For Decision

Title: Audit and Risk Com­mit­tee Annu­al Report

Pre­pared by: Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy Chief Executive

Pur­pose

To present the draft Audit & Risk Com­mit­tee Report to the Board.

Recom­mend­a­tions

The Com­mit­tee is asked to:

a) Con­sider the report and; b) Agree any amend­ments to it pri­or to cir­cu­la­tion to the Board.

Exec­ut­ive Summary

The Audit & Risk Com­mit­tee is required to report annu­ally to the full Board on its activ­it­ies over the year, and on the reports presen­ted to the Com­mit­tee by the Authority’s intern­al and extern­al auditors.

This Annu­al Report is presen­ted on behalf of the Audit & Risk Com­mit­tee to cov­er the peri­od of its oper­a­tions from Septem­ber 2022 to Septem­ber 2023.

Back­ground

1. The Audit & Risk Com­mit­tee is required to report to the full Board on its activ­it­ies over the year, and on the reports presen­ted to the Com­mit­tee by the Authority’s intern­al and extern­al auditors.
2. This Annu­al Report is presen­ted on behalf of the Audit & Risk Com­mit­tee to cov­er the peri­od of its oper­a­tions from Septem­ber 2022 to Septem­ber 2023.

Over­view

1. The peri­od of this Annu­al Report cov­ers con­sid­er­a­tion of final accounts for ²⁰²¹⁄₂₂. The final­isa­tion of these accounts was delayed as a con­sequence of lack of extern­al audit staff resource at Grant Thornton, the Authority’s extern­al auditors.
2. The accounts and final audit report were reviewed at an added meet­ing of the Com­mit­tee on 13 Janu­ary 2023.
3. Respons­ib­il­ity for extern­al audit has now passed to Maz­ars as a new appoint­ment estab­lished by the Aud­it­or Gen­er­al for Scot­land, with effect from the audit of the ²⁰²²⁄₂₃ accounts.
4. The Com­mit­tee has been sup­por­ted over the dur­a­tion of this report­ing peri­od by Azets in the pro­vi­sion of intern­al audit ser­vices. The Com­mit­tee has con­tin­ued to have over­sight of the work of the Authority’s intern­al aud­it­ors and con­sidered reports issued by them in full.
5. The terms of ref­er­ence of the Com­mit­tee were broadly unchanged in the restruc­ture of the Cairngorms NPA board’s com­mit­tees agreed in June 2021. The Com­mit­tee has con­tin­ued to work to these terms of ref­er­ence over the dur­a­tion of this report­ing peri­od and met six times over the peri­od covered by this report.
6. The Com­mit­tee has had prob­lems over the course of the report­ing peri­od in secur­ing a quor­um for a num­ber of its meet­ings. The Com­mit­tee recog­nises that its mem­ber­ship has been par­tic­u­larly impacted by turnover in mem­ber­ship. While the board has con­sidered the intern­al auditor’s sug­ges­tion that a reduced quor­um is con­sidered for meet­ings in line with many oth­er organ­isa­tions’ Audit and Risk Com­mit­tees, the board has instead agreed to imple­ment a sys­tem to sup­port nom­in­a­tion of sub­sti­tutes to meet­ings from with­in the board.

Key Activ­it­ies

1. In addi­tion to man­age­ment reports from the Authority’s Intern­al and Extern­al Aud­it­ors, con­sidered in fur­ther detail below, the Com­mit­tee con­sidered the fol­low­ing issues dur­ing the course of the year:

a) Risk man­age­ment: the Audit & Risk Com­mit­tee has con­tin­ued to take a stra­tegic over­sight of the Authority’s risk man­age­ment strategy and reg­u­larly con­sidered the stra­tegic risk register. The Com­mit­tee has con­sidered the appro­pri­ate­ness of cov­er­age of the stra­tegic risk register sup­port­ing deliv­ery of the trans­ition­al plan for ²⁰²²⁄₂₃ and com­mence­ment of the Cor­por­ate Plan for 2023 to 2027 in the peri­od, and scru­tin­ised adequacy of mit­ig­a­tion action, in peri­ods between full Board con­sid­er­a­tions of risk man­age­ment. b) Detailed Risk Ana­lys­is: the Com­mit­tee has con­tin­ued the prac­tice in the year of con­sid­er­ing more in depth ana­lys­is of key risks from seni­or man­age­ment. This prac­tice provides an oppor­tun­ity to explore key or increas­ing stra­tegic risks in more detail and eval­u­ate the adequacy of mit­ig­a­tion actions. The Com­mit­tee has con­sidered detailed ana­lys­is of the risks asso­ci­ated with the Her­it­age Hori­zons pro­gramme as it moves through its Devel­op­ment Phase. c) Risk Appet­ite: the Com­mit­tee con­sidered the out­come of the board’s risk appet­ite work­shop and will con­tin­ue to have over­sight of the integ­ra­tion of risk appet­ite into revised stra­tegic risk man­age­ment approaches, in advance of present­a­tion of a revised stra­tegic risk man­age­ment approach to the full board. d) Assur­ance Map­ping: the Com­mit­tee worked with the intern­al aud­it­ors in con­sid­er­ing the Park Authority’s assur­ance map­ping frame­work, to assist with estab­lish­ing appro­pri­ate gov­ernance struc­tures with­in the organ­isa­tion. e) Account­ing Policy and Estim­ates: the Com­mit­tee reviews and agrees account­ing policies and con­siders any sig­ni­fic­ant estim­ates required in the final­isa­tion of the annu­al accounts as part of its con­sid­er­a­tion of final accounts pri­or to their sig­na­ture by the Account­able Officer. There were no sig­ni­fic­ant vari­ations to account­ing policy required in the year, nor were any estim­ates causes of con­cern. f) Gov­ernance State­ment: review and approv­al of this state­ment, pri­or to its inclu­sion in the annu­al accounts and pri­or to sig­na­ture by the Account­able Officer. g) Fol­low up on extern­al audit: the Com­mit­tee has main­tained over­sight of the issues with extern­al audit resourcing and delays in timetable, com­mu­nic­at­ing with the Aud­it­or Gen­er­al for Scot­land on these mat­ters on behalf of the board. h) Updates on pro­gress in imple­ment­ing pre­vi­ous audit recom­mend­a­tions: the Com­mit­tee has main­tained a twice yearly audit review of action taken on pre­vi­ous audit recom­mend­a­tions, sup­ple­men­ted from time to time by man­age­ment reports. i) Con­sid­er­a­tion and agree­ment of for­ward audit activ­ity plans: the Com­mit­tee has agreed a for­ward plan of intern­al audit activ­ity and has mon­itored pro­gress in suc­cess­ful deliv­ery of the intern­al audit plan for ²⁰²²⁄₂₃ with a plan for ²⁰²³⁄₂₄ agreed and cur­rently under deliv­ery. j) Let­ter of rep­res­ent­a­tion: the Com­mit­tee con­sidered the draft let­ter of rep­res­ent­a­tion from the Author­ity to Grant Thornton, the extern­al aud­it­or, pri­or to its sig­na­ture by the Account­able Officer as an appro­pri­ate reflec­tion of the Authority’s pos­i­tion for pre­par­a­tion of the accounts for ²⁰²¹⁄₂₂ and con­duct of the Authority’s fin­an­cial and wider con­trol pro­ced­ures over the course of the year. k) Free­dom of Inform­a­tion (Scot­land) Act (FOISA) and Data Sub­ject Access Requests (DSAR): the Com­mit­tee has provided over­sight of the Authority’s man­age­ment and hand­ling of inform­a­tion requests made under FOISA and DSAR reg­u­la­tions, includ­ing the out­come of a small num­ber of refer­rals made by applic­ant to the Scot­tish Inform­a­tion Com­mis­sion­er. With both an assur­ance and Best Value focus, the Committee’s over­sight of these mat­ters has provided con­firm­a­tion on behalf of the Board of the adequacy and effic­acy of arrange­ments imple­men­ted by man­age­ment to handle inform­a­tion requests and con­tinu­ally learn from exper­i­ence and out­comes of processes.

Intern­al Audit

1. The Com­mit­tee agreed an annu­al intern­al audit work pro­gramme presen­ted by the intern­al auditor.
2. Over the course of the peri­od of this report, Azets have presen­ted eight man­age­ment reports to the Com­mit­tee. Their find­ings and con­sequent recom­mend­a­tions for action are graded accord­ing to the intern­al aud­it­ors’ assess­ment of the sig­ni­fic­ance of the under­ly­ing weak­ness to the effect­ive man­age­ment of the organisation.
3. Table One presents a sum­mary of the num­ber and degree of sig­ni­fic­ance of intern­al audit find­ings over the peri­od of this report and com­pares this with his­tor­ic levels. The defin­i­tions used for sig­ni­fic­ance of intern­al audit recom­mend­a­tions have changed slightly with the change in intern­al audit pro­vider from KPMG to BDO. These defin­i­tions are giv­en after the table. The areas audited are also clas­si­fied in terms of over­all effect­ive­ness of the intern­al audit con­trol sys­tems reviews and these clas­si­fic­a­tions are also explained below the table.

Table One: Sum­mary of Intern­al Audit Findings

Intern­al Audit Study	Crit­ic­al	High	Mod­er­ate	Low
2011⁄12 Total (7 studies)	0	3	14	9
2012⁄13 Total (4 studies)	0	0	0	10
2013⁄14 Total (7 studies)	0	1	9	11
2014⁄15 Total (4 studies)	0	0	5	13
2015⁄16 Total (9 studies)	0	0	9	10
2016⁄17 Total (8 studies)	n/​a	0	11	11
2017⁄18 Total (3 studies)	n/​a	0	3	7
2018⁄19 Total (9 studies)	n/​a	1	6	10
2019⁄21 Total (9 studies)	0	5	16	21
2021⁄22 Total (5 studies)	0	4	10	2
2022⁄23 Total (6 studies)	2	9	11	5

The ²⁰²²⁄₂₃ stud­ies were:

	Very High	High	Mod­er­ate	Lim­ited
Peat­land Pro­gramme (Sep 22)	2	6	1	0
Per­form­ance Man­age­ment (Sep 22)	0	0	3	0
Work­force Man­age­ment (Sep 22)	0	1	1	0
LEAD­ER Admin­is­tra­tion (Sep 22)	0	0	1	1
Data Man­age­ment (Dec 22)	0	2	0	0
Payroll and Expenses (Mar 22)	0	0	5	4
Total for period	2	9	11	5

Key — Azets defin­i­tion of grades for man­age­ment action recommendations:

a) Very High Risk Expos­ure: major con­cerns requir­ing imme­di­ate seni­or atten­tion that cre­ate fun­da­ment­al risks with­in the organ­isa­tion. b) High Risk Expos­ure: absence / fail­ure of key con­trols that cre­ate sig­ni­fic­ant risks with­in the organ­isa­tion. c) Mod­er­ate Risk Expos­ure: con­trols are not work­ing effect­ively and effi­ciently and may cre­ate mod­er­ate risks with­in the organ­isa­tion. d) Lim­ited Risk Expos­ure: con­trols are work­ing effect­ively, but could be strengthened to pre­vent the cre­ation of minor risks or address gen­er­al house-keep­ing issues.

1. The Com­mit­tee recog­nises that the risk pro­file of audit recom­mend­a­tions for action and improve­ment of intern­al con­trols has increased over the course of the year. This to a degree recog­nises the rel­at­ively new areas of ser­vice being under­taken by the Park Author­ity, such as tak­ing on full respons­ib­il­ity for the peat­land res­tor­a­tion pro­gramme, togeth­er with sig­ni­fic­ant changes to our oper­at­ing envir­on­ment as the organ­isa­tion trans­itions to a hybrid work­ing envir­on­ment. Nine of the 27 recom­mend­a­tions raised over the last 12 month peri­od relate to the rel­at­ively new and devel­op­ing peat­land res­tor­a­tion pro­gramme, high­light­ing the increased level of audit recom­mend­a­tions likely to be brought up in new or nov­el areas of oper­a­tions as opposed to in more mature oper­at­ing sys­tems. Both ​“very high risk” expos­ure recom­mend­a­tions on the peat­land res­tor­a­tion pro­gramme were acted on imme­di­ately. Indeed, man­age­ment aware­ness of the devel­op­ing con­trol sys­tems in this area led to the request through the Com­mit­tee for the review of pro­cesses in place with­in the peat­land pro­gramme to sup­port man­age­ment con­sid­er­a­tion of sys­tems improvement.
2. The Com­mit­tee has noted a num­ber of high risk expos­ure recom­mend­a­tions in the more recent reports and will mon­it­or res­ol­u­tion of these mat­ters with­in agreed timetables.
3. In line with the Authority’s val­ues of trans­par­ency, the Com­mit­tee is made aware of all recom­mend­a­tions made by the intern­al aud­it­ors, through con­sid­er­a­tion of full man­age­ment reports fol­low­ing each audit review.
4. The Com­mit­tee has agreed man­age­ment responses to all recom­mend­a­tions made and con­tin­ues to mon­it­or pro­gress made. The intern­al aud­it­ors have also con­duc­ted fol­low-up reports and report back to the Com­mit­tee on their find­ings. The Com­mit­tee is aware of some lag in man­age­ment action against out­stand­ing audit recom­mend­a­tions, as a con­sequence of the pres­sure of work in under­tak­ing remedi­al work while at the same time devel­op­ing and sup­port­ing new sys­tems and the increas­ing scale of the organ­isa­tion. The most recent update report presen­ted pos­it­ive over­all move­ment in the num­bers of out­stand­ing audit actions to be addressed. The Com­mit­tee will con­tin­ue to mon­it­or the pos­i­tion closely to ensure appro­pri­ate resources are dir­ec­ted toward address­ing audit recommendations.
5. The Com­mit­tee has con­sidered the Intern­al Aud­it­ors’ Annu­al Report for ²⁰²²⁄₂₃. The intern­al auditor’s annu­al report for the year gives the fol­low­ing over­all opin­ion: ​“In our opin­ion, Cairngorms Nation­al Park Author­ity has a frame­work of gov­ernance, risk man­age­ment and con­trols that provides reas­on­able assur­ance regard­ing the effect­ive and effi­cient achieve­ment of object­ives. We note how­ever a sig­ni­fic­ant num­ber of audit actions remain out­stand­ing from pre­vi­ous years, some of which are now aged”.

Extern­al Audit

1. The Authority’s accounts for ²⁰²¹⁄₂₂ received a clear, unqual­i­fied extern­al auditor’s report and opin­ion from Grant Thornton, our extern­al auditors.
2. The accounts and extern­al auditor’s report for ²⁰²¹⁄₂₂ were con­sidered and approved by the Com­mit­tee at its meet­ing on 13 Janu­ary 2023. The accounts were signed by the Chief Exec­ut­ive as Account­able Officer and passed to Audit Scot­land for sig­na­ture and onward sub­mis­sion to Aud­it­or Gen­er­al and Scot­tish Par­lia­ment. The accounts were cleared to be laid in Par­lia­ment on 20 Janu­ary 2023.
3. The Audit & Risk Com­mit­tee con­sidered Grant Thornton’s draft report to those charged with gov­ernance on the audit of the ²⁰²⁰⁄₂₁ accounts at its meet­ing of 13 Janu­ary 2023. The report high­lighted two action points: con­sid­er­a­tion of poten­tial to sim­pli­fy the accounts and ledger struc­ture and explore the poten­tial to use account­ing soft­ware func­tion­al­ity more fully; and con­sid­er­ing appro­pri­ate gov­ernance and con­trol struc­tures around the Park Authority’s cyber risks. These actions were accep­ted by man­age­ment and the Com­mit­tee and was an action which man­age­ment were already progressing.
4. The extern­al audit report noted that the single action point noted in the pri­or year had been fully closed.
5. The extern­al audit report noted that com­plete draft fin­an­cial state­ments, includ­ing the Per­form­ance Report, Account­ab­il­ity Report and Gov­ernance State­ment, were provided with­in the agreed timescales.

Stra­tegic Risk Management

1. The Authority’s stra­tegic risk register has con­tin­ued to be reviewed and revised as neces­sary through­out this report­ing peri­od by the Com­mit­tee and full Board, ensur­ing the Park Author­ity con­tin­ues to man­age its stra­tegic risk envir­on­ment while trans­ition­ing into a new Cor­por­ate Plan peri­od and revis­ing its approach to stra­tegic risk man­age­ment and risk appet­ite. The Audit & Risk Com­mit­tee has con­tin­ued to review the cov­er­age and adequacy of the stra­tegic risk register in those quar­ters where it is not presen­ted to the full Board, and has incor­por­ated assur­ance over risk man­age­ment of the Cairngorms 2030 Pro­gramme ensur­ing any stra­tegic risk implic­a­tions to the Park Author­ity as a whole are recog­nised and incor­por­ated in our risk man­age­ment framework.

Con­clu­sions

1. The Audit & Risk Com­mit­tee con­siders that it has been suc­cess­ful in pro­gress­ing the Board’s gov­ernance and intern­al con­trol pri­or­it­ies dur­ing the peri­od covered by this annu­al report.
2. The Com­mit­tee wel­comes the work of the Authority’s fin­ance team in once again main­tain­ing a high qual­ity and pro­fes­sion­al fin­an­cial account­ing service.
3. The Com­mit­tee has engaged through the year with issues iden­ti­fied by the Authority’s intern­al and extern­al aud­it­ors, and also by the Authority’s officers. The Com­mit­tee has received full reports on issues raised; con­sidered recom­mend­a­tions made; and approved responses and actions. The Com­mit­tee has shaped and approved the over­all audit plan and guided the dir­ec­tion and approach of the intern­al aud­it­ors and their pro­gramme of work. The Com­mit­tee has also mon­itored deliv­ery against approved action plans.
4. Both the intern­al and extern­al aud­it­ors’ find­ings provide assur­ance to the Com­mit­tee and Board that the Authority’s intern­al con­trol and gov­ernance object­ives are being met effect­ively by management.
5. It is also reas­sur­ing for Com­mit­tee mem­bers to see once again that audit recom­mend­a­tions have typ­ic­ally been of a low or mod­er­ate risk level, while recog­nising the cov­er­age of some of the Park Authority’s new­er ser­vice areas has pushed the risk pro­file of recom­mend­a­tions high­er over the course of the last report­ing peri­od. It is accep­ted that there will always be a range of improve­ments than can be made to ser­vices and con­trols; that these con­trols must con­tin­ue to adapt to chan­ging oper­at­ing and stra­tegic envir­on­ments; and as such a num­ber of recom­mend­a­tions for improve­ment from intern­al audit will always be expec­ted. The Com­mit­tee warmly wel­comes the evid­ence of atten­tion to intern­al con­trol sys­tems by man­age­ment and gen­er­ally effect­ive con­trol sys­tems evid­enced by the annu­al intern­al audit reports.
6. The Com­mit­tee will con­tin­ue to address key, basic issues of intern­al con­trol and the devel­op­ment of appro­pri­ate pro­cesses with­in the Authority.
7. The Com­mit­tee will also seek to con­tin­ue to have over­sight of the Authority’s approach to and hand­ling of risk man­age­ment, and of wider aspects of cor­por­ate gov­ernance such as the approach to Best Value and value for money. In par­tic­u­lar, mem­bers will seek to ensure that les­sons are learned from oper­a­tion­al exper­i­ence and that wherever pos­sible reviews of work­ing prac­tices and learn­ing from them lead to improve­ments in our systems.

Dav­id Camer­on, for Audit & Risk Com­mit­tee members:

11 Septem­ber 2023

davidcameron@​cairngorms.​co.​uk