Draft Minutes of the Audit and Risk Committee

Page 1 of 7

Held at: Cairngorms Nation­al Park Author­ity office, Grant­own on Spey Date: 24 March 2023 at 2.30pm In Per­son

Present:

• Fiona McLean (Act­ing Chair)
• Gaen­er Rodger
• Bill Lob­ban
• John Kirk

In Attend­ance:

• Grant Moir, CEO
• Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO
• Louise Allen, Head of Fin­ance, and Cor­por­ate Operations
• Tom Reid, Audit Dir­ect­or, Mazars
• Stephanie Hume, Azets
• Ash­ley Bick­er­staff, Azets
• Catri­ona Strang, Clerk to the Board

Apo­lo­gies:

• Geva Black­ett
• Eliza­beth Young, Azets

Wel­come and introduction.

1. Fiona McLean, the act­ing chair wel­comed every­one to the meet­ing and every­one intro­duced themselves.

Page 2 of 7

Approv­al of minutes of pre­vi­ous meeting

1. The draft minutes of the meet­ing on the 13 Janu­ary 2023 were approved with no amendments.

Action Points

Ref	Action Detail	Who	When	Status
29/10/2021 (Para 8i)	Bring les­sons learned on LEAD­ER back as Agenda item to a future AR Committee.	Dav­id Cameron	Review at next meeting	Open
29/10/2021 (Para 4i)	Com­plete a detailed VAT review.	Dav­id Cameron	At next meeting	Open (delayed due to HH project)
29/10/2021 (Para 20i)	Provide AR Com­mit­tee with timetable for for­ward plan­ning of meetings.	Dav­id Cameron	First meet­ing in 2023⁄24	Closed
11/02/22 (Para 18i)	Stand­ard­isa­tion of pro­ject man­age­ment pro­ced­ures and ter­min­o­logy. This to be brought back to the ARC to ensure the appro­pri­ate lan­guage was used.	Pro­ject Man­ager (when recruited)	On com­ple­tion of intern­al review of process	Open
13/01/23	Pos­i­tion on con­tract man­age­ment of Grant Thornton with regard to 2021⁄22 audit performance.	Dav­id Cameron	Will provide full update at next meeting	Open

Declar­a­tions of interest

1. There were no interests declared.

Page 3 of 7

Intern­al Audit Review: data management

1. Ash­ley Bick­er­staff, Azets, provided the over­view of the intern­al audit review of data man­age­ment and high­lighted the fol­low­ing points:

a) There are three key areas iden­ti­fied for improve­ment on the Park Authority’s approach to data man­age­ment: on the pro­ject to imple­ment Share­Point sys­tem the Author­ity has not adequately doc­u­mented their solu­tion require­ments togeth­er with the risks asso­ci­ated with trans­fer to the cloud; the migra­tion to Share­Point has not been adequately scoped; and noted gaps in policies, togeth­er with review and main­ten­ance of policies being out of date.

1. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and observations:

a) Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO, informed the com­mit­tee of a pause imple­men­ted by man­age­ment in the trans­ition to Share­Point due to staff turnover and to afford more time to fully con­sider the desired out­comes and most appro­pri­ate approach. Loch Lomond and Trossachs Nation­al Park Author­ity have an expert in place and have the capa­city for provid­ing ser­vice sup­port to the Cairngorms NPA in its trans­ition work, with good rela­tion­ships being developed by staff now work­ing in this area. The Park Author­ity may also look at out­sourcing some ele­ments of advice or sup­port for the imple­ment­a­tion of SharePoint.

b) A mem­ber asked if the delay in updat­ing IT policy and pro­ced­ure was the same across all organ­isa­tion­al policies and procedure.

c) Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO informed the com­mit­tee the focus of staff time in the past three years has been on organ­isa­tion resi­li­ence firstly on response to COVID19 impacts and secondly in estab­lish­ing hybrid work­ing. Con­sequently, there has been a delay in the review and update of organ­isa­tion­al policy across the organ­isa­tion reflect­ing the repri­or­it­isa­tion of staff time, while the new ways of work­ing will them­selves have impact on pro­ced­ure and policies update require­ments across the organ­isa­tion. Some delib­er­ate delay in policy review has been imple­men­ted to allow hybrid work­ing arrange­ments to settle and policy and pro­ced­ures to be adap­ted accord­ingly. The Cor­por­ate team will have a rolling pro­gramme of review on these policies and col­lab­or­ate with Loch Lomond and Trossachs Nation­al Park Author­ity team when pos­sible to devel­op shared pro­ced­ures and duplic­a­tion of work.

d) Stephanie Hume, Azets con­firmed that policies and pro­ced­ures will be reviewed fol­low­ing the peri­od of change now that we are com­ing out of COV­ID and devel­op­ment of hybrid work­ing arrangements.

Recom­mend­a­tion

The Audit and Risk Com­mit­tee is asked to:

a) Con­sider the intern­al aud­it­ors report and find­ings. b) Endorse the man­age­ment responses to recom­mend­a­tions for future action and sys­tem improvements.

1. The Audit & Risk Com­mit­tee approved the recommendation.

Page 4 of 7

Intern­al Audit Pro­gress Report

1. Stephanie Hume, Azets, provided the over­view of the intern­al audit pro­gress report and high­lighted the fol­low­ing points:

a) Only the payroll report is out­stand­ing but there are no con­cerns asso­ci­ated with final­isa­tion of this report and will be report­ing at June meet­ing. b) Audit staff are work­ing with man­age­ment to see if any recom­mend­a­tions are super­seded and if risks can be down­graded. c) The annu­al report will come to the next committee.

1. The Audit and Risk Com­mit­tee dis­cussed the update and made the fol­low­ing com­ments and observations:

a) A mem­ber com­men­ted that they were pleased to see risks are being looked at with the poten­tial for down­grad­ing where appropriate.

Recom­mend­a­tion

The Audit and Risk Com­mit­tee is asked to:

a) Note the con­tents of the report and the plan for the next quarter.

1. The Audit & Risk Com­mit­tee took note of the con­tents of the report.

Intern­al Audit Plan ²⁰²³⁄₂₄

1. Stephanie Hume, Azets, provided the over­view of the Intern­al Audit Plan ²⁰²³⁄₂₄ and high­lighted the fol­low­ing points:

Page 5 of 7

a) This is an updated plan build­ing on the plan that was approved last year, and there have been a few changes made fol­low­ing con­sulta­tion with the Chief Exec­ut­ive and Deputy Chief Exec­ut­ive. Azets asked the com­mit­tee if they are cov­er­ing the cor­rect areas for assur­ance in the areas of work covered by the pro­posed plan.

1. Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO, sup­por­ted Azets pro­gramme of work from a man­age­ment per­spect­ive. In par­tic­u­lar, he anti­cip­ated a sig­ni­fic­ant amount of upfront pro­cure­ment from the Her­it­age Hori­zon pro­gramme and recog­nised a need to review how our pro­cure­ment is under­taken in advance of this work being undertaken.

2. The Audit and Risk Com­mit­tee dis­cussed the update and made the fol­low­ing com­ments and observations:

a) A mem­ber asked when the deliv­ery phase of the Her­it­age Hori­zon starts b) Grant Moir, CEO con­firmed the deliv­ery phase is due to com­mence Janu­ary 2024 with the devel­op­ment phase com­ple­tion in June and final sub­mis­sion seek­ing approv­al for Deliv­ery Phase in mid August. c) A mem­ber noted their agree­ment to all areas have been covered in the intern­al audit plan and link­ing the new cor­por­ate plan and NPPP. The mem­ber asked wheth­er how we man­age part­ner­ship work­ing mer­ited con­sid­er­a­tion? d) Stephanie Hume, Azets, con­firmed that they have dis­cussed with officers the inclu­sion of part­ner­ship work­ing and to allow time for pro­vi­sion of suf­fi­cient evid­ence to reflect how this pro­cess with regard to the Nation­al Park Part­ner­ship Plan is oper­at­ing. e) Tom Reid, Audit Dir­ect­or, Maz­ars, noted that a three year plan is a sens­ible approach with the audit plan.

Recom­mend­a­tion

The Audit & Risk Com­mit­tee is asked to:

a) Con­sider the intern­al auditor’s stra­tegic intern­al audit plan. b) Con­sider the spe­cif­ic intern­al audit plan for ²⁰²³⁄₂₄ intern­al audit work and the appro­pri­ate­ness of that plan for the Authority’s needs; c) Agree the intern­al audit plan for ²⁰²³⁄₂₄.

1. The Audit & Risk Com­mit­tee approved the recommendations.

Page 6 of 7

Extern­al Audit – update on ²⁰²²⁄₂₃ extern­al audit plans

1. Tom Reid, Maz­ars, provided an oral update on the extern­al audit plans for ²⁰²²⁄₂₃ and high­lighted the fol­low­ing points:

a) The approach will be risk based and not rad­ic­ally dif­fer­ent from pre­vi­ous audits, how­ever there are changes to audit stand­ards with great­er focus on con­trols of fin­an­cial sys­tem and busi­ness pro­cesses. Maz­ars have met with Grant Thornton and have inter­im audit work sched­uled with officers. Maz­ars will bring their audit strategy to the next meet­ing in June.

1. The Audit and Risk Com­mit­tee dis­cussed the update and made the fol­low­ing com­ments and observations:

a) Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions con­firmed it was a very pos­it­ive start and have provided Maz­ars with some doc­u­ment­a­tion for their inter­im report.

1. The chair thanked Tom for the presentation.

Stra­tegic Risk Management

1. Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO presen­ted the stra­tegic risk man­age­ment and high­lighted the fol­low­ing points:

a) The cur­rent stra­tegic risk register is included as an Appendix to Azets intern­al audit plan and had not been rep­lic­ated again as a paper for this spe­cif­ic item. He con­firmed the officer assess­ment that most stra­tegic risks remained in line with risk man­age­ment pos­i­tion as repor­ted in Novem­ber 2022 with the cov­er­ing paper not­ing two risks are on a down­ward trend from that Novem­ber pos­i­tion includ­ing out­door access man­age­ment respons­ib­il­it­ies. How­ever data man­age­ment and IT ser­vice depend­en­cies are noted as escal­ated risk in light of the intern­al audit reports con­sidered at this meeting.

1. The Audit and Risk Com­mit­tee dis­cussed the update and made the fol­low­ing com­ments and observations:

a) A mem­ber asked if there are oth­er risks linked to the Her­it­age Hori­zons Pro­gramme that the com­mit­tee should be aware of? b) Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO, con­firmed that the Per­form­ance Com­mit­tee receives reports from Her­it­age Hori­zons Pro­gramme, and Caper­cail­lie and Peat­land pro­jects and there was no added risk impact

Page 7 of 7

iden­ti­fied at the last meet­ing. If any points from the Per­form­ance Com­mit­tee reports needed escal­a­tion with regard to risk implic­a­tions for the Author­ity this would come to the Audit and Risk Com­mit­tee as a report from seni­or officers. c) A mem­ber asked if there was any­thing we could change to mit­ig­ate wild­life crime (A24) d) Grant Moir, CEO con­firmed that A24 need updat­ing as there are gov­ern­ment bills and licenses which will bene­fit action against wild­life crime, there­fore the risk is decreas­ing but will nev­er go away. e) A mem­ber asked if the out­comes of the Caper­cail­lie pro­gramme will be achieved. CEO con­firmed that the pro­gramme is end­ing in Decem­ber and most areas of work are com­pleted. The team are now work­ing at what comes next and what we can afford to do. f) The CEO noted that once the cor­por­ate plan is approved there will be a new stra­tegic risk register with dis­cus­sion tak­ing place on format and approach for the next 4 – 5 years.

Recom­mend­a­tion

The Audit and Risk Com­mit­tee is asked to:

a) Con­sider the cov­er­age and adequacy of the Cairngorms Nation­al Park Authority’s stra­tegic risk man­age­ment pos­i­tion and advise on any gaps or amend­ments required to the cur­rent stra­tegic risk register.

1. The Audit & Risk Com­mit­tee approved the recommendations.

AOB

Date of next meeting

Sched­ule date is 23 June 2023

Action — Clerk to the Board to con­firm an altern­at­ive date for the next meet­ing via email and noted not to a Tuesday.

The meet­ing con­cluded at 15.12.