Please be aware the content below has been generated by an AI model from a source PDF.

220527DraftARCMinsV03

DRAFT MINUTES OF THE AUDIT AND RISK COM­MIT­TEE MEET­ING of THE CAIRNGORMS NATION­AL PARK AUTHORITY

held via Lifes­ize Video Con­fer­en­cing on 27 May 2022 at 2.30pm

PRESENT

  • Judith Webb (Chair)
  • John Kirk
  • John Lath­am
  • Elean­or Mackintosh
  • Fiona McLean (Vice-Chair)
  • Gaen­er Rodger

In Attend­ance:

  • John Boyd, Grant Thornton
  • Stephanie Hume, Azets
  • Paul Kelly, Azets
  • Dav­id Camer­on, Dir­ect­or of Cor­por­ate Services
  • Grant Moir, CEO

Apo­lo­gies:

  • Eliza­beth Young, Azets

1. Wel­come and Apologies

The Chair wel­comed every­one to the meeting.

2. Minutes of Last Meet­ing – Approval

  • The draft Minutes of the meet­ings on 11 Feb­ru­ary 2022 were approved with no amendments.
  • Draft confidential minutes of 11 February 2022 were agreed as accurate. The Director of Corporate Services reported that the matter considered had not yet been taken up with the Governance Committee, as the meeting has been delayed.
  • The Chair and Director of Corporate Services provided an update on the action points arising from the previous meeting (located in the table at the end of the document).

4. Action Point Arising:

  • Clerk to Board to ensure action table is appen­ded to the minutes going forward.

5. Declar­a­tion of Interests

There were no interests declared.

6. Intern­al Audit: IT Strategy Review (Paper 1)

Paul Kelly, Azets, introduced the paper which presents the review of the Cairngorms NPA’s approaches and controls in place for our ICT Strategy. The review has been undertaken as part of the agreed Internal Audit Plan for 2021/22.

7. Obser­va­tions:

  • Com­ment made that it was a use­ful report.
  • Slight concern raised that what was being reported here in terms of control weaknesses could be taking place in other parts of the organisation: could this be looked at as a learning point across other strategies across the CNPA? Director of Corporate Services welcomed the report. He commented that while the learnings from the report were explicit on what we should be doing to improve our controls around the development and implementation of our IT Strategy, in many elements there are actions we are doing, such as having an understanding of our financial plans within wider budgets. He agreed that we need to do better at making these actions and processes more explicit, and detailed in writing, ensuring all things are documented and set out. He advised that there were gaps in the availability of documented evidence on the strategic process which the report picked up, and while those who are managing the process know in-depth about it, others or anyone new to the organisation might not. The Director of Corporate Services concluded that he did not feel the control weaknesses were widespread across the organisation, other than the previously recognised need to better document aspects of our project management activities. Paul Kelly confirmed that a better document trail to support it was required.

8. The Audit and Risk Committee:

  • Con­sidered the intern­al aud­it­ors report and findings;
  • Endorsed the man­age­ment responses to recom­mend­a­tions for future action and sys­tem improvements.

9. Action Points Arising: None.

10. Intern­al Audit: Cyber Secur­ity Review (Paper 2)

Paul Kelly, Azets, introduced Paper 2 which presents the review of the Cairngorms NPA’s approaches and controls in place for our Cyber Security. The review had been undertaken as part of the agreed Internal Audit Plan for 2021/22.

11. Obser­va­tions:

  • With ref­er­ence to Action 1: Tech­nic­al con­trols where the recom­mend­a­tion is simply noted as accep­ted, cla­ri­fic­a­tion sought as to what was required there and what the actions are. The Dir­ect­or of Cor­por­ate Ser­vices advised that the team would devel­op a sys­tem to deal with a couple of scen­ari­os of response to cyber secur­ity incid­ents, set­ting out what the IT team will do and how to com­mu­nic­ate actions being taken and any con­sequences to the whole organ­isa­tion. Fur­ther dis­cus­sion with­in the IT team requires to take place before it can be decided exactly what that will look like, hence the man­age­ment response was brief at this point.
  • Query around IT train­ing: were the Author­ity look­ing at oth­er train­ing pro­vider options to ensure people are doing man­dat­ory train­ing. Dir­ect­or of Cor­por­ate Ser­vices repor­ted that the ELMS train­ing sys­tem provides good data, regard­ing staff par­ti­cip­a­tion: when they did each mod­ule and which course they have done. The Dir­ect­or of Cor­por­ate Ser­vices con­firmed he has been speak­ing to HR team to ensure staff catch up on some of the essen­tial train­ing, poten­tially over the hope­fully quieter sum­mer months. He recog­nised that so much of train­ing is online and as much of work­ing life dur­ing lock­down has also been online, under­tak­ing train­ing in this has been a big ask of staff dur­ing the cov­id peri­od. He added that he has asked about wheth­er the train­ing can be updated through the col­lect­ive NPAs ELMS system.
  • Query raised in point 3, not­ing action ref­er­ences had noth­ing con­cern­ing the gov­ernance of pro­cesses? The Dir­ect­or of Cor­por­ate Ser­vices advised that this was a risk ana­lys­is point and provided reas­sur­ance that the Author­ity do take our risk man­age­ment pro­cess through Audit & Risk Com­mit­tee and the Board at a stra­tegic risk level. He advised that he will be liais­ing with the IT Team to ensure they are fully focussed on oper­a­tion­al risk man­age­ment in day-to-day work.
  • The Chair sug­ges­ted an action around rein­vig­or­at­ing train­ing modules/​uptake on them and to include Board mem­ber train­ing needs. The Dir­ect­or of Cor­por­ate Ser­vices noted that only a small num­ber of board mem­bers cur­rently oper­ated with access into the Cairngorms NPA’s sys­tems and there­fore risk was mit­ig­ated to a degree.

12. The Audit and Risk Committee:

  • Con­sidered the intern­al aud­it­ors report and findings;
  • Endorsed the man­age­ment responses to recom­mend­a­tions for future action and sys­tem improvements.

13. Action Points Arising: None.

14. Internal Audit: Management Action Follow-Up 2021/22 (Paper 3)

Stephanie Hume, Azets, introduced Paper 3 which presents the review of the Internal Audit Management Action Follow-Up 2021/22.

15. Obser­va­tions:

  • Query raised around the man­age­ment review what was the pro­cess for get­ting actions signed off if they were no longer applic­able. A fur­ther ques­tion posed around wheth­er there was appro­pri­ate resource in place to move this for­ward, con­cern that there is one name in par­tic­u­lar against many items. CEO explained that there had been a lot more strain on Cor­por­ate Ser­vices over the past couple of years through Cov­id from mov­ing the organ­isa­tion off premises and sub­sequently plan­ning for new work­ing arrange­ments. He recog­nised as a res­ult some of the Audit & Risk Recom­mend­a­tions have slipped. He explained that they would be look­ing to recruit new Head of Fin­ance and Oper­a­tions and will begin recruit­ment of that post in June, fol­low­ing SG budget announce­ment on 30th May. This addi­tion­al seni­or staff mem­ber will help to ensure the Author­ity have suf­fi­cient resource to clear out audit recom­mend­a­tions in addi­tion to sup­port­ing wider cor­por­ate work. He noted a huge amount of Board and gov­ernance work over past 2 years has put a strain on the team, while unplan­nable work­loads arising from mat­ters such as applic­a­tion of sanc­tions has taken up time in seni­or man­age­ment. The CEO agreed that man­age­ment do need to go through these recom­mend­a­tions and decide which are still rel­ev­ant and which have been super­seded by oth­er things. Agree­ment that CEO and Dir­ect­or of Cor­por­ate Ser­vices would dis­cuss and come back with a report set­ting out which out­stand­ing recom­mend­a­tions the Author­ity intend con­tin­ued focus on, and the times­cales and have some­thing in writ­ing for the ARC at the next meeting.
  • Dir­ect­or of Cor­por­ate Ser­vices added that this pro­cess was fol­lowed on a bian­nu­al basis whereby Azets flag the com­pleted and super­seded recom­mend­a­tions and get them removed.
  • Dir­ect­or of Cor­por­ate Ser­vices com­men­ted that there were lots of par­tially imple­men­ted recom­mend­a­tions: sev­er­al of them requir­ing the team to go through a pro­cess of devel­op­ment rather than one-off actions to resolve mat­ters, cre­at­ing a pro­cess which in some cases takes a lot of time to get from begin­ning point to end point.
  • Dir­ect­or of Cor­por­ate Ser­vices advised that there had also been a delib­er­ate lower­ing of pri­or­ity for some recom­mend­a­tions – accept­ing the risk of actions remain­ing to be addressed. He sug­ges­ted the Travel and Sub­sist­ence Policy recom­mend­a­tions were a good example of this: it had not been a pri­or­ity to look at Travel and Sub­sist­ence Policy dur­ing Cov­id peri­ods when claims were min­im­al, but now start­ing to look at this again now people are begin­ning to travel again.
  • Mem­ber com­men­ted that a num­ber of actions and pro­cesses tak­ing some time, make real­ist­ic times­cales, some actions are from 2016 which was before Cov­id. CEO reflec­ted that Man­age­ment have accep­ted Audit recom­mend­a­tions that they should not have had at the time: for example, recom­mend­a­tions such as doing annu­al sur­vey of stake­hold­ers on com­mu­nic­a­tions which on reflec­tion would not add value giv­en stake­hold­er engage­ment is what the CNPA does. The CEO referred to the sug­ges­ted action to go through and state which recom­mend­a­tions we will do and which we won’t do in terms of their value to CNPA as a small organisation.
  • The Chair agreed that man­age­ment should look at where the focus should be, and asso­ci­ated times­cales. When tak­ing this for­ward, seni­or officers should be ask­ing do we accept the risk, is it not some­thing we feel we need to pro­por­tion­ally act on.
  • Dir­ect­or of Cor­por­ate Ser­vices added that giv­en the scale of the organ­isa­tion even with addi­tion­al resource, we don’t have lots of slack in the organ­isa­tion. Demand led or unplanned actions such as FOI’s, SG ini­ti­at­ives which require response can sig­ni­fic­antly throw off resource on fol­low­ing up with recom­mend­a­tions and move response timetable. He agreed that a more fun­da­ment­al review of out­stand­ing recom­mend­a­tions would be a valu­able exer­cise at this time.
  • Stephanie Hume advised that it had been a help­ful dis­cus­sion to hear and con­firmed that she would be happy to work with CEO and Dir­ect­or of Cor­por­ate Ser­vices to get the recom­mend­a­tions stream­lined and to include the per­cent­ages complete/​par­tially com­plete and reflect that back.

16. The Audit & Risk Committee:

  • Con­sidered the intern­al aud­it­ors report and findings;
  • Endorsed the man­age­ment responses to recom­mend­a­tions for future action and sys­tem improvements.

17. Action Point arising:

  • Director of Corporate Services together with CEO and Stephanie Hume to review the Follow-up recommendations and associated timescales and come back to the Committee with a report for discussion.

18. Intern­al Audit Pro­gress Report (Paper 4)

Stephanie Hume, Azets, introduced Paper 4 which presents the Internal Auditor’s Progress Report. The report provides the Committee with a summary of internal audit activity since its last meeting and confirms the reviews planned for the coming quarter, identifying, when required, changes to the annual plan, of which for 2022/23 there are none.

19. The Chair thanked Stephanie for the update.

20. The Audit & Risk Com­mit­tee noted the intern­al auditor’s pro­gress report.

21. Action Points arising: None

22. Internal Audit Annual Report 2021/22 (Paper 5)

Stephanie Hume, Azets, introduced Paper 5 which presents the strategic internal audit annual report. Stephanie directed the members to the overall audit opinion for 2021/22 set out on page 3 of the report. This is one of the key considerations for the Committee and the report indicates a positive overall position.

23. Obser­va­tions:

  • Thank you to the intern­al aud­it­ors for the report and con­grat­u­la­tions to the team for the clean bill of health.
  • The Chair commented that when we have done well, terminologies used in audit such as “reasonable” tend to underplay how good the position is.
  • Director of Corporate Services explained that with the additional budget available last year, having taken on Peatland Action Programme as an evolving piece of work, management were conscious some things needed reviewed and believed an independent opinion would be valuable. This was why they asked Azets to carry out a review which was near completion. Once the report was finalised, he will liaise with the Chair and Internal Auditors regarding whether an additional meeting should be called to consider the report or whether this could wait until the next scheduled meeting.

24. The Audit & Risk Committee:

  • Con­sidered the intern­al auditor’s stra­tegic intern­al audit annu­al report;
  • Agreed the internal audit annual report for 2021/22.

25. Action Point arising: Con­sider need for addi­tion­al meet­ing on final­isa­tion of peat­land fund­ing intern­al audit report.

26. Extern­al Audit Update (Oral)

John Boyd, Grant Thornton, provided an oral update on extern­al audit. He made the fol­low­ing points:

  • New Audit Scotland appointments meant that there will be a new external auditor for CNPA for audits of the 2022/23 financial year onwards.
  • No emerging issues from external audit of the 2021/22 finances.

27. The Chair thanked John Boyd for his input to date.

28. The Audit & Risk Com­mit­tee noted the update.

29. Action Points arising: None.

30. Stra­tegic Risk Man­age­ment Update (Paper 6)

Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices, presen­ted Paper 6 which presents the Audit and Risk Committee’s review of the stra­tegic risk man­age­ment pos­i­tion of the Author­ity. He added that the paper presents the most recent update to the Authority’s stra­tegic risk register, fol­low­ing review of risk man­age­ment action and pos­i­tion by the Seni­or Man­age­ment Team in May 2022.

31. Obser­va­tions:

  • Query around Risk A17 and A18: were managers content they are graded amber given the earlier paper on IT Strategy? Director of Corporate Services advised these risks had been reviewed with awareness of the position set out in the internal audit reports, which were felt to reinforce the current amber and continuing rating rather than suggest an escalation. The CEO added that more work on cyber security has been done in the past two years than the Authority has ever done. Director of Corporate Services advised that if the overall perspective of the ARC is that they feel these risk areas should be escalated to red he was more than happy to reflect that. He advised the Committee can also revisit it in next cycles, which gives an opportunity to bring back an update.
  • The Chair com­men­ted that con­sid­er­ing reports looked at today with ref­er­ence to the action that links to train­ing, a slight addi­tion to the risk in the nar­rat­ive could be con­sidered and not alter the rat­ing of the risk. Dir­ect­or of Cor­por­ate Ser­vices agreed to add train­ing as expli­cit mit­ig­at­ing factor in the Stra­tegic Risk Register.
  • Ques­tion raised about redu­cing the grad­ing from red to amber?
  • Mem­ber com­men­ted that the tech­nic­al issues are still there. Dir­ect­or of Cor­por­ate Ser­vices explained a little about sep­ar­at­ing out the stra­tegic risk asso­ci­ated with IT and the trans­ition­al effects of mov­ing onto MS 365. He recog­nised there were some ongo­ing oper­a­tion­al issues and agreed that the risk register should be reviewed again, to ensure the risks around oper­a­tion­al mat­ters impact­ing more widely on effect­ive deliv­ery of stra­tegic out­comes was reflected.

32. The Audit & Risk Com­mit­tee reviewed the Authority’s stra­tegic risk register, agree­ing the fol­low­ing required amend­ments and mit­ig­a­tion actions:

  • Risks A18 and A23 to be removed from the Stra­tegic Risk Register
  • Train­ing to be added to the mit­ig­a­tion of the cyber secur­ity risk
  • Review cov­er­age of IT risks to ensure poten­tial impact of oper­a­tion­al issues on achieve­ment of stra­tegic out­comes is reflected.

33. Action Points arising: As detailed in para­graph 32a‑c.

34. Draft Gov­ernance State­ment (Paper 7)

David Cameron, Director of Corporate Services, presented Paper 7 which presents the draft Governance Statement covering 2021/22 for consideration by the Committee prior to its inclusion in the draft Annual Report and Accounts.

35. Obser­va­tions:

  • Query around the sections of wording that have been highlighted: are these areas modified from previously or highlighted for a reason? Director of Corporate Services explained that the highlighted sections indicated new elements of content, either matters relevant for this year or improvements, clarification and wording changes to prior years’ content, in order to help members see what was new from last time.
  • John Boyd flagged that it would be worth considering some of the narrative, looking at what was relevant, such as changing the wording to say the organisation ‘continues to have cyber secure accreditation’ rather than refer to dates of accreditation. He asked that the ARC consider including the Heritage Horizons programme and its risk management as it is a significant arrangement, worth mentioning specifically. Director of Corporate Services agreed that these were helpful suggestions and would go back through it, to reinforce the currency of some of the elements. He added that they have a well-developed Strategic Risk Register for Heritage Horizons, and it is a good idea to draw that out and put it into the Governance Statement.

36. The Audit & Risk Committee:

  • Con­sidered the draft Gov­ernance State­ment; and
  • Subject to any agreed amendments drawn out in discussion, approved the Governance Statement for inclusion in the Authority’s draft 21/22 Annual Report and Accounts.

37. Action Points arising:

  • Dir­ect­or of Cor­por­ate Ser­vices to amend word­ing to be more cur­rent includ­ing a sen­tence around stat­ing the HH pro­gramme has its own sep­ar­ate agreement.

38. Com­plaints Update (Paper 8)

Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices presen­ted Paper 8, set­ting out a sum­mary of com­plaints handled since the last update to Committee.

39. The Chair asked about the types of com­plaints and wheth­er there is an over­view taken on recur­ring themes or issues that has aris­en and which in some way may be looked at in a wider con­text across the organ­isa­tion? Dir­ect­or of Cor­por­ate Ser­vices advised that as an organ­isa­tion we still do not have a large num­ber of com­plaints. The Head of Organ­isa­tion­al Devel­op­ment has an over­view of the com­plaints com­ing in. Where any­thing com­ing in looks like a wider issue, it is then raised to the Seni­or Man­age­ment Team.

39. The Audit & Risk Com­mit­tee noted the update.

40. Action Points arising: None.

41. AOCB

A Mem­ber repor­ted that he had received com­ments about the Cairngorms Nature Big Week­end (CNBW) being held in the middle of ground bird nest­ing time, and was that a risk? CEO advised that the CNBW was a people ori­ent­ated event that had been going on for 10 years, and this was not in height of sea­son yet. He added that the Author­ity would not take people to sens­it­ive areas and the team use the event as an oppor­tun­ity to pro­mote dogs on leads.

42. The Chair thanked every­one for their con­tri­bu­tions to the meet­ing today.

43. Date of Next Meeting

The next sched­uled Audit and Risk Com­mit­tee meet­ing will take place on Fri­day 26th August 2022.

44. The pub­lic meet­ing fin­ished at 16.10 hours.

Action Points to be appen­ded to minutes in the future

| Ref | Action Detail | Who | When | Status |
|---|---|---|---|---|
| 10/09/2021 (Para 3) | Ongoing Discussion at Board and Governance Committee on risk appetite. Discussions are to be had with internal audit on supporting this work. | David Cameron / Internal Auditors | Scheduled late Q3 or Q4 2022/23 | In Hand |
| 29/10/2021 (Para 8i) | Bring lessons learned on LEADER back as Agenda item to a future AR Committee. | David Cameron | After the programme had finished | Open |
| 29/10/2021 (Para 4i) | Priority to be given to a detailed VAT review during the remainder of 2021 – 22. | David Cameron | Next meeting following Governance Committee | In Hand |
| 29/10/2021 (Para 20i) | Provide AR Committee with timetable for forward planning of meetings. | David Cameron | For May Committee | Open |
| 11/02/22 (Para 10i) | External Auditor to complete audit with targeted sign off | John Boyd | By end of September 2022 | Open |
| 11/02/22 (Para 18i) | Standardisation of project management procedures and terminology. This to be brought back to the ARC to ensure the appropriate language was used. | To be confirmed following recruitment | December 2022 | Open |

Ver­sion 0.2: reviewed by Dir­ect­or of Cor­por­ate Services.

Ver­sion 0.3 reviewed by Com­mit­tee Chair / Vice Chair, not yet agreed by Audit & Risk Committee
