Cairngorms National Park Authority Internal Audit Plan ²⁰²²⁄₂₃

February 2022

Introduction

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control and governance processes.

Section 3 – Definition of Internal Auditing, Public Sector Internal Audit Standards

The PSIAS require the Chief Internal Auditor to produce a risk-based plan, which takes into account Cairngorm National Park Authority’s risk management framework, its strategic objectives and priorities and the views of senior managers and the Audit & Risk Committee. The objective of audit planning is to direct audit resources in the most efficient manner to provide sufficient assurance that key risks are being managed effectively and value for money is being achieved.

Internal audit is only one source of assurance for the Audit & Risk Committee. Assurance on the management of risk is provided from a number of other sources, including the senior management team, external audit and the risk management framework itself.

This document addresses these requirements by setting out an internal audit plan for ²⁰²²⁄₂₃ in the context of a three-year plan for ²⁰²¹⁄₂₂ to ²⁰²³⁄₂₄.

Audit & Risk Committee action

This latest version of the audit plan reflects discussions with the Chief Executive and the Director of Corporate Services and Deputy Chief Executive in January 2022. All feedback received to date has been factored into the plan to ensure internal audit work is as relevant and targeted to CNPA’s needs as possible, and that it is supporting management and the Board in addressing the organisation’s key risks.

The Audit & Risk Committee is asked to review and approve the proposed Internal Audit Plan for ²⁰²²⁄₂₃.

Internal Audit Plan ²⁰²²⁄₂₃

Audit area	²⁰²¹⁄₂₂	²⁰²²⁄₂₃	²⁰²³⁄₂₄	Risk Register Ref	Audit objectives
A. Financial systems
A.1 Financial management and reporting	8	6	7	Financial risks	Review of financial planning, budget management and reporting to management and the board.
A.2 Payroll and expenses	6	6	7	Financial risks	Review of the controls in place for the payment of staff salaries and expenses. Potential to utilise data analytics to undertake 100% sampling.
A.3 Expenditure and Creditors		7		Financial risks	Review of the controls over the processing and monitoring of expenditure and creditor payments.
Subtotal A:	8	6	7
B. Governance and Corporate Systems
B.1 Assurance Mapping of Major Projects	8	8	15	All	Review of the mechanisms in place to ensure the Board are being provided with assurance over projects where CNPA acts as accountable body.
B.2 Performance Management	8	8		A23, A21	Review of the monitoring and evaluation framework in place to monitor and evaluate performance against the National Park Partnership Plan and CNPA Corporate Plan.
B.3 Risk Management		7		All	Review of the policies, procedures and practices in place to support robust risk management within CNPA. Work will build on the Risk Appetite work being undertaken by the Board.
B.4 Partnership Management		8		A26	Review of the policies, procedures and mechanisms in place to work with CPNA partners and provide assurance on partnership arrangements. To be undertaken towards the end of ²⁰²¹⁄₂₂ and will consider how CRM is aiding in partnership management.
Subtotal B:	8	8	15
C. Operational
C.1 Health and Safety	7	11	23		To review the operation and reporting on Health and Safety policies and procedures.
C.2 Workforce Management and Planning		11		A12.2, A9.3, A28	Review of the arrangements in place for planning future workforce needs to deliver strategies and corporate plans. Will also consider the recruitment and retention arrangements in place for staff and ongoing staff wellbeing initiatives, particularly in the context of covid-19 impact.
C.3 Procurement		8		Financial Risk	Review of the arrangements in place over the procurement of services.
C.4. Heritage Horizons		8			A review of the governance and reporting arrangements for the Heritage Horizons programme to ensure the processes in place are suitable for the delivery phase of the programme and that lessons learned from the development phase have been implemented.
Subtotal C:		11	23
D. Information technology
D.1 ICT Strategy	7	7		A17, A13	Review to ensure an up-to-date ICT strategy is in place and being actively maintained.
D.2 Data Management		7		A17, A13	A review of the adequacy of current data management processes in place that support the organisation, with particular consideration over processes emerging from COVID-19 and changes to CNPA’s IT Infrastructure.
D.3 Cyber Security	7			A18	Review of the arrangements in place to mitigate cyber security risks.
Subtotal D:	14	7
E. Compliance and Regulatory
E.1 LEADER Administration	7	5		A11.1	To provide assurance on compliance with SLA between CNPA and Scottish Government on administration of EU LEADER funding.
E.2 Follow Up	3	3	3		To provide independent assurance to the audit and risk committee that agreed actions from previous internal audit reports are implemented as planned.
Subtotal E:	10	8	3
F. Management
Internal audit management and administration	2	2	2
Audit and Risk Committee planning, reporting and attendance	3	3	3
Audit needs analysis — strategic and operational IA planning	3	3	3
Contract management	2	2	2		For coordination and efficiency
Annual internal audit report	1	1	1
Subtotal F:	11	11	11
TOTAL	51	51	59

Allocation of audit days

(Pie chart showing allocation of audit days)

Internal audit approach

Supporting the Governance Statement

Our Internal Audit Plan is designed to provide Cairngorms National Park Authority, through the Audit & Risk Committee, with the assurance it needs to prepare an annual Governance Statement that complies with best practice in corporate governance. We also aim to contribute to the improvement of governance, risk management and internal control processes by using a systematic and disciplined evaluation approach.

Compliance with best practice

Azets’ internal audit methodology complies fully with the Public Sector Internal Audit Standards (PSIAS), which cover the mandatory elements of the Chartered Institute of Internal Auditors’ International Professional Practices Framework.

Risk based internal auditing

Our methodology links internal audit activity to the organisation’s risk management framework. The main benefit to Cairngorms National Park Authority is a strategic, targeted internal audit function that focuses on the key risk areas and provides maximum value for money.

By focussing on the key risk areas, internal audit should be able to conclude that:

Management has identified, assessed and responded to Cairngorms National Park Authority’s key risks;
The responses to risks are effective but not excessive;
Where residual risk is unacceptably high, further action is being taken;
Risk management processes, including the effectiveness of responses, are being monitored by management to ensure they continue to operate effectively; and
Risks, responses and actions are being properly classified and reported.

We have reviewed Cairngorm National Park Authority’s risk management arrangements and have confirmed that they are sufficiently robust for us to place reliance on the risk register as one source of the information we use to inform our audit needs assessment.

Audit needs assessment

Our internal audit plans are based on an assessment of audit need. “Audit need” represents the assurance required by the Audit & Risk Committee from internal audit that the control systems established to manage and mitigate the key inherent risks are adequate and operating effectively. The objective of the audit needs assessment is therefore to identify these key controls systems and determine the internal audit resource required to provide assurance on their effectiveness.

Our audit needs assessment involved the following activities:

Reviewing Cairngorms National Park Authority’s risk register,
Reviewing Cairngorms National Park Authority’s corporate operational plan,
Reviewing previous internal audit reports,
Reviewing external audit reports and plans,
Reviewing the Cairngorms National Park Authority’s website and internal policies and procedures,
Utilising our experience at similar organisations, and
Discussions with senior management and the Audit & Risk Committee

The plan has also been cross-referenced to the Cairngorm National Park Authority’s risk register as at September 2021. The audit universe is included at Appendix 2.

Best value

Our work helps Cairngorms National Park Authority to determine whether services are providing best value. Every report includes an assessment of value for money; i.e. whether the controls identified to mitigate risks are working efficiently and effectively. Where we identify opportunities for improving value for money, we raise these with management and include them in the report action plan.

Liaison with external audit

We seek to complement the areas being covered by Cairngorms National Park Authority’s external auditor. We welcome comments on the internal audit plan from Grant Thornton at any time. This will help us to target our work in the most effective manner, avoiding duplication of effort and maximising the use of total audit resource.

Delivering the internal audit plan

Internal Audit Charter

At Appendix 3 we have set out our Internal Audit Charter, which details how we will work together to deliver the internal audit programme.

Internal Audit team – indicative staff mix

Grade	²⁰²²⁄₂₃ Input (days)	Grade mix (%)
Partner / Director	6	12%
Manager	11	22%
Auditors	34	66%
Total	51	100%

Internal Audit Team Contacts

(Contact details for Elizabeth Young and Stephanie Hume)

Appendix 1 – Corporate Risk Register

(Table showing Corporate Risk Register)

Appendix 2 – Internal Audit Universe

(Table showing Internal Audit Universe)

Appendix 3 – Internal Audit Charter

The mission for internal auditing is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.

Definition

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve Cairngorms National Park Authority operations. It helps Cairngorm’s National Park Authority accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Aim

The aim of this Charter is to set out the management by all parties of the internal audit process. The Charter sets out the context of the internal audit function, including the place of the Audit Committee, the key personnel, timescales and processes to be followed for each internal audit review.

Role

The internal audit activity is established by the Board of Directors or oversight body (hereafter referred to as the Board). The internal audit activity’s responsibilities are defined by the Board as part of their oversight role.

Professionalism

The internal audit activity will govern itself by adherence to The Institute of Internal Auditors’ mandatory guidance including the Definition of Internal Auditing, the Core Principles of Professional Practice of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.

The IIA’s Practice Advisories, Implementation Guidance, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. In addition, the internal audit activity will adhere to Cairngorms National Park Authority’s relevant policies and procedures and the internal audit activity’s standard operating procedures manual.

Authority

The internal audit activity, with strict accountability for confidentiality and safeguarding records and information, is authorised full, free, and unrestricted access to any and all of the organisation’s records, physical properties, and personnel pertinent to carrying out any engagement. All employees are requested to assist the internal audit activity in fulfilling its roles and responsibilities. The internal audit activity will also have free and unrestricted access to the Board.

Accountability

The Chief Internal Auditor will be accountable to the Audit & Risk Committee and will report administratively to the Director of Corporate Services.

The Audit & Risk Committee will approve all decisions regarding the performance evaluation, appointment, or removal of the Chief Internal Auditor.

The Chief Internal Auditor will communicate and interact directly with the Audit & Risk Committee, including between Audit & Risk Committee meetings as appropriate.

Independence and objectivity

The internal audit activity will remain free from interference by any element in the organisation, including matters of audit selection, scope, procedures, frequency, timing, or report content. This is essential in maintaining the internal auditors’ independence and objectivity.

Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, manage risks, prepare records, or engage in any other activity that may impair internal auditor’s judgment.

Internal auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.

The Chief Internal Auditor will confirm to the Audit & Risk Committee, at least annually, the organisational independence of the internal audit activity. Any interference experienced should be disclosed by the Chief Internal Auditor to the Board and the implications discussed.

Scope and responsibility

The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organisation’s governance, risk management, and internal control processes in relation to the organisation’s defined goals and objectives. Internal control objectives considered by internal audit include:

Consistency of operations or programs with established objectives and goals and effective performance.
Effectiveness and efficiency of operations and employment of resources.
Compliance with significant policies, plans, procedures, laws, and regulations.
Reliability and integrity of management and financial information processes, including the means to identify, measure, classify, and report such information.
Safeguarding of assets.

Internal Audit is responsible for evaluating all processes (‘audit universe’) of Cairngorms National Park Authority, including governance processes and risk management processes. In doing so, internal audit maintains a proper degree of coordination with external audit and where practical other assurance providers.

Internal audit may perform consulting and advisory services related to governance, risk management and control as appropriate for the organisation. It may also evaluate specific operations at the request of the Audit & Risk Committee or management, as appropriate.

Based on its activity, internal audit is responsible for reporting significant risk exposures and control issues identified to the Audit & Risk Committee and to senior management, including fraud risks, governance issues, and other matters needed or requested by Cairngorms National Park Authority.

Annual internal audit plan

The audit year runs from 1 April to 31 March.

At least annually, the Chief Internal Auditor will submit to the audit committee an internal audit plan for review and approval. The internal audit plan will detail, for each subject review area:

The outline scope for the review,
The number of days budgeted,
The timing, including which Audit & Risk Committee the final will report will go to,
The review sponsor.

The Chief Internal Auditor will communicate the impact of resource limitations and significant interim changes to senior management and the Board.

The internal audit plan will be developed based on a prioritisation of the audit universe using a risk-based methodology, including input of senior management. Prior to submission to the Audit & Risk Committee for approval, the plan will be discussed with appropriate senior management. Any significant deviation from the approved internal audit plan will be communicated through the periodic activity reporting process.

Assignment Planning and Conduct

An assignment plan will be drafted prior to the start of every assignment setting out the scope, objectives, timescales and key contacts for the assignment.

Specifically, the assignment plan will detail the timescales for carrying out the work, issuing the draft report, receiving management responses and issuing the final report. The assignment plan will also include the name of the staff member who will be responsible for the audit (review sponsor) and the name of any key staff members to be contacted during the review (key audit contact).

The assignment plan will be agreed with the review sponsor and the key audit contact (for timings) before the review starts.

Reporting and Monitoring

The internal auditor will discuss key issues arising from the audit as soon as reasonably practicable with the key contact and/or review sponsor, as appropriate.

A written report will be prepared and issued by the Chief Internal Auditor or designee following the conclusion of each internal audit engagement and will be distributed to the review sponsor and key contacts identified in the assignment plan for management responses and comments.

Draft reports will be issued by email within 15 working days of fieldwork concluding. The covering email will specify the deadline for management responses, which will normally be within a further 10 days. The management comments and response to any report will be overseen by the review sponsor. Internal Audit will make time after issuing the draft report to discuss the report and, if necessary, meet with the review sponsor and/or key contact to ensure the report is factually accurate and the agreed actions are clear, practical, achievable and valuable.

The internal auditors will issue the final report to the review sponsor and the Director of Corporate Services. The final report will be issued within 10 working days of the management responses being received. Finalised internal audit reports will be presented to the Audit & Risk Committee. Finalised internal audit outputs must be in the hands of the Director of Corporate Services by prescribed dates annually.

The working days set out above are maximum timescales and tighter timescales may be set out in the assignment plan.

The internal audit activity will follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.

Audit & Risk Committee

The Audit & Risk Committee meets four times a year, normally in February, May, September and November. Dates for Audit & Risk Committee meetings will be provided to internal audit as soon as they are agreed. The Chief Internal Auditor and/or Internal Audit Manager will attend all meetings of the Audit & Risk Committee.

Internal audit will schedule its work so as to spread internal audit reports reasonably evenly over Audit & Risk Committee meetings. The annual internal audit plan will detail the internal audit reports to be presented to each Audit & Risk Committee meeting.

The internal auditor will generally present specific reports to the committee as follows:

Output	Meeting
Annual internal audit plan	February
Follow-up report	November and May
Annual report	May
Progress report	All meetings

The Audit & Risk Committee will meet privately with the internal auditors at least once a year.

Periodic Assessment

The Chief Internal Auditor is responsible for providing a periodic self-assessment on the internal audit activity as regards its consistency with the Audit Charter (purpose, authority, responsibility) and performance relative to its Plan.

In addition, the Chief Internal Auditor will communicate to senior management and the Audit & Risk Committee on the internal audit activity’s quality assurance and improvement programme, including results of on-going internal assessments and external assessments conducted at least every five years in accordance with Public Sector Internal Audit Standards.

Review of Charter

This Charter will be reviewed by both parties each year and amended if appropriate.

220211AuCtteePaper5Annex122-23IAPlanFINAL

Cairngorms Nation­al Park Author­ity Intern­al Audit Plan 2022⁄23

Intro­duc­tion

Intern­al Audit Plan 2022⁄23

Alloc­a­tion of audit days

Intern­al audit approach

Deliv­er­ing the intern­al audit plan

Appendix 1 – Cor­por­ate Risk Register

Appendix 2 – Intern­al Audit Universe

Appendix 3 – Intern­al Audit Charter

We want your feedback