Please be aware the content below has been generated by an AI model from a source PDF.

230621DraftAuCtteeMinute

Draft Minutes of the Audit and Risk Committee

Held Vir­tu­ally

21 June 2023 at 3.00pm

Present:

  • Fiona McLean (Act­ing Chair)
  • Gaen­er Rodger

In Attend­ance:

  • Grant Moir, CEO
  • Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO
  • Louise Allen, Head of Fin­ance, and Cor­por­ate Operations
  • Tom Reid, Audit Dir­ect­or, Mazars
  • Eliza­beth Young, Azets
  • Catri­ona Strang, Clerk to the Board

Apo­lo­gies:

  • Bill Lob­ban
  • Geva Black­ett
  • John Kirk

1. Wel­come and Introduction.

Fiona McLean, the act­ing chair, wel­comed every­one to the meet­ing. Apo­lo­gies were noted. The act­ing chair high­lighted that the meet­ing was not quor­ate. Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO, com­men­ted that with the forth­com­ing hol­i­day peri­od, it was unlikely that a quor­ate meet­ing could be con­vened in the next few weeks. It was agreed that the meet­ing would pro­ceed des­pite not being quor­ate, and approv­al of any decisions in prin­ciple would be sought from com­mit­tee mem­bers by email.

2. Approv­al of minutes of pre­vi­ous meeting

The draft minutes of the meet­ing on the 24 March 2023 were approved with no amendments.

Action Points

| Ref | Action Detail | Who | When | Status |
|---|---|---|---|---|
| 29/10/2021 (Para 8i) | Bring lessons learned on LEADER back as Agenda item to a future AR Committee. | David Cameron | Review will come to meeting in Sept 2023 | Open |
| 29/10/2021 (Para 4i) | Complete a detailed VAT review. | Louise & Stephanie | Complete in next 6 months. Delayed due to HH project | Open |
| 11/02/22 (Para 18i) | Standardisation of project management procedures and terminology. This to be brought back to the ARC to ensure the appropriate language was used. | Project Manager (when recruited) | On HH completion of internal review of process | Open |
| 13/01/23 | Position on contract management of Grant Thornton with regard to 2021/22 audit performance. | David Cameron | Confirmation from lead at Audit Scotland about contract management | Closed |

3. Mat­ters arising not covered in agenda.

None

4. Declar­a­tions of interest

There were no interests declared.

5. Internal Audit Report 2022/23: Payroll and Expenses

Eliza­beth Young, Chief Intern­al Aud­it­or, Azets, provided the over­view of the intern­al audit review of payroll and expenses. While a rel­at­ively large num­ber of recom­mend­a­tions for action have been raised from this review, all are at grades 1 and 2 in terms of their sig­ni­fic­ance: sig­ni­fy­ing lim­ited or mod­er­ate risk expos­ure and action that can either strengthen exist­ing con­trols or make these con­trols more effect­ive. Eliza­beth also high­lighted that the man­age­ment responses con­firmed action had already been taken in address­ing a num­ber of areas which was reassuring.

  • a) Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO, con­firmed that the fin­ance team has com­pleted sub­stant­ive work in address­ing a num­ber of the areas for action high­lighted between receipt of the draft report and the final report now being presen­ted to the Committee.
  • b) Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions, noted that it is a small fin­ance team and dif­fi­cult to segreg­ate duties in all areas recommended.

6. Com­ments and observations

  • a) A member raised concerns about business continuity plans and asked whether, along with payroll, there were any other aspects of outsourcing of data holding within the business. Director of Corporate Services and Deputy CEO confirmed there are other cloud-based backup systems and there are recognised vulnerabilities associated with this. Head of Finance and Corporate Operations confirmed the accounting system is currently server-based but will be moved to cloud-based. The Information Manager will lead on revision to business continuity plans, while the IT Manager will address appropriate data back-up arrangements to support outsourced and cloud-based data storage.
  • b) A mem­ber noted the com­plex­ity of the board time alloc­a­tion sys­tem and sug­ges­ted this needs to be con­sidered sep­ar­ately from this report. Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO noted that this is a mat­ter for the board to review and struc­ture going forward.

Recom­mend­a­tions

The Audit & Risk Com­mit­tee is asked to:

  • a) Con­sider the intern­al aud­it­ors’ report and findings;
  • b) Endorse the man­age­ment responses to recom­mend­a­tions for future action and sys­tem improvements.

7. The Audit & Risk Com­mit­tee agreed the recom­mend­a­tion in principle.

8. Internal Audit Report Management Action Follow up 2022/23

Eliza­beth Young, Chief Intern­al Aud­it­or, Azets, provided the over­view of the six-monthly intern­al audit pro­gress report and high­lighted the fol­low­ing points:

  • a) There is a pos­it­ive down­ward move­ment in the num­ber of open audit recom­mend­a­tions, with 28 open actions car­ried for­ward com­pared with a start point of 41.
  • b) With­in this down­ward move­ment, sup­port­ing evid­ence was still required to be sub­mit­ted for sev­en recommendations.
  • c) High­lighted that there are a sub­stan­tial num­ber of actions still out­stand­ing with­in Appendix 1.

9. Com­ments and observations:

  • a) A member asked why some of the actions have no update. David Cameron, Director of Corporate Services and Deputy CEO, confirmed there have been challenges in managing workload and in coordinating the allocation of actions to individuals and receiving feedback. Given workload challenges, focus has been on the higher-graded risk items and the status of some lower risk items has therefore not been reviewed at this point.
  • b) A member asked if an updated timescale could be provided at the next committee. A member asked if some actions were downgraded due to partial completion. Director of Corporate Services and Deputy CEO confirmed that some actions have been partially completed and therefore downgraded. Some actions are awaiting completion of documentation before downgrading of risks can be applied. The updated timetable for action would be presented with the next update on status.
  • c) A member asked whether a number of risks are superseded by other risks, or has the risk been removed? Louise Allen, Head of Finance and Corporate Operations, confirmed that a review of the table will be undertaken with Azets to ensure correct risks are noted.

Recom­mend­a­tions

The Audit & Risk Com­mit­tee is asked to:

  • d) To note the pro­gress made by man­age­ment in imple­ment­ing agreed man­age­ment actions.

10. The Audit & Risk Com­mit­tee noted the recom­mend­a­tion in principle.

11. Action - Louise Allen, Head of Fin­ance to review times­cales with Azets and bring to the next com­mit­tee to confirm.

12. Internal Audit Annual Report 2022/23

Elizabeth Young, Azets, provided the overview of the Internal Audit Plan 2023/24 and highlighted the following points:

  • a. Members' attention was drawn to the Internal Audit Opinion for 2022/23 which notes that the Park Authority has a framework of governance, risk management and controls that provides reasonable assurance regarding the effective and efficient achievement of objectives.
  • b. The opinion for 2022/23 also highlights the level of outstanding audit recommendations as noted in the previous report and considered by the Committee in the previous report.

13. The chair noted the work completed by Azets in the report and thanked Elizabeth and the Azets team for their work and support of the Committee over the course of the year. The Chair noted that the internal audit opinion would be included in the Governance Statement to be included in the Annual Report and Accounts for 2022/23.

14. The Audit and Risk Com­mit­tee dis­cussed the update and made the fol­low­ing com­ments and observations:

  • a) No com­ments or observations

Recom­mend­a­tions

The Audit & Risk Com­mit­tee is asked to:

  • a) Consider the internal auditors' annual report for 2022/23;
  • b) Note the internal audit annual opinion as set out in page 3 of the report and endorse the inclusion of that opinion within the Governance Statement for 2022/23.

15. The Audit & Risk Committee noted the recommendation and in principle endorsed the inclusion of the governance statement for 2022/23.

16. Risk Appet­ite Workshop

Eliza­beth Young, Chief Intern­al Aud­it­or, Azets, provided an over­view of the paper which sum­mar­izes the out­comes of the risk appet­ite workshop.

17. The chair thanked Eliza­beth Young and Stephanie for the work­shop and enga­ging the board mem­bers on risk appetite.

18. The Audit and Risk Com­mit­tee dis­cussed the update and made the fol­low­ing com­ments and observations:

  • a) Dav­id Camer­on Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO noted that the risk register will be updated around the new cor­por­ate plan and he will con­sider how to incor­por­ate the risk appet­ite out­comes into the process.
  • b) Grant Moir, CEO, asked if the risk appetite middle column on the report should include all the categories rather than just the largest. Elizabeth Young, Azets, noted that all the category scores are in Appendix 2. A member asked if a heat map could be produced to show the nuances of the categories selected in the main report. Elizabeth Young agreed this could be provided.
  • c) Mem­bers noted that dur­ing the work­shop there was a lot of dis­cus­sion on the link between land man­age­ment and impact on loc­al com­munit­ies and the board’s view was that we may need to con­sider hav­ing loc­al com­munit­ies as a sep­ar­ate risk cat­egory. Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO noted that these two can be sep­ar­ated out depend­ing on the spe­cif­ic stra­tegic risk aspect related to the cor­por­ate plan.
  • d) Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO noted he expec­ted that a timeline would be in place by the end of July with schedul­ing board time and cor­por­ate risk register development.

Recom­mend­a­tions

The Audit & Risk Com­mit­tee is asked to:

  • a) To review the work­shop out­puts and con­sider the next steps in embed­ding risk appet­ite as agreed by the board in the Park Authority’s stra­tegic risk man­age­ment approaches.

19. The Audit & Risk Com­mit­tee noted the recom­mend­a­tion in principle.

20. ACTION - Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO to pro­duce a timeline for sched­uled board time to devel­op the stra­tegic risk register along­side the new Cor­por­ate Plan.

21. Extern­al Audit Strategy Memorandum

Tom Reid, Mazars, provided an update on the external audit plan for 2022/23:

  • a. Pre­lim­in­ary work was well under­way and early engage­ment between the Maz­ars team and the Park Authority’s fin­ance team was devel­op­ing well.
  • b. Main field­work was expec­ted to take place over Septem­ber and Octo­ber, with final accounts to come to the Com­mit­tee for sign-off in Novem­ber 2023.

22. The Audit and Risk Com­mit­tee dis­cussed the update and made the fol­low­ing com­ments and observations:

  • a) David Cameron, Director of Corporate Services and Deputy CEO, noted the content of the strategy and agreed with Tom that the overall approach and collaboration between Mazars and Finance team is already in place and working well. Director of Corporate Services and Deputy CEO commented that the timeline is tight with not a lot of contingencies for slippage if accounts are to be laid in Parliament before recess in December. However, he is confident that the accounts can be released by Audit Scotland and laid in Parliament before Christmas recess if information exchange continues to flow effectively between the two teams. Director of Corporate Services and Deputy CEO highlighted the fees are set by Audit Scotland and all non-departmental public bodies have seen fee increases between 11 – 16% for 2022/23. Audit Scotland also takes a proportion of the fees. The fee level was therefore in line with the expectation for the sector.
  • b) A mem­ber thanked Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO for the explan­a­tion of the fees and noted that the fee increase could have been lar­ger depend­ing on the size of the organisation.

Recom­mend­a­tions

The Audit & Risk Com­mit­tee is asked to:

  • a) Agree the final external audit plan for the external audit of the 2022/23 annual report and accounts;
  • b) Agree the fee for the audit as set out in Sec­tion Six of the Annex to this paper;

The Audit & Risk Com­mit­tee agreed in prin­ciple the final extern­al audit plan and agreed the fee for the audit.

23. Gov­ernance Statement

Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO presen­ted the paper and high­lighted the fol­low­ing points:

  • a) This is a stand­ard state­ment for inclu­sion with­in our annu­al reports and accounts using the same tem­plate as in pre­vi­ous years. The struc­ture of the state­ment is pre­scribed in some areas and there­fore we do not have full flex­ib­il­ity over the con­tent and struc­ture of the Statement.

24. The Audit and Risk Com­mit­tee dis­cussed the update and made the fol­low­ing com­ments and observations:

  • a) A mem­ber asked if a sus­tain­ab­il­ity state­ment is required along with accounts and where does this sit? Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO con­firmed that a draft of the full annu­al report will come to the board 8 Septem­ber and will include the sus­tain­ab­il­ity statement.
  • b) Tom Reid, Maz­ars, is happy to review the gov­ernance state­ment pri­or to when the audit gets under­way in terms of its con­tent and fit with required struc­ture and elements.

Recom­mend­a­tion

The Com­mit­tee is reques­ted to:

  • a) Review the draft Gov­ernance State­ment presen­ted with this paper.
  • b) Subject to any agreed amendments, approve the Governance Statement for inclusion in the Park Authority's draft Annual Report and Accounts for 2022/23.

25. The Audit & Risk Com­mit­tee approved the recom­mend­a­tions in principle.

26. Stra­tegic Risk Management

Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO, presen­ted the update on the Park Authority’s stra­tegic risk man­age­ment pos­i­tion and high­lighted the fol­low­ing points:

  • a) Risk register presents updated risk assess­ment trends as at May 2023. The stra­tegic risk register iden­ti­fies a num­ber of risks that have been on a down­ward trend for some time and are there­fore recom­men­ded to be removed from risk register as those risks no longer require act­ive management.

27. The Audit and Risk Com­mit­tee dis­cussed the update and made the fol­low­ing com­ments and observations:

  • a) A member noted only four risks, A11.1, A14.1, A16 and A21, which were on a downward trend. David Cameron, Director of Corporate Services and Deputy CEO, confirmed the fifth as A20.
  • b) A mem­ber noted that two risks for remov­al are on repu­ta­tion and high­lights the good works and com­mu­nic­a­tion activ­ity being undertaken.
  • c) A member asked if A14.1 (adverse social media coverage) would return to the Risk register after a number of years or are we better at managing this risk. Director of Corporate Services and Deputy CEO noted that there will occasionally be one-off incidents of adverse social media profiles in the future and suggested that ongoing monitoring is required for this risk area. If there is a trend of adverse social media activity then there will be a case to bring this risk back onto the strategic risk register as a consequence of its potential impact on overall reputational management.

Recom­mend­a­tions

The Audit and Risk Com­mit­tee is asked to:

  • a) Con­sider the cov­er­age and adequacy of the Cairngorms NPA’s stra­tegic risk man­age­ment pos­i­tion and advise on any gaps or amend­ments required to the cur­rent stra­tegic risk register.

28. The Audit & Risk Com­mit­tee approved in prin­ciple the adequacy of the pro­posed stra­tegic risk register.

AOB

29. Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO con­firmed that an email will be sent to all com­mit­tee mem­bers ask­ing mem­bers to con­firm they agree with all decisions taken in prin­ciple at the meeting.

Date of next meeting

30. Scheduled date is 22 September 2023

31. The meet­ing con­cluded at 16:19
