Skip to content
Please be aware the content below has been generated by an AI model from a source PDF.

220527AuCtteePaper3AAFollow Up Report May 2022 FINAL

Cairngorms Nation­al Park Authority

Intern­al Audit Report

Man­age­ment Action Fol­low-up – 202122

May 2022

A AZETS CAIRNGORMS NATION­AL PARK AUTHOR­ITY Audit & Risk Com­mit­tee Paper 3 27/05/22


Intro­duc­tion and background

Intro­duc­tion

As part of the intern­al audit pro­gramme we have under­taken a fol­low up review to provide the Audit & Risk Com­mit­tee with assur­ance that man­age­ment actions agreed in pre­vi­ous intern­al audit reports have been imple­men­ted appro­pri­ately. This report sum­mar­ises the pro­gress made by man­age­ment in imple­ment­ing agreed man­age­ment actions.

Scope

We have reviewed all open man­age­ment actions and liaised with Cairngorm Nation­al Park Author­ity staff to obtain an update on their imple­ment­a­tion pro­gress. For recom­mend­a­tions graded pri­or­ity 3 or above, we request evid­ence to val­id­ate com­ple­tion of any actions marked for clos­ure by management.

For all actions raised by the pri­or Intern­al Aud­it­or (BDO) we have aligned their risk assess­ments to the Azets risk grad­ing struc­ture (per Appendix 3).

Action for Audit & Risk Committee

The Com­mit­tee is asked to note the pro­gress made by man­age­ment in imple­ment­ing agreed man­age­ment actions. The Com­mit­tee is also asked to con­sider and approve those actions for which revised times­cales have been provided by man­age­ment (these are detailed at Appendix 2).


Sum­mary of progress

The table below shows the move­ment in the audit actions in the peri­od from Novem­ber 2021 to May 2022:

Num­ber of Actions
43
9
52
3
8
2
39

Open actions brought forward Actions added to tracker Total actions to follow-up Super­seded or No Longer Applicable Actions closed Actions com­plete pending evidence Open actions car­ried forward

Status of Actions as at May 2022

(Chart show­ing: Com­plete (23), Com­plete pending evid­ence (2), No Longer Applic­able (3), Par­tially Com­plete (7), Incom­plete (9), Not Yet Due (8))

We have con­firmed that eight actions (15%) were com­peted in the peri­od to May 2022, with a fur­ther two com­plete pending the pro­vi­sion of evid­ence (4%). Three actions (6%) are no longer applic­able, 23 actions (44%) have been assessed as par­tially com­plete, sev­en (14%) are incom­plete and nine actions (17%) were not yet due at the time of our val­id­a­tion work.

Fur­ther detail on all actions that have passed their cur­rent due dates for com­ple­tion is included at Appendix 2.

Par­tic­u­lar atten­tion should be paid to those that have passed their ori­gin­al due date and those which will pass their due date for com­ple­tion over the next quarter, not­ably the high­er graded aged items.

A sum­mary of the status of actions by report is shown at Appendix 1.


(Chart show­ing Status by Grading)

Appendix 2 sets out the cur­rent status of actions which have passed their cur­rent due dates.

Open Intern­al audit actions

Of the 39 out­stand­ing actions 34 (87%) have passed their ori­gin­al com­ple­tion date, with the remain­ing five not yet due.

37 of these actions have been assessed as a grade 1 or 2 (lim­ited or mod­er­ate risk expos­ure), which we con­sider a high num­ber of out­stand­ing actions. As a res­ult, man­age­ment should take a view on wheth­er the organ­isa­tion has the appro­pri­ate resource in place to move these actions for­ward, or are will­ing to accept the risk in place, in par­tic­u­lar for those assessed as grade 1.


Appendix 1: Action status by report

Report TitleCom­pleteCom­plete Pending Evid­enceNLAPar­tially com­pleteIncom­pleteNot Yet DueTotal
Risk Man­age­ment
Fin­an­cial Processes
Grant Fund­ing & Management12
IT Gen­er­al Controls222
201617 sub total12216
Pro­ject Management11
Com­mu­nic­a­tions & Social Media Strategy1
201718 sub total2
Part­ner­ship Management22
Busi­ness Con­tinu­ity Planning22
Resource Plan­ning11
201819 sub total55
Payroll Admin­is­tra­tion13
Risk Man­age­ment1122
Expense Claims Process1137
Staff Object­ive Set­ting & Appraisal22
FOISA and EIR Requests1315
Pro­ject Finance210332
201920 sub total41103321
COV­ID Recovery112
Cor­por­ate Governance112
Data Man­age­ment1215
202021 sub total122319
LEAD­ER Programme24
Fin­an­cial Man­age­ment and Reporting33
Assur­ance22
Map­ping of Major Projects2
202122 sub total2259
Grand totals823237952

Appendix 2: Sum­mary of out­stand­ing actions past their cur­rent due date

Report / ActionRecom­mend­a­tionAction Own­erGradeOri­gin­al times­caleRevised times­caleUpdate May 22 Fol­low UpStatus
201617 Risk ManagementWe recom­mend that, on devel­op­ment of a risk man­age­ment policy, staff with risk man­age­ment respons­ib­il­it­ies are required to sign a check­list to con­firm wheth­er they are aware of the organisation’s risk man­age­ment approach or require fur­ther train­ing in this area.Gov­ernance and Inform­a­tion OfficerMedi­um (2)Mar-17Dec-22Train­ing require­ments con­tin­ue to be covered through stand­ard per­form­ance devel­op­ment con­ver­sa­tions. The spe­cif­ic ele­ment of cor­res­pond­ing dir­ectly with staff on risk man­age­ment respons­ib­il­ity; their under­stand­ing of it; and their spe­cif­ic train­ing require­ments is yet to be progressed.Par­tially Complete
201617 Fin­an­cial ProcessesWe recom­mend that the Fin­ance Man­age­ment sched­ule is updated to provide detailed policies and guid­ance on all fin­an­cial pro­cesses. These should be reviewed on an annu­al basis. We also recom­mend that clear roles and respons­ib­il­it­ies demon­strat­ing segreg­a­tion of duties are doc­u­mented with­in the guid­ance notes for all fin­an­cial processes.Fin­ance ManagerLow (1)Jun-17Dec-22Fin­an­cial reg­u­la­tions need to be com­pre­hens­ively reviewed in con­tact of new man­age­ment struc­tures and fin­ance team operations.Incom­plete
201617 Grant Fund­ing & ManagementWe recom­mend that the Grant Toolkit is com­pleted, encom­passing all pro­cesses in place for the award­ing, record­ing, and mon­it­or­ing of grant fund­ing. The toolkit should also clearly define the fol­low­ing: — Actions to be taken when grant con­di­tions are not being met or terms and con­di­tions are breached; — The pro­cess for con­sid­er­a­tion of the risk and value of grant fund­ing applic­a­tions to determ­ine the pro­por­tion of resource required to eval­u­ate these; and — Review and scru­tiny arrange­ments for pro­gress reports provided by grantees.Dir­ect­or of Cor­por­ate ServicesMedi­um (2)Sep-17Dec-22No fur­ther work able to be pri­or­it­ised to the devel­op­ment of the grant toolkit in light of oth­er pres­sures. Tem­plates sup­plied by Harp­er Macleod ini­tially for peat­land pro­gramme are being deployed across oth­er areas of the organ­isa­tion. More detailed work on toolkit remains to be resourced.Par­tially Complete
201718 Pro­ject ManagementWe recom­mend that roles and respons­ib­il­it­ies are fully doc­u­mented for all key people and groups with respons­ib­il­it­ies for each project.Dir­ect­or of Cor­por­ate ServicesLow (1)Jul-18Dec-22Remains under­way through the Pro­ject Man­age­ment Office, which has been approved by Seni­or Man­age­ment Team and now in pro­gress of imple­ment­a­tion with appoint­ment of staff resources and iden­ti­fic­a­tion of pro­ject man­age­ment soft­ware. Spe­cif­ic design ele­ments of our approach to pro­ject man­age­ment will fol­low over the second half of 202122.Par­tially Complete
201718 Com­mu­nic­a­tions & Social Media StrategyWe recom­mend that feed­back on the effect­ive­ness of key digit­al com­mu­nic­a­tions is sought and respon­ded to from stake­hold­ers. We recom­mend that the Com­mu­nic­a­tions and Engage­ment team con­siders con­duct­ing a stake­hold­er sur­vey cam­paign to gain feed­back on the digit­al plat­forms and accounts which are cur­rently in use by CNPA. We also recom­mend that man­age­ment con­sider con­duct­ing this pro­cess pri­or to the com­ple­tion of the com­mu­nic­a­tions and social media strategy.Digit­al Con­tent ManagerLow (1)Apr-18Mar-23As part of a detailed web­site redevel­op­ment tender exer­cise, we will be con­duct­ing a series of focus groups with key audi­ences across the Nation­al Park (res­id­ents, busi­nesses, land man­agers, vis­it­ors etc) to bet­ter under­stand what they need from our digit­al chan­nels, and how well our chan­nels meet these needs at present. We also intend to host a sur­vey on our web­site to gath­er fur­ther feed­back on the usab­il­ity and func­tion­al­ity of the web­site, and both exer­cises will feed into the devel­op­ment of a new CNP web­site in late 2022/​early 2023. We con­duc­ted a full access­ib­il­ity audit of the CNP web­site in late 2021 via access­ib­il­ity experts DAC, which included spe­cif­ic user test­ing from vis­it­ors with a vari­ety of access requirements.Par­tially Complete
201819 Part­ner­ship ManagementWe recom­mend that the Author­ity issue a ques­tion­naire or feed­back request on an annu­al basis to all key part­ners to seek feed­back and thoughts on how the part­ner­ship, com­mu­nic­a­tion meth­ods and ways of work­ing could be fur­ther improved. We fur­ther recom­mend that feed­back provided is col­lated and actions recorded.Chief Exec­ut­ive with Head of Plan­ning and Rur­al DevelopmentLow (1)Jun-19Mar-23Over 50 organ­isa­tions and part­ners sub­mit­ted responses to our Nation­al Park Part­ner­ship Plan con­sulta­tion, helped by a series of over 40 in-per­son and online events tar­get­ing key audi­ences (includ­ing mem­bers of organ­isa­tions like NFUS and SGA). We cre­ated a ded­ic­ated Part­ner­ship Plan advis­ory group — made up of a dozen or so organ­isa­tions across the spec­trum of our work — to provide dir­ect feed­back into the devel­op­ment, con­sulta­tion and deliv­ery of the plan and will con­tin­ue to engage this group as we go for­ward. A sim­il­ar mech­an­ism has been cre­ated for our 7‑year Her­it­age Hori­zons: Cairngorms 2030 pro­ject, which looks to tackle the cli­mate emer­gency and biod­iversity crisis by empower­ing the people and organ­isa­tions who live and work in the Park.Par­tially Complete
201819 Part­ner­ship ManagementWe under­stand that there are already plans to improve the engage­ment pro­cess fur­ther by imple­ment­ing a Cus­tom­er Rela­tion­ship Man­age­ment Sys­tem (CRM). We recom­mend that the Author­ity con­tin­ues with plans for imple­ment­ing a CRM.Dir­ect­or of Cor­por­ate ServicesLow (1)Jun-19Dec-22The full imple­ment­a­tion of the CRM remains on hold pending the relax­a­tion of the COV­ID Busi­ness Con­tinu­ity Plan and abil­ity for staff laptops and desktops to be upgraded with rel­ev­ant soft­ware. There is a depend­ency for final­isa­tion of this work on fuller office access for staff.Par­tially Complete
201819 Resource PlanningWe recom­mend that a form­al frame­work is put in place for identi­fy­ing crit­ic­al roles and devel­op­ing suc­ces­sion plans for crit­ic­al roles identified.Dir­ect­or of Cor­por­ate Ser­vices and Head of Organ­isa­tion­al DevelopmentLow (1)May-19Sep-22Chief Exec­ut­ive / Deputy Chief Exec­ut­ive / Head of Organ­isa­tion­al Devel­op­ment have fur­ther con­sidered this mat­ter and con­cluded it is impossible to single out crit­ic­al” roles and the focus for all ser­vice lead­ers needs to be around con­tinu­ity of pro­cesses and ser­vices in the con­text of poten­tial staff turnover / absence rather than on key staff. We are work­ing on a mod­el for this approach in the con­text of the exist­ing, agreed Work­force Man­age­ment Strategy.Par­tially Complete
201819 Busi­ness Con­tinu­ity PlanningWe recom­mend that CNPA devel­ops a test­ing plan/​schedule for BCP which should be reviewed reg­u­larly to ensure a stra­tegic approach to test­ing is developed and implemented.Dir­ect­or of Cor­por­ate Ser­vices to coordin­ate teamMedi­um (2)Nov-19Mar-23In pro­gress of imple­ment­a­tion and will be picked up through work being taken for­ward on more recent Azets review of BCP implementation.Par­tially Complete
201819 Busi­ness Con­tinu­ity PlanningWe recom­mend that the Author­ity imple­ments busi­ness con­tinu­ity train­ing for all staff. Reg­u­lar refresh­er train­ing should be provided going for­ward, and the Author­ity should ensure it records all train­ing for each staff memberDir­ect­or of Cor­por­ate Ser­vices to coordin­ate teamMedi­um (2)Nov-19Mar-23A full review of our BCP imple­ment­a­tion and BCP Plan­ning, includ­ing staff train­ing, will be under­taken after fuller exit from cur­rent BCP arrange­ments. We are now sug­gest­ing, giv­en ongo­ing COV­ID and new oper­a­tion­al arrangementsPar­tially Complete
201920 Staff Object­ive Set­ting & AppraisalWe recom­mend that line man­agers are reminded of the import­ance of prop­erly record­ing their review and approv­al of job plans. Ran­dom spot checks should be car­ried out by HR to check that job plans are in place and have been appro­pri­ately reviewed and signed off by man­age­ment, includ­ing the date of sign off.Head of Organ­isa­tion­al DevelopmentLow (1)Imme­di­ate and ongoingDec-22As part of our evolving Organ­isa­tion­al Devel­op­ment Strategy, we will be look­ing to com­pletely review our Per­form­ance Man­age­ment approach. Anec­dot­al feed­back over the last year is that the new pro­ced­ure is work­ing for some, but not all. We aim to con­sult with staff more broadly about the approach, seek form­al feed­back and imple­ment change in response to that feed­back. we expect this will be com­pleted by Novem­ber 2022Par­tially Complete
201920 Staff Object­ive Set­ting & AppraisalIt is our recom­mend­a­tion that the Seni­or Man­age­ment Team out­line what their expect­a­tions are in respect of the out­comes of the per­form­ance man­age­ment pro­cess and pro­duce an annu­al report on the out­comes of the object­ive set­ting and apprais­al pro­cess for present­a­tion to the Recruit­ment Com­mit­tee. This report should cov­er the degree of com­pli­ance with the pro­cess and details of any con­cerns iden­ti­fied in order to assess the ongo­ing effect­ive­ness of the per­form­ance man­age­ment process.Head of Organ­isa­tion­al DevelopmentLow (1)Decem­ber will be the report scheduleNov-22A We have dis­cussed the approach to Per­form­ance Devel­op­ment Con­ver­sa­tions at SMT. As part of our evolving Organ­isa­tion­al Devel­op­ment Strategy, we will be look­ing to com­pletely review our Per­form­ance Man­age­ment approach. Anec­dot­al feed­back over the last year is that the new pro­ced­ure is work­ing for some, but not all. We aim to con­sult with seni­or man­age­ment to get their views of expect­a­tions of object­ive and tar­get set­ting, and then to con­sult with staff more broadly about the exist­ing approach, seek form­al feed­back and imple­ment change in response to both that feed­back and SMT expectations.Par­tially Complete
201920 Expenses Claim ProcessesWe recom­mend that the Travel & Sub­sist­ence Policy is fur­ther developed to include the ele­ments noted with­in our finding.Dir­ect­or of Cor­por­ate ServicesMedi­um (2)Jan-20Jun-22Approved through Staff­ing and Recruit­ment Com­mit­tee and Staff Con­sultat­ive For­um. Not imple­men­ted yet as a con­sequence of home­work­ing / travel restrictionsPar­tially Complete
201920 Expenses Claim ProcessesTo address the issues noted and to gain assur­ance on the con­sist­ent applic­a­tion of the policy, we recom­mend that CNPA reviews and revises the policy to more clearly define the approv­al pro­ced­ures that are required pri­or to incur­ring costs and the evid­ence of author­isa­tion required for seek­ing re-imbursement.Dir­ect­or of Cor­por­ate ServicesMedi­um (2)Jan-20Jun-22Policy has been revised and reviewed by both Staff­ing and Recruit­ment Com­mit­tee and Staff Con­sultat­ive For­um. Imple­ment­a­tion of revised policy due from 1 April 2020, though delayed dur­ing COV­ID BCP peri­od. Will be launched as part of new nor­mal” organ­isa­tion­al devel­op­ment programme.Par­tially Complete
201920 Expenses Claim ProcessesWe recom­mend that that the Fin­ance team’s review of expense claims and cred­it card doc­u­ment­a­tion is enhanced and evid­enced, for example, via sig­na­ture. This will sup­port a two-step approv­al pro­cess, which is good practice.Fin­ance ManagerLow (1)Apr-20Jun-22No action pending exit from BCP status. No fur­ther pro­gress has been made due to staff­ing shortages.Incom­plete
201920 Expenses Claim ProcessesWe recom­mend that CNPA ensures a travel & subsistence/​expenses Policy is developed which form­ally applies to Board mem­bers. As the cur­rent Travel & Sub­sist­ence Policy applies to Board mem­bers in prac­tice, man­age­ment may con­sider amend­ing the cur­rent Policy to ensure the applic­a­tion to Board mem­bers is form­ally doc­u­mented. Author­ity to approve Board mem­ber expenses should also be clearly documented.Dir­ect­or of Cor­por­ate ServicesLow (1)Jan-20Jun-22Revised policy was expli­citly applic­able to Board mem­bers. Sign off pro­ced­ures to be developed and imple­men­ted on return to office-based operations.Par­tially Complete
1920 Payroll AdministrationWe recom­mend that in addi­tion to the payroll report and BACS reports run each month, CNPA pro­duce a post pay­ment report which should be reviewed and signed by the Dir­ect­or of Cor­por­ate Services.Dir­ect­or of Cor­por­ate Services/​Payroll & Fin­ance OfficerLow (1)Nov-19Sep-22Report­ing from new payroll sys­tem remains in design. As yet, we have not developed a post payroll report to be reviewed / recon­ciled. A new Payroll Officer is tak­ing up post in May 2022 and this can be com­pleted between that officer and the Man­age­ment Account­ant or Fin­ance Manager.Par­tially Complete
1920 Payroll AdministrationWe recom­mend that CNPA con­duct a reg­u­lar peer review of the desk instruc­tions to ensure that they remain accur­ate and up to date. Evid­ence of the review should be seen on the instruc­tions with ver­sion con­trol and the date reviewed noted.Dir­ect­or of Cor­por­ate Services/​Head of Organ­isa­tion­al DevelopmentLow (1)Apr-20Dec-22With staff­ing changes in the fin­ance team, we have gone through a peri­od of train­ing new staff on payroll pro­cesses. A new lead payroll officer has bene recruited. Fol­low­ing induc­tion and ini­tial train­ing, we will seek to have the lead payroll officer take for­ward this recommendation.Incom­plete
1920 Payroll AdministrationIt is our recom­mend­a­tion that the Author­ity invest­ig­ate the poten­tial for mak­ing use of auto­mat­ic excep­tion report­ing. This may be with­in the cap­ab­il­it­ies of the cur­rent payroll sys­tem; a report would be gen­er­ated of all the dif­fer­ences from the pre­vi­ous months payroll which could be reviewed and authorised.Payroll and Fin­ance OfficerLow (1)Mar-20Dec-22Excep­tion report­ing from the new payroll sys­tem is being invest­ig­ated and will be take for­ward along­side the draft­ing of payroll pro­cesses and procedures.Par­tially Complete
201920 FOISA and EIR RequestsWe recom­mend CNPA update their pro­ced­ures which include ask­ing the requestor wheth­er the request can be nar­rowed to allow the dead­line to be met.Office Ser­vices ManagerLow (1)Jul-20Sep-22Pro­cess has been adop­ted and is part of work­ing prac­tice and included in part of review­ing the request on receipt. The FOISA policy has not yet been updated to reflect this.Par­tially Complete
201920 FOISA and EIR RequestsWe recom­mend the FOI policy and guid­ance are updated on a reg­u­lar basis and doc­u­ment the policy own­er and when it is next due to be reviewed. We recom­mend the Policy and Guid­ance are updated, refer to job titles and explain acronyms.Office Ser­vices ManagerLow (1)Jul-20Dec-22Not yet updated, delay due to Cov­id and office return pres­sures. Policy review to be a pri­or­ity for incom­ing Gov­ernance and Report­ing Man­ager — cur­rently under recruitment.Incom­plete
201920 FOISA and EIR RequestsWe recom­mend CNPA cre­ates guidelines for staff when search­ing for inform­a­tion for FOISA & EIR requests, such as how to under­take keyword searches in recordsOffice Ser­vices ManagerLow (1)Jul-20Dec-22These cur­rently form part of work­ing prac­tices as a num­ber of com­plex requests have been received dur­ing 2021 – 22 and details of searches have been shared with requesters and kept in the event of any request for review. This will form part of the refreshed FOISA policy to be com­pleted by incom­ing Gov­ernance and Report­ing Manager.Par­tially Complete
201920 FOISA and EIR RequestsWe recom­mend CNPA review and update its Pub­lic­a­tion Scheme. We recom­mend CNPA reviews all inform­a­tion it holds with an aim to pub­lish as much as pos­sible to ensure trans­par­ency and reduce FOI requests.Office Ser­vices ManagerLow (1)Dec-20Dec-22Pub­lic­a­tion scheme due to be updated with sup­port from Nation­al Records Scot­land. Work is under­way with NRS to under­stand new require­ments for pub­lic­a­tion scheme which requires updat­ing in 2022.Par­tially Complete
202021 Cor­por­ate GovernanceMan­age­ment should ensure all Board mem­bers have received risk man­age­ment train­ing. We sup­port the pro­posed fin­ance train­ing pro­gramme by the Fin­ance and Deliv­ery Com­mit­tee and recom­mend that all board mem­bers attend this training.Dir­ect­or of Cor­por­ate Ser­vices with Clerk to the BoardMedi­um (3)Sept-21Mar-23Insuf­fi­cient resource and board time to imple­ment this train­ing over 202122. It will be incor­por­ated into board train­ing plans for 202223.Incom­plete
202021 COV­ID RecoveryMan­age­ment should: • Con­tin­ue to work through the BCP cycle. • Ensure staff have a suf­fi­cient know­ledge of the BCP pro­cess and ter­min­o­logy to adequately com­plete the stages asso­ci­ated with risk assess­ments. • Expand the BCP con­tent in rela­tion to the gov­ernance struc­ture and scope, in line with the points iden­ti­fied above.Office Ser­vices ManagerMedi­um (2)Mar-21Sep-22This action is ongo­ing as we move through our Cov­id response and return to the office. Risk assess­ment tem­plates have been developed for Cov­id arrange­ments, final BCP gov­ernance struc­tures yet to be included in revised BCP – for com­ple­tion by end of Sept 2022.Par­tially Complete
202021 COV­ID RecoveryAn out­line com­mu­nic­a­tion strategy should be developed, which includes cent­ral­ised and non-cent­ral­ised chan­nels, as well as sup­port for staff who are unable to access systems.Office Ser­vices ManagerMedi­um (2)Jul-21Dec-22We have revised this assess­ment to not imple­men­ted” as pre­vi­ous work under­taken needs reviewed in light of the evolving func­tion­al­ity of Microsoft 365 imple­ment­a­tion and asso­ci­ated facil­it­ies for remote work­ing and com­mu­nic­a­tion chan­nels. A wider review of the com­mu­nic­a­tions strategy with­in BCP arrange­ments will be com­pleted fol­low­ing fuller imple­ment­a­tion of the updated IT infrastructure.Incom­plete
202021 Data ManagementWe recom­mend that the organ­isa­tion reviews and updates all three policies to ensure that they reflect the latest data pro­tec­tion legis­la­tion and reflect cur­rent organ­isa­tion­al prac­tices. Spe­cific­ally, the Author­ity should ensure that inform­a­tion con­tained with­in each policy is con­sist­ent. The Author­ity should ensure that the own­er for each policy is updated, recor­ded, and going for­ward, it should ensure that policies are reviewed annu­ally in line with the review fre­quency documented.Office Ser­vices ManagerMedi­um (2)May-21Dec-22These policies remain to be reviewed and updated. The move­ment to Microsoft 365 and enabling of Share­Point will change the nature of these policy doc­u­ments and they will be rewrit­ten in tan­dem with the devel­op­ment of the design of the Share­Point records man­age­ment sys­tem and asso­ci­ated metadata.Incom­plete
202021 Data ManagementWe recom­mend that the Author­ity ensure that data audits are con­duc­ted annu­ally in line with the policy. These audits should sample vari­ous dir­ect­or­ates to ensure that stor­age and man­age­ment of files adhere to the Records Man­age­ment Policy. Spe­cific­ally, this audit should con­sider com­pli­ance with data reten­tion and dis­pos­al require­ments, ver­sion con­trol require­ments and access and secur­ity require­ments. The out­put of this audit should be doc­u­mented and the Head of Ser­vice for each area should be giv­en recom­men­ded actions, as neces­sary. We also recom­mend that dir­ect­or­ates each take own­er­ship of their own folders and con­duct more reg­u­lar com­pli­ance checks with­in their own teams to ensure that their files com­ply with the Records Man­age­ment Policy. The data own­er for each file should be respons­ible for these checks.Head of Organ­isa­tion­al DevelopmentMedi­um (3)May-21Dec-22We have ini­ti­ated a data audit as part of the imple­ment­a­tion of Share­Point with­in the migra­tion to MS365. The pro­cess is under­way, is likely to be impacted by short-term inter­rup­tion dur­ing 202223 as a con­sequence of staff turnover; and will be pri­or­it­ised fol­low­ing recruitment.Par­tially Complete
202122 Lead­er ProgrammeMan­age­ment should under­take a risk assess­ment over the con­trols in place for access and edit­ab­il­ity in rela­tion to elec­tron­ic LEAD­ER files. In addi­tion man­age­ment should ensure that LEAD­ER pro­gramme records remain access­ible and read­able for the iden­ti­fied reten­tion period.Gov­ernance and Report­ing ManagerMedi­um (2)Dec-21Sep-22Elec­tron­ic files access is restric­ted to Head of Cor­por­ate Ser­vices as the ser­vice lead for the SLA with Scot­tish Gov­ern­ment; and 2 LEAD­ER staff who are retained to work on future CLLD and any resid­ual LEAD­ER work as required. We are invest­ig­at­ing wheth­er set­ting all files to read only’ or a mass PDF con­ver­sion of exist­ing word files is the best next step to final­ise the process.Par­tially Complete
202122 Lead­er ProgrammeMan­age­ment should ensure that feed­back on CNPA intern­al pro­cesses is obtained and, where appro­pri­ate, fed into Scot­tish Gov­ern­ment reviews on pro­gramme pro­cesses. In addi­tion, man­age­ment should devel­op a les­sons learned action log and ensure this is mon­itored by a rel­ev­ant person(s) with­in the CNPA man­age­ment structure.LEAD­ER Pro­gramme ManagerGrade 2Mar-21Dec-23Both LEAD­ER Pro­gramme Man­ager and Dir­ect­or of Cor­por­ate Ser­vices are involved in vari­ous nation­al groups and are feed­ing back les­sons learned from cur­rent LEAD­ER oper­a­tions into the evol­u­tion of new com­munity-led loc­al devel­op­ment pro­cesses. Form­al writ­ten cap­ture” of these points has still to be final­ised, which will be under­taken in part through evol­u­tion of Her­it­age Hori­zons Com­munity Grants pro­ject devel­op­ment work and intern­al struc­tured clos­ure of the LEAD­ER Programme.Par­tially Complete

Appendix 3: Audit risk categorisations

Man­age­ment action grades

  • 4: Very high risk expos­ure — major con­cerns requir­ing imme­di­ate seni­or atten­tion that cre­ate fun­da­ment­al risks with­in the organisation.
  • 3: High risk expos­ure — absence / fail­ure of key con­trols that cre­ate sig­ni­fic­ant risks with­in the organisation.
  • 2: Mod­er­ate risk expos­ure — con­trols are not work­ing effect­ively and effi­ciently and may cre­ate mod­er­ate risks with­in the organisation.
  • 1: Lim­ited risk expos­ure — con­trols are work­ing effect­ively, but could be strengthened to pre­vent the cre­ation of minor risks or address gen­er­al house­keep­ing issues.

© Azets 2022. All rights reserved. Azets refers to Azets Audit Ser­vices Lim­ited. Registered in Eng­land & Wales Registered No. 09652677. VAT Regis­tra­tion No. 219 0608 22.

Registered to carry on audit work in the UK and reg­u­lated for a range of invest­ment busi­ness activ­it­ies by the Insti­tute of Chartered Account­ants in Eng­land and Wales.

×

We want your feedback

Thank you for visiting our new website. We'd appreciate any feedback using our quick feedback form. Your thoughts make a big difference.

Thank you!