

We have confirmed that Cairngorms National Park Authority (CNPA) has identified all major projects and programmes and that assurance is being provided to the Board through the Performance Committee and the Resources Committee.

However, we have identified that CNPA had only partially implemented its major project/programme approach with a number of key actions still to be completed, including the development of templates, tools to improve monitoring and reporting (including financial assurance) and provision of Programme Office support. Furthermore, we noted a project plan for the implementation of this new approach is yet to be documented.

Background and scope

The Cairngorms National Park Authority (CNPA) is the accountable body financially for four out of five of the major projects taken forward by the organisation in the past five years, with a total funding for these projects of £15 million. Whilst the Authority is the accountable body financially, the delivery of these projects is spread across multiple partners who also contribute financially and provide project staff resources.

In accordance with the ²⁰²¹⁄₂₂ Internal Audit Plan, we reviewed the assurance of major projects within Cairngorms National Park Authority.

Page 4

Control assessment

There is an agreed governance and reporting framework in place for major projects, with comprehensive and regular updates provided to the Board on projects’ progress and performance. (Yellow)
Financial monitoring reports provide the Board with sufficient information on project costs and how each individual project is performing in relation to its allocated budget. (Yellow)
Board members sit on Programme Boards for all major projects and there are clear roles and responsibilities for Board members in terms of exception reporting and escalating issues of concern to the Board. (Green)
An assurance mapping exercise has been carried out for major projects to confirm that appropriate and risk-based assurance is being received across the organisation. (Yellow)

Improvement actions by type and priority

(Chart showing 2 actions under “Control Design”)

Two improvement actions have been identified from this review, both of which relate to the design of controls. See Appendix A for definitions of colour coding.

Page 5

Key findings

Good practice

CNPA’s procedures reflect good practice in a number of areas:

CNPA identified the need for a consistent approach to project and programme management and have taken action to address this.
All extant major projects and programmes within CNPA have been identified, and all new projects and programmes will be approved by the Senior Management Team.
The Board has allocated responsibility to one of its sub-committees, the Performance Committee, to provide oversee major projects/programme performance, with updates being provided to each meeting. This ensures sufficient scrutiny is taking place at a senior level.
CNPA has established programme boards for all current major programmes, that consist of LEADER Programme, Capercaillie Project and Peatland Action. These boards review progress and performance, ensuring that timely corrective action is taken in relation to any issues.
Although not mandatory, we noted that currently a Board member sits on the programme board for all the current major programmes.

Areas for improvement

We have identified a small number of areas for improvement which, if addressed, would strengthen CNPA’s control framework. These include:

Fully implementing the major project/programme management approach, including provision of templates and clarifying key terminology.
Developing a tool to support project (including financial) assurance for the Performance Committee.

These are further discussed in the Management Action Plan below.

Impact on risk register

The CNPA corporate risk register included the following risks relevant to this review:

Risk A11.1: Resourcing: Role as Lead / Accountable body for major programmes (e.g. LEADER, Landscape Partnership) has risk of significant financial clawback should expenditure prove to be not eligible for funding, while CNPA carries responsibilities as employer for programme staff.
Risk A11.2: Resourcing: the end of major programme investments (Tomintoul and Glenlivet, LEADER) requires significant ongoing staffing to manage audit and legacy which the Authority finds difficult to resource.

The results of our review will not affect the impact or likelihood of either of these risks.

Page 6

Acknowledgements

We would like to thank all staff consulted during this review for their assistance and co-operation.

Page 7

Management Action Plan

Control Objective 1: There is an agreed governance and reporting framework in place for major projects, with comprehensive and regular updates provided to the Board on projects’ progress and performance. (Yellow)

1.1 Project management approach

At the time of fieldwork management were in the process of developing an outline programme management approach that can be tailored to each project. The most significant change to date has been the introduction of the Performance Committee, who maintain oversight of all major projects and programmes through regular assurance reports. They will be supported by the Resources Committee who has oversight of the overall CNPA budget. In addition, work remains ongoing to develop project development documentation including project initiation documents and assurance reports.

The project plan for this work has not been fully scoped or documented and therefore progress and outcomes will be difficult to monitor and report on.

Further, during discussions with staff and Board members we also noted that ‘project’ and ‘programme’ was used interchangeably, when specific meanings apply.

Risk: There is a risk the organisation does not implement a new project management approach effectively as a result of plans not being fully developed, leading to the CNPA not identifying issues early enough and therefore not achieving its objectives.

Recommendation: Management should put in place a project plan for implementation of the new project management approach. This may include the use of stage plans to help with maintaining flexibility over how the overall approach develops. In addition, management should ensure that this plan includes appropriate communications to explain any jargon or specific terminology.

Management Action: Recommendation agreed, while noting the work to communicate the work and its implantation and seek to improve consistency in terminology and language use is likely to be a separate action flowing from the project plan rather than an integral part of the plan itself. (Grade 2 (Design))

Action owner: Governance and Reporting Manager Due date: 30 September 2022

Page 9

Control Objective 2: Financial monitoring reports provide the Board with sufficient information on project costs and how each individual project is performing in relation to its allocated budget. (Yellow)

2.1 Financial Assurance

A decision has been taken that the Performance Committee will review the documentation produced for existing Programme Boards and external funders (e.g. Scottish Government, National Lottery) to ensure sufficient assurance can be taken on Programme delivery on behalf of the Board.

However, we noted in Performance Committee reports that the budget forecast position was missing from the Capercaillie project and projects at the planning or development stage were insufficiently detailed, with no summary of budgets, actuals, forecast or RAG rating included even though resources are being used during these stages.

It is noted that the Resources Committee receives regular financial reporting, which is broken down by project with these reports and minutes available to all Board members, including those in the Performance Committee. CNPA are also investigating a dashboard tool to support presentation of project assurance to the Performance Committee over a number of areas, including the financial management.

Risk: There is a risk that the Board are receiving insufficient financial assurance, resulting in Board members not having a clear and sufficient understanding of the financial position to support decision making.

Recommendation: Management should ensure the budget forecast position on the Capercaillie project is included in reporting to the Performance Committee when considering the level of assurance which can be taken on Programme delivery. In addition management should introduce a RAG rating or statement on financial performance into all highlight reports to the Performance Committee.

Management Action: Recommendation agreed. We will review the template cover paper for the Performance Committee with a view to ensuring these key elements of programme and project assurance are made explicit and transparent to the Committee. (Grade 2 (Design))

Action owner: Director of Corporate Services and Clerk to the Board Due date: 30 April 2022

Page 10

Control Objective 3: Board members sit on Programme Boards for all major projects and there are clear roles and responsibilities for Board members in terms of exception reporting and escalating issues of concern to the Board. (Green)

No weaknesses identified

Each proposed new major project or programme is assessed by the Senior Management Team who decide whether there is a need for Board members to sit on the project/programme board. The roles and responsibilities will be detailed in Project Initiation Documents being developed by the Programme Support Office.

All major projects and programmes are now also overseen by the Performance Committee. Their remit is to provide assurance over activity of major programmes and projects in supporting achievement of strategic outcomes and not posing unmitigated corporate risk.

In addition to standard escalation processes to the main Board, the Chair of the Performance Committee can highlight any issues to the Governance Committee or through informal discussions with other Board members.

Page 11

Control Objective 4: An assurance mapping exercise has been carried out for major projects to confirm that appropriate and risk-based assurance is being received across the organisation. (Yellow)

4.1 Assurance reporting

All new projects/programmes will be approved by the Senior Management Team and be taken forward through the new approach, which includes project initiation documentation, highlight reports and reporting to the Performance Committee. In addition, a structured assessment of assurance was undertaken for a developing programme — Heritage Horizons, and a similar approach to documenting and agreeing assurance will be taken forward for all major projects/programmes.

Existing live major projects/programmes will continue with the current documentation and board structures but provide assurance reports to the Performance Committee at the agreed frequency.

The Board Members spoken to felt that information presented was broadly sufficient for assurance purposes at this early stage of the new approach to project governance and assurance, though this would likely develop and improve over time.

However as highlighted in MAP 2.1 financial assurance is not being adequately provided for all projects as standard to the Performance Committee. A further recommendation has not been made but the control is assessed as yellow in line with MAP 2.1

Page 12

Appendix A – Definitions

Control assessments

Rating	Description
R	Fundamental absence or failure of key controls.
A	Control objective not achieved — controls are inadequate or ineffective.
Y	Control objective achieved — no major weaknesses but scope for improvement.
G	Control objective achieved — controls are adequate, effective and efficient.

Management action grades

Grade	Description
4	Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
3	High risk exposure — absence / failure of key controls that create significant risks within the organisation.
2	Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
1	Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.

Page 13

Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.

220211AuCtteePaper3Annex1MajorProjectAssuranceCNPAMgtResponses

Cairngorms Nation­al Park Authority

Intern­al Audit Report 2021⁄22

Assur­ance Map­ping of Major Projects

Exec­ut­ive Summary

Con­clu­sion

Back­ground and scope

Con­trol assessment

Key find­ings

Good prac­tice

Areas for improvement

Impact on risk register

Acknow­ledge­ments

Man­age­ment Action Plan

1.1 Pro­ject man­age­ment approach

2.1 Fin­an­cial Assurance

No weak­nesses identified

4.1 Assur­ance reporting