Cairngorms National Park Authority
Internal Audit Report
Management Action Follow-up – 2022⁄23
May 2023
Contents:
- Introduction and background
- Summary of progress
- Appendix 1: Action status by report
- Appendix 2: Summary of outstanding actions past their current due date
- Appendix 3: Audit risk categorisations
Introduction and background
Introduction:
As part of the internal audit programme we have undertaken a follow up review to provide the Audit & Risk Committee with assurance that management actions agreed in previous internal audit reports have been implemented appropriately. This report summarises the progress made by management in implementing agreed management actions.
Scope:
We have reviewed all open management actions and liaised with Cairngorms National Park Authority staff to obtain an update on their implementation progress. This included management identifying actions which were no longer applicable. For recommendations graded priority 3 or above, we request evidence to validate completion of any actions marked for closure by management.
For all actions raised by the prior Internal Auditor (BDO) we have aligned their risk assessments to the Azets risk grading structure (per Appendix 3).
Action for Audit & Risk Committee:
The Committee is asked to note the progress made by management in implementing agreed management actions. The Committee is also asked to consider and approve those actions for which revised timescales have been provided by management (these are detailed at Appendix 2).
Summary of progress:
The table below shows the movement in the audit actions in the period from November 2022 to May 2023:
Movement | Number of Actions |
---|---|
Open actions brought forward | 41 |
Actions complete pending evidence (not yet received) | 3 |
Actions added to tracker | 2 |
Total actions to follow-up | 46 |
Actions closed | 5 |
Actions superseded | 6 |
Actions complete pending evidence | 7 |
Open actions carried forward | 28 |
Status of Actions as at May 2023:
(Pie chart showing the following data)
- Complete: 7
- Superseded: 5
- Complete pending evidence: 6
- Partially Complete: 4
- Incomplete: 17
- Not Yet Due: 7
We have confirmed that five actions (11%) were completed in the period to May 2023, with a further seven complete pending the provision of evidence (15%) and six superseded (13%). Four actions (9%) have been assessed as partially complete, 17 (37%) are incomplete and seven actions (15%) were not yet due at the time of our validation work. We did not receive updates on a number of outstanding actions; in these instances the actions were assessed in line with the previous assessment made or marked as incomplete.
Further detail on all actions that have passed their current due dates for completion is included at Appendix 2.
We recommend that management retain a strong focus on clearing aged items in the coming months. We recommend prioritising the most aged items, dating back to 2016⁄17, and those that are grade 3 and grade 4. Attention should then be paid to those remaining actions that have passed their original due date and those which will pass their due date for completion over the next period.
A summary of the status of actions by report is shown at Appendix 1.
Appendix 1: Action status by report:
(Table showing the following data. The table spans two pages in the original document. Data has been combined here for clarity.)
Report Title | Complete | Complete Pending Evidence | NLA | Partially Complete | Incomplete | Not Yet Due | Total |
---|---|---|---|---|---|---|---|
Financial Processes | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
Grant Funding & Management | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
2016⁄17 sub total | 2 | 0 | 0 | 0 | 0 | 0 | 2 |
Partnership Management | 1 | 0 | 0 | 0 | 0 | 1 | 2 |
Business Continuity Planning | 0 | 0 | 0 | 0 | 1 | 1 | 2 |
2018⁄19 sub total | 1 | 0 | 0 | 0 | 1 | 1 | 3 |
Payroll Administration | 2 | 0 | 0 | 0 | 0 | 0 | 2 |
Risk Management | 0 | 0 | 0 | 0 | 1 | 0 | 1 |
Expense Claims Process | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
Staff Objectives Setting & Appraisal | 0 | 0 | 0 | 0 | 1 | 0 | 1 |
FOISA and FIR Requests | 0 | 0 | 0 | 0 | 1 | 1 | 2 |
2019⁄20 sub total | 2 | 0 | 0 | 0 | 2 | 2 | 7 |
COVID Recovery | 0 | 2 | 0 | 0 | 0 | 0 | 2 |
Corporate Governance | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
Data Management | 0 | 0 | 0 | 0 | 1 | 1 | 3 |
2020⁄21 sub total | 1 | 2 | 0 | 0 | 1 | 1 | 6 |
LEADER Programme | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
Financial Management and Reporting | 0 | 0 | 0 | 1 | 1 | 0 | 2 |
Assurance Mapping of Major Projects | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
Cyber Security Review | 1 | 0 | 0 | 0 | 2 | 0 | 3 |
ICT Strategy | 0 | 0 | 0 | 0 | 3 | 1 | 4 |
Peatland Action Programme Set Up | 1 | 4 | 3 | 0 | 1 | 0 | 9 |
2021⁄22 sub total | 2 | 4 | 3 | 1 | 9 | 1 | 20 |
LEADER Programme | 0 | 0 | 0 | 0 | 1 | 1 | 2 |
Performance Management | 0 | 0 | 0 | 0 | 2 | 0 | 2 |
Workforce Management and Planning | 0 | 0 | 0 | 0 | 2 | 0 | 2 |
Data Management | 0 | 0 | 0 | 0 | 1 | 1 | 2 |
2022⁄23 sub total | 0 | 0 | 0 | 0 | 4 | 2 | 8 |
Grand totals | 5 | 7 | 6 | 4 | 17 | 7 | 46 |
Appendix 2: Summary of outstanding actions past their current due date:
(Table showing the following data. The table spans several pages in the original document. Data has been combined here for clarity.)
Report / Action | Recommendation | Action Owner | Grade | Original Timescale | Revised Timescale | Update May 2023 | Status |
---|---|---|---|---|---|---|---|
2016⁄17 Financial Processes | We recommend that the Finance Management schedule is updated to provide detailed policies and guidance on all financial processes. These should be reviewed on an annual basis. (etc.) | Finance Manager | Low (1) | Jun-17 | Dec-22 | No update provided. | Incomplete |
2016⁄17 Grant Funding and Management | We recommend that the Grant Toolkit is completed, encompassing all processes in place for the awarding, recording and monitoring of grant funding. (etc.) | Director of Corporate Services | Medium (2) | Sep-2017 | Mar-23 | No update provided. | Incomplete |
2019⁄20 Payroll Administration | We recommend that CNPA conduct a regular peer review of the desk instructions to ensure that they remain accurate and up to date. (etc.) | Director of Corporate Services or Head of Organisational Development | Low (1) | Apr-20 | Dec-22 | Completed. | Complete pending evidence |
2019⁄20 Payroll Administration | It is our recommendation that the Authority investigate the potential for making use of automatic exception reporting. (etc.) | Payroll and Finance Officer | Low (1) | Mar-20 | Dec-22 | Completed. | Complete pending evidence |
2019⁄20 Staff Objective Setting and Appraisal | We recommend that line managers are reminded of the importance of properly recording their review and approval of job plans. (etc.) | Head of Organisational Development | Low (1) | Ongoing | Mar-23 | No update provided. | Incomplete |
2020⁄21 Data Management | We recommend that the Authority ensure that data audits are conducted annually in line with the policy. (etc.) | Head of Organisational Development | Medium (3) | May-21 | Mar-24 | The appointment of our new Information Manager provides the opportunity to revisit this work. (etc.) | Incomplete |
2020⁄21 Data Management | We recommend that once the Authority have received the feedback from their DPOaaS provider, they create a subject access request procedure, (etc.) | Office Services Manager | Medium (3) | Jun-21 | | Updated and implemented. No further DSAR requests received. | Complete pending evidence |
2021⁄22 Assurance Mapping of Major Projects | Management should put in place a project plan for implementation of the new project management approach. (etc.) | Governance and Reporting Manager | Medium (2) | Sep-22 | | No update provided. | Incomplete |
2021⁄22 Cyber Security Review | We recommend that CNPA should perform a risk assessment as well as a gap analysis of the current technology, policy and business environment, to identify the key cyber security risks. (etc.) | Information Systems Manager | Medium (3) | Aug-22 | Sept 23 | While we are mindful of risks as part of the course of our day-to-day management of our IT resources, there has been a lack of formality in recording these risks. (etc.) | Incomplete |
2021⁄22 Cyber Security Review | We recommend that CNPA establish procedures for handling cyber security events. (etc.) | Information Systems Manager | Medium (2) | Dec-22 | | No update provided. | Incomplete |
2021⁄22 Financial Management and Reporting | Management should document and communicate the financial responsibilities of staff with financial authority, ensuring that all staff formally acknowledge their responsibilities. | Finance Manager and Financial Accountant | Medium (2) | Jun-22 | Mar-23 | No update provided. | Partially Complete |
2021⁄22 Budget Management Policy | Recommendation agreed. Will be developed, approved and circulated to relevant staff. | Finance Manager and Financial Accountant | Medium (2) | Sep-22 | | No update provided. | Incomplete |
2021⁄22 ICT Strategy | We recommend that annual operational plans are developed which sets out a workplan for each financial year. (etc.) | Information Systems Manager and Head of Finance | Medium (3) | Jun-22 | June 23 | The IT operational plan will, in future, follow naturally from the ICT strategy. (etc.) | Incomplete |
2021⁄22 ICT Strategy | We recommend that management explicitly document approvals of strategies within minutes of meetings. (etc.) | Director of Corporate Services | Medium (2) | Mar-23 | | No update provided. | Incomplete |
2021⁄22 ICT Strategy | We recommend that the action plan within the IT and Data Strategy is updated to include action owners and delivery dates. (etc.) | Project plan = Information Systems Manager, New IT Data Strategy = Director of Corporate Services | Medium (3) | Project Plan — Jun-22, Data Strategy — Sep-22 | Dec 23 | The Authority’s strategic approach to ICT is under consideration. (etc.) | Incomplete |
2021⁄22 LEADER Programme | Management should ensure that feedback on CNPA internal processes is obtained and, where appropriate, fed into Scottish Government reviews on programme processes. (etc.) | LEADER Programme Manager | Medium (2) | Mar-22 | Apr-23 | No update provided. | Incomplete |
2021⁄22 Peatland Action Programme Set Up | Management should document the scheme requirements, ensuring that this is representative of the arrangements currently in place or in development, and communicate these clearly to staff. | Head of Service, Land Management, with Peatland Action Programme Managers | Medium (3) | Nov-22 | Aug 23 | This requirement is partially implemented. (etc.) | Partially Complete |
2021⁄22 Peatland Action Programme Set Up | Management should document the risks associated with the full-service approach and put mitigating controls in place to manage this within the risk appetite/tolerance of the CNPA Board. (etc.) | Director of Nature and Climate Change | High (4) | Legal advice — Dec-22, Risk Map and action plan — Dec-22 | | This requirement is partially implemented. (etc.) | Partially Complete |
2021⁄22 Peatland Action Programme Set Up | CNPA should ensure the consistent treatment of Prior Notification costs, meaning that those should be reimbursed if incurred by CNPA and appropriately reflected in grant offer letters. | Peatland Action Programme Managers | Medium (2) | Nov-22 | | No update provided. | Incomplete |
2021⁄22 Peatland Action Programme Set Up | Management should develop a communications strategy for the programme, including a review of the CNPA website and awareness raising activities for the Peatland Action Programme and consider how the work to identify peatland sites will inform the communication activities undertaken. (etc.) | Head of Land Management | Medium (3) | Apr-23 | | This requirement has been fully implemented. | Complete Pending Evidence |
2021⁄22 Peatland Action Programme Set Up | Management should finalise and implement the funding criteria for application appraisals. (etc.) | Peatland Action Programme Managers | Medium (3) | Mar-23 | | This requirement has been fully implemented. | Complete Pending Evidence |
2021⁄22 Peatland Action Programme Set Up | CNPA should ensure that the minimum controls, processes and documentation identified below are in place and being used. Detail in report. | Head of Service with Peatland Action Managers | High (4) | Feb-22 | Aug 23 | This requirement has been partially implemented. (etc.) | Partially Complete |
2021⁄22 Peatland Action Programme Set Up | Management should implement a governance structure which is able to direct the strategic direction of the programme and provide assurance over the delivery of programme. (etc.) | Director of Nature and Climate Change with Head of Land Management | Medium (2) | Nov-22 | | This requirement is fully implemented. | Complete Pending Evidence |
2021⁄22 Peatland Action Programme Set Up | Management should update the programme monitoring tools to provide sufficient information to manage the programme effectively including detailing progress with each of the stages within the core grant process for each project. (etc.) | Peatland Action Programme Managers | Medium (3) | Oct-22 | | This requirement is fully implemented. | Complete Pending Evidence |
2022⁄23 Data Management | In line with the update of policies and identification of requirements recommended in MAP 1.1, we recommend that CNPA establishes a cloud migration strategy or plan which takes into account how these requirements will be met by SharePoint and the actions required to configure the solution to do so. (etc.) | Deputy Chief Executive, as senior sponsor of the SharePoint Transition Project and oversight of wider organisational development work required | Medium (3) | Apr-23 | | No update provided. | Incomplete |
2022⁄23 LEADER Programme | For other grant programmes CNPA should ensure that decisions taken which vary from standard processes are clearly documented including the approval route for the decision being made. (etc.) | Community Grants Manager | Medium (2) | Dec-22 | | No update provided. | Incomplete |
2022⁄23 Performance Management | We support management’s approach to developing a dashboard to support more frequent scrutiny and challenge by senior management. (etc.) | Governance, Data and Reporting Manager | Medium (2) | Dec-22 | | No update provided. | Incomplete |
2022⁄23 Performance Management | Whilst developing the new corporate plan, management should ensure that this is supported by a sufficient mix of qualitative and quantitative measures and indicators that clearly define the proposed outcome of the activities being undertaken. (etc.) | Governance, Data and Reporting Manager | Medium (2) | Mar-23 | | No update provided. | Incomplete |
Appendix 3: Audit risk categorisations
Management action grades:
- 4: Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
- 3: High risk exposure — absence / failure of key controls that create significant risks within the organisation.
- 2: Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
- 1: Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general housekeeping issues.
Azets 2023. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22.
Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.