Audit and Risk Committee Paper 6
21 June 2023
Page 1 of 8
For Decision
Title: Governance Statement
Cover Paper prepared by: David Cameron, Deputy Chief Executive & Director of Corporate Services
Purpose
This paper presents the draft Governance Report, which forms part of the Annual Report and Accounts, to the Committee for review and comment prior to inclusion in the draft papers submitted for external audit.
Recommendations
The Committee is requested to:
a) Review the draft Governance Statement presented with this paper.
b) Subject to any agreed amendments, approve the Governance Statement for inclusion in the Park Authority’s draft Annual Report and Accounts for 2022⁄23.
Executive Summary
The Governance Statement within the Park Authority’s Annual Report and Accounts has a prescribed format and a number of prescribed content areas. Within the required reporting format, the content of the statement has been updated for 2022⁄23 as presented with this paper. Key areas of update are shaded in grey to help identify new material added.
The Committee is invited to review the draft Statement and make any amendments prior to its inclusion in the documents and working papers submitted for external audit review of the 2022⁄23 accounts.
Governance Statement
Scope of responsibility
As Accountable Officer, I am responsible for maintaining sound systems of internal control that support the achievement of Cairngorms National Park Authority’s policies, aims and objectives, while safeguarding the public funds and departmental assets for which I am personally responsible. These duties are in accordance with the Management Statement agreed between the Park Authority and Scottish Government, and also align with responsibilities assigned to me in the Scottish Public Finance Manual (SPFM).
The SPFM, issued by the Scottish Ministers, provides guidance to the Scottish Government and other relevant bodies on the proper handling of public funds, and sets out the relevant statutory, parliamentary and administrative requirements, emphasising the need for economy, efficiency and effectiveness, and promotes good practice and high standards of propriety. As Accountable Officer, I am responsible for ensuring that the Park Authority’s internal control systems comply with the requirements of the SPFM.
The Management Statement established by Scottish Government sets out the role of the Park Authority’s Board in providing leadership and governance. This Management Statement is scheduled to be replaced by the new standard ‘Framework Agreement’ between Scottish Government and its devolved public bodies, with the expectation that the new Agreement will come into force before the end of the 2023 calendar year.
The governance responsibilities of the Board are supported by Standing Orders last revised and adopted in 2019 and a Code of Conduct revised and adopted in 2022. The Board agreed a “Governance Responsibility Framework” document in 2021, setting out the respective roles and responsibilities of the board and its non-executive board members and senior managers in decision making to give added clarity and understanding to this aspect of the Cairngorms NPA’s governance. Our group of professional, senior staff advisors, complemented by appropriate Board training and development processes, support the good governance arrangements set out in the Standing Orders and Code of Conduct.
As a public body, the Park Authority is committed to accessibility, openness and accountability, and supports the highest standards in corporate governance.
Other than the documents referred to above and the resource allocation letters issued to me over the course of the year, there were no other written authorities provided to me over the course of 2022⁄23.
The operation of the Board and sub-committees
The Board comprises 19 members: 7 appointed by Ministers following nomination by five Councils with boundaries within the National Park, 7 appointed by Scottish Government through public appointments processes, and 5 directly elected within the wards of the Park.
The Board therefore reflects a blend of different experience, backgrounds and interests. The full Board meets regularly to consider strategy and performance against the current Corporate Plan. Meetings are scheduled quarterly, with additional meetings convened as required. To enable the Board to discharge its duties, all members receive appropriate and timely information in advance of meetings with all agendas and papers also placed in the public domain. Meetings are open to the public, save the occasional meeting held in private for various reasons of business and commercial confidentiality.
To ensure that the Board develops an understanding of the current and emerging issues, members also participate in informal discussion sessions to consider evolving policy issues and proposals. These meetings are held in private to provide for early-stage discussion and members’ learning and development on a range of policy topics. The agreed strategic direction of the Park Authority is discussed and identified in full, open consideration at formal meetings.
The Board has established sub-committees: a Planning Committee (which deals with all aspects of the Park Authority’s statutory planning responsibilities), together with Committees covering Governance, Resources, Performance, and Audit and Risk. This new Committee structure was adopted over the course of 2021⁄22. The revised structure was adopted to augment the governance of the Authority and enhance the Board’s assurance role, as the Authority’s scale of activities and support of significant programmes continues to increase. The Governance Committee has been created to support the board and the Convener to maintain oversight of the effectiveness of governance arrangements across the organisation, including the effectiveness of the committee structure itself. All committees have delegated duties and responsibilities, set out in terms of reference agreed by the full board, to oversee and scrutinise the Park Authority’s deployment and management of resources. The operation of the new Committee structure was reviewed in 2022⁄23 and continued in place throughout the year.
The record of attendance at Board meetings can be found elsewhere in the Annual Report and Accounts.
The Audit and Risk Committee
The Audit and Risk Committee’s role is to provide effective governance over all aspects of the Park Authority’s internal management control systems and the annual financial accounts and audit. It also takes a lead in strategic risk management, ensuring that risks impacting on strategic objectives are identified and mitigated, and that risk management is embedded throughout the Park Authority’s operations. It is supported by the Park Authority’s internal audit function, delivered by Azets, and external auditors, who were Grant Thornton LLP to the close of the 2021⁄22 accounts audit and now Mazars. Mazars have been appointed as the Park Authority’s external auditors from commencement of the 2022⁄23 accounts audit. Both the internal and external auditors have independent access to the Committee and to its Convener. The Committee is tasked with monitoring the operation of the internal control function and bringing any material matters to the attention of the full Board. Detailed reports of all audit reviews are made available to both management and the Committee.
The Committee meets at least quarterly and reports to the board on the adequacy and effectiveness of the Park Authority’s internal controls, and more widely on its work in the preceding year.
The board has continued a process of self-evaluation of effectiveness and governance over the course of 2022⁄23; this process was initiated under the “Leadership” element of the first Organisational Development Strategy in 2015⁄16. A refresh of the board skills matrix, and self-evaluation of members against that matrix, was commenced in 2022⁄23 and will be completed in 2023⁄24 when the new public appointees take their places on the board. The board also held a self-assessment workshop and review in January 2023.
The Board has agreed a set of Corporate Performance Indicators in order to improve its oversight of delivery against key strategic objectives and the Park Authority’s Corporate Plan. A detailed performance report is submitted to the Board twice yearly on delivery against key performance indicators. This report is typically considered at each June and December meeting, alongside a review of strategic risk management. These monitoring and control mechanisms support Board scrutiny over delivery of the Corporate Plan and National Park Partnership Plan priorities. There has been some variation in this reporting cycle over the 2022⁄23 year while the Park Authority went through a transitional year between its 2018 to 2022 Corporate Plan and its newly adopted 2023 to 2027 Corporate Plan. The board agreed a Transitional Strategic Plan and budget for 2022⁄23 at its meeting in March 2022. Delivery against this has been reported in quarterly Chief Executive Officer’s reports to the board, while the end of year report will be presented to the board at its meeting in September 2023.
Periodic reports from independent internal and external auditors form a key and essential element in informing my review as Accountable Officer of the effectiveness of the systems of internal control within the Park Authority. The Board’s Audit and Risk Committee also plays a vital role in this regard, through its consideration of audit recommendations arising from reviews of internal control systems, and its scrutiny of proposed management action to address any improvements required. The Audit and Risk Committee also considers a three-year plan for internal audit coverage and annually agrees an internal audit plan flowing from that three-year plan.
Shared services delivery
The Park Authority plays an important role in providing support over a range of activities to local communities and organisations to help deliver the National Park Partnership Plan’s priorities. In the last year we have supported Cairngorms Local Action Group Trust in its leadership and delivery of new Community Led Local Development funding streams; continued our support of the Cairngorms Capercaillie Project; and led the Development Phase of the Cairngorms 2030 Heritage Horizons Programme involving a wide range of partners across a variety of sectors. All of these have been significant, community and partner led programmes of activity. Our management and internal control structures ensure that support for these community-based delivery entities is separated from the core activities of the Authority, while ensuring that our support helps them achieve “best practice” in their operations.
The Authority also undertakes a range of shared service arrangements with other public body partners. Over the course of the year we have provided human resource advice and organisational development support to the Scottish Land Commission, while collaborating on a range of shared service delivery with Loch Lomond and the Trossachs National Park Authority (LLTNPA). We receive key support from LLTNPA on IT infrastructure maintenance and development; shared licence agreements for planning systems; and data back-up and security arrangements. In addition to these more formal shared services with LLTNPA, both National Park Authorities continue to collaborate closely on areas of shared policy interest.
Internal audit
The internal audit function is an integral element of scrutiny of the Park Authority’s internal control systems. Azets was appointed following an open procurement process as the Park Authority’s internal auditors in 2020, and have undertaken a comprehensive assessment of key internal control systems since their appointment in determining annual and three-year internal audit plans. During the year to 31 March 2023, Azets has reported to the Audit and Risk Committee on the following reviews:
| Governance & risk | Performance Management Systems |
| | Assurance Mapping |
| | Workforce Management and Planning |
| | Follow up review of prior recommendations |
| Internal control systems | LEADER administration |
| | IT and Data Strategy |
| | Cyber Security Arrangements |
| | Peatland Restoration Programme |
| | Data Management |
| Finance | Payroll and Expenses Control Systems |
All recommendations made by Azets are considered; given management responses which are considered by the Audit and Risk Committee; and implemented as appropriate. There were no instances of internal audit recommendations not being accepted by management in the year.
External audit
External auditors are appointed for us by the Auditor General for Scotland through Audit Scotland. Audit Scotland appointed Mazars to the role with effect from the commencement of the 2022⁄23 final accounts audit. We are forming an effective and efficient audit relationship with Mazars, who review key systems so they can form a view on the effectiveness of control arrangements, which in turn supports their audit opinion on the financial statements.
No fees were paid for any non-audit work undertaken by Grant Thornton LLP in their appointment as our previous external auditors, nor to Mazars.
Best value
The Audit and Risk Committee continues to monitor the Authority’s adherence to Scottish Government Best Value guidelines and our approach to continuous improvement. We launched phase three of our Organisational Development Strategy in 2020⁄21 to continue to improve our work processes, organisational environment, and delivery of services. We have also completed our most recent independent staff survey, held every 2 years, and the analysis of the results of that process. This information has supported development of the internal organisational focus of our next Corporate Plan from 2023 to 2027. We are in the process of developing a fourth phase of our Organisational Development Strategy in 2023⁄24. Our next staff survey in autumn 2023 will inform the delivery of continuous organisational improvement as part of our new Corporate Plan to 2027.
Risk management
We have a risk management strategy in accordance with guidance issued by Scottish Ministers to identify actual and potential threats which may prevent us from delivering our statutory purpose, and also to identify appropriate mitigation actions. The Risk Management Strategy was most recently reviewed by the Board in 2019, with the Committee also receiving an internal audit report on the effectiveness of risk management operations within the organisation in that year.
The Board recognises the importance of risk management and continues to monitor the Park Authority’s Strategic Risk Register. The Board held a risk appetite workshop in May 2023 to establish the overall strategic risk appetite for areas of the 2023⁄27 Corporate Plan. This position will form the starting point for redevelopment of the Park Authority’s Strategic Risk Register and supporting delivery of our new Corporate Plan objectives.
The Strategic Risk Register records risks, the action taken to mitigate the identified risks, and senior management’s responsibility for leading on each risk and its mitigation. The Strategic Risk Register is reviewed by the Senior Management Team four times each year, and updated by the full Board twice a year and by the Audit and Risk Committee twice a year.
The Audit and Risk Committee, with the Senior Management Team, leads on embedding risk management processes throughout the Park Authority. Both groups consider the management of strategic risk in line with the Risk Strategy to ensure that the required actions are appropriately reflected and incorporated in operational delivery plans.
Data security
Procedures are in place to ensure that information is being managed in accordance with legislation and that data is held accurately and securely. The Park Authority has no reported nor recorded instances of data loss in the year to 31 March 2023.
We continue to review our digital practices and infrastructure to ensure they remain fit for purpose and that all reasonable steps are taken to minimise the risk of data loss or compromise of systems due to Cyber Attacks. The Park Authority is currently preparing for the third review of our systems through the Cyber Essentials Plus process.
The Authority’s Senior Management Team approved an IT and Data Management Strategy in 2021 which approved our transition toward cloud based service infrastructure. We also made additional investment in cyber security protection over the course of the year.
As noted elsewhere in this statement, our IT Strategy and Cyber Security arrangements have each been subject to internal audit review as part of the internal audit programme. Actions arising from these audits will be addressed over the course of the coming year. The Park Authority has invested in a new Information Manager role to further enhance the focus of our work in this area, with the postholder taking up the role from 1 June 2023.
Response to COVID19 Pandemic
The Authority implemented its Business Continuity Plan (BCP) processes on 17 March 2020 in response to the COVID19 pandemic and continued to apply that BCP process throughout 2021⁄22. The BCP has prioritised the maintenance and evolution of systems to support dispersed working while maintaining maximum focus on delivery of the Authority’s strategic outcomes. Our BCP has also placed an emphasis on staff welfare and ensuring our people remain as physically and mentally healthy as possible throughout this period of BCP operations.
The Board also approved BCP measures to support effective governance throughout the pandemic. This included adapting Board Standing Orders to remote working and meetings held by video conference and telephone, and ensuring appropriate Board and Senior Management succession plans are in place.
The Park Authority is progressing its movement from these BCP arrangements to revised, hybrid working arrangements, which have been trialled throughout 2022⁄23. The majority of our staff continue to work part time from home and dispersed locations and part time in the office. Our board also holds both hybrid and full face-to-face public meetings. The Authority has commenced an internal review of the evolution of our new working arrangements for staff, following staff drop-in sessions held throughout the course of 2022⁄23 to gauge effectiveness of policies and processes and learn about improvements and adaptations we could make. We aim to adopt final hybrid working arrangements by the end of September 2023.
Conclusion
As Accountable Officer I am responsible for reviewing the effectiveness of the system of internal control. In order to do this my review is informed by:
a) the executive managers within the organisation who have responsibility for the development and maintenance of the internal control framework and who provide assurance on systems within regular Senior Management Team meetings;
b) internal monitoring of control systems by staff against SPFM requirements;
c) the work of the internal auditors, who submit regular reports to the Audit and Risk Committee, which include the Head of Internal Audit’s independent and objective opinion on the adequacy and effectiveness of our systems of internal control together with recommendations for improvement;
d) comments made by the external auditors in their management letter and other reports.
I am supported by the Deputy Chief Executive and Director of Corporate Services, who provides senior management leadership on the financial management, internal controls and governance arrangements, and who in turn is supported by the Corporate Services staff group. I take assurance on the effectiveness of internal control systems, financial management and planning processes, and risk management from the assurances received from the Director of Corporate Services and Deputy Chief Executive.
I have also been advised on the effectiveness of the system of internal control by the Board and its Audit and Risk Committee. Appropriate action is taken against any weaknesses identified and to ensure continuous improvement of our systems.
The internal auditor’s annual report for 2022⁄23 states that, […]. Action is underway on implementing improvements required to mitigate risk areas identified by internal audit and as such I also take assurance on the adequacy and effectiveness of the Authority’s internal controls from the independent internal auditor’s report for the year.
Version
5 June DFC initial draft for ARC consideration
5 June reflecting LA and DR comments