Cairngorms National Park Authority
Internal Audit Report
Management Action Follow-up – 2022⁄23
November 2022
Introduction and background
Introduction
As part of the internal audit programme we have undertaken a follow up review to provide the Audit & Risk Committee with assurance that management actions agreed in previous internal audit reports have been implemented appropriately. This report summarises the progress made by management in implementing agreed management actions.
Scope
We have reviewed all open management actions and liaised with Cairngorms National Park Authority staff to obtain an update on their implementation progress. For recommendations graded priority 3 or above, we request evidence to validate completion of any actions marked for closure by management.
For all actions raised by the prior Internal Auditor (BDO) we have aligned their risk assessments to the Azets risk grading structure (per Appendix 3).
Action for Audit & Risk Committee
The Committee is asked to note the progress made by management in implementing agreed management actions. The Committee is also asked to consider and approve those actions for which revised timescales have been provided by management (these are detailed at Appendix 2).
Summary of progress
The table below shows the movement in the audit actions in the period from May 2022 to November 2022:
Movement in the period | Number of Actions |
---|---|
Open actions brought forward | 35 |
Actions added to tracker | 23 |
Total actions to follow-up | 58 |
Actions closed | 14 |
Actions complete pending evidence | 3 |
Open actions carried forward | 41 |
Status of Actions as at November 2022
We have confirmed that fourteen actions (24%) were completed in the period to November 2022, with a further three (5%) complete pending the provision of evidence. 12 (21%) have been assessed as partially complete, 13 (22%) are incomplete and 16 actions (27%) were not yet due at the time of our validation work.
Further detail on all actions that have passed their original due date for completion is included at Appendix 2.
Particular attention should be paid to those that are assessed as high or very high risk and those which have become aged.
A summary of the status of actions by report is shown at Appendix 1.
(Insert chart here)
Open Internal audit actions
Of the 41 outstanding actions, 25 (60%) have passed their original completion date.
17 of these actions have been assessed as grade 1 or 2 (limited or moderate risk exposure). Although this is lower than in previous reports, it remains a high number of outstanding actions. Management should therefore take a view on whether the organisation has the appropriate resource in place to move these actions forward, or whether it is willing to accept the risk in place, in particular for those assessed as grade 1.
(Insert chart here)
Appendix 1: Action status by report
Report title | Complete | Complete Pending Evidence | NLA | Partially complete | Incomplete | Not Yet Due | Total |
---|---|---|---|---|---|---|---|
Financial Processes | | | | 1 | | | 1 |
Grant Funding & Management | | | | | 1 | | 1 |
2016⁄17 sub-total | | | | 1 | 1 | | 2 |
Partnership Management | | | | | 1 | | 1 |
Business Continuity Planning | | | | 2 | | | 2 |
2018⁄19 sub-total | | | | 2 | 1 | | 3 |
Payroll Administration | 1 | 2 | | | | | 3 |
Risk Management | | | | 1 | | | 1 |
Expense Claims Process | 5 | | | | 1 | | 6 |
Staff Objective Setting & Appraisal | | | | 1 | | | 1 |
FOISA and EIR Requests | 2 | | | 2 | | | 4 |
2019⁄20 sub-total | 8 | 2 | | 4 | 1 | | 15 |
COVID Recovery | | | | | 2 | | 2 |
Corporate Governance | 1 | | | 1 | | | 2 |
Data Management | 1 | 1 | | 2 | | | 4 |
2020⁄21 sub-total | 2 | 1 | | 3 | 2 | | 8 |
LEADER Programme | 1 | | | 1 | | | 2 |
Financial Management and Reporting | | | | 1 | 1 | | 2 |
Assurance Mapping of Major Projects | | | | | 1 | | |
Cyber Security Review | | | | | 2 | 1 | 3 |
ICT Strategy | 2 | | | | 2 | | 4 |
Peatland Action Programme Set Up | | | | | 2 | 7 | 9 |
2021⁄22 sub-total | 3 | | | 2 | 8 | 10 | 23 |
LEADER Programme | | | | | | 2 | 2 |
Performance Management | 1 | | | | | 2 | 3 |
Workforce Management and Planning | | | | | | 2 | 2 |
2022⁄23 sub-total | 1 | | | | | 6 | 7 |
Grand totals | 14 | 3 | | 12 | 13 | 16 | 58 |
Appendix 2: Summary of outstanding actions past their original due date
Report / Action | Recommendation | Action Owner | Grade | Original timescale | Revised timescale | Update as at November 2022 | Status |
---|---|---|---|---|---|---|---|
2016⁄17 Financial Processes | We recommend that the Finance Management schedule is updated to provide detailed policies and guidance on all financial processes. These should be reviewed on an annual basis. We also recommend that clear roles and responsibilities demonstrating segregation of duties are documented within the guidance notes for all financial processes. We recognise that management have made progress in developing the schedule and that completion of this was delayed due to the implementation of the new Sage system. | Finance Manager | 1 | Jun 17 | Dec 22 | Finance Manual to be completed by Oct 22 | Partially Complete |
2016⁄17 Grant Funding & Management | We recommend that the Grant Toolkit is completed, encompassing all processes in place for the awarding, recording and monitoring of grant funding. The toolkit should also clearly define the following: (a) actions to be taken when grant conditions are not being met or terms and conditions are breached; (b) the process for consideration of the risk and value of grant funding applications to determine the proportion of resource required to evaluate these; and (c) review and scrutiny arrangements for progress reports provided by grantees. | Director of Corporate Services | 2 | Sep 17 | Mar 23 | Draw together grant toolkit info plus associated documents, e.g. subsidy control guidance. Complete by Mar 23 | Incomplete |
2018⁄19 Partnership Management | We understand that there are already plans to improve the engagement process further by implementing a Customer Relationship Management System (CRM). We recommend that the | Director of Corporate Services | 1 | Jun 19 | Sep 23 | Development and implementation of SharePoint within our records management policy direction is the immediate priority for work from Q2 22⁄23. Implementation of CRM will follow on from that. | Incomplete |
2018⁄19 Business Continuity Planning | We recommend that CNPA develops a testing plan/schedule for BCP which should be reviewed regularly to ensure a strategic approach to testing is developed and implemented. This plan should ensure that varying categories of events are scheduled to be tested on a regular basis based upon likelihood and overall risk. A formal testing schedule should also be developed for the DRP. We note that the BCP states that testing of the BCP and DRP should be annual, with consideration given to a daily ‘table top’ exercise. However, from discussions with management, it is understood that this is not achievable due to the size of the organisation. Therefore, Management should decide on the most suitable frequency of testing, and this should be detailed within the BCP. In addition, we recommend that the outcomes, lessons learned and required actions are formally documented, and thereafter reflected within the plan for each test. | Director of Corporate Services to coordinate team | 2 | Nov 19 | Aug 23 | Initial focus with resources available will be on continuing process of developing hybrid working arrangements as we establish new operating norms. Will work to review BCP in light of experience and test systems by summer of 2023. | Partially Complete |
2018⁄19 Business Continuity Planning | We recommend that the Authority implements business continuity training for all staff. Regular refresher training should be provided going forward, and the Authority should ensure it records all training for each staff member and obtains sufficient evidence of attendance/completion. | Director of Corporate Services to coordinate team | 2 | Nov 19 | Nov 23 | BCP training should follow review and testing therefore schedule for Autumn 2023 | Partially Complete |
2019⁄20 Risk Management | We recommend that, on a periodic basis (for example every two years, to align with the start and mid-point of the Corporate Plan cycle), management carries out a full-scale risk identification process for the risk register. | Director of Corporate Services | 1 | May 20 | Jun 23 | Risk register to be established from first principles as part of 2023 to 2027 Corporate Plan process | Partially Complete |
2019⁄20 Expense Claims Process | We recommend that CNPA assesses the costs vs benefits of introducing an electronic expense system, which will allow for expense claims to be effectively processed. An expense system should allow for the full process to be handled electronically, from creating claims and attaching supporting documentation (photos/scans/electronic versions) to the approval and payment of claims. Approvals can also be provided remotely, which would reduce delays in obtaining approval on hard copy claim forms. | Finance Manager | 1 | Aug 20 | Jun 23 | We will investigate by June 23 within functionality of current HR and Finance systems and take landing on possibility of a digitised expenses system by this date. | Incomplete |
2019⁄20 Staff Objective Setting & Appraisal | We recommend that line managers are reminded of the importance of properly recording their review and approval of job plans. | Kate Christie | 1 | Immediate and ongoing | Mar 23 | Review of policy in hand — now likely to be completed in Q4 | Partially Complete |
2019⁄20 FOISA and EIR Requests | We recommend CNPA creates guidelines for staff when searching for information for FOISA & EIR requests, such as how to undertake keyword searches in records | Vicky Walker | 1 | Jul 20 | Dec 22 | New guidelines for searching for information will be developed alongside the SharePoint user guide and implementation. | Partially Complete |
2019⁄20 FOISA and EIR Requests | We recommend CNPA reviews and updates its Publication Scheme. We recommend CNPA reviews all information it holds with an aim to publish as much as possible to ensure transparency and reduce FOI requests. | Vicky Walker | 1 | Dec 20 | Dec 22 | This will be reviewed in line with the Records Management plan which needs to be updated and resubmitted to NRS by Summer 2023. | Partially Complete |
2020⁄21 Corporate Governance | Management should ensure that all Board members have received risk management training. We support the proposed finance training programme by the Finance and Delivery Committee and recommend that all board members attend this training. | Director of Corporate Services | 3 | Sep 21 | Mar 23 | In hand for Mar 23 | Partially Complete |
2020⁄21 COVID Recovery | Management should: • Continue to work through the BCP cycle. • Ensure staff have a sufficient knowledge of the BCP process and terminology to adequately complete the stages associated with risk assessments. • Expand the BCP content in relation to the governance structure and scope, in line with the points identified above. | Office Services Manager | 2 | Mar 21 | Aug 23 | Initial focus with resources available will be on continuing process of developing hybrid working arrangements as we establish new operating norms. Will work to review BCP in light of experience and test systems by summer of 2023. | Incomplete |
2020⁄21 COVID Recovery | An outline communication strategy should be developed, which includes centralised and non-centralised channels, as well as support for staff who are unable to access systems. | Office Services Manager | 1 | Jul 21 | Aug 23 | Initial focus with resources available will be on continuing process of developing hybrid working arrangements as we establish new operating norms. Will work to review BCP in light of experience and test systems by summer of 2023. | Incomplete |
2020⁄21 Data Management | We recommend that the organisation reviews and updates all three policies to ensure that they reflect the latest data protection legislation and reflect current organisational practices. Specifically, the Authority should ensure that information contained within each policy is consistent. The Authority should ensure that the owner for each policy is updated, recorded, and going forward, it should ensure that policies are reviewed annually in line with the review frequency documented. | Office Services Manager | 2 | May 21 | Aug 23 | Records management policy will be updated in line with SharePoint implementation (Jan 22) and the revised Records Management Plan which is to be submitted to NRS by Summer 2023. | Partially Complete |
2020⁄21 Data Management | We recommend that the Authority ensure that data audits are conducted annually in line with the policy. These audits should sample various directorates to ensure that storage and management of files adhere to the Records Management Policy. Specifically, this audit should consider compliance with data retention and disposal requirements, version control requirements and access and security requirements. The output of this audit should be documented and the Head of Service for each area should be given recommended actions, as necessary. We also recommend that directorates each take ownership of their own folders and conduct more regular compliance checks within their own teams to ensure that their files comply with the Records Management Policy. | Head of Organisational Development | 3 | May 21 | Dec 22 | We have initiated a data audit as part of the implementation of SharePoint within the migration to MS365. This process is underway, is likely to be impacted by short-term interruption during 2022⁄23 as a consequence of staff turnover; and will be prioritised following recruitment. | Partially Complete |
2021⁄22 LEADER Programme | Management should ensure that feedback on CNPA internal processes is obtained and, where appropriate, fed into Scottish Government reviews on programme processes. In addition, management should develop a lessons learned action log and ensure this is monitored by a relevant person(s) within the CNPA management structure. | LEADER Programme Manager | 2 | Mar 22 | Apr 23 | Nov 2022 — as stated in April 2022 we are still in the process of collating lessons learned from the previous LEADER programme, two Cairngorms Trust grant programmes which are running until Sept 23 and the Community Led Vision Fund which runs until Mar 23. A report will be written which will encompass all of the above and submitted as part of our work for the Heritage Horizons 2030 programme Development phase. | Partially Complete |
2021⁄22 Financial Management and Reporting | Management should document and communicate the financial responsibilities of staff with financial authority, ensuring that all staff formally acknowledge their responsibilities. | Finance Manager and Management Accountant | 2 | Jun 22 | Jan 23 | Scheme of delegation approved. Acknowledgement processes to be implemented. Currently in draft. | Partially Complete |
2021⁄22 Financial Management and Reporting | Recommendation agreed. Budget Management Policy will be developed, approved and circulated to relevant staff. | Finance Manager and Management Accountant | 2 | Sep 22 | Dec 22 | Finance Manual to be completed by Oct 22. | Incomplete |
2021⁄22 Assurance Mapping of Major Projects | Management should put in place a project plan for implementation of the new project management approach. This may include the use of stage plans to help with maintaining flexibility over how the overall approach develops. In addition, management should ensure that this plan includes appropriate communications to explain any jargon or specific terminology. | Governance and Reporting Manager | 2 | 30/09/2022 | | No update received | Incomplete |
2021⁄22 Peatland Action Programme Set Up | Management should ensure that contract award responsibility is included within MAP 2.1 and CNPA Project Officers obtain | Deputy Chief Executive for instruction to enforce terms and conditions requirements | 3 | Sep 22 | | No update received | Incomplete |
2021⁄22 Peatland Action Programme Set Up | Management should update the programme monitoring tools to provide sufficient information to manage the programme effectively including detailing progress with each of the stages within the core grant process for each project. Programme and action trackers used in other | Peatland Action Programme Managers | 3 | Oct 22 | | No update received | Incomplete |
2021⁄22 ICT Strategy | We recommend that the action plan within the IT and Data Strategy is updated to include action owners and delivery dates. There should be regular reporting to the SMT on the progress of the completion of actions. We recommend that when the new CNPA Corporate Plan is established a new IT and Data Strategy should be developed aligned with the corporate plan. The Strategy should also be reviewed with the approval of the Strategy by the appropriate oversight group, fully documented and included within the document’s version control. | Project plan: Information Systems Manager. New IT and Data Strategy: Director of Corporate Services | 3 | Project Plan: 30 June 2022. Data Strategy: 30 September 2022 | | No update received | Incomplete |
2021⁄22 ICT Strategy | We recommend that annual operational plans are developed which set out a workplan for each financial year. This should include core operational tasks associated with maintaining a functioning IT environment as well as improvement and change activities relating to delivering the IT and Data Strategy. Planning in this manner will ensure that there are appropriate financial and human resources available to meet agreed IT and data priorities. We also recommend that there is regular monitoring of delivery of the IT operational plan to allow management to gain assurance that it is being delivered in line with expectations. This monitoring will also allow management to identify and implement actions where plans are not tracking as expected. | Information Systems Manager with Head of Finance | 3 | Jun 22 | | No update received | Incomplete |
2021⁄22 Cyber Security Review | We recommend that management should update and refresh the mandatory cybersecurity training annually for all staff and that the training should form part of induction training for new | Head of Organisational Development | 3 | Aug 22 | | No update received | Incomplete |
2021⁄22 Cyber Security Review | We recommend that CNPA should perform a risk assessment as well as a gap analysis of the current technology, policy and business environment, to identify the key cyber security risks. In conducting that risk assessment and gap analysis, CNPA should refer to recognised leading cyber security frameworks including the Scottish Government Cyber Resilience Framework. We recommend the introduction of a cyber risk register informed by the risk assessment and gap analysis, which includes input from all | Information Systems Manager | 3 | Aug 22 | | No update received | Incomplete |
Appendix 3: Audit risk categorisations
Management action grades
- 4: Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
- 3: High risk exposure — absence / failure of key controls that create significant risks within the organisation.
- 2: Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
- 1: Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.
© Azets 2022. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22. Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.