Please be aware the content below has been generated by an AI model from a source PDF.

230621AUCtteePaper6GovernanceStatement2223

Audit and Risk Com­mit­tee Paper 6

21 June 2023


For Decision

Title: Gov­ernance Statement

Cov­er Paper pre­pared by: Dav­id Camer­on, Deputy Chief Exec­ut­ive & Dir­ect­or of Cor­por­ate Services

Pur­pose

This paper presents the draft Gov­ernance Report, which forms part of the Annu­al Report and Accounts, to the Com­mit­tee for review and com­ment pri­or to inclu­sion in the draft papers sub­mit­ted for extern­al audit.

Recom­mend­a­tions

The Com­mit­tee is reques­ted to:

a) Review the draft Gov­ernance State­ment presen­ted with this paper.

b) Subject to any agreed amendments, approve the Governance Statement for inclusion in the Park Authority’s draft Annual Report and Accounts for 2022/23.

Exec­ut­ive Summary

The content of the Governance Statement within the Park Authority’s Annual Report and Accounts has a number of prescribed areas and a prescribed format. Within the required reporting format, the content of the statement has been updated for 2022/23 as presented with this paper. Key areas of update are shaded in grey to help identify new material added.

The Committee is invited to review the draft Statement and make any amendments prior to its inclusion in the documents and working papers submitted for external audit review of the 2022/23 accounts.


Gov­ernance Statement

Scope of responsibility

As Account­able Officer, I am respons­ible for main­tain­ing sound sys­tems of intern­al con­trol that sup­port the achieve­ment of Cairngorms Nation­al Park Authority’s policies, aims and object­ives, while safe­guard­ing the pub­lic funds and depart­ment­al assets for which I am per­son­ally respons­ible. These duties are in accord­ance with the Man­age­ment State­ment agreed between the Park Author­ity and Scot­tish Gov­ern­ment, and also align with respons­ib­il­it­ies assigned to me in the Scot­tish Pub­lic Fin­ance Manu­al (SPFM).

The SPFM, issued by the Scot­tish Min­is­ters, provides guid­ance to the Scot­tish Gov­ern­ment and oth­er rel­ev­ant bod­ies on the prop­er hand­ling of pub­lic funds, and sets out the rel­ev­ant stat­utory, par­lia­ment­ary and admin­is­trat­ive require­ments, emphas­ising the need for eco­nomy, effi­ciency and effect­ive­ness, and pro­motes good prac­tice and high stand­ards of pro­pri­ety. As Account­able Officer, I am respons­ible for ensur­ing that the Park Authority’s intern­al con­trol sys­tems com­ply with the require­ments of the SPFM.

The Management Statement established by Scottish Government sets out the role of the Park Authority’s Board in providing leadership and governance. This Management Statement is scheduled to be replaced by the new standard ‘Framework Agreement’ between Scottish Government and its devolved public bodies, with the expectation that the new Agreement will come into force before the end of the 2023 calendar year.

The governance responsibilities of the Board are supported by Standing Orders last revised and adopted in 2019 and a Code of Conduct revised and adopted in 2022. The Board agreed a “Governance Responsibility Framework” document in 2021, setting out the respective roles and responsibilities of the board and its non-executive board members and senior managers in decision making to give added clarity and understanding to this aspect of the Cairngorms NPA’s governance. Our group of professional, senior staff advisors, complemented by appropriate Board training and development processes, support the good governance arrangements set out in the Standing Orders and Code of Conduct.

As a pub­lic body, the Park Author­ity is com­mit­ted to access­ib­il­ity, open­ness and account­ab­il­ity, and sup­ports the highest stand­ards in cor­por­ate governance.

Other than the documents referred to above and the resource allocation letters issued to me over the course of the year, there were no other written authorities provided to me over the course of 2022/23.

The oper­a­tion of the Board and sub-committees

The Board com­prises 19 mem­bers: 7 appoin­ted by Min­is­ters fol­low­ing nom­in­a­tion by five Coun­cils with bound­ar­ies with­in the Nation­al Park, 7 appoin­ted by Scot­tish Gov­ern­ment through pub­lic appoint­ments pro­cesses, and 5 dir­ectly elec­ted with­in the wards of the Park.


The Board there­fore reflects a blend of dif­fer­ent exper­i­ence, back­grounds and interests. The full Board meets reg­u­larly to con­sider strategy and per­form­ance against the cur­rent Cor­por­ate Plan. Meet­ings are sched­uled quarterly, with addi­tion­al meet­ings con­vened as required. To enable the Board to dis­charge its duties, all mem­bers receive appro­pri­ate and timely inform­a­tion in advance of meet­ings with all agen­das and papers also placed in the pub­lic domain. Meet­ings are open to the pub­lic, save the occa­sion­al meet­ing held in private for vari­ous reas­ons of busi­ness and com­mer­cial confidentiality.

To ensure that the Board devel­ops an under­stand­ing of the cur­rent and emer­ging issues, mem­bers also par­ti­cip­ate in inform­al dis­cus­sion ses­sions to con­sider evolving policy issues and pro­pos­als. These meet­ings are held in private to provide for early-stage dis­cus­sion and mem­bers’ learn­ing and devel­op­ment on a range of policy top­ics. The agreed stra­tegic dir­ec­tion of the Park Author­ity is dis­cussed and iden­ti­fied in full, open con­sid­er­a­tion at form­al meetings.

The Board has established sub-committees: a Planning Committee (which deals with all aspects of the Park Authority’s statutory planning responsibilities), together with Committees covering Governance, Resources, Performance, and Audit and Risk. This new Committee structure was adopted over the course of 2021/22. The revised structure was adopted to augment the governance of the Authority and enhance the Board’s assurance role, as the Authority’s scale of activities and support of significant programmes continues to increase. The Governance Committee has been created to support the board and the Convener to maintain oversight of the effectiveness of governance arrangements across the organisation, including the effectiveness of the committee structure itself. All committees have delegated duties and responsibilities, set out in terms of reference agreed by the full board, to oversee and scrutinise the Park Authority’s deployment and management of resources. The operation of the new Committee structure was reviewed in 2022/23 and continued in place throughout the year.

The record of attend­ance at Board meet­ings can be found else­where in the Annu­al Report and Accounts.

The Audit and Risk Committee

The Audit and Risk Committee’s role is to provide effective governance over all aspects of the Park Authority’s internal management control systems and the annual financial accounts and audit. It also takes a lead in strategic risk management, ensuring that risks impacting on strategic objectives are identified and mitigated, and that risk management is embedded throughout the Park Authority’s operations. It is supported by the Park Authority’s internal audit function, delivered by Azets, and external auditors, who were Grant Thornton LLP to the close of the 2021/22 accounts audit and now Mazars. Mazars have been appointed as the Park Authority’s external auditors from commencement of the 2022/23 accounts audit. Both the internal and external auditors have independent access to the Committee and to its Convener. The Committee is tasked with monitoring the operation of the internal control function and bringing any material matters to the attention of the full Board. Detailed reports of all audit reviews are made available to both management and the Committee.


The Com­mit­tee meets at least quarterly and reports to the board on the adequacy and effect­ive­ness of the Park Authority’s intern­al con­trols, and more widely on its work in the pre­ced­ing year.

The board has continued a process of self-evaluation of effectiveness and governance over the course of 2022/23; this process was initiated under the “Leadership” element of the first Organisational Development Strategy in 2015/16. A refresh of the board skills matrix, and self-evaluation of members against that matrix, was commenced in 2022/23 and will be completed in 2023/24 when the new public appointees take their places on the board. The board also held a self-assessment workshop and review in January 2023.

The Board has agreed a set of Corporate Performance Indicators in order to improve its oversight of delivery against key strategic objectives and the Park Authority’s Corporate Plan. A detailed performance report is submitted to the Board twice yearly on delivery against key performance indicators. This report is typically considered at each June and December meeting, alongside a review of strategic risk management. These monitoring and control mechanisms support Board scrutiny over delivery of the Corporate Plan and National Park Partnership Plan priorities. There has been some variation in this reporting cycle over the 2022/23 year while the Park Authority went through a transitional year between its 2018 to 2022 Corporate Plan and its newly adopted 2023 to 2027 Corporate Plan. The board agreed a Transitional Strategic Plan and budget for 2022/23 at its meeting in March 2022. Delivery against this has been reported in quarterly Chief Executive Officer’s reports to the board, while the end of year report will be presented to the board at its meeting in September 2023.

Peri­od­ic reports from inde­pend­ent intern­al and extern­al aud­it­ors form a key and essen­tial ele­ment in inform­ing my review as Account­able Officer of the effect­ive­ness of the sys­tems of intern­al con­trol with­in the Park Author­ity. The Board’s Audit and Risk Com­mit­tee also plays a vital role in this regard, through its con­sid­er­a­tion of audit recom­mend­a­tions arising from reviews of intern­al con­trol sys­tems, and its scru­tiny of pro­posed man­age­ment action to address any improve­ments required. The Audit and Risk Com­mit­tee also con­siders both a three-year plan for intern­al audit cov­er­age and annu­ally agrees an intern­al audit plan flow­ing from that three-year plan.

Shared ser­vices delivery

The Park Authority plays an important role in providing support over a range of activities to local communities and organisations to help deliver the National Park Partnership Plan’s priorities. In the last year we have supported Cairngorms Local Action Group Trust in its leadership and delivery of new Community Led Local Development funding streams; continued our support of the Cairngorms Capercaillie Project; and led the Development Phase of the Cairngorms 2030 Heritage Horizons Programme involving a wide range of partners across a variety of sectors. All of these have been significant, community and partner led programmes of activity. Our management and internal control structures ensure that support for these community-based delivery entities is separated from the core activities of the Authority, while ensuring that our support helps them achieve “best practice” in their operations.

The Author­ity also under­takes a range of shared ser­vice arrange­ments with oth­er pub­lic body part­ners. Over the course of the year we have provided human resource advice and organ­isa­tion­al devel­op­ment sup­port to the Scot­tish Land Com­mis­sion, while col­lab­or­at­ing on a range of shared ser­vice deliv­ery with Loch Lomond and the Trossachs Nation­al Park Author­ity (LLT­NPA). We receive key sup­port from LLT­NPA on IT infra­struc­ture main­ten­ance and devel­op­ment; shared licence agree­ments for plan­ning sys­tems; and data back-up and secur­ity arrange­ments. In addi­tion to these more form­al shared ser­vices with LLT­NPA, both Nation­al Park Author­it­ies con­tin­ue to col­lab­or­ate closely on areas of shared policy interest.

Intern­al audit

The intern­al audit func­tion is an integ­ral ele­ment of scru­tiny of the Park Authority’s intern­al con­trol sys­tems. Azets was appoin­ted fol­low­ing an open pro­cure­ment pro­cess as the Park Authority’s intern­al aud­it­ors in 2020, and have under­taken a com­pre­hens­ive assess­ment of key intern­al con­trol sys­tems since their appoint­ment in determ­in­ing annu­al and three-year intern­al audit plans. Dur­ing the year to 31 March 2023, Azets has repor­ted to the Audit and Risk Com­mit­tee on the fol­low­ing reviews:

Governance & risk:
Performance Management Systems
Assurance Mapping
Workforce Management and Planning
Follow up review of prior recommendations

Internal control systems:
LEADER administration
IT and Data Strategy
Cyber Security Arrangements
Peatland Restoration Programme
Data Management

Finance:
Payroll and Expenses Control Systems

All recom­mend­a­tions made by Azets are con­sidered; giv­en man­age­ment responses which are con­sidered by the Audit and Risk Com­mit­tee; and imple­men­ted as appro­pri­ate. There were no instances of intern­al audit recom­mend­a­tions not being accep­ted by man­age­ment in the year.

Extern­al audit

External auditors are appointed for us by the Auditor General for Scotland through Audit Scotland. Audit Scotland appointed Mazars to the role with effect from the commencement of the 2022/23 final accounts audit. We are forming an effective and efficient audit relationship with Mazars, who review key systems so they can form a view on the effectiveness of control arrangements, which in turn supports their audit opinion on the financial statements.


No fees were paid for any non-audit work under­taken by Grant Thornton LLP in their appoint­ment as our pre­vi­ous extern­al aud­it­ors, nor to Mazars.

Best value

The Audit and Risk Committee continues to monitor the Authority’s adherence to Scottish Government Best Value guidelines and our approach to continuous improvement. We launched phase three of our Organisational Development Strategy in 2020/21 to continue to improve our work processes, organisational environment, and delivery of services. We have also completed our most recent independent staff survey, held every 2 years, and the analysis of the results of that process. This information has supported development of the internal organisational focus of our next Corporate Plan from 2023 to 2027. We are in the process of developing a fourth phase of our Organisational Development Strategy in 2023/24. Our next staff survey in autumn 2023 will inform the delivery of continuous organisational improvement as part of our new Corporate Plan to 2027.

Risk man­age­ment

We have a risk man­age­ment strategy in accord­ance with guid­ance issued by Scot­tish Min­is­ters to identi­fy actu­al and poten­tial threats which may pre­vent us from deliv­er­ing our stat­utory pur­pose, and also to identi­fy appro­pri­ate mit­ig­a­tion actions. The Risk Man­age­ment Strategy was most recently reviewed by the Board in 2019, with the Com­mit­tee also receiv­ing an intern­al audit report on the effect­ive­ness of risk man­age­ment oper­a­tions with­in the organ­isa­tion in that year.

The Board recognises the importance of risk management and continues to monitor the Park Authority’s Strategic Risk Register. The Board held a risk appetite workshop in May 2023 to establish the overall strategic risk appetite for areas of the 2023-27 Corporate Plan. This position will form the starting point for redevelopment of the Park Authority’s Strategic Risk Register and supporting delivery of our new Corporate Plan objectives.

The Stra­tegic Risk Register records risks, action taken to mit­ig­ate the iden­ti­fied risks and seni­or management’s respons­ib­il­ity for lead­ing on each risk and its mit­ig­a­tion. The Stra­tegic Risk Register is reviewed by the Seni­or Man­age­ment Team four times each year, and updated by the full Board twice and also by the Audit and Risk Com­mit­tee twice a year.

The Audit and Risk Com­mit­tee, with the Seni­or Man­age­ment Team, leads on embed­ding risk man­age­ment pro­cesses through­out the Park Author­ity. Both groups con­sider the man­age­ment of stra­tegic risk in line with the Risk Strategy to ensure that the required actions are appro­pri­ately reflec­ted and incor­por­ated in oper­a­tion­al deliv­ery plans.


Data secur­ity

Pro­ced­ures are in place to ensure that inform­a­tion is being man­aged in accord­ance with legis­la­tion and that data is held accur­ately and securely. The Park Author­ity has no repor­ted nor recor­ded instances of data loss in the year to 31 March 2023.

We con­tin­ue to review our digit­al prac­tices and infra­struc­ture to ensure they remain fit for pur­pose and that all reas­on­able steps are taken to min­im­ise the risk of data loss or com­prom­ise of sys­tems due to Cyber Attacks. The Park Author­ity is cur­rently pre­par­ing for the third review of our sys­tems through the Cyber Essen­tials Plus process.

The Authority’s Senior Management Team approved an IT and Data Management Strategy in 2021 which approved our transition toward cloud-based service infrastructure. We also made additional investment in cyber security protection over the course of the year.

As noted else­where in this state­ment, our IT Strategy and Cyber Secur­ity arrange­ments have each been sub­ject to intern­al audit review as part of the intern­al audit pro­gramme. Actions arising from these audits will be addressed over the course of the com­ing year. The Park Author­ity has inves­ted in a new Inform­a­tion Man­ager role to fur­ther enhance the focus of our work in this area, with the pos­thold­er tak­ing up the role from 1 June 2023.

Response to COVID-19 Pandemic

The Authority implemented its Business Continuity Plan (BCP) processes on 17 March 2020 in response to the COVID-19 pandemic and continued to apply that BCP process throughout 2021/22. The BCP has prioritised the maintenance and evolution of systems to support dispersed working while maintaining maximum focus on delivery of the Authority’s strategic outcomes. Our BCP has also placed an emphasis on staff welfare and ensuring our people remain as physically and mentally healthy as possible throughout this period of BCP operations.

The Board also approved BCP meas­ures to sup­port effect­ive gov­ernance through­out the pan­dem­ic. This included adapt­ing Board Stand­ing Orders to remote work­ing and meet­ings held by video con­fer­ence and tele­phone, and ensur­ing appro­pri­ate Board and Seni­or Man­age­ment suc­ces­sion plans are in place.

The Park Authority is progressing its movement from these BCP arrangements to revised, hybrid working arrangements, which have been trialled throughout 2022/23. The majority of our staff continue to work part time from home and dispersed locations and part time in the office. Our board also holds both hybrid and full face-to-face public meetings. The Authority has commenced an internal review of the evolution of our new working arrangements for staff, following staff drop-in sessions held throughout the course of 2022/23 to gauge effectiveness of policies and processes and learn about improvements and adaptations we could make. We aim to adopt final hybrid working arrangements by the end of September 2023.


Con­clu­sion

As Account­able Officer I am respons­ible for review­ing the effect­ive­ness of the sys­tem of intern­al con­trol. In order to do this my review is informed by:

a) the exec­ut­ive man­agers with­in the organ­isa­tion who have respons­ib­il­ity for the devel­op­ment and main­ten­ance of the intern­al con­trol frame­work and who provide assur­ance on sys­tems with­in reg­u­lar Seni­or Man­age­ment Team meetings;

b) intern­al mon­it­or­ing of con­trol sys­tems by staff against SPFM requirements;

c) the work of the intern­al aud­it­ors, who sub­mit reg­u­lar reports to the Audit and Risk Com­mit­tee, which include the Head of Intern­al Audit’s inde­pend­ent and object­ive opin­ion on the adequacy and effect­ive­ness of our sys­tems of intern­al con­trol togeth­er with recom­mend­a­tions for improvement;

d) com­ments made by the extern­al aud­it­ors in their man­age­ment let­ter and oth­er reports.

I am sup­por­ted by the Deputy Chief Exec­ut­ive and Dir­ect­or of Cor­por­ate Ser­vices, who in turn is sup­por­ted by the Cor­por­ate Ser­vices staff group, and provides seni­or man­age­ment lead­er­ship on the fin­an­cial man­age­ment, intern­al con­trols and gov­ernance arrange­ments. I take assur­ance from the effect­ive­ness of intern­al con­trol sys­tems, fin­an­cial man­age­ment and plan­ning pro­cesses, and risk man­age­ment from the assur­ances received from the Dir­ect­or of Cor­por­ate Ser­vices and Deputy Chief Executive.

I have also been advised on the effect­ive­ness of the sys­tem of intern­al con­trol by the Board and its Audit and Risk Com­mit­tee. Appro­pri­ate action is taken against any weak­nesses iden­ti­fied and to ensure con­tinu­ous improve­ment of our systems.

The internal auditor’s annual report for 2022/23 states that, […]. Action is underway on implementing improvements required to mitigate risk areas identified by internal audit and as such I also take assurance on the adequacy and effectiveness of the Authority’s internal controls from the independent internal auditor’s report for the year.

Ver­sion

5 June DFC ini­tial draft for ARC consideration

5 June reflect­ing LA and DR comments
