Please be aware the content below has been generated by an AI model from a source PDF.

220527AuCtteePaper1Annex1ICT_Strategy_FINAL

Cairngorms Nation­al Park Authority

Internal Audit Report 2021/22

ICT Strategy Review

March 2022


Cairngorms Nation­al Park Authority

Internal Audit Report 2021/22

Cyber Secur­ity Review

Executive Summary

Management Action Plan

Appendix A – Definitions

Audit Spon­sor

Dav­id Camer­on — Dir­ect­or of Cor­por­ate Services

Key Con­tacts

Sandy Allan — Information Systems Manager
Daniel Ralph — Finance Manager

Audit team

Paul Kelly — IT Audit Director
Ashley Bickerstaff — IT Audit Manager
Dominic O’Neill — IT Auditor
Natasha Williams — IT Auditor


Exec­ut­ive Summary

Con­clu­sion

Our review has iden­ti­fied sev­er­al areas for improve­ment in rela­tion to ICT strategy with­in the organ­isa­tion. When updat­ing the IT & Data Strategy in future, man­age­ment should define object­ives and/​or out­comes to be achieved from its imple­ment­a­tion. This should be used as the basis of devel­op­ing annu­al IT oper­a­tion­al plans.

As part of future devel­op­ment of the IT & Data Strategy, man­age­ment should devel­op a fin­an­cial strategy which sets out, at a high-level, the expec­ted cap­it­al and rev­en­ue invest­ment needed to sup­port its implementation.

Back­ground and scope

The Cairngorms Nation­al Park Author­ity (CNPA) is reli­ant on its tech­no­lo­gic­al infra­struc­ture to sup­port the deliv­ery of its key busi­ness object­ives. It is cru­cial that the infra­struc­ture, sys­tems and devices are main­tained at a level cap­able of sup­port­ing the Authority’s busi­ness plans and strategy. For that reas­on, it is essen­tial that an ICT strategy is in place which adequately defines tech­no­lo­gic­al direction.

It is essen­tial that organ­isa­tions have clar­ity over medi­um and longer term planned ICT invest­ments that provide a robust infra­struc­ture and sys­tems which meet the needs of the business.

Our review has sought to con­firm the effect­ive­ness of pro­cesses and gov­ernance in place for the imple­ment­a­tion of the Authority’s ICT strategy.


Con­trol assessment

  1. There is align­ment between the ICT Strategy and Author­ity cor­por­ate strategy.

  2. There has been adequate plan­ning activ­ity to trans­late the ICT Strategy into oper­a­tion­al plans.

  3. The ICT Strategy is sup­por­ted by a fin­an­cial strategy.

  4. There is adequate gov­ernance in place to over­see devel­op­ment, approv­al and deliv­ery of the ICT Strategy.

Control Design | Control Operation
4 — Yellow | 1 — Amber
3 — Yellow | 2 — Amber

Improve­ment actions by type and priority

Four improve­ment actions have been iden­ti­fied from this review, all of which relate to the design of con­trols them­selves. See Appendix A for defin­i­tions of col­our coding.

[Chart: improvement actions by grade (Grade 4, Grade 3, Grade 2, Grade 1)]

Key find­ings

Areas for improvement

We have iden­ti­fied areas for improve­ment which, if addressed, would strengthen CNPA’s con­trol frame­work. These include:

  • The IT and Data Strategy does not con­tain clearly defined object­ives and/​or out­comes. In addi­tion, the action plan included with­in the doc­u­ment does not clearly set out the time­frame for the deliv­ery of the actions and suc­cess meas­ures are not documented.
  • There are no IT oper­a­tion­al plans in place which set out how the IT & Data Strategy will be delivered.
  • The IT & Data Strategy does not con­tain a high-level fin­an­cial strategy which sets out the expec­ted cap­it­al and rev­en­ue require­ments over its duration.

These are fur­ther dis­cussed in the Man­age­ment Action Plan below.

Acknow­ledge­ments

We would like to thank all staff con­sul­ted dur­ing this review for their assist­ance and co-operation.


Man­age­ment Action Plan

Con­trol Object­ive 1: There is align­ment between the ICT Strategy and Author­ity cor­por­ate strategy.

1.1 ICT Strategy

Amber

Cairngorms National Park Authority (CNPA) established an IT and Data Strategy in June 2021, with a focus on a two-year timeframe of deliverables. This was designed to be aligned with the “New Normal” project that was introduced in May 2021 which aims to implement a blended model of working (part-home and part-office working). The CNPA IT and Data Strategy documents the link with this project and the deliverables create the environment for the success of the project.

Our review iden­ti­fied that the IT and Data Strategy does not con­tain clearly defined object­ives or out­comes, oth­er than migra­tion to cloud-hos­ted solu­tions. In addi­tion, whilst an action plan is set out in an appendix to the strategy, this does not detail deliv­ery dates or action owners.

Risk

Without clear time­frames for deliv­ery there is a risk that the object­ives will not be delivered in align­ment with the needs of the busi­ness. This may impact on the deliv­ery of cor­por­ate objectives.

Recom­mend­a­tion

We recom­mend that the action plan with­in the IT and Data Strategy is updated to include action own­ers and deliv­ery dates. There should be reg­u­lar report­ing to the SMT on the pro­gress of the com­ple­tion of actions.

We recom­mend that when the new CNPA Cor­por­ate Plan is estab­lished a new IT and Data Strategy should be developed aligned with the cor­por­ate plan.

The Strategy should also be reviewed, with its approval by the appropriate oversight group fully documented and included within the document’s version control.

Management Action | Grade 3 (Design)
Recommendation agreed. We will develop a 2022/23 project plan to update the strategy. We will separately put in place a new IT and Data Strategy to align with the new Corporate Plan.
Action owner: | Due date:
Project plan = Information Systems Manager | 30 June 2022
New IT Data Strategy = Director of Corporate Services | 30 September 2023

Con­trol Object­ive 2: There has been adequate plan­ning activ­ity to trans­late the ICT Strategy into oper­a­tion­al plans.

2.1 IT Oper­at­ing Plans

Amber

Our review identified that there have not been any operational plans documented which set out delivery tasks in support of the IT and Data Strategy.

Risk

Without formal operational plans, management will not be able to gain assurance that all relevant tasks and activities associated with the delivery of the IT and Data Strategy are appropriately planned. This could result in the organisation not having sufficient financial and human resources available to deliver strategic imperatives.

Recom­mend­a­tion

We recommend that annual operational plans are developed which set out a workplan for each financial year. This should include core operational tasks associated with maintaining a functioning IT environment as well as improvement and change activities relating to delivering the IT and Data Strategy. Planning in this manner will ensure that there are appropriate financial and human resources available to meet agreed IT and data priorities.

We also recom­mend that there is reg­u­lar mon­it­or­ing of deliv­ery of the IT oper­a­tion­al plan to allow man­age­ment to gain assur­ance that it is being delivered in line with expect­a­tions. This mon­it­or­ing will also allow man­age­ment to identi­fy and imple­ment actions where plans are not track­ing as expected.

Management Action | Grade 3 (Design)
Recommendation agreed. We recognise that in moving away from what has been a “steady state” operation mode for several years that the scale of change in the organisation and in the IT operations needed to support it require formal operational plans to establish required tasks and timelines and allow enhanced management control around delivery.
Action owner: | Due date:
Information Systems Manager with Head of Finance | 30 June 2022

Con­trol Object­ive 3: The ICT Strategy is sup­por­ted by a fin­an­cial strategy.

3.1 IT Fin­an­cial Planning

Yel­low

The IT and Data Strategy is not sup­por­ted by a fin­an­cial strategy.

We did note that the CNPA budget for 2021/22 (March 2021) set out budget requirements to deliver a programme of transformation work which developed into the New Normal project. We also noted that the CNPA spending review in September 2021 set out the budget changes required to deliver the New Normal project, with this including some elements of the IT and Data Strategy. These include Cyber Security software, website and records management augmentation and cloud-based ICT licensing.

Risk

There is a risk that, without an under­pin­ning and agreed fin­an­cial strategy, the IT and Data Strategy may not be fin­an­cially sus­tain­able. This could res­ult in expec­ted enabling tech­no­lo­gies and improve­ments in IT that are neces­sary to sup­port flex­ible work­ing not being fun­ded due to a lack of fin­an­cial planning.

Recom­mend­a­tion

We recom­mend that the next devel­op­ment of the IT and Data Strategy includes a fin­an­cial strategy. This should set out, at a high-level, indic­at­ive cap­it­al and rev­en­ue costs asso­ci­ated with achiev­ing expec­ted out­comes from the strategy. This should be alloc­ated for each fin­an­cial year. This will allow man­age­ment to make an informed assess­ment of the fin­an­cial viab­il­ity of the strategy and to ensure that fin­an­cial require­ments of the strategy are fed into annu­al budgeting/​spending reviews.

Management Action | Grade 2 (Design)
Recommendation accepted. We will more clearly link the provisions of the IT and Data Strategy to the provisions of the budget / forward financial forecasts and define the financial implications of decisions inherent in the strategy.
Action owner: | Due date:
Director of Corporate Services | 30 September 2023

Con­trol Object­ive 4: There is adequate gov­ernance in place to over­see approv­al and deliv­ery of the ICT Strategy.

4.1 Gov­ernance arrangements

Yel­low

The IT and Data Strategy was presen­ted to Seni­or Man­age­ment Team (SMT) in June 2021. The dis­cus­sion of the strategy, includ­ing feed­back, is doc­u­mented in the minutes of the meet­ing; how­ever, the approv­al is not expli­citly noted.

We did note that the Cor­por­ate Ser­vices Man­age­ment Group (CSMG) issues log records SMT approv­al of the strategy in June 2021. We also noted that the Strategy does not con­tain any doc­u­ment con­trol to detail ver­sions and approvals.

We also noted that there are no form­al arrange­ments for over­sight of deliv­ery of the IT & Data Strategy. We did identi­fy that the Organ­isa­tion­al Devel­op­ment Pro­gramme Board provides some ele­ments of this.

Risk

There is a risk that the organ­isa­tion does not have appro­pri­ate arrange­ments in place to doc­u­ment the approv­al and over­see deliv­ery of the IT & Data Strategy. This could res­ult in the organ­isa­tion not tak­ing appro­pri­ate action to achieve expec­ted outcomes.

Recom­mend­a­tion

We recom­mend that man­age­ment expli­citly doc­u­ment approvals of strategies with­in minutes of meetings.

We recom­mend that man­age­ment estab­lishes form­al gov­ernance arrange­ments for the approv­al of updates to the strategy as well as over­sight of deliv­ery. Gov­ernance over the IT & Data Strategy should be the respons­ib­il­ity of an exist­ing intern­al gov­ernance group.

Management Action | Grade 2 (Design)
We will continue to recognise the Senior Management Team as the governance body with responsibility for oversight of delivery of the IT and Data Strategy and for future revisions to it.
Action owner: | Due date:
Director of Corporate Services | 31 March 2023

Appendix A – Definitions

Con­trol assessments

Rating | Definition
R | Fundamental absence or failure of key controls.
A | Control objective not achieved — controls are inadequate or ineffective.
Y | Control objective achieved — no major weaknesses but scope for improvement.
G | Control objective achieved — controls are adequate, effective and efficient.

Man­age­ment action grades

Grade | Definition
4 | Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
3 | High risk exposure — absence / failure of key controls that create significant risks within the organisation.
2 | Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
1 | Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.

© Azets 2022. All rights reserved. Azets refers to Azets Audit Ser­vices Lim­ited. Registered in Eng­land & Wales. Registered No. 09652677. VAT Regis­tra­tion No. 219 0608 22.

Registered to carry on audit work in the UK and reg­u­lated for a range of invest­ment busi­ness activ­it­ies by the Insti­tute of Chartered Account­ants in Eng­land and Wales.
