Cairngorms National Park Authority Internal Audit Annual Report 2022/23
May 2023
Contents
- Introduction
- Overall internal audit opinion
- Internal audit work performed
- Appendix 1 – Planned v actual days 2022/23
- Appendix 2 – Summary of Quality Assurance Assessment
Introduction
The Public Sector Internal Audit Standards (PSIAS) state that:
“The Chief Audit Executive must deliver an annual internal audit opinion and report that can be used by the organisation to inform its governance statement.”
“The annual internal audit opinion must conclude on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control.”
To meet the above requirements, this Annual Report summarises our conclusions and key findings from the internal audit work undertaken at Cairngorms National Park Authority during the year ended 31 March 2023, including our overall opinion on Cairngorms National Park Authority’s internal control system.
Acknowledgement
We would like to take this opportunity to thank all members of management and staff for the help, courtesy and co-operation extended to us during the year.
Overall internal audit opinion
Basis of opinion
As the Internal Auditor of the Cairngorms National Park Authority, we are required to provide the Audit and Risk Committee with assurance on the whole system of internal control. In giving our opinion it should be noted that assurance can never be absolute. The most that the internal audit service can provide is reasonable assurance that there are no major weaknesses in the whole system of internal control.
In assessing the level of assurance to be given, we have taken into account:
- All reviews undertaken as part of the 2022/23 internal audit plan;
- Any scope limitations imposed by management;
- Matters arising from previous reviews and the extent of follow-up action taken including in year audits;
- Expectations of senior management, the Audit and Risk Committee and other stakeholders;
- The extent to which internal controls address the client’s risk management/control framework;
- The effect of any significant changes in Cairngorms National Park Authority’s objectives or systems; and
- The internal audit coverage achieved to date.
In my professional judgement as Head of Internal Audit, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the basis and the accuracy of the conclusions reached and contained in this report. The conclusions are based on the conditions as they existed at the time of the audit. The conclusions are only applicable for the entity examined. The evidence gathered meets professional audit standards and is sufficient to provide senior management with appropriate assurance from the work of internal audit.
Internal Audit Opinion
In our opinion, Cairngorms National Park Authority has a framework of governance, risk management and controls that provides reasonable assurance regarding the effective and efficient achievement of objectives. We note however a significant number of audit actions remain outstanding from previous years, some of which are now aged.
Azets
May 2023
Internal audit work performed
Scope and responsibilities
Management
It is management’s responsibility to establish a sound internal control system. The internal control system comprises the whole network of systems and processes established to provide reasonable assurance that organisational objectives will be achieved, with particular reference to:
- Risk management;
- The effectiveness of operations;
- The economic and efficient use of resources;
- Compliance with applicable policies, procedures, laws and regulations;
- Safeguards against losses, including those arising from fraud, irregularity or corruption; and
- The integrity and reliability of information and data.
Internal auditor
The Internal Auditor assists management by examining, evaluating and reporting on the controls in order to provide an independent assessment of the adequacy of the internal control system. To achieve this, the Internal Auditor should:
- Analyse the internal control system and establish a review programme;
- Identify and evaluate the controls which are established to achieve objectives in the most economic and efficient manner;
- Report findings and conclusions and, where appropriate, make recommendations for improvement;
- Provide an opinion on the reliability of the controls in the system under review; and
- Provide an assurance based on the evaluation of the internal control system within the organisation as a whole.
Planning process
Our strategic and annual internal audit plans are designed to provide the Audit and Risk Committee with assurance that Cairngorms National Park Authority’s internal control system is effective in managing the key risks and best value is being achieved. The plans are therefore informed by Cairngorms National Park Authority’s risk management system and linked to the Corporate Risk Register.
The Strategic Internal Audit Plan was agreed in consultation with senior management and formally approved by the Audit and Risk Committee in March 2022.
The Annual Internal Audit Plan is subject to revision throughout the year to reflect changes in Cairngorms National Park Authority’s risk profile. No changes were made to the 2022/23 plan.
We planned our work so that we have a reasonable expectation of detecting significant control weaknesses. However, internal audit can never guarantee to detect all fraud or other irregularities and cannot be held responsible for internal control failures.
Cover achieved
The 2022/23 Internal Audit Plan comprised 55 days of audit work and we completed the full programme. A comparison of actual coverage against the 2022/23 plan is attached at Appendix 1.
We confirm that there were no resource limitations that impinged on our ability to meet the full audit needs of the Cairngorms National Park Authority and no restrictions were placed on our work by management.
We did not rely on the work performed by a third party during the period.
Reports
We prepared a report from each review and presented these reports to the Audit and Risk Committee. The reports are summarised in the table below.
Where relevant, all reports contained action plans detailing responsible officers and implementation dates. The reports were fully discussed and agreed with management prior to submission to the Audit and Risk Committee. We made no significant recommendations that were not accepted by management.
Summary of reports by control assessment and action grade
Review | Control objective assessment | No. of issues per grading | ||
---|---|---|---|---|
4 | 3 | 2 | 1 | |
Payroll and Expenses | 5 | 4 | ||
Performance Management | 2 | |||
Workforce Management and Planning | 1 | 1 | ||
Data Management | 2 | |||
Leader Administration | 1 | |||
Follow up Part 1 | N/A Due to the style of report | |||
Follow up Part 2 | N/A Due to the style of report |
Control objective assessment definitions
- R: Fundamental absence or failure of key controls.
- A: Control objective not achieved — controls are inadequate or ineffective.
- Y: Control objective achieved — no major weaknesses but scope for improvement.
- G: Control objective achieved — controls are adequate, effective and efficient.
Management action prioritisation definitions
- 4: Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
- 3: High risk exposure — absence/failure of key controls that create significant risks within the organisation.
- 2: Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
- 1: Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.
Progress in implementing previous internal audit actions
We reviewed the progress of 60 actions during the course of the year and obtained sufficient evidence to close 19 (32%) of these. In addition, seven (12%) were considered complete pending evidence and a further six (10%) were superseded. Of the 28 remaining actions, four (14%) are partially complete, 17 (61%) are incomplete and seven (25%) were not yet due for completion.
Key themes from audit work in 2022/23
Payroll and expenses
We identified a number of weaknesses in the controls in place over payroll and expenses, with two of the more significant findings both relating to controls over the maintenance of payroll data. We firstly noted a lack of control over payroll amendments, with a lack of secondary review over changes made to standing data (including starters and leavers). We also recommended that back-up arrangements be improved, to ensure that those could be accessed and used timeously in the event of their being required. We also raised a number of less significant points over a range of areas that require management attention.
Organisational planning and reporting
We carried out an audit of Performance Management which found CNPA’s approach to operational reporting to be ad hoc, with a lack of clarity over the frequency and expected content. Our discussions with senior management highlighted that they are aware of this issue and have recognised the need to improve reporting on objectives operationally. In particular management has identified the need to have real-time information available on ongoing activities that impact the delivery of the corporate objectives.
We also reviewed workforce planning and management, an important area for CNPA as the organisation undergoes a period of growth and in which a number of recruitment and retention risks exist. At the time of fieldwork, the current Workforce Strategy (dated 2018) was not wholly reflective of the current landscape in which CNPA is operating and required to be updated. While we note that many of the challenges outlined in the 2018 Workforce Strategy, such as rurality, remain, additional challenges such as COVID-19 and increased partnership funding have not yet been incorporated within the strategy.
We note that CNPA has recently launched a new Corporate Strategy, which should in due course be reflected across the suite of organisational planning tools and reports. This includes being reflected in the revised performance reporting and workforce planning documentation recommended within these reviews.
Data management
We identified that key policies and procedures surrounding the lifecycle of data are not in place within CNPA. An overarching ICT Policy includes references to acceptable use of internet and email, as well as electronic filing and disk space management; however, this policy has not been updated since January 2016. Areas of data security, such as Access Control, Cloud and Data Security, and Data Labelling and Classification, are not addressed in existing policies. Further, there has been no work to update any policies in relation to the use of SharePoint. Policies that are in place are outdated; the organisation’s Data Protection Policy and Data Security Breach Management Policy were last updated in September 2018, and the Email Policy in January 2016.
Independence
PSIAS require us to communicate on a timely basis all facts and matters that may have a bearing on our independence.
We can confirm that the staff members involved in each 2022/23 internal audit review were independent of Cairngorms National Park Authority and their objectivity was not compromised in any way.
Conformance with Public Sector Internal Audit Standards
We confirm that our internal audit service conforms to the Public Sector Internal Audit Standards, which are based on the International Standards for the Professional Practice of Internal Auditing. This is confirmed through our quality assurance and improvement programme, which includes cyclical internal and external assessments of our methodology and practice against the standards.
A summary of the results of our most recent external assessment is provided at Appendix 2.
Appendix 1 – Planned v actual days 2022/23
Ref and Name of report | Planned Days | Actual Days |
---|---|---|
Payroll and Expenses | 10 | 10 |
Performance Management | 8 | 8 |
Workforce Management and Reporting | 11 | 11 |
Data Management | 7 | 7 |
Leader Administration | 5 | 5 |
Follow Up | 3 | 3 |
Internal Audit Management and Administration | 2 | 2 |
Audit and Risk Committee planning, reporting and attendance | 3 | 3 |
Audit needs analysis — strategic and operational IA planning | 3 | 3 |
Contract Management | 2 | 2 |
Annual Internal Audit Report | 1 | 1 |
Total | 55 | 55 |
Appendix 2 – Summary of Quality Assurance Assessment
As part of our regular quality assessment procedures, we commissioned an external quality assessment (EQA) against the Institute of Internal Auditors’ (IIA) International Professional Practices Framework (IPPF) and, where appropriate, the Public Sector Internal Audit Standards (PSIAS).
We are pleased to disclose the outcome of this assessment as we believe it is important to provide you with assurance that the service you receive is of a high quality and fully compliant with internal audit standards.
Outlined below are extracts from our most recent external quality assessment undertaken in February 2023.
External Quality Assessment summary
Executive Summary
I am pleased to report that there are no material governance, methodology or practical issues that are impacting Azets Risk Assurance’s overall conformance with the Institute of Internal Auditors (IIAs) International Professional Practices framework (IPPF).
Internal Audit have achieved the highest level of conformance with the Standards, as well as the Definition, Core Principles, and the Code of Ethics, which form the mandatory elements of the IPPF, the global standard for quality in Internal Auditing. The Institute describe this as “Generally Conforms”.
This is an excellent result and is based on an extensive EQA covering the team’s approach, methodology, processes, and an extensive sample of engagement files. The EQA assessor is an experienced, former Chief Assurance Officer and current Audit Committee Chair.
Conformance Opinion
The IPPF/PSIAS includes the Mission and Definition of Internal Auditing, the Core Principles, Code of Ethics, and International Standards. There are 64 fundamental principles to achieve, with 118 points of recommended practice.
I am delighted to confirm that Azets Risk Assurance generally conforms with 62 of these 64 fundamental principles. This is an excellent result. Furthermore, there are no areas of ‘partial’ or ‘non-conformance’ with any of the remaining fundamental principles.
The overall assessment resulting from the EQA is that Azets Risk Assurance “generally conforms to the International Professional Practices Framework”. The term “generally conforms” is used by the IIA to represent the highest level of achievement and performance.
I include a summary of Azets Risk Assurance’s conformance to these fundamental principles below. Overall, I believe that Azets Risk Assurance has achieved an excellent performance given the breadth of the IPPF, and the diverse work and activity the team undertakes.
Summary of IIA Conformance
Standards | N/A | Does not Conform | Partially Conforms | Generally Conforms | Total |
---|---|---|---|---|---|
Definition of IA and Code of Ethics | | | | 12 | 12 |
Purpose | | | | 8 | 8 |
Proficiency and Due Professional Care | | | | 4 | 4 |
Quality Assurance and Improvement Programme | 1 | | | 6 | 7 |
Managing the Internal Audit Activity | | | | 12 | 12 |
Engagement Planning and Delivery | 1 | | | 20 | 21 |
Total | 2 | 0 | 0 | 62 | 64 |
Our response
The review identified a number of areas for future consideration to further enhance our internal audit practices. We welcome these findings and as such, a detailed action plan will be put into place to address the areas for further development.
© Azets 2023. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22.
Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.