Cairngorms National Park Authority
Internal Audit Report
Management Action Follow-up – 2021⁄22
May 2022
Azets. Cairngorms National Park Authority, Audit & Risk Committee, Paper 3, 27/05/22
Introduction and background
Introduction
As part of the internal audit programme we have undertaken a follow up review to provide the Audit & Risk Committee with assurance that management actions agreed in previous internal audit reports have been implemented appropriately. This report summarises the progress made by management in implementing agreed management actions.
Scope
We have reviewed all open management actions and liaised with Cairngorms National Park Authority staff to obtain an update on their implementation progress. For recommendations graded priority 3 or above, we request evidence to validate completion of any actions marked for closure by management.
For all actions raised by the prior Internal Auditor (BDO) we have aligned their risk assessments to the Azets risk grading structure (per Appendix 3).
Action for Audit & Risk Committee
The Committee is asked to note the progress made by management in implementing agreed management actions. The Committee is also asked to consider and approve those actions for which revised timescales have been provided by management (these are detailed at Appendix 2).
Summary of progress
The table below shows the movement in the audit actions in the period from November 2021 to May 2022:
Movement | Number of Actions |
---|---|
Open actions brought forward | 43 |
Actions added to tracker | 9 |
Total actions to follow-up | 52 |
Superseded or No Longer Applicable | 3 |
Actions closed | 8 |
Actions complete pending evidence | 2 |
Open actions carried forward | 39 |
Status of Actions as at May 2022
(Chart showing: Complete (23), Complete pending evidence (2), No Longer Applicable (3), Partially Complete (7), Incomplete (9), Not Yet Due (8))
We have confirmed that eight actions (15%) were completed in the period to May 2022, with a further two complete pending the provision of evidence (4%). Three actions (6%) are no longer applicable, 23 actions (44%) have been assessed as partially complete, seven (14%) are incomplete and nine actions (17%) were not yet due at the time of our validation work.
Further detail on all actions that have passed their current due dates for completion is included at Appendix 2.
Particular attention should be paid to those that have passed their original due date and those which will pass their due date for completion over the next quarter, notably the higher graded aged items.
A summary of the status of actions by report is shown at Appendix 1.
(Chart showing Status by Grading)
Appendix 2 sets out the current status of actions which have passed their current due dates.
Open Internal audit actions
Of the 39 outstanding actions, 34 (87%) have passed their original completion date, with the remaining five not yet due.
37 of these actions have been assessed as a grade 1 or 2 (limited or moderate risk exposure), which we consider a high number of outstanding actions. As a result, management should take a view on whether the organisation has the appropriate resource in place to move these actions forward, or is willing to accept the risk in place, in particular for those assessed as grade 1.
Appendix 1: Action status by report
Report Title | Complete | Complete Pending Evidence | NLA | Partially complete | Incomplete | Not Yet Due | Total |
---|---|---|---|---|---|---|---|
Risk Management | |||||||
Financial Processes | |||||||
Grant Funding & Management | 1 | 2 | |||||
IT General Controls | 2 | 2 | 2 | ||||
2016⁄17 sub total | 1 | 2 | 2 | 1 | 6 | ||
Project Management | 1 | 1 | |||||
Communications & Social Media Strategy | 1 | ||||||
2017⁄18 sub total | 2 | ||||||
Partnership Management | 2 | 2 | |||||
Business Continuity Planning | 2 | 2 | |||||
Resource Planning | 1 | 1 | |||||
2018⁄19 sub total | 5 | 5 | |||||
Payroll Administration | 1 | 3 | |||||
Risk Management | 1 | 1 | 2 | 2 | |||
Expense Claims Process | 1 | 1 | 3 | 7 | |||
Staff Objective Setting & Appraisal | 2 | 2 | |||||
FOISA and EIR Requests | 1 | 3 | 1 | 5 | |||
Project Finance | 2 | 10 | 3 | 3 | 2 | ||
2019⁄20 sub total | 4 | 1 | 10 | 3 | 3 | 21 | |
COVID Recovery | 1 | 1 | 2 | ||||
Corporate Governance | 1 | 1 | 2 | ||||
Data Management | 1 | 2 | 1 | 5 | |||
2020⁄21 sub total | 1 | 2 | 2 | 3 | 1 | 9 | |
LEADER Programme | 2 | 4 | |||||
Financial Management and Reporting | 3 | 3 | |||||
Assurance | 2 | 2 | |||||
Mapping of Major Projects | 2 | ||||||
2021⁄22 sub total | 2 | 2 | 5 | 9 | |||
Grand totals | 8 | 2 | 3 | 23 | 7 | 9 | 52 |
Appendix 2: Summary of outstanding actions past their current due date
Report / Action | Recommendation | Action Owner | Grade | Original timescale | Revised timescale | Update May 22 Follow Up | Status |
---|---|---|---|---|---|---|---|
2016⁄17 Risk Management | We recommend that, on development of a risk management policy, staff with risk management responsibilities are required to sign a checklist to confirm whether they are aware of the organisation’s risk management approach or require further training in this area. | Governance and Information Officer | Medium (2) | Mar-17 | Dec-22 | Training requirements continue to be covered through standard performance development conversations. The specific element of corresponding directly with staff on risk management responsibility; their understanding of it; and their specific training requirements is yet to be progressed. | Partially Complete |
2016⁄17 Financial Processes | We recommend that the Finance Management schedule is updated to provide detailed policies and guidance on all financial processes. These should be reviewed on an annual basis. We also recommend that clear roles and responsibilities demonstrating segregation of duties are documented within the guidance notes for all financial processes. | Finance Manager | Low (1) | Jun-17 | Dec-22 | Financial regulations need to be comprehensively reviewed in context of new management structures and finance team operations. | Incomplete |
2016⁄17 Grant Funding & Management | We recommend that the Grant Toolkit is completed, encompassing all processes in place for the awarding, recording, and monitoring of grant funding. The toolkit should also clearly define the following: — Actions to be taken when grant conditions are not being met or terms and conditions are breached; — The process for consideration of the risk and value of grant funding applications to determine the proportion of resource required to evaluate these; and — Review and scrutiny arrangements for progress reports provided by grantees. | Director of Corporate Services | Medium (2) | Sep-17 | Dec-22 | No further work able to be prioritised to the development of the grant toolkit in light of other pressures. Templates supplied by Harper Macleod initially for peatland programme are being deployed across other areas of the organisation. More detailed work on toolkit remains to be resourced. | Partially Complete |
2017⁄18 Project Management | We recommend that roles and responsibilities are fully documented for all key people and groups with responsibilities for each project. | Director of Corporate Services | Low (1) | Jul-18 | Dec-22 | Remains underway through the Project Management Office, which has been approved by Senior Management Team and now in progress of implementation with appointment of staff resources and identification of project management software. Specific design elements of our approach to project management will follow over the second half of 2021⁄22. | Partially Complete |
2017⁄18 Communications & Social Media Strategy | We recommend that feedback on the effectiveness of key digital communications is sought and responded to from stakeholders. We recommend that the Communications and Engagement team considers conducting a stakeholder survey campaign to gain feedback on the digital platforms and accounts which are currently in use by CNPA. We also recommend that management consider conducting this process prior to the completion of the communications and social media strategy. | Digital Content Manager | Low (1) | Apr-18 | Mar-23 | As part of a detailed website redevelopment tender exercise, we will be conducting a series of focus groups with key audiences across the National Park (residents, businesses, land managers, visitors etc) to better understand what they need from our digital channels, and how well our channels meet these needs at present. We also intend to host a survey on our website to gather further feedback on the usability and functionality of the website, and both exercises will feed into the development of a new CNP website in late 2022/early 2023. We conducted a full accessibility audit of the CNP website in late 2021 via accessibility experts DAC, which included specific user testing from visitors with a variety of access requirements. | Partially Complete |
2018⁄19 Partnership Management | We recommend that the Authority issue a questionnaire or feedback request on an annual basis to all key partners to seek feedback and thoughts on how the partnership, communication methods and ways of working could be further improved. We further recommend that feedback provided is collated and actions recorded. | Chief Executive with Head of Planning and Rural Development | Low (1) | Jun-19 | Mar-23 | Over 50 organisations and partners submitted responses to our National Park Partnership Plan consultation, helped by a series of over 40 in-person and online events targeting key audiences (including members of organisations like NFUS and SGA). We created a dedicated Partnership Plan advisory group — made up of a dozen or so organisations across the spectrum of our work — to provide direct feedback into the development, consultation and delivery of the plan and will continue to engage this group as we go forward. A similar mechanism has been created for our 7‑year Heritage Horizons: Cairngorms 2030 project, which looks to tackle the climate emergency and biodiversity crisis by empowering the people and organisations who live and work in the Park. | Partially Complete |
2018⁄19 Partnership Management | We understand that there are already plans to improve the engagement process further by implementing a Customer Relationship Management System (CRM). We recommend that the Authority continues with plans for implementing a CRM. | Director of Corporate Services | Low (1) | Jun-19 | Dec-22 | The full implementation of the CRM remains on hold pending the relaxation of the COVID Business Continuity Plan and ability for staff laptops and desktops to be upgraded with relevant software. There is a dependency for finalisation of this work on fuller office access for staff. | Partially Complete |
2018⁄19 Resource Planning | We recommend that a formal framework is put in place for identifying critical roles and developing succession plans for critical roles identified. | Director of Corporate Services and Head of Organisational Development | Low (1) | May-19 | Sep-22 | Chief Executive / Deputy Chief Executive / Head of Organisational Development have further considered this matter and concluded it is impossible to single out “critical” roles and the focus for all service leaders needs to be around continuity of processes and services in the context of potential staff turnover / absence rather than on key staff. We are working on a model for this approach in the context of the existing, agreed Workforce Management Strategy. | Partially Complete |
2018⁄19 Business Continuity Planning | We recommend that CNPA develops a testing plan/schedule for BCP which should be reviewed regularly to ensure a strategic approach to testing is developed and implemented. | Director of Corporate Services to coordinate team | Medium (2) | Nov-19 | Mar-23 | In progress of implementation and will be picked up through work being taken forward on more recent Azets review of BCP implementation. | Partially Complete |
2018⁄19 Business Continuity Planning | We recommend that the Authority implements business continuity training for all staff. Regular refresher training should be provided going forward, and the Authority should ensure it records all training for each staff member | Director of Corporate Services to coordinate team | Medium (2) | Nov-19 | Mar-23 | A full review of our BCP implementation and BCP Planning, including staff training, will be undertaken after fuller exit from current BCP arrangements. We are now suggesting, given ongoing COVID and new operational arrangements | Partially Complete |
2019⁄20 Staff Objective Setting & Appraisal | We recommend that line managers are reminded of the importance of properly recording their review and approval of job plans. Random spot checks should be carried out by HR to check that job plans are in place and have been appropriately reviewed and signed off by management, including the date of sign off. | Head of Organisational Development | Low (1) | Immediate and ongoing | Dec-22 | As part of our evolving Organisational Development Strategy, we will be looking to completely review our Performance Management approach. Anecdotal feedback over the last year is that the new procedure is working for some, but not all. We aim to consult with staff more broadly about the approach, seek formal feedback and implement change in response to that feedback. We expect this will be completed by November 2022. | Partially Complete |
2019⁄20 Staff Objective Setting & Appraisal | It is our recommendation that the Senior Management Team outline what their expectations are in respect of the outcomes of the performance management process and produce an annual report on the outcomes of the objective setting and appraisal process for presentation to the Recruitment Committee. This report should cover the degree of compliance with the process and details of any concerns identified in order to assess the ongoing effectiveness of the performance management process. | Head of Organisational Development | Low (1) | December will be the report schedule | Nov-22 | We have discussed the approach to Performance Development Conversations at SMT. As part of our evolving Organisational Development Strategy, we will be looking to completely review our Performance Management approach. Anecdotal feedback over the last year is that the new procedure is working for some, but not all. We aim to consult with senior management to get their views of expectations of objective and target setting, and then to consult with staff more broadly about the existing approach, seek formal feedback and implement change in response to both that feedback and SMT expectations. | Partially Complete |
2019⁄20 Expenses Claim Processes | We recommend that the Travel & Subsistence Policy is further developed to include the elements noted within our finding. | Director of Corporate Services | Medium (2) | Jan-20 | Jun-22 | Approved through Staffing and Recruitment Committee and Staff Consultative Forum. Not implemented yet as a consequence of homeworking / travel restrictions | Partially Complete |
2019⁄20 Expenses Claim Processes | To address the issues noted and to gain assurance on the consistent application of the policy, we recommend that CNPA reviews and revises the policy to more clearly define the approval procedures that are required prior to incurring costs and the evidence of authorisation required for seeking re-imbursement. | Director of Corporate Services | Medium (2) | Jan-20 | Jun-22 | Policy has been revised and reviewed by both Staffing and Recruitment Committee and Staff Consultative Forum. Implementation of revised policy due from 1 April 2020, though delayed during COVID BCP period. Will be launched as part of “new normal” organisational development programme. | Partially Complete |
2019⁄20 Expenses Claim Processes | We recommend that the Finance team’s review of expense claims and credit card documentation is enhanced and evidenced, for example, via signature. This will support a two-step approval process, which is good practice. | Finance Manager | Low (1) | Apr-20 | Jun-22 | No action pending exit from BCP status. No further progress has been made due to staffing shortages. | Incomplete |
2019⁄20 Expenses Claim Processes | We recommend that CNPA ensures a travel & subsistence/expenses Policy is developed which formally applies to Board members. As the current Travel & Subsistence Policy applies to Board members in practice, management may consider amending the current Policy to ensure the application to Board members is formally documented. Authority to approve Board member expenses should also be clearly documented. | Director of Corporate Services | Low (1) | Jan-20 | Jun-22 | Revised policy was explicitly applicable to Board members. Sign off procedures to be developed and implemented on return to office-based operations. | Partially Complete |
19⁄20 Payroll Administration | We recommend that in addition to the payroll report and BACS reports run each month, CNPA produce a post payment report which should be reviewed and signed by the Director of Corporate Services. | Director of Corporate Services/Payroll & Finance Officer | Low (1) | Nov-19 | Sep-22 | Reporting from new payroll system remains in design. As yet, we have not developed a post payroll report to be reviewed / reconciled. A new Payroll Officer is taking up post in May 2022 and this can be completed between that officer and the Management Accountant or Finance Manager. | Partially Complete |
19⁄20 Payroll Administration | We recommend that CNPA conduct a regular peer review of the desk instructions to ensure that they remain accurate and up to date. Evidence of the review should be seen on the instructions with version control and the date reviewed noted. | Director of Corporate Services/Head of Organisational Development | Low (1) | Apr-20 | Dec-22 | With staffing changes in the finance team, we have gone through a period of training new staff on payroll processes. A new lead payroll officer has been recruited. Following induction and initial training, we will seek to have the lead payroll officer take forward this recommendation. | Incomplete |
19⁄20 Payroll Administration | It is our recommendation that the Authority investigate the potential for making use of automatic exception reporting. This may be within the capabilities of the current payroll system; a report would be generated of all the differences from the previous month's payroll which could be reviewed and authorised. | Payroll and Finance Officer | Low (1) | Mar-20 | Dec-22 | Exception reporting from the new payroll system is being investigated and will be taken forward alongside the drafting of payroll processes and procedures. | Partially Complete |
2019⁄20 FOISA and EIR Requests | We recommend CNPA update their procedures which include asking the requestor whether the request can be narrowed to allow the deadline to be met. | Office Services Manager | Low (1) | Jul-20 | Sep-22 | Process has been adopted and is part of working practice and included in part of reviewing the request on receipt. The FOISA policy has not yet been updated to reflect this. | Partially Complete |
2019⁄20 FOISA and EIR Requests | We recommend the FOI policy and guidance are updated on a regular basis and document the policy owner and when it is next due to be reviewed. We recommend the Policy and Guidance are updated, refer to job titles and explain acronyms. | Office Services Manager | Low (1) | Jul-20 | Dec-22 | Not yet updated, delay due to Covid and office return pressures. Policy review to be a priority for incoming Governance and Reporting Manager — currently under recruitment. | Incomplete |
2019⁄20 FOISA and EIR Requests | We recommend CNPA creates guidelines for staff when searching for information for FOISA & EIR requests, such as how to undertake keyword searches in records | Office Services Manager | Low (1) | Jul-20 | Dec-22 | These currently form part of working practices as a number of complex requests have been received during 2021 – 22 and details of searches have been shared with requesters and kept in the event of any request for review. This will form part of the refreshed FOISA policy to be completed by incoming Governance and Reporting Manager. | Partially Complete |
2019⁄20 FOISA and EIR Requests | We recommend CNPA review and update its Publication Scheme. We recommend CNPA reviews all information it holds with an aim to publish as much as possible to ensure transparency and reduce FOI requests. | Office Services Manager | Low (1) | Dec-20 | Dec-22 | Publication scheme due to be updated with support from National Records Scotland. Work is underway with NRS to understand new requirements for publication scheme which requires updating in 2022. | Partially Complete |
2020⁄21 Corporate Governance | Management should ensure all Board members have received risk management training. We support the proposed finance training programme by the Finance and Delivery Committee and recommend that all board members attend this training. | Director of Corporate Services with Clerk to the Board | Medium (3) | Sept-21 | Mar-23 | Insufficient resource and board time to implement this training over 2021⁄22. It will be incorporated into board training plans for 2022⁄23. | Incomplete |
2020⁄21 COVID Recovery | Management should: • Continue to work through the BCP cycle. • Ensure staff have a sufficient knowledge of the BCP process and terminology to adequately complete the stages associated with risk assessments. • Expand the BCP content in relation to the governance structure and scope, in line with the points identified above. | Office Services Manager | Medium (2) | Mar-21 | Sep-22 | This action is ongoing as we move through our Covid response and return to the office. Risk assessment templates have been developed for Covid arrangements, final BCP governance structures yet to be included in revised BCP – for completion by end of Sept 2022. | Partially Complete |
2020⁄21 COVID Recovery | An outline communication strategy should be developed, which includes centralised and non-centralised channels, as well as support for staff who are unable to access systems. | Office Services Manager | Medium (2) | Jul-21 | Dec-22 | We have revised this assessment to “not implemented” as previous work undertaken needs reviewed in light of the evolving functionality of Microsoft 365 implementation and associated facilities for remote working and communication channels. A wider review of the communications strategy within BCP arrangements will be completed following fuller implementation of the updated IT infrastructure. | Incomplete |
2020⁄21 Data Management | We recommend that the organisation reviews and updates all three policies to ensure that they reflect the latest data protection legislation and reflect current organisational practices. Specifically, the Authority should ensure that information contained within each policy is consistent. The Authority should ensure that the owner for each policy is updated, recorded, and going forward, it should ensure that policies are reviewed annually in line with the review frequency documented. | Office Services Manager | Medium (2) | May-21 | Dec-22 | These policies remain to be reviewed and updated. The movement to Microsoft 365 and enabling of SharePoint will change the nature of these policy documents and they will be rewritten in tandem with the development of the design of the SharePoint records management system and associated metadata. | Incomplete |
2020⁄21 Data Management | We recommend that the Authority ensure that data audits are conducted annually in line with the policy. These audits should sample various directorates to ensure that storage and management of files adhere to the Records Management Policy. Specifically, this audit should consider compliance with data retention and disposal requirements, version control requirements and access and security requirements. The output of this audit should be documented and the Head of Service for each area should be given recommended actions, as necessary. We also recommend that directorates each take ownership of their own folders and conduct more regular compliance checks within their own teams to ensure that their files comply with the Records Management Policy. The data owner for each file should be responsible for these checks. | Head of Organisational Development | Medium (3) | May-21 | Dec-22 | We have initiated a data audit as part of the implementation of SharePoint within the migration to MS365. The process is underway, is likely to be impacted by short-term interruption during 2022⁄23 as a consequence of staff turnover; and will be prioritised following recruitment. | Partially Complete |
2021⁄22 Leader Programme | Management should undertake a risk assessment over the controls in place for access and editability in relation to electronic LEADER files. In addition management should ensure that LEADER programme records remain accessible and readable for the identified retention period. | Governance and Reporting Manager | Medium (2) | Dec-21 | Sep-22 | Electronic files access is restricted to Head of Corporate Services as the service lead for the SLA with Scottish Government; and 2 LEADER staff who are retained to work on future CLLD and any residual LEADER work as required. We are investigating whether setting all files to ‘read only’ or a mass PDF conversion of existing Word files is the best next step to finalise the process. | Partially Complete |
2021⁄22 Leader Programme | Management should ensure that feedback on CNPA internal processes is obtained and, where appropriate, fed into Scottish Government reviews on programme processes. In addition, management should develop a lessons learned action log and ensure this is monitored by a relevant person(s) within the CNPA management structure. | LEADER Programme Manager | Grade 2 | Mar-21 | Dec-23 | Both LEADER Programme Manager and Director of Corporate Services are involved in various national groups and are feeding back lessons learned from current LEADER operations into the evolution of new community-led local development processes. Formal written “capture” of these points has still to be finalised, which will be undertaken in part through evolution of Heritage Horizons Community Grants project development work and internal structured closure of the LEADER Programme. | Partially Complete |
Appendix 3: Audit risk categorisations
Management action grades
- 4: Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
- 3: High risk exposure — absence / failure of key controls that create significant risks within the organisation.
- 2: Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
- 1: Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general housekeeping issues.
© Azets 2022. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22.
Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.