Cairngorms Nation­al Park Author­ity Intern­al Audit Annu­al Report ²⁰²¹⁄₂₂

May 2022

Con­tents

• Intro­duc­tion — 2
• Over­all intern­al audit opin­ion — 3
• Intern­al audit work per­formed — 4
• Appendix 1 – Planned v actu­al days ²⁰²¹⁄₂₂ — 10
• Appendix 2 — Sum­mary of Intern­al Qual­ity Assur­ance Assess­ment — 11

Intro­duc­tion

The Pub­lic Sec­tor Intern­al Audit Stand­ards (PSI­AS) state that:

“The Chief Audit Exec­ut­ive must deliv­er an annu­al intern­al audit opin­ion and report that can be used by the organ­isa­tion to inform its gov­ernance statement.”

“The annu­al intern­al audit opin­ion must con­clude on the over­all adequacy and effect­ive­ness of the organisation’s frame­work of gov­ernance, risk man­age­ment and control.”

To meet the above require­ments, this Annu­al Report sum­mar­ises our con­clu­sions and key find­ings from the intern­al audit work under­taken at Cairngorms Nation­al Park Author­ity dur­ing the year ended 31 March 2022, includ­ing our over­all opin­ion on Cairngorms Nation­al Park’s intern­al con­trol system.

Acknow­ledge­ment

We would like to take this oppor­tun­ity to thank all mem­bers of man­age­ment and staff for the help, cour­tesy and co-oper­a­tion exten­ded to us dur­ing the year.

Over­all intern­al audit opinion

Basis of opinion

As the Intern­al Aud­it­or of Cairngorms Nation­al Park Author­ity, we are required to provide the Audit and Risk Com­mit­tee with assur­ance on the whole sys­tem of intern­al con­trol. In giv­ing our opin­ion it should be noted that assur­ance can nev­er be abso­lute. The most that the intern­al audit ser­vice can provide is reas­on­able assur­ance that there are no major weak­nesses in the whole sys­tem of intern­al control.

In assess­ing the level of assur­ance to be giv­en, we have taken into account:

• All reviews under­taken as part of the ²⁰²¹⁄₂₂ intern­al audit plan;
• Any scope lim­it­a­tions imposed by management;
• Mat­ters arising from pre­vi­ous reviews and the extent of fol­low-up action taken includ­ing in year audits;
• Expect­a­tions of seni­or man­age­ment, the Audit and Risk Com­mit­tee and oth­er stakeholders;
• The extent to which intern­al con­trols address the client’s risk man­age­ment /​control framework;
• The effect of any sig­ni­fic­ant changes in Cairngorms Nation­al Park Author­ity object­ives or sys­tems; and
• The intern­al audit cov­er­age achieved to date.

In my pro­fes­sion­al judge­ment as Head of Intern­al Audit, suf­fi­cient and appro­pri­ate audit pro­ced­ures have been con­duc­ted and evid­ence gathered to sup­port the basis and the accur­acy of the con­clu­sions reached and con­tained in this report. The con­clu­sions were based on a com­par­is­on of the situ­ations as they exis­ted at the time against the audit cri­ter­ia. The con­clu­sions are only applic­able for the entity examined. The evid­ence gathered meets pro­fes­sion­al audit stand­ards and is suf­fi­cient to provide seni­or man­age­ment with proof of the con­clu­sions derived from the intern­al audit work.

Intern­al Audit Opinion

In our opin­ion, Cairngorms Nation­al Park Author­ity has a frame­work of gov­ernance, risk man­age­ment and con­trols that provides reas­on­able assur­ance regard­ing the effect­ive and effi­cient achieve­ment of objectives.

Azets

May 2022

Intern­al audit work performed

Scope and responsibilities

Man­age­ment

It is management’s respons­ib­il­ity to estab­lish a sound intern­al con­trol sys­tem. The intern­al con­trol sys­tem com­prises the whole net­work of sys­tems and pro­cesses estab­lished to provide reas­on­able assur­ance that organ­isa­tion­al object­ives will be achieved, with par­tic­u­lar ref­er­ence to:

• risk man­age­ment;
• the effect­ive­ness of operations;
• the eco­nom­ic and effi­cient use of resources;
• com­pli­ance with applic­able policies, pro­ced­ures, laws and regulations;
• safe­guards against losses, includ­ing those arising from fraud, irreg­u­lar­ity or cor­rup­tion; and
• the integ­rity and reli­ab­il­ity of inform­a­tion and data.

Intern­al auditor

The Intern­al Aud­it­or assists man­age­ment by examin­ing, eval­u­at­ing and report­ing on the con­trols in order to provide an inde­pend­ent assess­ment of the adequacy of the intern­al con­trol sys­tem. To achieve this, the Intern­al Aud­it­or should:

• ana­lyse the intern­al con­trol sys­tem and estab­lish a review programme;
• identi­fy and eval­u­ate the con­trols which are estab­lished to achieve object­ives in the most eco­nom­ic and effi­cient manner;
• report find­ings and con­clu­sions and, where appro­pri­ate, make recom­mend­a­tions for improvement;
• provide an opin­ion on the reli­ab­il­ity of the con­trols in the sys­tem under review; and
• provide an assur­ance based on the eval­u­ation of the intern­al con­trol sys­tem with­in the organ­isa­tion as a whole.

Plan­ning process

Our stra­tegic and annu­al intern­al audit plans are designed to provide the Audit and Risk Com­mit­tee with assur­ance that Cairngorms Nation­al Park Authority’s intern­al con­trol sys­tem is effect­ive in man­aging the key risks and best value is being achieved. The plans are there­fore informed by Cairngorms Nation­al Park Authority’s risk man­age­ment sys­tem and linked to the Cor­por­ate Risk Register.

The Stra­tegic Intern­al Audit Plan was agreed in con­sulta­tion with seni­or man­age­ment and form­ally approved by the Audit and Risk Committee.

The Annu­al Intern­al Audit Plan is sub­ject to revi­sion through­out the year to reflect changes in Cairngorms Nation­al Park Authority’s risk pro­file. How­ever no changes were made to the ²⁰²¹⁄₂₂ plan.

We planned our work so that we have a reas­on­able expect­a­tion of detect­ing sig­ni­fic­ant con­trol weak­nesses. How­ever, intern­al audit can nev­er guar­an­tee to detect all fraud or oth­er irreg­u­lar­it­ies and can­not be held respons­ible for intern­al con­trol failures.

Cov­er achieved

The ²⁰²¹⁄₂₂ Intern­al Audit Plan com­prised 51 days of audit work and we com­pleted the full pro­gramme. A com­par­is­on of actu­al cov­er­age against the ²⁰²¹⁄₂₂ plan is attached at Appendix 1.

We con­firm that there were no resource lim­it­a­tions that impinged on our abil­ity to meet the full audit needs of Cairngorms Nation­al Park Author­ity and no restric­tions were placed on our work by management.

We did not rely on the work per­formed by a third party dur­ing the period.

Reports

We pre­pared a report from each review and presen­ted these reports to the Audit and Risk Com­mit­tee. The reports are sum­mar­ised in the table below.

Where rel­ev­ant, all reports con­tained action plans detail­ing respons­ible officers and imple­ment­a­tion dates. The reports were fully dis­cussed and agreed with man­age­ment pri­or to sub­mis­sion to the Audit and Risk Com­mit­tee. We made no sig­ni­fic­ant recom­mend­a­tions that were not accep­ted by management.

Sum­mary of reports by con­trol assess­ment and action grade

Review	Con­trol object­ive assess­ment	4	3	2	1
A1. Fin­an­cial Man­age­ment and Reporting				3
B1. Assur­ance Map­ping of Major Projects				2
D1. ICT Strategy			2	2
D3. Cyber Security			2	1
E1. LEAD­ER Administration				2	2
E2. Fol­low Up Part 1	N/A
E2. Fol­low Up Part 2	N/A

Con­trol object­ive assess­ment definitions

• R: Fun­da­ment­al absence or fail­ure of key controls.
• A: Con­trol object­ive not achieved — con­trols are inad­equate or ineffective.
• Y: Con­trol object­ive achieved — no major weak­nesses but scope for improvement.
• G: Con­trol object­ive achieved — con­trols are adequate, effect­ive and efficient.

Man­age­ment action pri­or­it­isa­tion definitions

• 4: Very high risk expos­ure — major con­cerns requir­ing imme­di­ate seni­or atten­tion that cre­ate fun­da­ment­al risks with­in the organisation.
• 3: High risk expos­ure — absence / fail­ure of key con­trols that cre­ate sig­ni­fic­ant risks with­in the organisation.
• 2: Mod­er­ate risk expos­ure — con­trols are not work­ing effect­ively and effi­ciently and may cre­ate mod­er­ate risks with­in the organisation.
• 1: Lim­ited risk expos­ure — con­trols are work­ing effect­ively, but could be strengthened to pre­vent the cre­ation of minor risks or address gen­er­al house-keep­ing issues.

Pro­gress in imple­ment­ing pre­vi­ous intern­al audit actions

Over the course of ²⁰²¹⁄₂₂ man­age­ment con­tin­ued to imple­ment agreed actions from pre­vi­ous intern­al audit reports. We reviewed 59 actions across ²⁰²¹⁄₂₂ and obtained suf­fi­cient evid­ence to close 17 (29%) actions with a fur­ther three (5%) super­seded or no longer applic­able. Of the remain­ing 39 out­stand­ing actions, 23 (59%) have been assessed as par­tially com­plete, sev­en (18%) are incom­plete and nine (23%) were not yet due at the time of our val­id­a­tion work.

(Dia­gram show­ing status of recommendations)

Although man­age­ment have made pro­gress in com­plet­ing actions the num­ber of out­stand­ing actions are con­sidered high with 37 of the out­stand­ing actions assessed as grade 1 or 2 (lim­ited or mod­er­ate risk exposure).

Key themes from audit work in ²⁰²¹⁄₂₂

Fin­an­cial man­age­ment and reporting

We iden­ti­fied that there was no doc­u­mented guid­ance provided to staff on their fin­an­cial respons­ib­il­it­ies with­in CNPA and that staff are not required to sign any doc­u­ment­a­tion acknow­ledging their respons­ib­il­ity. Fur­ther, we noted that the Fin­ance Manu­al was out of date, no Budget Man­age­ment Policy was in place and there were no audit trails to evid­ence act­ive engage­ment by budget hold­ers with the budget review pro­cess. Man­age­ment have agreed to doc­u­ment staff fin­an­cial respons­ib­il­it­ies, devel­op a Budget Man­age­ment Policy and out­line budget man­age­ment respons­ib­il­it­ies and are on course to imple­ment these as planned by Septem­ber 2022.

Pro­ject and pro­gramme management

We iden­ti­fied that the LEAD­ER pro­gramme track­er was not fully up to date with pay­ment inform­a­tion for closed pro­jects and clos­ure let­ters not being sent for any pro­jects, con­trary to CNPA guid­ance. In addi­tion we noted that improve­ments were required to ensure the integ­rity and avail­ab­il­ity of records in future and that les­sons learned are being act­ively used to bene­fit CNPA. We have con­firmed man­age­ment have fully updated the pro­gramme track­er and that a clos­ure let­ter at Pro­gramme end was sent to all suc­cess­ful applic­ants. Work remains ongo­ing on records reten­tion and les­sons learned; how­ever we have con­firmed pro­gress has been made and man­age­ment con­tin­ue to take action to address the recommendations.

Dur­ing our audit of Assur­ance Map­ping of Major Pro­grammes, we noted that CNPA were in the pro­cess of devel­op­ing an out­line pro­gramme man­age­ment approach that could be tailored to each pro­ject, how­ever a pro­ject plan for this had not yet been doc­u­mented. Fur­ther we iden­ti­fied some examples of insuf­fi­cient pro­gress report­ing on pro­jects. Over the course of ²⁰²¹⁄₂₂ we also iden­ti­fied con­trol weak­nesses related to the pro­gramme man­age­ment approach for the Peat­land Action Fund with man­age­ment work­ing to con­clude on the issues identified.

Man­age­ment have agreed to devel­op a pro­ject plan for the imple­ment­a­tion of the pro­ject man­age­ment approach and update the report­ing to the Per­form­ance Com­mit­tee; these actions remain on course to be imple­men­ted by Septem­ber 2022.

ICT strategy

At the time of field­work we iden­ti­fied that an IT and Data Strategy was estab­lished in June 2021; this was aligned to the ​‘New Nor­mal’ pro­ject intro­duced in May 2021. How­ever, the strategy does not con­tain clearly defined object­ives or out­comes oth­er than migra­tion to cloud-hos­ted solu­tions. Fur­ther, we also iden­ti­fied that there has not been any oper­a­tion­al plans doc­u­mented that sets out deliv­ery tasks in sup­port of the IT and Data Strategy. Man­age­ment have agreed to devel­op a pro­ject plan to update the strategy and imple­ment form­al oper­a­tion­al plans in line with the recom­mend­a­tions raised.

Cyber secur­ity

We iden­ti­fied that while CNPA has cyber secur­ity train­ing in place which includes cyber secur­ity, data secur­ity and data pro­tec­tions courses. How­ever, we iden­ti­fied com­ple­tion of train­ing is low with only 58% of staff hav­ing com­pleted the course and there is no pro­cess to mon­it­or the com­ple­tion of man­dat­ory train­ing courses. Fur­ther, train­ing is not required to be refreshed. In addi­tion, we noted that the organ­isa­tion could enhance the cyber risk man­age­ment prac­tices to fur­ther sup­port the man­age­ment of cyber secur­ity risks and while pos­it­ive steps have been taken to improve the man­age­ment of cyber secur­ity risks through the Stra­tegic Risk Register, there are lim­ited pro­cesses for doc­u­ment­ing and man­aging lower-level cyber risks. Man­age­ment have agreed to rein­vig­or­ate train­ing and ensure train­ing is com­pleted and ensure train­ing is refreshed and will under­take a risk ana­lys­is of cyber risk and address any issues identified.

Inde­pend­ence

PSI­AS require us to com­mu­nic­ate on a timely basis all facts and mat­ters that may have a bear­ing on our independence.

We can con­firm that the staff mem­bers involved in each ²⁰²¹⁄₂₂ intern­al audit review were inde­pend­ent of Cairngorms Nation­al Park Author­ity and their objectiv­ity was not com­prom­ised in any way.

Cov­id-19 impact

In response to the Cov­id-19 pan­dem­ic, the UK Pub­lic Sec­tor Intern­al Audit Stand­ards Advis­ory Board (IASAB) pub­lished guid­ance to Heads of Intern­al Audit to sup­port ongo­ing com­pli­ance with PSI­AS along­side man­aging the impact of the pandemic[1]. This guid­ance includes ref­er­ence to a num­ber of chal­lenges asso­ci­ated with under­tak­ing intern­al audit work in the cur­rent cir­cum­stances, including:

• Diver­sion of intern­al audit staff to oth­er work
• Diver­sion of oper­a­tion­al staff to oth­er duties
• Home-work­ing of the major­ity of staff
• Increased levels of sick­ness absence/​sick leave

We have main­tained reg­u­lar dia­logue with both man­age­ment and the Audit and Risk Com­mit­tee to ensure our audit plan focuses on key risks to the organ­isa­tion, whilst recog­nising the impact of the pan­dem­ic on Cairngorms Nation­al Park Author­ity staff. More gen­er­ally, we have taken a flex­ible approach to deliv­er­ing our intern­al audit plan over the year to allow us to provide sup­port to man­age­ment where necessary.

In line with gov­ern­ment guid­ance, our whole intern­al audit team has worked remotely since March 2020, how­ever, these arrange­ments have not impacted our abil­ity to deliv­er audits in line with PSI­AS. We have con­duc­ted all meet­ings via video-con­fer­en­cing and have used elec­tron­ic file pro­to­cols for the trans­mis­sion of audit evid­ence and work­ing papers. As such, our audit team has also been able to avoid resourcing chal­lenges due to Cov­id-related sick­ness absence.

[1] COV­ID-19 | CIPFA (iasab​.org)

Con­form­ance with Pub­lic Sec­tor Intern­al Audit Standards

Hav­ing con­sidered the impact of Cov­id-19, as out­lined above, we con­firm that our intern­al audit ser­vice con­forms to the Pub­lic Sec­tor Intern­al Audit Stand­ards, which are based on the Inter­na­tion­al Stand­ards for the Pro­fes­sion­al Prac­tice of Intern­al Audit­ing. This is con­firmed through our qual­ity assur­ance and improve­ment pro­gramme, which includes cyc­lic­al intern­al and extern­al assess­ments of our meth­od­o­logy and prac­tice against the standards.

A sum­mary of the res­ults of our most recent intern­al assess­ment is provided at Appendix 2.

Appendix 1 – Planned v actu­al days ²⁰²¹⁄₂₂

Ref and Name of report	Planned Days	Actu­al Days
A1. Fin­an­cial Man­age­ment and Reporting	8	8
B1. Assur­ance Map­ping of Major Projects	8	8
D1. ICT Strategy	7	7
D3. Cyber Security	7	7
E1. LEAD­ER Administration	7	7
E2. Fol­low Up Part 1	1.5	1.5
E2. Fol­low Up Part 2	1.5	1.5
Intern­al Audit Man­age­ment and Administration	2	2
Audit and Risk Plan­ning, report­ing and attendance	3	3
Audit needs ana­lys­is – stra­tegic and oper­a­tion­al IA planning	3	3
Con­tract Management	2	2
Annu­al IA Report	1	1
Total	51	51

Appendix 2 – Sum­mary of Intern­al Qual­ity Assur­ance Assessment

We are pleased to dis­close the out­come of our reg­u­lar intern­al and extern­al qual­ity assess­ments with our cli­ents to provide you with assur­ance that the ser­vice you receive is of high qual­ity and fully com­pli­ant with intern­al audit standards.

Our most recent annu­al intern­al qual­ity assess­ment (com­pleted August 2021) was used to assess the extent to which our intern­al audit meth­od­o­logy con­forms to the stand­ards. This assess­ment com­prised a qual­ity review of a sample of audit files from across our cli­ent base.

In addi­tion, every five years we com­mis­sion a full Extern­al Qual­ity Assess­ment, the most recent of which was com­pleted in July 2018.

Over­all, our ser­vice con­forms to the require­ments of the PSI­AS. Our assess­ment is based on the over­all ser­vice that is delivered to each cli­ent. We are happy to provide Cairngorms Nation­al Park mem­bers with fur­ther details of the inform­a­tion set out above and the assess­ment pro­cess, if required.

Azets 2022. All rights reserved. Azets refers to Azets Audit Ser­vices Lim­ited. Registered in Eng­land & Wales Registered No. 09652677. VAT Regis­tra­tion No. 219 0608 22. Registered to carry on audit work in the UK and reg­u­lated for a range of invest­ment busi­ness activ­it­ies by the Insti­tute of Chartered Account­ants in Eng­land and Wales.