Skip to content
Please be aware the content below has been generated by an AI model from a source PDF.

220930AuCtteePaper7AAAuditCtteeAnnualReport

CAIRNGORMS NATION­AL PARK AUTHORITY

Audit & Risk Com­mit­tee Paper 7 30/09/22

FOR DECISION

Title: AUDIT & RISK COM­MIT­TEE ANNU­AL REPORT

Pre­pared by: DAV­ID CAMER­ON, DIR­ECT­OR OF COR­POR­ATE SERVICES

Pur­pose

To present the draft Audit & Risk Com­mit­tee Report to the Board.

Recom­mend­a­tion

The Audit & Risk Com­mit­tee is reques­ted to:

a) Con­sider the report and; b) Agree any amend­ments to it pri­or to cir­cu­la­tion to the Board.

Exec­ut­ive Summary

The Audit & Risk Com­mit­tee is required to report annu­ally to the full Board on its activ­it­ies over the year, and on the reports presen­ted to the Com­mit­tee by the Authority’s intern­al and extern­al auditors.

This Annu­al Report is presen­ted on behalf of the Audit & Risk Com­mit­tee to cov­er the peri­od of its oper­a­tions from April 2021 to August 2022. The exten­ded peri­od of this report reflects the new timetable which seeks to con­sol­id­ate all com­mit­tees’ annu­al reports to the Board around August to Septem­ber each year.

Back­ground

  1. The Audit & Risk Com­mit­tee is required to report to the full Board on its activ­it­ies over the year, and on the reports presen­ted to the Com­mit­tee by the Authority’s intern­al and extern­al auditors.

  2. This Annu­al Report is presen­ted on behalf of the Audit & Risk Com­mit­tee to cov­er the peri­od of its oper­a­tions from April 2021 to August 2022. The exten­ded peri­od of this report reflects the new timetable which seeks to con­sol­id­ate all com­mit­tees’ annu­al reports to the board around August to Septem­ber each year.

Over­view

  1. The peri­od of this Annu­al Report cov­ers con­sid­er­a­tion of final accounts for 202021 (at the Committee’s meet­ing of Septem­ber 2021), togeth­er with asso­ci­ated reports from Grant Thornton, the Authority’s extern­al auditors.

  2. The Com­mit­tee has also con­tin­ued to have over­sight of the work of the Authority’s intern­al aud­it­ors and con­sider reports issued by them.

  3. The Com­mit­tee has been sup­por­ted over the dur­a­tion of this report­ing peri­od by Azets in the pro­vi­sion of intern­al audit services.

  4. The terms of ref­er­ence of the Com­mit­tee were broadly unchanged in the restruc­ture of the Cairngorms NPA board’s com­mit­tees agreed in June 2021. The Com­mit­tee met five times over the peri­od covered by this report.

Key Activ­it­ies

  1. In addi­tion to man­age­ment reports from the Authority’s Intern­al and Extern­al Aud­it­ors, con­sidered in fur­ther detail below, the Com­mit­tee con­sidered the fol­low­ing issues dur­ing the course of the year:

a) Risk man­age­ment: the Audit & Risk Com­mit­tee has con­tin­ued to take a stra­tegic over­sight of the Authority’s risk man­age­ment strategy and reg­u­larly con­sidered the stra­tegic risk register. The Com­mit­tee has con­sidered the appro­pri­ate­ness of cov­er­age of the stra­tegic risk register sup­port­ing deliv­ery of the Cor­por­ate Plan for 20182022 and trans­ition­al plan for 202223 through­out the peri­od, and scru­tin­ised adequacy of mit­ig­a­tion action, in peri­ods between full Board con­sid­er­a­tions of risk management.

b) Busi­ness Con­tinu­ity Plan (BCP) Deploy­ment, Adapt­a­tion and Risk Man­age­ment: the Com­mit­tee has con­tin­ued to take over­sight of man­age­ments deploy­ment of the Authority’s BCP and has under­taken reg­u­lar reviews of the BCP Risk Register to ensure appro­pri­ate mit­ig­a­tion of risks in BCP deploy­ment had been designed and imple­men­ted, and that pos­it­ive effects of risk man­age­ment have been real­ised as inten­ded. This pro­cess was signed off as no longer mer­it­ing stra­tegic over­sight by the Com­mit­tee as the organ­isa­tion began the move from BCP deploy­ment into hybrid working.

c) Detailed Risk Ana­lys­is: the Com­mit­tee has con­tin­ued the prac­tice in the year of con­sid­er­ing more in depth ana­lys­is of key risks from seni­or man­age­ment. This prac­tice provides an oppor­tun­ity to explore key or increas­ing stra­tegic risks in more detail and eval­u­ate the adequacy of mit­ig­a­tion actions. The Com­mit­tee has con­sidered detailed ana­lys­is of the risks asso­ci­ated with the Her­it­age Hori­zons pro­gramme as it moves through its Devel­op­ment Phase.

d) LEAD­ER: the Author­ity, as lead body for the man­age­ment and admin­is­tra­tion of EU LEAD­ER fund­ing with­in Cairngorms, has a respons­ib­il­ity to arrange for appro­pri­ate intern­al audit of its LEAD­ER activ­it­ies under the terms of the ser­vice level agree­ment with the Scot­tish Gov­ern­ment. The Com­mit­tee has con­sidered intern­al audit reports on the LEAD­ER pro­gramme. The Com­mit­tee can provide assur­ance on the effect­ive admin­is­tra­tion of the LEAD­ER grants from these intern­al audit reports, and of the man­age­ment of the Authority’s poten­tial fin­an­cial liab­il­it­ies arising from our Account­able Body role from scru­tiny of report­ing on stra­tegic risk management.

e) Account­ing Policy and Estim­ates: the Com­mit­tee reviews and agrees account­ing policies and con­siders any sig­ni­fic­ant estim­ates required in the final­isa­tion of the annu­al accounts as part of its con­sid­er­a­tion of final accounts pri­or to their sig­na­ture by the Account­able Officer. There were no sig­ni­fic­ant vari­ations to account­ing policy required in the year, nor were any estim­ates causes of concern.

f) Gov­ernance State­ment: review and approv­al of this state­ment, pri­or to its inclu­sion in the annu­al accounts and pri­or to sig­na­ture by the Account­able Officer.

g) Gov­ernance con­sid­er­a­tions: the Com­mit­tee has con­sidered the devel­op­ment of the Park Authority’s Gov­ernance Respons­ib­il­ity Frame­work and feed­back on the board’s elec­tion process.

h) Best Value and Gov­ernance: the Com­mit­tee con­sidered the review of the terms of ref­er­ence of all board Com­mit­tees fol­low­ing the review of com­mit­tee struc­ture in 2021, and its fit with­in that new struc­ture in order to ensure effect­ive ser­vice deliv­ery with­in the con­text of the work of the wider gov­ernance arrangements.

i) Updates on pro­gress in imple­ment­ing pre­vi­ous audit recom­mend­a­tions: the Com­mit­tee has now imple­men­ted a twice yearly audit review of action taken on pre­vi­ous audit recom­mend­a­tions, sup­ple­men­ted from time to time by man­age­ment reports.

j) Con­sid­er­a­tion and agree­ment of for­ward audit activ­ity plans: the Com­mit­tee, has agreed a for­ward plan of intern­al audit activ­ity and has mon­itored pro­gress in suc­cess­ful deliv­ery of the intern­al audit plan for 202122 with a plan for 202223 agreed and cur­rently under delivery.

k) Let­ter of rep­res­ent­a­tion: the Com­mit­tee con­sidered the draft let­ter of rep­res­ent­a­tion from the Author­ity to Grant Thornton, the extern­al aud­it­or, pri­or to its sig­na­ture by the Account­able Officer as an appro­pri­ate reflec­tion of the Authority’s pos­i­tion for pre­par­a­tion of the accounts for 201920 and con­duct of the Authority’s fin­an­cial and wider con­trol pro­ced­ures over the course of the year.

l) Free­dom of Inform­a­tion (Scot­land) Act (FOISA) and Data Sub­ject Access Requests (DSAR): the Com­mit­tee has provided over­sight of the Authority’s man­age­ment and hand­ling of inform­a­tion requests made under FOISA and DSAR reg­u­la­tions, includ­ing the out­come of a small num­ber of refer­rals made by applic­ant to the Scot­tish Inform­a­tion Com­mis­sion­er. With both an assur­ance and Best Value focus, the Committee’s over­sight of these mat­ters has provided con­firm­a­tion on behalf of the Board of the adequacy and effic­acy of arrange­ments imple­men­ted by man­age­ment to handle inform­a­tion requests and con­tinu­ally learn from exper­i­ence and out­comes of processes.

Intern­al Audit

  1. The Com­mit­tee agree an annu­al intern­al audit work pro­gramme presen­ted by the intern­al auditor.

  2. Over the course of the peri­od of this report, Azets have presen­ted eight man­age­ment reports to the Com­mit­tee. Their find­ings and con­sequent recom­mend­a­tions for action are graded accord­ing to the intern­al aud­it­ors’ assess­ment of the sig­ni­fic­ance of the under­ly­ing weak­ness to the effect­ive man­age­ment of the organisation.

  3. Table One presents a sum­mary of the num­ber and degree of sig­ni­fic­ance of intern­al audit find­ings over the peri­od of this report and com­pares this with his­tor­ic levels. The defin­i­tions used for sig­ni­fic­ance of intern­al audit recom­mend­a­tions have changed slightly with the change in intern­al audit pro­vider from KPMG to BDO. These defin­i­tions are giv­en after the table. The areas audited are also clas­si­fied in terms of over­all effect­ive­ness of the intern­al audit con­trol sys­tems reviews and these clas­si­fic­a­tions are also explained below the table.

Table One: Sum­mary of Intern­al Audit Findings

Intern­al Audit StudyCrit­ic­alHighMod­er­ateLow
201112 Total (7 studies)03149
201213 Total (4 studies)00010
201314 Total (7 studies)01911
201415 Total (4 studies)00513
201516 Total (9 studies)00910
201617 Total (8 studies)n/​a01111
201718 Total (3 studies)n/​a037
201819 Total (9 studies)n/​a1610
201921 Total (9 studies)051621
202122 Total (5 studies)04102

The 202122 stud­ies were:

Very HighHighMod­er­ateLim­ited
LEAD­ER Admin­is­tra­tion (Oct 21)0022
Fin­an­cial Man­age­ment Report­ing (Feb 22)0030
Major Pro­ject Assur­ance (Feb 22)0020
ICT Strategy (May 22)0220
Cyber Secur­ity (May 22)0210
Total for period04102

Key -

Azets defin­i­tion of grades for man­age­ment action recommendations:

a) Very High Risk Expos­ure: major con­cerns requir­ing imme­di­ate seni­or atten­tion that cre­ate fun­da­ment­al risks with­in the organ­isa­tion b) High Risk Expos­ure: absence / fail­ure of key con­trols that cre­ate sig­ni­fic­ant risks with­in the organ­isa­tion c) Mod­er­ate Risk Expos­ure: con­trols are not work­ing effect­ively and effi­ciently and may cre­ate mod­er­ate risks with­in the organ­isa­tion d) Lim­ited Risk Expos­ure: con­trols are work­ing effect­ively, but could be strengthened to pre­vent the cre­ation of minor risks or address gen­er­al house-keep­ing issues.

  1. The Com­mit­tee wel­comes the fact that once again there have been no highest grade recom­mend­a­tions raised by intern­al audit over the course of the peri­od covered by this report. The Com­mit­tee has noted a num­ber of high risk expos­ure recom­mend­a­tions in the more recent reports and will mon­it­or res­ol­u­tion of these mat­ters with­in agreed timetables.

  2. In line with the Authority’s val­ues of trans­par­ency, the Com­mit­tee is made aware of all recom­mend­a­tions made by the intern­al aud­it­ors, through con­sid­er­a­tion of full man­age­ment reports fol­low­ing each audit review.

  3. The Com­mit­tee has agreed man­age­ment responses to all recom­mend­a­tions made and con­tin­ues to mon­it­or pro­gress made. The intern­al aud­it­ors have also con­duc­ted fol­low-up reports and report back to the Com­mit­tee on their findings.

  4. The Com­mit­tee has con­sidered the Intern­al Aud­it­ors’ Annu­al Report for 202122. The intern­al auditor’s annu­al report for the year gives the fol­low­ing over­all opin­ion: In our opin­ion CNPA has a frame­work of gov­ernance, risk man­age­ment and con­trols that provides reas­on­able assur­ance regard­ing the effect­ive and effi­cient achieve­ment of objectives”.

Extern­al Audit

  1. The Authority’s accounts for 202021 received a clear, unqual­i­fied extern­al auditor’s report and opin­ion from Grant Thornton, our extern­al auditors.

  2. The accounts and extern­al auditor’s report for 201920 were con­sidered and approved by the Com­mit­tee at its meet­ing on 10 Septem­ber 2021. The accounts were signed by the Chief Exec­ut­ive as Account­able Officer and passed to Audit Scot­land for sig­na­ture and onward sub­mis­sion to Aud­it­or Gen­er­al and Scot­tish Parliament.

  3. The Audit & Risk Com­mit­tee con­sidered Grant Thornton’s draft report to those charged with gov­ernance on the audit of the 202021 accounts at its meet­ing of 10 Septem­ber 2020. The report high­lighted only one action point, ref­er­en­cing the require­ment to ensure appro­pri­ate pro­cesses and resources were put in place to admin­is­ter and claim the size­able Nation­al Lot­tery Fund Her­it­age Hori­zons grant. This action was accep­ted by man­age­ment and the Com­mit­tee and was an action which man­age­ment were already progressing.

  4. The extern­al audit report noted that the single action point noted in the pri­or year had been fully closed.

  5. The extern­al audit report noted that com­plete draft fin­an­cial state­ments, includ­ing the Per­form­ance Report, Account­ab­il­ity Report and Gov­ernance State­ment with­in the agreed timescales.

Stra­tegic Risk Management

  1. The Authority’s stra­tegic risk register has con­tin­ued to be reviewed and revised as neces­sary through­out this report­ing peri­od by the Com­mit­tee and full Board, ensur­ing it reflects the deliv­ery pri­or­it­ies and stra­tegic envir­on­ment of the Author­ity in its deliv­ery of our new Cor­por­ate Plan for 2018 to 2022 and trans­ition­al plan for 202223. The Board reviews the stra­tegic risk register twice each year, while con­sid­er­ing wider cor­por­ate per­form­ance reports. The Audit & Risk Com­mit­tee will con­tin­ue to review the cov­er­age and adequacy of the stra­tegic risk register in those quar­ters where it is not presen­ted to the full Board.

Con­clu­sions

  1. The Audit & Risk Com­mit­tee con­siders that it has been suc­cess­ful in pro­gress­ing the Board’s gov­ernance and intern­al con­trol pri­or­it­ies dur­ing the peri­od covered by this annu­al report.

  2. The Com­mit­tee wel­comes the work of the Authority’s fin­ance team in once again main­tain­ing a high qual­ity and pro­fes­sion­al fin­an­cial account­ing ser­vice with­in agreed audit times­cales des­pite the var­ied pres­sures of remote work­ing and oth­er BCP and COVID19 impacts. The Com­mit­tee also greatly appre­ci­ates the work of the intern­al and extern­al aud­it­ors in adapt­ing their work­ing prac­tices to deal with the impacts of COVID19 over the last year.

  3. The Com­mit­tee has engaged through the year with issues iden­ti­fied by the Authority’s intern­al and extern­al aud­it­ors, and also by the Authority’s officers. The Com­mit­tee has received full reports on issues raised; con­sidered recom­mend­a­tions made; and approved responses and actions. The Com­mit­tee has shaped and approved the over­all audit plan and guided the dir­ec­tion and approach of the intern­al aud­it­ors and their pro­gramme of work. The Com­mit­tee has also mon­itored deliv­ery against approved action plans.

  4. Both the intern­al and extern­al aud­it­ors’ find­ings provide assur­ance to the Com­mit­tee and Board that the Authority’s intern­al con­trol and gov­ernance object­ives are being met effect­ively by management.

  5. It is also reas­sur­ing for Com­mit­tee mem­bers to see once again that audit recom­mend­a­tions have typ­ic­ally been of a low or mod­er­ate risk level. It is accep­ted that there will always be a range of improve­ments than can be made to ser­vices and con­trols; that these con­trols must con­tin­ue to adapt to chan­ging oper­at­ing and stra­tegic envir­on­ments; and as such a num­ber of recom­mend­a­tions for improve­ment from intern­al audit will always be expec­ted. The Com­mit­tee warmly wel­comes the evid­ence of gen­er­ally effect­ive con­trol sys­tems evid­enced by the reports and very low level of improve­ment recom­mend­a­tions arising from audits over the year.

  6. The Com­mit­tee will con­tin­ue to address key, basic issues of intern­al con­trol and the devel­op­ment of appro­pri­ate pro­cesses with­in the Authority.

  7. The Com­mit­tee will also seek to con­tin­ue to have over­sight of the Authority’s approach to and hand­ling of risk man­age­ment, and of wider aspects of cor­por­ate gov­ernance such as the approach to Best Value and value for money. In par­tic­u­lar, mem­bers will seek to ensure that les­sons are learned from oper­a­tion­al exper­i­ence and that wherever pos­sible reviews of work­ing prac­tices and learn­ing from them lead to improve­ments in our systems.

Dav­id Camer­on, for Audit & Risk Com­mit­tee members:

23 Septem­ber 2022

davidcameron@​cairngorms.​co.​uk

×

We want your feedback

Thank you for visiting our new website. We'd appreciate any feedback using our quick feedback form. Your thoughts make a big difference.

Thank you!

Give feedback