DRAFT MINUTES OF THE AUDIT AND RISK COM­MIT­TEE MEETING

of

THE CAIRNGORMS NATION­AL PARK AUTHORITY

held via Lifes­ize Video Conferencing

on 11 Feb­ru­ary 2022 at 1pm

PRESENT

• Judith Webb (Chair)
• John Kirk
• John Lath­am
• Elean­or Mackintosh
• Fiona McLean (Vice-Chair)
• Gaen­er Rodger

In Attend­ance:

• John Boyd, Grant Thornton
• Eliza­beth Young, Azets
• Dav­id Camer­on, Dir­ect­or of Cor­por­ate Services
• Grant Moir, CEO
• Kate Christie, Head of Organ­isa­tion­al Development
• Danie Ral­ph, Fin­ance Manager
• Helen Mason, Minute-taker

Apo­lo­gies:

None.

Wel­come & Apologies

1. The Chair wel­comed every­one to the meet­ing and there were no apologies.

Declar­a­tions of Interest

1. There were no interests declared.

Minutes of Last Meeting

1. The draft Minutes of the meet­ings on 29 Octo­ber 2021 were approved with no amendments.

Mat­ters Arising

1. Judith Webb, the Chair asked that thanks be passed to the Clerk to the Board for provid­ing an update on actions which will be included when we send round agen­das in the future.

2. Dav­id Camer­on (Dir­ect­or of Cor­por­ate Ser­vices) ran through the Actions Log:

Ref	Action Detail	Who	When	Status
10/09/2021 (Para 3)	Ongo­ing Dis­cus­sion at Board and Gov­ernance Com­mit­tee on risk appet­ite. Dis­cus­sions are to be had with intern­al audit on sup­port­ing this work.	Dav­id Camer­on / Intern­al Auditors	Sched­uled late Q3 or Q4 22⁄23	In Hand
10/09/2021 (Para 3)	Once Her­it­age Hori­zons pro­gramme had com­menced, it to become a stand­ing item on AR Committee’s Agenda	Dav­id Cameron	For next AR Com­mit­tee meeting	Closed
29/10/2021 (Para 8i)	Bring les­sons learned on LEAD­ER back as Agenda item to a future AR Committee.	Dav­id Cameron	After the pro­gramme had finished	Open
29/10/2021 (Para 20i)	Provide AR Com­mit­tee with timetable for for­ward plan­ning of meetings.	Dav­id Cameron		Open
29/10/2021 (Para 4i)	Pri­or­ity to be giv­en to com­pleted a detailed VAT review dur­ing the remainder of 2021 – 22.	Dav­id Cameron	By end March 2022	In Hand

²⁰²¹⁄₂₂ Extern­al Audit Plan (Paper 1)

1. John Boyd, Grant Thornton intro­duced the paper which presents the draft final plan for the audit of the 2021/2022 annu­al report and accounts. This is the last year of Grant Thornton as the appoin­ted aud­it­or. He high­lighted the fol­low­ing points:

a) The Plan was sim­il­ar to last year, estab­lish­ing a risk-based approach com­mon across all pub­lic sec­tor bod­ies. b) Includes plan­ning mater­i­al­ity: to revis­it on receipt of draft fin­an­cial state­ments. c) Note audit time line page 11. Does not expect any sig­ni­fic­ant dif­fer­ences to this plan. Will com­plete audit with tar­geted sign off by end of September.

1. Chair expressed her thanks and noted the timeline remains the same, though Com­mit­tee meet­ing dates may differ.

2. The Audit and Risk Com­mit­tee dis­cussed the paper and made the fol­low­ing com­ments and observations:

a) Dir­ect­or of Cor­por­ate Ser­vices advised that there would be an Audit & Risk Com­mit­tee meet­ing on 9^th Septem­ber to enable sign off by end of Septem­ber. b) A mem­ber asked what does trivi­al mater­i­al­ity mean? John Boyd explained this rep­res­ents a threshold below which the fin­an­cial level is not sig­ni­fic­ant, and is not con­sidered to have an impact on fin­an­cial state­ments. c) Clar­ity sought on the over­all mater­i­al­ity stated as any­thing above £143,000. John Boyd explained that the mater­i­al­ity to users of the accounts, with the main user being the Scot­tish Gov­ern­ment estab­lished the levels at which report­ing mat­ters were con­sidered of sig­ni­fic­ance. d) Trivi­al mater­i­al­ity was then explained as any­thing below this wouldn’t have any sig­ni­fic­ance to the reader’s under­stand­ing of the fin­an­cial pos­i­tion of the organ­isa­tion. John Boyd sum­mar­ised that the extern­al aud­it­or can­not audit to the nearest pound, but robust assur­ance was needed for the user of the accounts that the inform­a­tion gives a true and fair view of the over­all fin­an­cial pos­i­tion. These con­cepts helped the aud­it­or estab­lish this position.

1. The Audit and Risk Committee:

a) Agreed the final extern­al audit plan for the extern­al audit of the ²⁰²⁰⁄₂₁ annu­al report and accounts; b) Noted the fee for the audit will be resolved fol­low­ing final audit pre­par­at­ory review as set out in the plan.

1. Action Point Arising:

i. Aud­it­or agreed to com­plete audit with tar­geted sign off by end of Septem­ber 2022.

Intern­al Audit: Fin­an­cial Man­age­ment and Report­ing (Paper 2)

1. Eliza­beth Young, Azets, intro­duced Paper 2 which presents the review of the Cairngorms NPA’s approaches to, and con­trols in place for our fin­an­cial man­age­ment and report­ing. The review has been under­taken as part of the agreed Intern­al Audit Plan for ²⁰²¹⁄₂₂.

2. The Audit and Risk Com­mit­tee dis­cussed the paper and made the fol­low­ing com­ments and observations:

a) Chair noted use­ful style and lay­out of reports presen­ted and all man­age­ment actions have been agreed. b) Dir­ect­or of Cor­por­ate Ser­vices wel­comed the report and noted the restruc­tur­ing of the fin­ance team with new staff resources. c) Mem­ber asked to cla­ri­fy wheth­er agenda items were for decision or dis­cus­sion. Dir­ect­or of Cor­por­ate Ser­vice thought this a mis­take and this item should be re-titled as a decision item. He cla­ri­fied that all intern­al audit reports were always presen­ted for decision by Com­mit­tee, as it was a respons­ib­il­ity of the Com­mit­tee to con­sider the audit recom­mend­a­tions and man­age­ment responses to those recom­mend­a­tions to ensure mem­bers were sat­is­fied, on behalf of the board, that man­age­ment were oper­at­ing appro­pri­ate intern­al con­trol sys­tems. d) Mem­ber asked about cla­ri­fy­ing man­age­ment levels of del­eg­ated author­ity. Dir­ect­or of Cor­por­ate Ser­vices advised that the scheme of del­eg­a­tion has to be renewed and train­ing car­ried out on the back of revised policies and organ­isa­tion­al restruc­tur­ing. e) Dir­ect­or of Cor­por­ate Ser­vices cla­ri­fied fur­ther they are look­ing at each man­age­ment level to sign off fin­an­cial com­mit­ments at an appro­pri­ate level with regard to each tier of respons­ib­il­ity. Then all staff will be trained on the time line indic­ated. The urgency of the mat­ter was recognised.

1. The Audit and Risk Committee:

a) Con­sidered the intern­al aud­it­ors report and find­ings; b) Endorsed the man­age­ment responses to recom­mend­a­tions for future action and sys­tem improvements.

1. Action Points Arising:

i. None.

Intern­al Audit: Assur­ance Map­ping of Major Pro­jects (Paper 3)

1. Eliza­beth Young, Azets, intro­duced Paper 3 which presents the review of the Cairngorms NPA’s approaches to assur­ance over major pro­jects. The review has been under­taken as part of the agreed Intern­al Audit Plan for ²⁰²¹⁄₂₂. It was noted that the CNPA has recog­nised need to firm up arrange­ments over this area of work and had imple­men­ted a num­ber of new con­trols. High­lighted pro­gress on good prac­tice. Some improve­ments were still needed as this remained work in progress:

a) Over­all man­age­ment approach to ensure imple­ment­a­tion of sys­tem is final­ised on a timely basis. b) Reports to per­form­ance com­mit­tee; some were not com­plete with adequate fin­an­cial inform­a­tion: this should be tightened up.

1. The Audit and Risk Com­mit­tee dis­cussed the paper and made the fol­low­ing com­ments and observations:

a) The Chair wel­comed the report and advised it was timely with help­ful recom­mend­a­tions. b) Dir­ect­or of Cor­por­ate Ser­vices praised the help­ful guide and report. He informed Com­mit­tee that has taken an amend­ment to the report­ing tem­plate to the man­age­ment team in order to take for­ward the need for con­sist­ency and cov­er­age of fin­an­cial indic­at­ors. He repor­ted that they would be using the revised cov­er paper for Per­form­ance Com­mit­tee mov­ing for­wards, and con­firmed that man­age­ment were still review­ing and adapt­ing our sys­tems. c) CEO high­lighted the pos­it­ive over­all report on major pro­jects and recog­nised that it was a good basis for mov­ing for­wards. d) Mem­ber wel­comed recom­men­ded improve­ment in con­sist­ency in ter­min­o­logy and lan­guage. How would this be com­mu­nic­ated to the Board and across the organ­isa­tion? Dir­ect­or of Cor­por­ate Ser­vices noted that Vicky Walk­er (Gov­ernance and Report­ing Man­ager) would be tak­ing for­ward stand­ard­isa­tion of pro­ced­ures and ter­min­o­logy. He advised that it would be brought back to the Com­mit­tee to ensure sure that lan­guage was clear to Board members.

1. The Audit & Risk Committee:

a) Con­sidered the intern­al aud­it­ors report and find­ings; b) Endorsed the man­age­ment responses to recom­mend­a­tions for future action and sys­tem improvements.

1. Action Point arising:

i. Vicky Walk­er (Gov­ernance and Report­ing Man­ager) to take for­ward stand­ard­isa­tion of pro­ject man­age­ment pro­ced­ures and ter­min­o­logy. This to be brought back to the ARC to ensure the appro­pri­ate lan­guage was used.

Intern­al Audit Pro­gress Report (Paper 4)

1. Eliza­beth Young, Azets, intro­duced Paper 4 which presents the Intern­al Auditor’s Pro­gress Report.

2. The Audit & Risk Com­mit­tee con­sidered and agreed the intern­al auditor’s pro­gress report.

3. Action Point arising:

i. None.

Intern­al Audit Stra­tegic Intern­al Audit Plan ²⁰²²⁄₂₃ (Paper 5)

1. Eliza­beth Young, Azets intro­duced Paper 5 which presents the stra­tegic intern­al audit plan includ­ing the pro­posed intern­al audit work for the ²⁰²²⁄₂₃ fin­an­cial and oper­a­tion­al year.

2. The Audit and Risk Com­mit­tee dis­cussed the paper and made the fol­low­ing com­ments and observations:

a) Mem­bers agreed that this wider approach is a prag­mat­ic approach to the Authority’s evolving work and key areas of risk man­age­ment and con­trol. b) A mem­ber asked what is the think­ing around the LEAD­ER approach to annu­al audits when there are many oth­er aspects of our activ­it­ies which could be reviewed? Cla­ri­fic­a­tion sought into the think­ing behind the sum­mary of checks and bal­ances. Dir­ect­or of Cor­por­ates Ser­vices advised that it was a require­ment of Scot­tish Gov­ern­ment around LEAD­ER for all pub­lic bod­ies to under­take intern­al audit whenev­er there is spend in a European fin­an­cial year (16^th to 15^th Octo­ber). He had dis­cussed with Scot­tish Govt if we have to put an intern­al audit in place, and this had been con­firmed. For the com­ing year, we will focus audit time on the clos­ure of the LEAD­ER scheme to add value and assur­ance to the Authority’s pos­i­tion as account­able body for clos­ure pro­cesses. c) Mem­ber asked for cla­ri­fic­a­tion around payroll expenses, what was 100% sampling? It was explained that this covered 100% of the pop­u­la­tion which was considered.

1. The Audit & Risk Committee:

a) Con­sidered the intern­al auditor’s stra­tegic intern­al audit plan; b) Con­sidered the spe­cif­ic intern­al audit plan for ²⁰²²⁄₂₃ intern­al audit work and the appro­pri­ate­ness of that plan for the Authority’s needs; c) Agreed the intern­al audit plan for ²⁰²²⁄₂₃.

1. Action Points arising:

i. None.

Stra­tegic Risk Man­age­ment Over­view (Paper 6)

1. Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices, intro­duced Paper 6 which presents the most recent update to the Authority’s stra­tegic risk register, fol­low­ing review of risk man­age­ment action and pos­i­tion by the Seni­or Man­age­ment Team in Janu­ary 2022. He added that it had been agreed that Her­it­age Hori­zons will be a sep­ar­ate ongo­ing agenda item for the Committee.

2. The paper also presents an update on hand­ling the risks in deliv­ery of the Her­it­age Hori­zons pro­gramme, togeth­er with an update on man­age­ment of COVID19 busi­ness con­tinu­ity risks to allow the Com­mit­tee to take assur­ance over the man­age­ment of these pro­gramme spe­cif­ic risks and adequacy of cov­er­age of the stra­tegic risk register with regard to these stra­tegic programmes.

3. The Dir­ect­or of Cor­por­ate Ser­vices high­lighted a new risk added from a Man­age­ment per­spect­ive to Risk Register — the risk of secur­ing staff with the rel­ev­ant expert­ise and know­ledge in the con­text of an increas­ingly dif­fi­cult recruit­ment market.

4. The Dir­ect­or of Cor­por­ate Ser­vices also pro­posed that it was now time to reduce the pri­or­ity of busi­ness con­tinu­ity plan­ning and COV­ID man­age­ment risks and now end the con­sid­er­a­tion of the BCP risk register by the Com­mit­tee. His over­all assess­ment on the basis of the latest risk register now presen­ted to the Com­mit­tee is that all risks are under effect­ive mit­ig­a­tion man­age­ment or over­taken. The Com­mit­tee would be informed, or could decide, if events changed and there was a need to again con­sider busi­ness con­tinu­ity man­age­ment risks.

5. The Audit and Risk Com­mit­tee dis­cussed the paper and made the fol­low­ing com­ments and observations:

a) There was dis­cus­sion about the format of the three registers and wheth­er the Stra­tegic Risk register be put into the same format as the Her­it­age Hori­zons one? This has a dif­fer­ent approach and does not use mul­ti­pli­ers. This approach pre­vents some of the prob­lems of using mul­ti­pli­ers. Dir­ect­or of Cor­por­ate Ser­vices would like to get to some form of stand­ard­isa­tion of format but the Stra­tegic risk register has worked well over time, help­ing focus dis­cus­sion on actu­al risk and mit­ig­a­tion and not on for­mu­laic assess­ments of rel­at­ive like­li­hood and impact. He agreed the format has his­tor­ic­ally changed a lot over time and could be tidied up. b) Con­cern expressed about Her­it­age Hori­zons (HH) appear­ing on agenda and the Per­form­ance Com­mit­tee also look­ing at it. The CEO cla­ri­fied that the pro­gramme Board included him­self as the Chair and Board Deputy Con­vener, Car­o­lyn Cad­dick as mem­bers and they report quarterly to the Per­form­ance Com­mit­tee. Per­form­ance Com­mit­tee can escal­ate any issues to the CNPA Board if it wishes. He added that the Gov­ernance is well set out. CEO added that it was a Part­ner­ship Pro­ject with a lot of dif­fer­ent parts to it. The over­all con­trol by the CNPA’s Head of Her­it­age Hori­zons was also a key con­trol mech­an­ism for the Author­ity as the respons­ible body. c) The Chair advised HH does need to be in the CNPA Risk Register. d) Com­ment made that if the pro­gramme man­age­ment times­cales were not suf­fi­cient, could it be cla­ri­fied what was hap­pen­ing giv­en that there was no pre­vent­at­ive mit­ig­a­tion avail­able. CEO explained that there was a fixed time scale on the devel­op­ment phase to be fin­ished by March 2023 and to sub­mit the applic­a­tion by June 2023. The CEO explained the Mit­ig­a­tion meas­ures: pro­ject man­agers had been advised on the need to tail­or their pro­ject plans to avail­able time and test wheth­er out­comes as ori­gin­ally envis­aged could be real­ised; we had man­aged to recruit staff quick­er than thought; tenders were about to go out; we are put­ting in more resource into over­all man­age­ment the CEO explained that over­all, the pro­gramme is in as good a pos­i­tion as can be, while recog­nising that 12 months was a tight time scale for coordin­a­tion and devel­op­ment of 25 pro­jects. We have caught up a bit but there is pres­sure of times­cale and amount of work. Dir­ect­or of Cor­por­ate Ser­vices added that there was noth­ing that could be done to change the time line so no pre­vent­at­ive mit­ig­a­tion meas­ures could be put in place, while the CEO had just out­lined all the remedi­al mit­ig­a­tion actions now in place. Con­tin­gency plan­ning also through a close rela­tion­ship between Dav­id Clyne, Her­it­age Head of Hori­zons and Pro­gramme Man­ager and Nation­al Lot­tery Her­it­age Fund (NLHF) as key fun­der. Over­all, if we have to cur­tail expect­a­tion of our inform­a­tion base sup­port­ing the Deliv­ery Phase applic­a­tion towards the dead­line date that will be known well in advance and can be dis­cussed with NLHF. e) Dir­ect­or of Cor­por­ate Ser­vices advised that the reas­on HH has been brought to this com­mit­tee is that if the Com­mit­tee has any con­cerns which need to be escal­ated, this can go back to the full Board and / or the Authority’s stra­tegic risk register can be amended. f) John Boyd, Grant Thornton, advised that hav­ing reg­u­lar look at risks of HH will become busi­ness as usu­al. Regard­ing the risk register format, the key con­sid­er­a­tion is what works for the organ­isa­tion and high­lights the stra­tegic risks. John Boyd high­lighted the poten­tial to use the risk register to con­sider oppor­tun­ity as well as risks: for example recruit­ment and the poten­tial for remote work­ing to attract people from fur­ther afield. g) Eliza­beth Young, Azets, advised to use the mod­el that works for you. Eliza­beth noted the pos­sib­il­ity of middle ground: 20 risks was a lot with the aspir­a­tions to bring down to 15, and maybe cat­egor­ising risks would allow some con­sol­id­a­tion and sim­pli­fic­a­tion while planned con­sid­er­a­tion of risk appet­ite may help remove some where the appet­ite is high­er. h) Dis­cus­sion about not being able to recruit prop­erly qual­i­fied staff. A lot of our staff have moved to HH, so we need to fill the gaps – there­fore a ques­tion of wheth­er this should this be on the Stra­tegic Risks register? Com­ment made that this was a huge risk going for­ward with our oth­er work. CEO cla­ri­fied that only 3 of 10 intern­al staff have made the move into HH roles. The main con­sid­er­a­tion and risk for us is that we used to get 40 or 50 applic­a­tions per post now in some cases that is only 3 or 4 applic­a­tions. Hous­ing avail­ab­il­ity to let people to move here is a major issue. For example, Com­munity Devel­op­ment Man­age­ment Post needed re-advert­ising as the per­son appoin­ted did not wish to move. This is a much more gen­er­al issue and not dir­ectly linked to HH. We need to mit­ig­ate these risks. i) Dir­ect­or of Cor­por­ate Ser­vices explained that HH allows the oppor­tun­ity for intern­al moves so we are also still retain­ing trained staff while giv­ing oppor­tun­ity for per­son­al devel­op­ment which was a com­mon issue in staff sur­vey feed­back. He recog­nised that pro­jects do mean vacan­cies to fill in a reduced employ­ment mar­ket. j) With ref­er­ence to the Stra­tegic risks register namely the two red risks: Wild­life Crime and Peat­land Pro­gram, could it be explained what the organ­isa­tion could do to mit­ig­ate the risks? k) On the risk asso­ci­ated with Peat­land, Dir­ect­or of Cor­por­ate Ser­vices explained some of the remedi­al mit­ig­a­tions actions:

i. Phasing of works – less technical jobs done first and new contractors can learn the craft
ii. Training:
iii. Financial profiling: working with Scottish Government to reprofile the use of capital so it can be used when there is a healthier contractor supply coming through.

l) Cla­ri­fic­a­tion sought around Peat­land Res­tor­a­tion and who was ulti­mately respons­ible if any­thing goes wrong? CEO explained that it was a con­trac­tu­al rela­tion­ship, the estate that does the work is respons­ible as a rule for a peri­od of time. There are mit­ig­a­tion meas­ures in place and there is ongo­ing mon­it­or­ing. m) On the risk asso­ci­ated with Wild­life crime, resound­ing feel­ing that this was get­ting worse and a repu­ta­tion­al risk. How could we work with the estates to encour­age bet­ter atti­tude to wild­life? CEO there is a lot of work that is going on. Satel­lite mon­it­or­ing as well as licen­cing and legis­la­tion. Crimes are com­mit­ted, there is police involve­ment and licence restric­tions by NatureScot. CEO meets with Police Scot­land wild­life crime officers on a quarterly basis to dis­cuss ongo­ing actions. n) The Com­mit­tee noted that now NatureScot has now done a restric­tion and that might make a difference.

1. The Audit & Risk Committee:

a) Reviewed the Authority’s stra­tegic risk register, agree­ing any required amend­ments or mit­ig­a­tion actions; b) Agreed any stra­tegic risk man­age­ment implic­a­tions and their poten­tial mit­ig­a­tion arising from the her­it­age Hori­zons pro­gramme devel­op­ment phase; c) Agreed that the COVID19 Busi­ness Con­tinu­ity Risk Register may be reduced to oper­a­tion­al man­age­ment and mon­it­or­ing status.

1. Action Points arising:

i. None.

Gov­ernance: Con­sid­er­a­tion of Board Elec­tion Pro­cesses (Paper 7)

1. Motion to take this item in Con­fid­en­tial Ses­sion: con­sid­er­a­tion of devel­op­ment of gov­ernance pro­cesses which will be put into the pub­lic domain when finalised.

AOCB

1. There were no items raised.

Date of Next Meeting

1. The next sched­uled Audit and Risk Com­mit­tee meet­ing will take place on Fri­day 13^th May 2022.

2. The pub­lic meet­ing fin­ished at 2.40 pm.

Draft ver­sion 0.3 Dir­ect­or of Cor­por­ate Ser­vices & Deputy Chief Exec­ut­ive review