230324DraftAuCtteeMinute
Draft Minutes of the Audit and Risk Committee
Page 1 of 7
Held at: Cairngorms National Park Authority office, Grantown on Spey Date: 24 March 2023 at 2.30pm In Person
Present:
- Fiona McLean (Acting Chair)
- Gaener Rodger
- Bill Lobban
- John Kirk
In Attendance:
- Grant Moir, CEO
- David Cameron, Director of Corporate Services and Deputy CEO
- Louise Allen, Head of Finance, and Corporate Operations
- Tom Reid, Audit Director, Mazars
- Stephanie Hume, Azets
- Ashley Bickerstaff, Azets
- Catriona Strang, Clerk to the Board
Apologies:
- Geva Blackett
- Elizabeth Young, Azets
Welcome and introduction.
- Fiona McLean, the acting chair welcomed everyone to the meeting and everyone introduced themselves.
Page 2 of 7
Approval of minutes of previous meeting
- The draft minutes of the meeting on the 13 January 2023 were approved with no amendments.
Action Points
Ref | Action Detail | Who | When | Status |
---|---|---|---|---|
29/10/2021 (Para 8i) | Bring lessons learned on LEADER back as Agenda item to a future AR Committee. | David Cameron | Review at next meeting | Open |
29/10/2021 (Para 4i) | Complete a detailed VAT review. | David Cameron | At next meeting | Open (delayed due to HH project) |
29/10/2021 (Para 20i) | Provide AR Committee with timetable for forward planning of meetings. | David Cameron | First meeting in 2023⁄24 | Closed |
11/02/22 (Para 18i) | Standardisation of project management procedures and terminology. This to be brought back to the ARC to ensure the appropriate language was used. | Project Manager (when recruited) | On completion of internal review of process | Open |
13/01/23 | Position on contract management of Grant Thornton with regard to 2021⁄22 audit performance. | David Cameron | Will provide full update at next meeting | Open |
Declarations of interest
- There were no interests declared.
Page 3 of 7
Internal Audit Review: data management
- Ashley Bickerstaff, Azets, provided the overview of the internal audit review of data management and highlighted the following points:
a) There are three key areas identified for improvement on the Park Authority’s approach to data management: on the project to implement SharePoint system the Authority has not adequately documented their solution requirements together with the risks associated with transfer to the cloud; the migration to SharePoint has not been adequately scoped; and noted gaps in policies, together with review and maintenance of policies being out of date.
- The Audit and Risk Committee discussed the report and made the following comments and observations:
a) David Cameron, Director of Corporate Services and Deputy CEO, informed the committee of a pause implemented by management in the transition to SharePoint due to staff turnover and to afford more time to fully consider the desired outcomes and most appropriate approach. Loch Lomond and Trossachs National Park Authority have an expert in place and have the capacity for providing service support to the Cairngorms NPA in its transition work, with good relationships being developed by staff now working in this area. The Park Authority may also look at outsourcing some elements of advice or support for the implementation of SharePoint.
b) A member asked if the delay in updating IT policy and procedure was the same across all organisational policies and procedure.
c) Director of Corporate Services and Deputy CEO informed the committee the focus of staff time in the past three years has been on organisation resilience firstly on response to COVID19 impacts and secondly in establishing hybrid working. Consequently, there has been a delay in the review and update of organisational policy across the organisation reflecting the reprioritisation of staff time, while the new ways of working will themselves have impact on procedure and policies update requirements across the organisation. Some deliberate delay in policy review has been implemented to allow hybrid working arrangements to settle and policy and procedures to be adapted accordingly. The Corporate team will have a rolling programme of review on these policies and collaborate with Loch Lomond and Trossachs National Park Authority team when possible to develop shared procedures and duplication of work.
d) Stephanie Hume, Azets confirmed that policies and procedures will be reviewed following the period of change now that we are coming out of COVID and development of hybrid working arrangements.
Recommendation
The Audit and Risk Committee is asked to:
a) Consider the internal auditors report and findings. b) Endorse the management responses to recommendations for future action and system improvements.
- The Audit & Risk Committee approved the recommendation.
Page 4 of 7
Internal Audit Progress Report
- Stephanie Hume, Azets, provided the overview of the internal audit progress report and highlighted the following points:
a) Only the payroll report is outstanding but there are no concerns associated with finalisation of this report and will be reporting at June meeting. b) Audit staff are working with management to see if any recommendations are superseded and if risks can be downgraded. c) The annual report will come to the next committee.
- The Audit and Risk Committee discussed the update and made the following comments and observations:
a) A member commented that they were pleased to see risks are being looked at with the potential for downgrading where appropriate.
Recommendation
The Audit and Risk Committee is asked to:
a) Note the contents of the report and the plan for the next quarter.
- The Audit & Risk Committee took note of the contents of the report.
Internal Audit Plan 2023⁄24
- Stephanie Hume, Azets, provided the overview of the Internal Audit Plan 2023⁄24 and highlighted the following points:
Page 5 of 7
a) This is an updated plan building on the plan that was approved last year, and there have been a few changes made following consultation with the Chief Executive and Deputy Chief Executive. Azets asked the committee if they are covering the correct areas for assurance in the areas of work covered by the proposed plan.
David Cameron, Director of Corporate Services and Deputy CEO, supported Azets programme of work from a management perspective. In particular, he anticipated a significant amount of upfront procurement from the Heritage Horizon programme and recognised a need to review how our procurement is undertaken in advance of this work being undertaken.
The Audit and Risk Committee discussed the update and made the following comments and observations:
a) A member asked when the delivery phase of the Heritage Horizon starts b) Grant Moir, CEO confirmed the delivery phase is due to commence January 2024 with the development phase completion in June and final submission seeking approval for Delivery Phase in mid August. c) A member noted their agreement to all areas have been covered in the internal audit plan and linking the new corporate plan and NPPP. The member asked whether how we manage partnership working merited consideration? d) Stephanie Hume, Azets, confirmed that they have discussed with officers the inclusion of partnership working and to allow time for provision of sufficient evidence to reflect how this process with regard to the National Park Partnership Plan is operating. e) Tom Reid, Audit Director, Mazars, noted that a three year plan is a sensible approach with the audit plan.
Recommendation
The Audit & Risk Committee is asked to:
a) Consider the internal auditor’s strategic internal audit plan. b) Consider the specific internal audit plan for 2023⁄24 internal audit work and the appropriateness of that plan for the Authority’s needs; c) Agree the internal audit plan for 2023⁄24.
- The Audit & Risk Committee approved the recommendations.
Page 6 of 7
External Audit – update on 2022⁄23 external audit plans
- Tom Reid, Mazars, provided an oral update on the external audit plans for 2022⁄23 and highlighted the following points:
a) The approach will be risk based and not radically different from previous audits, however there are changes to audit standards with greater focus on controls of financial system and business processes. Mazars have met with Grant Thornton and have interim audit work scheduled with officers. Mazars will bring their audit strategy to the next meeting in June.
- The Audit and Risk Committee discussed the update and made the following comments and observations:
a) Louise Allen, Head of Finance and Corporate Operations confirmed it was a very positive start and have provided Mazars with some documentation for their interim report.
- The chair thanked Tom for the presentation.
Strategic Risk Management
- David Cameron, Director of Corporate Services and Deputy CEO presented the strategic risk management and highlighted the following points:
a) The current strategic risk register is included as an Appendix to Azets internal audit plan and had not been replicated again as a paper for this specific item. He confirmed the officer assessment that most strategic risks remained in line with risk management position as reported in November 2022 with the covering paper noting two risks are on a downward trend from that November position including outdoor access management responsibilities. However data management and IT service dependencies are noted as escalated risk in light of the internal audit reports considered at this meeting.
- The Audit and Risk Committee discussed the update and made the following comments and observations:
a) A member asked if there are other risks linked to the Heritage Horizons Programme that the committee should be aware of? b) David Cameron, Director of Corporate Services and Deputy CEO, confirmed that the Performance Committee receives reports from Heritage Horizons Programme, and Capercaillie and Peatland projects and there was no added risk impact
Page 7 of 7
identified at the last meeting. If any points from the Performance Committee reports needed escalation with regard to risk implications for the Authority this would come to the Audit and Risk Committee as a report from senior officers. c) A member asked if there was anything we could change to mitigate wildlife crime (A24) d) Grant Moir, CEO confirmed that A24 need updating as there are government bills and licenses which will benefit action against wildlife crime, therefore the risk is decreasing but will never go away. e) A member asked if the outcomes of the Capercaillie programme will be achieved. CEO confirmed that the programme is ending in December and most areas of work are completed. The team are now working at what comes next and what we can afford to do. f) The CEO noted that once the corporate plan is approved there will be a new strategic risk register with discussion taking place on format and approach for the next 4 – 5 years.
Recommendation
The Audit and Risk Committee is asked to:
a) Consider the coverage and adequacy of the Cairngorms National Park Authority’s strategic risk management position and advise on any gaps or amendments required to the current strategic risk register.
- The Audit & Risk Committee approved the recommendations.
AOB
Date of next meeting
Schedule date is 23 June 2023
Action — Clerk to the Board to confirm an alternative date for the next meeting via email and noted not to a Tuesday.
The meeting concluded at 15.12.