CAIRNGORMS NATIONAL PARK AUTHORITY
Audit & Risk Committee Paper 7 Annex 1 27/05/2022
Governance Statement
Scope of responsibility
As Accountable Officer, I am responsible for maintaining sound systems of internal control which support the achievement of Cairngorms National Park Authority’s policies, aims and objectives, whilst safeguarding the public funds and departmental assets for which I am personally responsible. These duties are in accordance with the Management Statement agreed between the Park Authority and Scottish Government, and also responsibilities assigned to me in the Scottish Public Finance Manual (SPFM).
The SPFM, issued by the Scottish Ministers, provides guidance to the Scottish Government and other relevant bodies on the proper handling of public funds, and sets out the relevant statutory, parliamentary and administrative requirements, emphasising the need for economy, efficiency and effectiveness, and promotes good practice and high standards of propriety. I am responsible as Accountable Officer to ensure the Park Authority’s internal control systems comply with the requirements of the SPFM.
The Management Statement sets out the role of the Park Authority’s Board in providing leadership and governance. The governance responsibilities of the Board are supported by Standing Orders last revised and adopted in 2019 and a Code of Conduct revised and adopted in [2022]. The Board agreed a “Governance Responsibility Framework” document in 2021, setting out the respective roles and responsibilities of the board and non-executive board members and senior managers in decision making to give added clarity and understanding to this aspect of the Cairngorms NPA’s governance. Our group of professional, senior staff advisors, complemented by appropriate Board training and development processes, support the good governance arrangements set out in the Standing Orders and Code of Conduct.
As a public body, the Park Authority operates in an open and accountable manner, and is committed to accessibility, openness and accountability and supports the highest standards in corporate governance.
Other than the documents referred to above and the resource allocation letters issued to me over the course of the year, there are no other written authorities provided to me in 2021/22.
The operation of the Board and sub-committees
The Board comprises 19 members: 7 appointed by Ministers following nomination by five Councils with boundaries within the National Park, 7 appointed by Scottish Government through public appointments processes, and 5 directly elected within the wards of the Park. The Board therefore reflects a blend of different experience, backgrounds and interests. The full Board meets regularly to consider strategy, and performance against the current Corporate Plan. Meetings are scheduled quarterly, with additional meetings convened as required. To enable the Board to discharge its duties, all members receive appropriate and timely information in advance of meetings with all agendas and papers also placed in the public domain. Meetings are open to the public save the occasional meeting held in private for various reasons of business and commercial confidentiality.
To ensure that the Board develops an understanding of the current and emerging issues, members also participate in informal discussion sessions to consider evolving policy issues and proposals, and a preferred strategic direction identified prior to fuller, open consideration at formal meetings.
The Board has established sub-committees: a Planning Committee (which deals with all aspects of the Park Authority’s statutory planning responsibilities), together with Committees covering Governance, Resources, Performance, and Audit and Risk. This new Committee structure was adopted over the course of 2021/22. The revised structure was adopted to augment the governance of the Authority and enhance the Board’s assurance role as the Authority’s scale of activities and support of significant programmes continues to increase. The Governance Committee has been created to support the board and Convener in maintaining oversight of the effectiveness of governance arrangements across the organisation, including the effectiveness of the committee structure itself. All committees have delegated duties and responsibilities set out in terms of reference agreed by the full Board to oversee and scrutinise the Park Authority’s deployment and management of resources. The record of attendance at Board meetings can be found elsewhere in the Annual Report and Accounts.
The Audit and Risk Committee
The Audit and Risk Committee’s role is to provide effective governance over all aspects of the Park Authority’s internal management control systems and the annual financial accounts and audit. It also takes a lead in strategic risk management, ensuring that risks impacting on strategic objectives are identified and mitigated, and that risk management is embedded throughout the Park Authority’s operations. It is supported by the Park Authority’s internal audit function, Azets, and external auditors, Grant Thornton LLP, who both have independent access to the Committee and to its Convener. The Committee is tasked with monitoring the operation of the internal control function and bringing any material matters to the attention of the full Board. Detailed reports of all audit reviews are made available to both management and the Committee.
The Committee meets at least quarterly and reports to the Board on the adequacy and effectiveness of the Park Authority’s internal controls, and more widely on its work in the preceding year.
The Board has continued a process of self-evaluation of effectiveness and governance over the course of 2021/22 which was originally initiated under the “Leadership” element of the first Organisational Development Strategy in 2015/16. The Board completed a revision of its skills matrix in February 2020 and, through this process, established a priority for continuing professional development of members over the following years. A refresh of the board skills matrix and self-evaluation of members against that matrix is scheduled for the early part of 2022/23 to complement public appointments rounds for member appointments which are expected to take place in 2022. The Board has completed a self-assessment of Board effectiveness in December 2020 and considered the results of this in February 2021. The Convener and Deputy Convener have undertaken a complementary series of “Board member development conversations” with all board members in 2020/21. This focus on Board effectiveness and development of governance systems was complemented by an internal audit of governance systems, the improvement actions from which have been implemented in part by the work mentioned here and through wider action over the course of the last year.
The Board has agreed a set of Corporate Performance Indicators so it may improve its oversight of delivery against key strategic objectives and the Park Authority’s Corporate Plan. A detailed performance report is submitted to the Board twice yearly on delivery against key performance indicators, considered typically at each June and December meeting, alongside a review of strategic risk management. These monitoring and control mechanisms support Board scrutiny over delivery of the Corporate Plan and National Park Partnership Plan priorities.
Periodic reports from independent internal and external auditors form a key and essential element in informing my review as Accountable Officer of the effectiveness of the systems of internal control within the Park Authority. The Board’s Audit and Risk Committee also plays a vital role in this regard, through its consideration of audit recommendations arising from reviews of internal control systems and its scrutiny of proposed management action to address any improvements required. The Audit and Risk Committee also considers both a three year plan for internal audit coverage and annually agrees an internal audit plan flowing from that three year plan.
Shared services delivery
The Park Authority plays an important role in providing support over a range of activities to local communities and organisations to help deliver the National Park Partnership Plan’s priorities. In the last year we have supported Cairngorms LEADER Programme Local Action Group, the Tomintoul and Glenlivet Landscape Partnership, the Great Place Badenoch Project as well as the Capercaillie Framework as significant, community and partner led programmes of activity. Our management and internal control structures ensure that support for these community based delivery entities is separated from the core activities of the Authority, while ensuring that our support helps them achieve “best practice” in their operations.
The Authority also undertakes a range of shared service arrangements with other public body partners. Over the course of the year we have provided human resource advice and organisational development support to the Scottish Land Commission, while collaborating on a range of shared service delivery with Loch Lomond and the Trossachs National Park Authority (LLTNPA). We receive key support from LLTNPA on IT infrastructure maintenance, development and shared licence agreements for planning systems and data back-up and security arrangements. In addition to these more formal shared services with LLTNPA, both National Park Authorities continue to collaborate closely on areas of shared policy interest.
Internal audit
The internal audit function is an integral element of scrutiny of the Park Authority’s internal control systems. Azets was appointed following an open procurement process as the Park Authority’s internal auditors in 2020 and have undertaken a comprehensive assessment of key internal control systems since their appointment in determining annual and three-year internal audit plans. During the year to 31 March 2022, Azets has reported to the Audit and Risk Committee on the following reviews:
Governance & risk
- Assurance Mapping of Major Projects
- Follow up review of prior recommendations
- LEADER administration
- IT and Data Strategy
- Cyber Security Arrangements
- Peatland Restoration Programme
Internal control systems Finance
- VAT Arrangements
- Financial Management and Reporting
All recommendations made by Azets are considered; given management responses which are considered by the Audit and Risk Committee; and implemented as appropriate. There were no instances of internal audit recommendations not being accepted by management in the year.
External audit
External auditors are appointed for us by the Auditor General for Scotland through Audit Scotland. Audit Scotland appointed Grant Thornton LLP to the role for a five year period commencing in 2016/17 which was extended for a further year to cover the 2021/22 audit as a consequence of COVID limitations and restrictions to the auditor appointment process. We have formed an effective and efficient audit relationship with Grant Thornton, who review key systems so they can form a view on the effectiveness of control arrangements which in turn supports their audit opinion on the financial statements.
No fees were paid for any non-audit work undertaken by Grant Thornton LLP.
Best value
The Audit and Risk Committee continues to monitor the Authority’s adherence to Scottish Government Best Value guidelines and our approach to continuous improvement. We launched phase three of our Organisational Development Strategy in 2020/21 to continue to improve our work processes, organisational environment, and delivery of services. We have also completed our most recent independent staff survey, held every 2 years, and the analysis of the results of that process. This information will build toward development of the internal organisational focus of our next Corporate Plan from 2023 to 2027 and the underpinning Organisational Development Strategy supporting delivery of continuous organisational improvement.
Risk management
We have a risk management strategy in accordance with guidance issued by Scottish Ministers to identify actual and potential threats which may prevent us from delivering our statutory purpose and also to identify appropriate mitigation actions.
The Board recognises the importance of risk management and continues to monitor the Park Authority’s Strategic Risk Register. The Strategic Risk Register records risks, action taken to mitigate the identified risks and senior management’s responsibility for leading on each risk and its mitigation. The Strategic Risk Register is reviewed by Senior Management Team four times each year and updated by the full Board twice and by the Audit and Risk Committee twice a year.
The Audit and Risk Committee, with the Senior Management Team, leads on embedding risk management processes throughout the Park Authority. Both groups consider the management of strategic risk in line with the Risk Strategy to ensure that the required actions are appropriately reflected and incorporated in operational delivery plans. A revised Risk Management Strategy was adopted by the Audit and Risk Committee in 2016, and subsequently reviewed by the Board in 2019, with the Committee also receiving an internal audit report on the effectiveness of operations of risk management within the organisation in that year.
Data security
Procedures are in place to ensure that information is being managed in accordance with legislation and that data is held accurately and securely. The Park Authority has no reported nor recorded instances of data loss in the year to 31 March 2022.
The second iteration of Cyber Essentials + accreditation was achieved in 2019/20. We continue to review our digital practices and infrastructure to ensure they remain fit for purpose and that all reasonable steps are taken to minimise the risk of data loss or compromise of systems due to Cyber Attacks.
The Authority’s Senior Management Team approved an IT and Data Management Strategy in 2021 which approved our transition toward cloud based service infrastructure. We also made additional investment in cyber security protection over the course of the year.
As noted elsewhere in this statement, our IT Strategy and Cyber Security arrangements have each been subject to internal audit review as part of the 2021/22 internal audit programme. Actions arising from these audits will be addressed over the course of the coming year.
Response to COVID19 Pandemic
The Authority implemented its Business Continuity Plan (BCP) processes on 17 March 2020 in response to the COVID19 pandemic and continued to apply that BCP process throughout 2021/22. The BCP has prioritised the maintenance and evolution of systems to support dispersed working while maintaining maximum focus on delivery of the Authority’s strategic outcomes. Our BCP has also placed an emphasis on staff welfare and ensuring our people remain as physically and mentally healthy as possible throughout this period of BCP operations.
The Board also approved BCP measures to support effective governance throughout the pandemic. This included adapting Board Standing Orders to remote working and meetings held by video conference and telephone and ensuring appropriate Board and Senior Management succession plans are in place.
The Cairngorms NPA is now progressing its movement from these BCP arrangements into revised, hybrid working arrangements from the commencement of 2022/23. The majority of our staff will continue to work part time from home and dispersed locations and part time in the office. Our board will also commence hybrid public meetings, with some participants physically present and others joining by video conference. The Authority will monitor and review the evolution of our new working arrangements throughout the course of 2022/23 with the aim of adopting final arrangements by the end of March 2023.
Conclusion
As Accountable Officer I am responsible for reviewing the effectiveness of the system of internal control. In order to do this my review is informed by:
a) the executive managers within the organisation who have responsibility for the development and maintenance of the internal control framework and who provide assurance on systems within regular Senior Management Team meetings;
b) internal monitoring of control systems by staff against SPFM requirements;
c) the work of the internal auditors, who submit regular reports to the Audit and Risk Committee which include the Head of Internal Audit’s independent and objective opinion on the adequacy and effectiveness of our systems of internal control together with recommendations for improvement;
d) comments made by the external auditors in their management letter and other reports.
I am supported by a Director of Corporate Services and Deputy Chief Executive, who in turn is supported by the Corporate Services staff group, and provides senior management leadership on the financial management, internal controls and governance arrangements. I take assurance from the effectiveness of internal control systems, financial management and planning processes, and risk management from the assurances received from the Director of Corporate Services and Deputy Chief Executive.
I have also been advised on the effectiveness of the system of internal control by the Board and its Audit and Risk Committee. Appropriate action is taken against any weaknesses identified and to ensure continuous improvement of our systems.
The internal auditor’s annual report for 2021/22 states that, [“….”. Action is underway on implementing improvements required to mitigate these high risk areas identified by internal audit and as such I also take assurance on the adequacy and effectiveness of the Authority’s internal controls from the independent internal auditor’s report for the year.]
Version
0.1 5 May DFC initial draft
0.2 5 May D Ralph comment amendments