231124ARCPaper4ManagementActionFollowUp
Cairngorms National Park Authority
Internal Audit Report
Management Action Follow-up Part 1 — 2023⁄24
November 2023
Contents
- Introduction and background — 1
- Summary of progress — 2
- Appendix 1: Action status by report — 4
- Appendix 2: Summary of outstanding actions past their original due date — 6
- Appendix 3: Audit risk categorisations — 23
Introduction and background
Introduction
As part of the internal audit programme we have undertaken a follow up review to provide the Audit & Risk Committee with assurance that management actions agreed in previous internal audit reports have been implemented appropriately. This report summarises the progress made by management in implementing agreed management actions.
Scope
We have reviewed all open management actions and liaised with Cairngorm National Park Authority staff to obtain an update on their implementation progress. This included management identifying actions which were no longer applicable. For recommendations graded priority 3 or above, we request evidence to validate completion of any actions marked for closure by management.
For all actions raised by the prior Internal Auditor (BDO) we have aligned their risk assessments to the Azets risk grading structure (per Appendix 3).
Action for Audit & Risk Committee
The Committee is asked to note the progress made by management in implementing agreed management actions. The Committee is also asked to consider and approve those actions for which revised timescales have been provided by management (these are detailed at Appendix 2).
Summary of progress
The table below shows the movement in the audit actions in the period from May 2023 to November 2023:
| Number of Actions | |
|---|---|
| Open actions brought forward | 35 |
| Actions added to tracker | 20 |
| Total actions to follow-up | 55 |
| Actions closed | 11 |
| Actions no longer applicable | 3 |
| Open actions carried forward | 41 |
Status of Actions as at November 2023
We have confirmed that 11 actions (20%) were competed in the period to November 2023, and three are no longer applicable (6%). 20 actions (36%) have been assessed as partially complete, five (9%) are incomplete and 16 actions (29%) were not yet due at the time of our validation work.
Further detail on all actions that have passed their current due dates for completion is included at Appendix 2.
We recommend that management retain a strong focus on clearing aged items in the coming months. We recommend prioritising the most aged items, dating back to 2016⁄17, and those that are grade 3 and grade 4.
Attention should then be paid to those remaining actions that have passed their original due date and those which will pass their due date for completion over the next period.
A summary of the status of actions by report is shown at Appendix 1.
Open Internal audit actions
Of the 41 outstanding actions 25 (61%) have passed their original completion date.
15 of these actions have been assessed as a grade 1 or 2 (limited or moderate risk exposure), as a result, management should take a view on whether the organisation has the appropriate resource in place to move these actions forward, or are willing to accept the risk in place, in particular for those assessed as grade 1.
Appendix 1: Action status by report
Appendix 2: Summary of outstanding actions past their original due date
Appendix 3: Audit risk categorisations
Management action grades
- Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
- High risk exposure — absence / failure of key controls that create significant risks within the organisation.
- Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
- Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general housekeeping issues.
Disclaimer
© Azets 2023. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22.
Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.