Please be aware the content below has been generated by an AI model from a source PDF.

221205AuCteePaper1AACNPAFollowUpReportNovember2022FINAL

Cairngorms National Park Authority

Internal Audit Report

Management Action Follow-up – 2022/23

November 2022

Introduction and background

Introduction

As part of the internal audit programme we have undertaken a follow-up review to provide the Audit & Risk Committee with assurance that management actions agreed in previous internal audit reports have been implemented appropriately. This report summarises the progress made by management in implementing agreed management actions.

Scope

We have reviewed all open management actions and liaised with Cairngorms National Park Authority staff to obtain an update on their implementation progress. For recommendations graded priority 3 or above, we request evidence to validate completion of any actions marked for closure by management.

For all actions raised by the prior Internal Auditor (BDO) we have aligned their risk assessments to the Azets risk grading structure (per Appendix 3).

Action for Audit & Risk Committee

The Committee is asked to note the progress made by management in implementing agreed management actions. The Committee is also asked to consider and approve those actions for which revised timescales have been provided by management (these are detailed at Appendix 2).

Summary of progress

The table below shows the movement in the audit actions in the period from May 2022 to November 2022:

| Movement | Number of actions |
|---|---|
| Open actions brought forward | 35 |
| Actions added to tracker | 23 |
| Total actions to follow up | 58 |
| Actions closed | 14 |
| Actions complete pending evidence | 3 |
| Open actions carried forward | 41 |

Status of actions as at November 2022

We have confirmed that fourteen actions (24%) were completed in the period to November 2022, with a further three complete pending the provision of evidence (5%). 12 (21%) have been assessed as partially complete, 13 (22%) are incomplete and 16 actions (27%) were not yet due at the time of our validation work.

Further detail on all actions that have passed their original due date for completion is included at Appendix 2.

Particular attention should be paid to those that are assessed as high or very high risk and those which have become aged.

A summary of the status of actions by report is shown at Appendix 1.


Open internal audit actions

Of the 41 outstanding actions, 25 (60%) have passed their original completion date.

17 of these actions have been assessed as grade 1 or 2 (limited or moderate risk exposure), which, although lower than in previous reports, is still a high number of outstanding actions. As a result, management should take a view on whether the organisation has the appropriate resource in place to move these actions forward, or whether it is willing to accept the risk in place, in particular for those assessed as grade 1.


Appendix 1: Action status by report

| Report title | Complete | Complete pending evidence | N/A | Partially complete | Incomplete | Not yet due | Total |
|---|---|---|---|---|---|---|---|
| Financial Processes | | | | 1 | | | 1 |
| Grant Funding & Management | | | | | 1 | | 1 |
| 2016/17 sub-total | | | | 1 | 1 | | 2 |
| Partnership Management | | | | | 1 | | 1 |
| Business Continuity Planning | | | | 2 | | | 2 |
| 2018/19 sub-total | | | | 2 | 1 | | 3 |
| Payroll Administration | 1 | 2 | | | | | 3 |
| Risk Management | | | | 1 | | | 1 |
| Expense Claims Process | 5 | | | | 1 | | 6 |
| Staff Objective Setting & Appraisal | | | | 1 | | | 1 |
| FOISA and EIR Requests | 2 | | | 2 | | | 4 |
| 2019/20 sub-total | 8 | 2 | | 4 | 1 | | 15 |
| COVID Recovery | | | | | 2 | | 2 |
| Corporate Governance | 1 | | | 1 | | | 2 |
| Data Management | 1 | 1 | | 2 | | | 4 |
| 2020/21 sub-total | 2 | 1 | | 3 | 2 | | 8 |
| LEADER Programme | 1 | | | 1 | | | 2 |
| Financial Management and Reporting | | | | 1 | 1 | | 2 |
| Assurance Mapping of Major Projects | 2 | | | | 1 | | 3 |
| Cyber Security Review | | | | | 2 | 1 | 3 |
| ICT Strategy | | | | | 2 | 2 | 4 |
| Peatland Action Programme Set Up | | | | | 2 | 7 | 9 |
| 2021/22 sub-total | 3 | | | 2 | 8 | 10 | 23 |
| LEADER Programme | | | | | | 2 | 2 |
| Performance Management | 1 | | | | | 2 | 3 |
| Workforce Management and Planning | | | | | | 2 | 2 |
| 2022/23 sub-total | 1 | | | | | 6 | 7 |
| Grand totals | 14 | 3 | | 12 | 13 | 16 | 58 |

Appendix 2: Summary of outstanding actions past their original due date

Each entry below gives the report and action, the recommendation, the action owner and grade, the original and revised timescales, the management update as at November 2022, and the status.

2016/17 Financial Processes (Grade 1; owner: Finance Manager)
Recommendation: We recommend that the Finance Management schedule is updated to provide detailed policies and guidance on all financial processes. These should be reviewed on an annual basis. We also recommend that clear roles and responsibilities demonstrating segregation of duties are documented within the guidance notes for all financial processes. We recognise that management have made progress in developing the schedule and that completion of this was delayed due to the implementation of the new Sage system.
Original timescale: Jun 17. Revised timescale: Dec 22.
Update as at November 2022: Finance Manual to be completed by Oct 22.
Status: Partially complete

2016/17 Grant Funding & Management (Grade 2; owner: Director of Corporate Services)
Recommendation: We recommend that the Grant Toolkit is completed, encompassing all processes in place for the awarding, recording and monitoring of grant funding. The toolkit should also clearly define the following: actions to be taken when grant conditions are not being met or terms and conditions are breached; the process for consideration of the risk and value of grant funding applications to determine the proportion of resource required to evaluate these; and review and scrutiny arrangements for progress reports provided by grantees.
Original timescale: Sep 17. Revised timescale: Mar 23.
Update as at November 2022: Draw together grant toolkit information plus associated documents, e.g. subsidy control guidance. Complete by Mar 23.
Status: Incomplete

2018/19 Partnership Management (Grade 1; owner: Director of Corporate Services)
Recommendation: We understand that there are already plans to improve the engagement process further by implementing a Customer Relationship Management System (CRM). We recommend that the [recommendation text is cut off in the source]
Original timescale: Jun 19. Revised timescale: Sep 23.
Update as at November 2022: Development and implementation of SharePoint within our records management policy direction is the immediate priority for work from Q2 2022/23. Implementation of CRM will follow on from that.
Status: Incomplete

2018/19 Business Continuity Planning – testing (Grade 2; owner: Director of Corporate Services to coordinate team)
Recommendation: We recommend that CNPA develops a testing plan/schedule for BCP which should be reviewed regularly to ensure a strategic approach to testing is developed and implemented. This plan should ensure that varying categories of events are scheduled to be tested on a regular basis based upon likelihood and overall risk. A formal testing schedule should also be developed for the DRP. We note that the BCP states that testing of the BCP and DRP should be annual, with consideration given to a daily 'table top' exercise. However, from discussions with management, it is understood that this is not achievable due to the size of the organisation. Therefore, management should decide on the most suitable frequency of testing, and this should be detailed within the BCP. In addition, we recommend that the outcomes, lessons learned and required actions are formally documented, and thereafter reflected within the plan for each test.
Original timescale: Nov 19. Revised timescale: Aug 23.
Update as at November 2022: Initial focus with resources available will be on continuing the process of developing hybrid working arrangements as we establish new operating norms. Will work to review BCP in light of experience and test systems by summer of 2023.
Status: Partially complete

2018/19 Business Continuity Planning – training (Grade 2; owner: Director of Corporate Services to coordinate team)
Recommendation: We recommend that the Authority implements business continuity training for all staff. Regular refresher training should be provided going forward, and the Authority should ensure it records all training for each staff member and obtains sufficient evidence of attendance/completion.
Original timescale: Nov 19. Revised timescale: Nov 23.
Update as at November 2022: BCP training should follow review and testing, therefore scheduled for Autumn 2023.
Status: Partially complete

2019/20 Risk Management (Grade 1; owner: Director of Corporate Services)
Recommendation: We recommend that on a periodic basis, for example every two years to align with the start and mid-point of the Corporate Plan cycle, management carry out a full-scale risk identification process for the risk register.
Original timescale: May 20. Revised timescale: Jun 23.
Update as at November 2022: Risk register to be established from first principles as part of the 2023 to 2027 Corporate Plan process.
Status: Partially complete

2019/20 Expense Claims Process (Grade 1; owner: Finance Manager)
Recommendation: We recommend that CNPA assesses the costs vs benefits of introducing an electronic expense system, which will allow for expense claims to be effectively processed. An expense system should allow for the full process to be handled electronically, from creating claims and attaching supporting documentation (photos/scans/electronic versions) to the approval and payment of claims. Approvals can also be provided remotely, which would reduce delays in obtaining approval on hard copy claim forms.
Original timescale: Aug 20. Revised timescale: Jun 23.
Update as at November 2022: We will investigate by June 23 within the functionality of current HR and Finance systems and take a landing on the possibility of a digitised expenses system by this date.
Status: Incomplete

2019/20 Staff Objective Setting & Appraisal (Grade 1; owner: Kate Christie)
Recommendation: We recommend that line managers are reminded of the importance of properly recording their review and approval of job plans.
Original timescale: Immediate and ongoing. Revised timescale: Mar 23.
Update as at November 2022: Review of policy in hand; now likely to be completed in Q4.
Status: Partially complete

2019/20 FOISA and EIR Requests – search guidelines (Grade 1; owner: Vicky Walker)
Recommendation: We recommend CNPA creates guidelines for staff when searching for information for FOISA & EIR requests, such as how to undertake keyword searches in records.
Original timescale: Jul 20. Revised timescale: Dec 22.
Update as at November 2022: New guidelines for searching for information will be developed alongside the SharePoint user guide and implementation.
Status: Partially complete

2019/20 FOISA and EIR Requests – Publication Scheme (Grade 1; owner: Vicky Walker)
Recommendation: We recommend CNPA reviews and updates its Publication Scheme. We recommend CNPA reviews all information it holds with an aim to publish as much as possible to ensure transparency and reduce FOI requests.
Original timescale: Dec 20. Revised timescale: Dec 22.
Update as at November 2022: This will be reviewed in line with the Records Management Plan, which needs to be updated and resubmitted to NRS by Summer 2023.
Status: Partially complete

2020/21 Corporate Governance (Grade 3; owner: Director of Corporate Services)
Recommendation: Management should ensure that all Board members have received risk management training. We support the proposed finance training programme by the Finance and Delivery Committee and recommend that all board members attend this training.
Original timescale: Sep 21. Revised timescale: Mar 23.
Update as at November 2022: In hand for Mar 23.
Status: Partially complete

2020/21 COVID Recovery – BCP cycle (Grade 2; owner: Office Services Manager)
Recommendation: Management should: continue to work through the BCP cycle; ensure staff have sufficient knowledge of the BCP process and terminology to adequately complete the stages associated with risk assessments; and expand the BCP content in relation to the governance structure and scope, in line with the points identified above.
Original timescale: Mar 21. Revised timescale: Aug 23.
Update as at November 2022: Initial focus with resources available will be on continuing the process of developing hybrid working arrangements as we establish new operating norms. Will work to review BCP in light of experience and test systems by summer of 2023.
Status: Incomplete

2020/21 COVID Recovery – communication strategy (Grade 1; owner: Office Services Manager)
Recommendation: An outline communication strategy should be developed, which includes centralised and non-centralised channels, as well as support for staff who are unable to access systems.
Original timescale: Jul 21. Revised timescale: Aug 23.
Update as at November 2022: Initial focus with resources available will be on continuing the process of developing hybrid working arrangements as we establish new operating norms. Will work to review BCP in light of experience and test systems by summer of 2023.
Status: Incomplete

2020/21 Data Management – policies (Grade 2; owner: Office Services Manager)
Recommendation: We recommend that the organisation reviews and updates all three policies to ensure that they reflect the latest data protection legislation and reflect current organisational practices. Specifically, the Authority should ensure that information contained within each policy is consistent. The Authority should ensure that the owner for each policy is updated and recorded, and going forward it should ensure that policies are reviewed annually in line with the review frequency documented.
Original timescale: May 21. Revised timescale: Aug 23.
Update as at November 2022: Records management policy will be updated in line with SharePoint implementation (Jan 22) and the revised Records Management Plan, which is to be submitted to NRS by Summer 2023.
Status: Partially complete

2020/21 Data Management – data audits (Grade 3; owner: Head of Organisational Development)
Recommendation: We recommend that the Authority ensures that data audits are conducted annually in line with the policy. These audits should sample various directorates to ensure that storage and management of files adhere to the Records Management Policy. Specifically, this audit should consider compliance with data retention and disposal requirements, version control requirements and access and security requirements. The output of this audit should be documented and the Head of Service for each area should be given recommended actions, as necessary. We also recommend that directorates each take ownership of their own folders and conduct more regular compliance checks within their own teams to ensure that their files comply with the Records Management Policy.
Original timescale: May 21. Revised timescale: Dec 22.
Update as at November 2022: We have initiated a data audit as part of the implementation of SharePoint within the migration to MS365. This process is underway, is likely to be impacted by short-term interruption during 2022/23 as a consequence of staff turnover, and will be prioritised following recruitment.
Status: Partially complete

2021/22 LEADER Programme (Grade 2; owner: LEADER Programme Manager)
Recommendation: Management should ensure that feedback on CNPA internal processes is obtained and, where appropriate, fed into Scottish Government reviews on programme processes. In addition, management should develop a lessons learned action log and ensure this is monitored by a relevant person(s) within the CNPA management structure.
Original timescale: Mar 22. Revised timescale: Apr 23.
Update as at November 2022: As stated in April 2022, we are still in the process of collating lessons learned from the previous LEADER programme, two Cairngorms Trust grant programmes which are running until Sept 23 and the Community Led Vision Fund which runs until Mar 23. A report will be written which will encompass all of the above and be submitted as part of our work for the Heritage Horizons 2030 programme Development phase.
Status: Partially complete

2021/22 Financial Management and Reporting – financial responsibilities (Grade 2; owner: Finance Manager and Management Accountant)
Recommendation: Management should document and communicate the financial responsibilities of staff with financial authority, ensuring that all staff formally acknowledge their responsibilities.
Original timescale: Jun 22. Revised timescale: Jan 23.
Update as at November 2022: Scheme of delegation approved. Acknowledgement processes to be implemented. Currently in draft.
Status: Partially complete

2021/22 Financial Management and Reporting – Budget Management Policy (Grade 2; owner: Finance Manager and Management Accountant)
Agreed action: Recommendation agreed. Budget Management Policy will be developed, approved and circulated to relevant staff.
Original timescale: Sep 22. Revised timescale: Dec 22.
Update as at November 2022: Finance Manual to be completed by Oct 22.
Status: Incomplete

2021/22 Assurance Mapping of Major Projects (Grade 2; owner: Governance and Reporting Manager)
Recommendation: Management should put in place a project plan for implementation of the new project management approach. This may include the use of stage plans to help with maintaining flexibility over how the overall approach develops. In addition, management should ensure that this plan includes appropriate communications to explain any jargon or specific terminology.
Original timescale: 30/09/2022. Revised timescale: none given.
Update as at November 2022: No update received.
Status: Incomplete

2021/22 Peatland Action Programme Set Up – contract award responsibility (Grade 3; owner: Deputy Chief Executive)
Recommendation: Management should ensure that contract award responsibility is included within MAP 2.1 and CNPA Project Officers obtain [recommendation text is cut off in the source; a further fragment reads "for instruction to enforce terms and conditions requirements"]
Original timescale: Sep 22. Revised timescale: none given.
Update as at November 2022: No update received.
Status: Incomplete

2021/22 Peatland Action Programme Set Up – programme monitoring tools (Grade 3; owner: Peatland Action Programme Managers)
Recommendation: Management should update the programme monitoring tools to provide sufficient information to manage the programme effectively, including detailing progress with each of the stages within the core grant process for each project. Programme and action trackers used in other [recommendation text is cut off in the source]
Original timescale: Oct 22. Revised timescale: none given.
Update as at November 2022: No update received.
Status: Incomplete

2021/22 ICT Strategy – action plan and new strategy (Grade 3; owners: project plan – Information Systems Manager; new IT and Data Strategy – Director of Corporate Services)
Recommendation: We recommend that the action plan within the IT and Data Strategy is updated to include action owners and delivery dates. There should be regular reporting to the SMT on the progress of the completion of actions. We recommend that when the new CNPA Corporate Plan is established a new IT and Data Strategy should be developed, aligned with the corporate plan. The Strategy should also be reviewed, with the approval of the Strategy by the appropriate oversight group fully documented and included within the document's version control.
Original timescale: project plan – 30 June 2022; strategy – 30 September 2022. Revised timescale: none given.
Update as at November 2022: No update received.
Status: Incomplete

2021/22 ICT Strategy – annual operational plans (Grade 3; owner: Information Systems Manager with Head of Finance)
Recommendation: We recommend that annual operational plans are developed which set out a workplan for each financial year. This should include core operational tasks associated with maintaining a functioning IT environment as well as improvement and change activities relating to delivering the IT and Data Strategy. Planning in this manner will ensure that there are appropriate financial and human resources available to meet agreed IT and data priorities. We also recommend that there is regular monitoring of delivery of the IT operational plan to allow management to gain assurance that it is being delivered in line with expectations. This monitoring will also allow management to identify and implement actions where plans are not tracking as expected.
Original timescale: Jun 22. Revised timescale: none given.
Update as at November 2022: No update received.
Status: Incomplete

2021/22 Cyber Security Review – training (Grade 3; owner: Head of Organisational Development)
Recommendation: We recommend that management should update and refresh the mandatory cyber security training annually for all staff and that the training should form part of induction training for new [recommendation text is cut off in the source]
Original timescale: Aug 22. Revised timescale: none given.
Update as at November 2022: No update received.
Status: Incomplete

2021/22 Cyber Security Review – risk assessment and cyber risk register (Grade 3; owner: Information Systems Manager)
Recommendation: We recommend that CNPA should perform a risk assessment as well as a gap analysis of the current technology, policy and business environment, to identify the key cyber security risks. In conducting that risk assessment and gap analysis, CNPA should refer to recognised leading cyber security frameworks including the Scottish Government Cyber Resilience Framework. We recommend the introduction of a cyber risk register informed by the risk assessment and gap analysis, which includes input from all [recommendation text is cut off in the source]
Original timescale: Aug 22. Revised timescale: none given.
Update as at November 2022: No update received.
Status: Incomplete

Appendix 3: Audit risk categorisations

Management action grades

  • 4: Very high risk exposure: major concerns requiring immediate senior attention that create fundamental risks within the organisation.
  • 3: High risk exposure: absence / failure of key controls that create significant risks within the organisation.
  • 2: Moderate risk exposure: controls are not working effectively and efficiently and may create moderate risks within the organisation.
  • 1: Limited risk exposure: controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general housekeeping issues.

© Azets 2022. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales, Registered No. 09652677. VAT Registration No. 219 0608 22. Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.
