CAIRNGORMS NATIONAL PARK AUTHORITY
Audit & Risk Committee Paper 6 | 30/09/22
Table:
| Audit Finding | Recommendation | Revised Date | July 2022 Review Update And Action | Responsible Officer(s) | Update / Comment | Risk Management |
|---|---|---|---|---|---|---|
| Staff involved in risk management do not receive mandatory risk management training. Management and staff are provided with the opportunity to identify any training needs as part of the formal appraisal process. Whilst a requirement for risk management training could be raised as part of this process, staff with risk management responsibilities are not routinely required to confirm whether they are aware of the organisation's risk management principles and practices. There is a risk that Cairngorms NPA may not be providing appropriate risk management training. | We recommend that, on development of a risk management policy, staff with risk management responsibilities are required to sign a checklist to confirm whether they are aware of the organisation's risk management approach or require further training in this area. | Remove | Not being taken forward. Counter to CNPA culture to have staff sign off on individual job responsibility elements. Performance Development Conversations always open to identify any training needs or uncertainty on processes. | n/a | | |
| CNPA's Financial Regulations are supported by a number of financial policies and process notes. The Finance Management Excel schedule is being developed by management to provide detailed policies and guidance to staff on all key financial processes. However, a number of financial processes, including debtors reconciliations, purchase ledger reconciliations, requisitions and petty cash, still require to be documented within the Finance Management Excel schedule. In addition, step-by-step procedure notes are provided for a number of financial processes within CNPA's Financial Management Procedures, and our walkthrough testing confirmed that key financial processes are operating as described by management. However, there is an opportunity to outline roles and responsibilities within the guidance notes for all processes to clearly document the segregation of duties. There is a risk that procedures and controls in place for key financial processes, including roles and responsibilities, have not been documented appropriately. | We recommend that the Finance Management schedule is updated to provide detailed policies and guidance on all financial processes. These should be reviewed on an annual basis. We also recommend that clear roles and responsibilities demonstrating segregation of duties are documented within the guidance notes for all financial processes. We recognise that management have made progress in developing the schedule and that completion of this was delayed due to the implementation of the new Sage system. | Oct-22 | Finance Manual to be completed by Oct 22 | Finance Manager | | |
| A well-documented and up-to-date procedure is crucial for ensuring that current and future staff have guidance on how to perform their roles in line with best practice. Whilst management are in the process of developing a Grant Toolkit to provide guidance to staff on the awarding, recording and monitoring of grants, this is not yet in place. In addition, whilst a Grant Risk Assessment Matrix template is provided as an appendix to the Grant Toolkit, which is used to determine the level of evaluation and due diligence required for funding applications, this had not been completed for 9 out of the 10 grant awards tested. There is a risk that the process for evaluating and awarding applications for grant funding may not be clearly documented, and staff may not be following the process as a result. | We recommend that the Grant Toolkit is completed, encompassing all processes in place for the awarding, recording and monitoring of grant funding. The toolkit should also clearly define the following: (a) actions to be taken when grant conditions are not being met or terms and conditions are breached; (b) the process for consideration of the risk and value of grant funding applications to determine the proportion of resource required to evaluate these; and (c) review and scrutiny arrangements for progress reports provided by grantees. | Dec-22 | Draw together grant toolkit info plus associated documents, e.g. subsidy control guidance. Complete by Dec 22 | Finance Manager & Director Corporate Services | | |
| Our audit found that the process for data backups can be further improved to ensure the resilience and availability of the network and business data. We noted that currently there is no testing of data backups in line with requirements set out in the IT Security Policy. This requires that backups should be tested "regularly in accordance with an agreed backup plan". However, a formal backup plan has not been defined and there has been no full restore testing of backups from tape media. Also, our testing identified more than one instance of repeat failed backups over a period of several days. There is currently no formal process in place to ensure repeat failures are root-cause investigated and re-run to ensure there are no gaps in data backup availability. There is a risk that business systems and data may not be recoverable following system failure or data corruption. The risk in this area has increased given the growing threat from ransomware attacks. Ransomware works by encrypting files/directories that can then only be unlocked by an attacker. In this situation, an organisation will generally have to default to their offline backups to recover their systems. | We recommend that, as per the requirements of the Security Policy, there is regular full-restore testing of backups, i.e. the full recovery of systems on a bare-metal server using backup media. We also recommend that a formal backup plan/policy is developed to ensure a consistent approach is taken to managing backups, including implementation, monitoring of their success/failure, re-running failed backups and regular testing. | Mar-23 | IT Policies to be revised to reflect cloud-based services as elements of ICT infrastructure, with back-up arrangements and testing procedures incorporated into those updates. | IT Manager, liaising with Governance, Data and Reporting Manager | | |
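An added example, not part of the audit paper or of CNPA's own systems, of the monitoring the backup recommendation calls for: it parses a constructed nightly backup job log, flags jobs whose failures repeat on consecutive days without a successful re-run (the cases the finding says were never root-cause investigated), and reports the gap in days since each job's last good backup. The log format and job names are assumptions.

```python
"""Flag backup jobs whose failures repeat on consecutive days without a
successful re-run. Log format and job names are constructed for this example."""
from collections import defaultdict
from datetime import date

# Constructed nightly backup log, one line per job run.
SAMPLE_LOG = """\
2022-06-01 JOB=fileserver-full STATUS=OK
2022-06-02 JOB=fileserver-full STATUS=FAILED REASON=tape-write-error
2022-06-02 JOB=mail-incremental STATUS=OK
2022-06-03 JOB=fileserver-full STATUS=FAILED REASON=tape-write-error
2022-06-03 JOB=mail-incremental STATUS=FAILED REASON=timeout
2022-06-04 JOB=fileserver-full STATUS=FAILED REASON=tape-write-error
2022-06-04 JOB=mail-incremental STATUS=OK
"""

def parse_log(text):
    """Return (date, job, status) tuples in log order."""
    runs = []
    for line in text.splitlines():
        day, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        runs.append((date.fromisoformat(day), kv["JOB"], kv["STATUS"]))
    return runs

def repeat_failures(runs, min_days=2):
    """Jobs whose latest runs are >= min_days consecutive failures; an OK run
    resets the streak, so a job that was re-run successfully is not flagged."""
    streaks = defaultdict(list)
    for day, job, status in runs:
        streaks[job] = [] if status == "OK" else streaks[job] + [day]
    return {j: d for j, d in streaks.items() if len(d) >= min_days}

def days_since_last_success(runs, today):
    """Backup availability gap per job: days since the last OK run, or None
    if the job has never succeeded within the log."""
    last_ok = {}
    for day, job, status in runs:
        if status == "OK":
            last_ok[job] = day
    return {job: (today - last_ok[job]).days if job in last_ok else None
            for job in {j for _, j, _ in runs}}

if __name__ == "__main__":
    runs = parse_log(SAMPLE_LOG)
    for job, days in repeat_failures(runs).items():
        print(f"{job}: {len(days)} failures since {days[0]}, investigate and re-run")
    print(days_since_last_success(runs, date(2022, 6, 5)))
```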