Please be aware the content below has been generated by an AI model from a source PDF.

230621AuCtteePaper2CNPAManagementActionFollowUpReport

Cairngorms National Park Authority

Internal Audit Report

Management Action Follow-up – 2022/23

May 2023

Contents:

  • Introduction and background
  • Summary of progress
  • Appendix 1: Action status by report
  • Appendix 2: Summary of outstanding actions past their current due date
  • Appendix 3: Audit risk categorisations

Introduction and background

Introduction:

As part of the internal audit programme we have undertaken a follow up review to provide the Audit & Risk Committee with assurance that management actions agreed in previous internal audit reports have been implemented appropriately. This report summarises the progress made by management in implementing agreed management actions.

Scope:

We have reviewed all open management actions and liaised with Cairngorms National Park Authority staff to obtain an update on their implementation progress. This included management identifying actions which were no longer applicable. For recommendations graded priority 3 or above, we request evidence to validate completion of any actions marked for closure by management.

For all actions raised by the prior Internal Auditor (BDO) we have aligned their risk assessments to the Azets risk grading structure (per Appendix 3).

Action for Audit & Risk Committee:

The Committee is asked to note the progress made by management in implementing agreed management actions. The Committee is also asked to consider and approve those actions for which revised timescales have been provided by management (these are detailed at Appendix 2).


Summary of progress:

The table below shows the movement in the audit actions in the period from November 2022 to May 2023:

| | Number of Actions |
|---|---|
| Open actions brought forward | 41 |
| Actions complete pending evidence (not yet received) | 3 |
| Actions added to tracker | 2 |
| Total actions to follow-up | 46 |
| Actions closed | 5 |
| Actions superseded | 6 |
| Actions complete pending evidence | 7 |
| Open actions carried forward | 28 |

Status of Actions as at May 2023:

(Pie chart showing the following data)

  • Complete: 7
  • Superseded: 5
  • Complete pending evidence: 6
  • Partially Complete: 4
  • Incomplete: 17
  • Not Yet Due: 7

We have confirmed that five actions (11%) were completed in the period to May 2023, with a further seven complete pending the provision of evidence (15%) and six superseded (13%). Four actions (9%) have been assessed as partially complete, 17 (37%) are incomplete and seven actions (15%) were not yet due at the time of our validation work. We did not receive updates on a number of outstanding actions; in these instances the actions were assessed in line with the previous assessment made or marked as incomplete.

Further detail on all actions that have passed their current due dates for completion is included at Appendix 2.

We recommend that management retain a strong focus on clearing aged items in the coming months. We recommend prioritising the most aged items, dating back to 2016/17, and those that are grade 3 and grade 4. Attention should then be paid to those remaining actions that have passed their original due date and those which will pass their due date for completion over the next period.

A summary of the status of actions by report is shown at Appendix 1.


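Appendix 1: Action status by report:

(Table showing the following data. The table spans two pages in the original document. Data has been combined here for clarity.)

| Report Title | Complete | Complete Pending Evidence | NLA | Partially Complete | Incomplete | Not Yet Due | Total |
|---|---|---|---|---|---|---|---|
| Financial Processes | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| Grant Funding & Management | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| 2016/17 sub total | 2 | 0 | 0 | 0 | 0 | 0 | 2 |
| Partnership Management | 1 | 0 | 0 | 0 | 0 | 1 | 2 |
| Business Continuity Planning | 0 | 0 | 0 | 0 | 1 | 1 | 2 |
| 2018/19 sub total | 1 | 0 | 0 | 0 | 1 | 1 | 3 |
| Payroll Administration | 2 | 0 | 0 | 0 | 0 | 0 | 2 |
| Risk Management | 0 | 0 | 0 | 0 | 1 | 0 | 1 |
| Expense Claims Process | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| Staff Objectives Setting & Appraisal | 0 | 0 | 0 | 0 | 1 | 0 | 1 |
| FOISA and FIR Requests | 0 | 0 | 0 | 0 | 1 | 1 | 2 |
| 2019/20 sub total | 2 | 0 | 0 | 0 | 2 | 2 | 7 |
| COVID Recovery | 0 | 2 | 0 | 0 | 0 | 0 | 2 |
| Corporate Governance | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| Data Management | 0 | 0 | 0 | 0 | 1 | 1 | 3 |
| 2020/21 sub total | 1 | 2 | 0 | 0 | 1 | 1 | 6 |
| LEADER Programme | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| Financial Management and Reporting | 0 | 0 | 0 | 1 | 1 | 0 | 2 |
| Assurance Mapping of Major Projects | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| Cyber Security Review | 1 | 0 | 0 | 0 | 2 | 0 | 3 |
| ICT Strategy | 0 | 0 | 0 | 0 | 3 | 1 | 4 |
| Peatland Action Programme Set Up | 1 | 4 | 3 | 0 | 1 | 0 | 9 |
| 2021/22 sub-total | 2 | 4 | 3 | 1 | 9 | 1 | 20 |
| LEADER Programme | 0 | 0 | 0 | 0 | 1 | 1 | 2 |
| Performance Management | 0 | 0 | 0 | 0 | 2 | 0 | 2 |
| Workforce Management and Planning | 0 | 0 | 0 | 0 | 2 | 0 | 2 |
| Data Management | 0 | 0 | 0 | 0 | 1 | 1 | 2 |
| 2022/23 sub-total | 0 | 0 | 0 | 0 | 4 | 2 | 8 |
| Grand totals | 5 | 7 | 6 | 4 | 17 | 7 | 46 |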

Appendix 2: Summary of outstanding actions past their current due date:

(Table showing the following data. The table spans several pages in the original document. Data has been combined here for clarity.)

| Report / Action | Recommendation | Action Owner | Grade | Original Timescale | Revised Timescale | Update May 2023 | Status |
|---|---|---|---|---|---|---|---|
| 2016/17 Financial Processes | We recommend that the Finance Management schedule is updated to provide detailed policies and guidance on all financial processes. These should be reviewed on an annual basis. (etc.) | Finance Manager | Low (1) | Jun-17 | Dec-22 | No update provided. | Incomplete |
| 2016/17 Grant Funding and Management | We recommend that the Grant Toolkit is completed, encompassing all processes in place for the awarding, recording and monitoring of grant funding. (etc.) | Director of Corporate Services | Medium (2) | Sep-2017 | Mar-23 | No update provided. | Incomplete |
| 2019/20 Payroll Administration | We recommend that CNPA conduct a regular peer review of the desk instructions to ensure that they remain accurate and up to date. (etc.) | Director of Corporate Services or Head of Organisational Development | Low (1) | Apr-20 | Dec-22 | Completed. | Complete pending evidence |
| 2019/20 Payroll Administration | It is our recommendation that the Authority investigate the potential for making use of automatic exception reporting. (etc.) | Payroll and Finance Officer | Low (1) | Mar-20 | Dec-22 | Completed. | Complete pending evidence |
| 2019/20 Staff Objective Setting and Appraisal | We recommend that line managers are reminded of the importance of properly recording their review and approval of job plans. (etc.) | Head of Organisational Development | Low (1) | Ongoing | Mar-23 | No update provided. | Incomplete |
| 2020/21 Data Management | We recommend that the Authority ensure that data audits are conducted annually in line with the policy. (etc.) | Head of Organisational Development | Medium (3) | May-21 | Mar-24 | The appointment of our new Information Manager provides the opportunity to revisit this work. (etc.) | Incomplete |
| 2020/21 Data Management | We recommend that once the Authority have received the feedback from their DPOaaS provider, they create a subject access request procedure, (etc.) | Office Services Manager | Medium (3) | Jun-21 | | Updated and implemented. No further DSAR requests received. | Complete pending evidence |
| 2021/22 Assurance Mapping of Major Projects | Management should put in place a project plan for implementation of the new project management approach. (etc.) | Governance and Reporting Manager | Medium (2) | Sep-22 | | No update provided. | Incomplete |
| 2021/22 Cyber Security Review | We recommend that CNPA should perform a risk assessment as well as a gap analysis of the current technology, policy and business environment, to identify the key cyber security risks. (etc.) | Information Systems Manager | Medium (3) | Aug-22 | Sept 23 | While we are mindful of risks as part of the course of our day-to-day management of our IT resources, there has been a lack of formality in recording these risks. (etc.) | Incomplete |
| 2021/22 Cyber Security Review | We recommend that CNPA establish procedures for handling cyber security events. (etc.) | Information Systems Manager | Medium (2) | Dec-22 | | No update provided. | Incomplete |
| 2021/22 Financial Management and Reporting | Management should document and communicate the financial responsibilities of staff with financial authority, ensuring that all staff formally acknowledge their responsibilities. | Finance Manager and Financial Accountant | Medium (2) | Jun-22 | Mar-23 | No update provided. | Partially Complete |
| 2021/22 Budget Management Policy | Recommendation agreed. Will be developed, approved and circulated to relevant staff. | Finance Manager and Financial Accountant | Medium (2) | Sep-22 | | No update provided. | Incomplete |
| 2021/22 ICT Strategy | We recommend that annual operational plans are developed which sets out a workplan for each financial year. (etc.) | Information Systems Manager and Head of Finance | Medium (3) | Jun-22 | June 23 | The IT operational plan will, in future, follow naturally from the ICT strategy. (etc.) | Incomplete |
| 2021/22 ICT Strategy | We recommend that management explicitly document approvals of strategies within minutes of meetings. (etc.) | Director of Corporate Services | Medium (2) | Mar-23 | | No update provided. | Incomplete |
| 2021/22 ICT Strategy | We recommend that the action plan within the IT and Data Strategy is updated to include action owners and delivery dates. (etc.) | Project plan = Information Systems Manager, New IT Data Strategy = Director of Corporate Services | Medium (3) | Project Plan - Jun-22, Data Strategy - Sep-22 | Dec 23 | The Authority's strategic approach to ICT is under consideration. (etc.) | Incomplete |
| 2021/22 LEADER Programme | Management should ensure that feedback on CNPA internal processes is obtained and, where appropriate, fed into Scottish Government reviews on programme processes. (etc.) | LEADER Programme Manager | Medium (2) | Mar-22 | Apr-23 | No update provided. | Incomplete |
| 2021/22 Peatland Action Programme Set Up | Management should document the scheme requirements, ensuring that this is representative of the arrangements currently in place or in development, and communicate these clearly to staff. | Head of Service, Land Management, with Peatland Action Programme Managers | Medium (3) | Nov-22 | Aug 23 | This requirement is partially implemented. (etc.) | Partially Complete |
| 2021/22 Peatland Action Programme Set Up | Management should document the risks associated with the full-service approach and put mitigating controls in place to manage this within the risk appetite/tolerance of the CNPA Board. (etc.) | Director of Nature and Climate Change | High (4) | Legal advice - Dec-22, Risk Map and action plan - Dec-22 | | This requirement is partially implemented. (etc.) | Partially Complete |
| 2021/22 Peatland Action Programme Set Up | CNPA should ensure the consistent treatment of Prior Notification costs, meaning that those should be reimbursed if incurred by CNPA and appropriately reflected in grant offer letters. | Peatland Action Programme Managers | Medium (2) | Nov-22 | | No update provided. | Incomplete |
| 2021/22 Peatland Action Programme Set Up | Management should develop a communications strategy for the programme, including a review of the CNPA website and awareness raising activities for the Peatland Action Programme and consider how the work to identify peatland sites will inform the communication activities undertaken. (etc.) | Head of Land Management | Medium (3) | Apr-23 | | This requirement has been fully implemented. | Complete Pending Evidence |
| 2021/22 Peatland Action Programme Set Up | Management should finalise and implement the funding criteria for application appraisals. (etc.) | Peatland Action Programme Managers | Medium (3) | Mar-23 | | This requirement has been fully implemented. | Complete Pending Evidence |
| 2021/22 Peatland Action Programme Set Up | CNPA should ensure that the minimum controls, processes and documentation identified below are in place and being used. Detail in report. | Head of Service with Peatland Action Managers | High (4) | Feb-22 | Aug 23 | This requirement has been partially implemented. (etc.) | Partially Complete |
| 2021/22 Peatland Action Programme Set Up | Management should implement a governance structure which is able to direct the strategic direction of the programme and provide assurance over the delivery of programme. (etc.) | Director of Nature and Climate Change with Head of Land Management | Medium (2) | Nov-22 | | This requirement is fully implemented. | Complete Pending Evidence |
| 2021/22 Peatland Action Programme Set Up | Management should update the programme monitoring tools to provide sufficient information to manage the programme effectively including detailing progress with each of the stages within the core grant process for each project. (etc.) | Peatland Action Programme Managers | Medium (3) | Oct-22 | | This requirement is fully implemented. | Complete Pending Evidence |
| 2022/23 Data Management | In line with the update of policies and identification of requirements recommended in MAP 1.1, we recommend that CNPA establishes a cloud migration strategy or plan which takes into account how these requirements will be met by SharePoint and the actions required to configure the solution to do so. (etc.) | Deputy Chief Executive, as senior sponsor of the SharePoint Transition Project and oversight of wider organisational development work required | Medium (3) | Apr-23 | | No update provided. | Incomplete |
| 2022/23 LEADER Programme | For other grant programmes CNPA should ensure that decisions taken which vary from standard processes are clearly documented including the approval route for the decision being made. (etc.) | Community Grants Manager | Medium (2) | Dec-22 | | No update provided. | Incomplete |
| 2022/23 Performance Management | We support management's approach to developing a dashboard to support more frequent scrutiny and challenge by senior management. (etc.) | Governance, Data and Reporting Manager | Medium (2) | Dec-22 | | No update provided. | Incomplete |
| 2022/23 Performance Management | Whilst developing the new corporate plan, management should ensure that this is supported by a sufficient mix of qualitative and quantitative measures and indicators that clearly define the proposed outcome of the activities being undertaken. (etc.) | Governance, Data and Reporting Manager | Medium (2) | Mar-23 | | No update provided. | Incomplete |

Appendix 3: Audit risk categorisations

Management action grades:

  • 4: Very high risk exposure - major concerns requiring immediate senior attention that create fundamental risks within the organisation.
  • 3: High risk exposure - absence / failure of key controls that create significant risks within the organisation.
  • 2: Moderate risk exposure - controls are not working effectively and efficiently and may create moderate risks within the organisation.
  • 1: Limited risk exposure - controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general housekeeping issues.

Azets 2023. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22.

Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.
