Cairngorms National Park Authority Internal Audit Annual Report 2021/22
May 2022
Contents
- Introduction
- Overall internal audit opinion
- Internal audit work performed
- Appendix 1 – Planned v actual days 2021/22
- Appendix 2 – Summary of Internal Quality Assurance Assessment
Introduction
The Public Sector Internal Audit Standards (PSIAS) state that:
“The Chief Audit Executive must deliver an annual internal audit opinion and report that can be used by the organisation to inform its governance statement.”
“The annual internal audit opinion must conclude on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control.”
To meet the above requirements, this Annual Report summarises our conclusions and key findings from the internal audit work undertaken at Cairngorms National Park Authority during the year ended 31 March 2022, including our overall opinion on Cairngorms National Park’s internal control system.
Acknowledgement
We would like to take this opportunity to thank all members of management and staff for the help, courtesy and co-operation extended to us during the year.
Overall internal audit opinion
Basis of opinion
As the Internal Auditor of Cairngorms National Park Authority, we are required to provide the Audit and Risk Committee with assurance on the whole system of internal control. In giving our opinion it should be noted that assurance can never be absolute. The most that the internal audit service can provide is reasonable assurance that there are no major weaknesses in the whole system of internal control.
In assessing the level of assurance to be given, we have taken into account:
- All reviews undertaken as part of the 2021/22 internal audit plan;
- Any scope limitations imposed by management;
- Matters arising from previous reviews and the extent of follow-up action taken, including in-year audits;
- Expectations of senior management, the Audit and Risk Committee and other stakeholders;
- The extent to which internal controls address the client’s risk management / control framework;
- The effect of any significant changes in Cairngorms National Park Authority objectives or systems; and
- The internal audit coverage achieved to date.
In my professional judgement as Head of Internal Audit, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the basis and the accuracy of the conclusions reached and contained in this report. The conclusions were based on a comparison of the situations as they existed at the time against the audit criteria. The conclusions are only applicable for the entity examined. The evidence gathered meets professional audit standards and is sufficient to provide senior management with proof of the conclusions derived from the internal audit work.
Internal Audit Opinion
In our opinion, Cairngorms National Park Authority has a framework of governance, risk management and controls that provides reasonable assurance regarding the effective and efficient achievement of objectives.
Azets
May 2022
Internal audit work performed
Scope and responsibilities
Management
It is management’s responsibility to establish a sound internal control system. The internal control system comprises the whole network of systems and processes established to provide reasonable assurance that organisational objectives will be achieved, with particular reference to:
- risk management;
- the effectiveness of operations;
- the economic and efficient use of resources;
- compliance with applicable policies, procedures, laws and regulations;
- safeguards against losses, including those arising from fraud, irregularity or corruption; and
- the integrity and reliability of information and data.
Internal auditor
The Internal Auditor assists management by examining, evaluating and reporting on the controls in order to provide an independent assessment of the adequacy of the internal control system. To achieve this, the Internal Auditor should:
- analyse the internal control system and establish a review programme;
- identify and evaluate the controls which are established to achieve objectives in the most economic and efficient manner;
- report findings and conclusions and, where appropriate, make recommendations for improvement;
- provide an opinion on the reliability of the controls in the system under review; and
- provide an assurance based on the evaluation of the internal control system within the organisation as a whole.
Planning process
Our strategic and annual internal audit plans are designed to provide the Audit and Risk Committee with assurance that Cairngorms National Park Authority’s internal control system is effective in managing the key risks and best value is being achieved. The plans are therefore informed by Cairngorms National Park Authority’s risk management system and linked to the Corporate Risk Register.
The Strategic Internal Audit Plan was agreed in consultation with senior management and formally approved by the Audit and Risk Committee.
The Annual Internal Audit Plan is subject to revision throughout the year to reflect changes in Cairngorms National Park Authority’s risk profile. However, no changes were made to the 2021/22 plan.
We planned our work so that we have a reasonable expectation of detecting significant control weaknesses. However, internal audit can never guarantee to detect all fraud or other irregularities and cannot be held responsible for internal control failures.
Cover achieved
The 2021/22 Internal Audit Plan comprised 51 days of audit work and we completed the full programme. A comparison of actual coverage against the 2021/22 plan is attached at Appendix 1.
We confirm that there were no resource limitations that impinged on our ability to meet the full audit needs of Cairngorms National Park Authority and no restrictions were placed on our work by management.
We did not rely on the work performed by a third party during the period.
Reports
We prepared a report from each review and presented these reports to the Audit and Risk Committee. The reports are summarised in the table below.
Where relevant, all reports contained action plans detailing responsible officers and implementation dates. The reports were fully discussed and agreed with management prior to submission to the Audit and Risk Committee. We made no significant recommendations that were not accepted by management.
Summary of reports by control assessment and action grade
Review | Control objective assessment | 4 | 3 | 2 | 1 |
---|---|---|---|---|---|
A1. Financial Management and Reporting | 3 | ||||
B1. Assurance Mapping of Major Projects | 2 | ||||
D1. ICT Strategy | 2 | 2 | |||
D3. Cyber Security | 2 | 1 | |||
E1. LEADER Administration | 2 | 2 | |||
E2. Follow Up Part 1 | N/A | ||||
E2. Follow Up Part 2 | N/A |
Control objective assessment definitions
- R: Fundamental absence or failure of key controls.
- A: Control objective not achieved — controls are inadequate or ineffective.
- Y: Control objective achieved — no major weaknesses but scope for improvement.
- G: Control objective achieved — controls are adequate, effective and efficient.
Management action prioritisation definitions
- 4: Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
- 3: High risk exposure — absence / failure of key controls that create significant risks within the organisation.
- 2: Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
- 1: Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.
Progress in implementing previous internal audit actions
Over the course of 2021/22 management continued to implement agreed actions from previous internal audit reports. We reviewed 59 actions across 2021/22 and obtained sufficient evidence to close 17 (29%) actions with a further three (5%) superseded or no longer applicable. Of the remaining 39 outstanding actions, 23 (59%) have been assessed as partially complete, seven (18%) are incomplete and nine (23%) were not yet due at the time of our validation work.
(Diagram showing status of recommendations)
Although management have made progress in completing actions, the number of outstanding actions is considered high, with 37 of the outstanding actions assessed as grade 1 or 2 (limited or moderate risk exposure).
Key themes from audit work in 2021/22
Financial management and reporting
We identified that there was no documented guidance provided to staff on their financial responsibilities within CNPA and that staff are not required to sign any documentation acknowledging their responsibility. Further, we noted that the Finance Manual was out of date, no Budget Management Policy was in place and there were no audit trails to evidence active engagement by budget holders with the budget review process. Management have agreed to document staff financial responsibilities, develop a Budget Management Policy and outline budget management responsibilities and are on course to implement these as planned by September 2022.
Project and programme management
We identified that the LEADER programme tracker was not fully up to date with payment information for closed projects and that closure letters were not being sent for any projects, contrary to CNPA guidance. In addition, we noted that improvements were required to ensure the integrity and availability of records in future and that lessons learned are being actively used to benefit CNPA. We have confirmed management have fully updated the programme tracker and that a closure letter at Programme end was sent to all successful applicants. Work remains ongoing on records retention and lessons learned; however, we have confirmed progress has been made and management continue to take action to address the recommendations.
During our audit of Assurance Mapping of Major Programmes, we noted that CNPA were in the process of developing an outline programme management approach that could be tailored to each project; however, a project plan for this had not yet been documented. Further, we identified some examples of insufficient progress reporting on projects. Over the course of 2021/22 we also identified control weaknesses related to the programme management approach for the Peatland Action Fund, with management working to conclude on the issues identified.
Management have agreed to develop a project plan for the implementation of the project management approach and update the reporting to the Performance Committee; these actions remain on course to be implemented by September 2022.
ICT strategy
At the time of fieldwork we identified that an IT and Data Strategy was established in June 2021; this was aligned to the ‘New Normal’ project introduced in May 2021. However, the strategy does not contain clearly defined objectives or outcomes other than migration to cloud-hosted solutions. Further, we identified that no operational plans have been documented that set out delivery tasks in support of the IT and Data Strategy. Management have agreed to develop a project plan to update the strategy and implement formal operational plans in line with the recommendations raised.
Cyber security
We identified that CNPA has cyber security training in place, which includes cyber security, data security and data protection courses. However, completion of training is low, with only 58% of staff having completed the course, and there is no process to monitor the completion of mandatory training courses. Further, training is not required to be refreshed. In addition, we noted that the organisation could enhance its cyber risk management practices to further support the management of cyber security risks and, while positive steps have been taken to improve the management of cyber security risks through the Strategic Risk Register, there are limited processes for documenting and managing lower-level cyber risks. Management have agreed to reinvigorate training, ensure training is completed and refreshed, and undertake a risk analysis of cyber risk and address any issues identified.
Independence
PSIAS require us to communicate on a timely basis all facts and matters that may have a bearing on our independence.
We can confirm that the staff members involved in each 2021/22 internal audit review were independent of Cairngorms National Park Authority and their objectivity was not compromised in any way.
Covid-19 impact
In response to the Covid-19 pandemic, the UK Public Sector Internal Audit Standards Advisory Board (IASAB) published guidance to Heads of Internal Audit to support ongoing compliance with PSIAS alongside managing the impact of the pandemic[1]. This guidance includes reference to a number of challenges associated with undertaking internal audit work in the current circumstances, including:
- Diversion of internal audit staff to other work
- Diversion of operational staff to other duties
- Home-working of the majority of staff
- Increased levels of sickness absence/sick leave
We have maintained regular dialogue with both management and the Audit and Risk Committee to ensure our audit plan focuses on key risks to the organisation, whilst recognising the impact of the pandemic on Cairngorms National Park Authority staff. More generally, we have taken a flexible approach to delivering our internal audit plan over the year to allow us to provide support to management where necessary.
In line with government guidance, our whole internal audit team has worked remotely since March 2020; however, these arrangements have not impacted our ability to deliver audits in line with PSIAS. We have conducted all meetings via video-conferencing and have used electronic file protocols for the transmission of audit evidence and working papers. As such, our audit team has also been able to avoid resourcing challenges due to Covid-related sickness absence.
[1] COVID-19 | CIPFA (iasab.org)
Conformance with Public Sector Internal Audit Standards
Having considered the impact of Covid-19, as outlined above, we confirm that our internal audit service conforms to the Public Sector Internal Audit Standards, which are based on the International Standards for the Professional Practice of Internal Auditing. This is confirmed through our quality assurance and improvement programme, which includes cyclical internal and external assessments of our methodology and practice against the standards.
A summary of the results of our most recent internal assessment is provided at Appendix 2.
Appendix 1 – Planned v actual days 2021/22
Ref and Name of report | Planned Days | Actual Days |
---|---|---|
A1. Financial Management and Reporting | 8 | 8 |
B1. Assurance Mapping of Major Projects | 8 | 8 |
D1. ICT Strategy | 7 | 7 |
D3. Cyber Security | 7 | 7 |
E1. LEADER Administration | 7 | 7 |
E2. Follow Up Part 1 | 1.5 | 1.5 |
E2. Follow Up Part 2 | 1.5 | 1.5 |
Internal Audit Management and Administration | 2 | 2 |
Audit and Risk Planning, reporting and attendance | 3 | 3 |
Audit needs analysis – strategic and operational IA planning | 3 | 3 |
Contract Management | 2 | 2 |
Annual IA Report | 1 | 1 |
Total | 51 | 51 |
Appendix 2 – Summary of Internal Quality Assurance Assessment
We are pleased to disclose the outcome of our regular internal and external quality assessments with our clients to provide you with assurance that the service you receive is of high quality and fully compliant with internal audit standards.
Our most recent annual internal quality assessment (completed August 2021) was used to assess the extent to which our internal audit methodology conforms to the standards. This assessment comprised a quality review of a sample of audit files from across our client base.
In addition, every five years we commission a full External Quality Assessment, the most recent of which was completed in July 2018.
Overall, our service conforms to the requirements of the PSIAS. Our assessment is based on the overall service that is delivered to each client. We are happy to provide Cairngorms National Park members with further details of the information set out above and the assessment process, if required.
Azets 2022. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22. Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.