Annual Audit Report
Cairngorms National Park Authority – Year ended 31 March 2023
November 2023
Contents
- Executive summary
- Status of the audit
- Audit approach
- Significant findings
- Internal control recommendations
- Summary of misstatements
- Wider scope
- Appendix A: Draft management representation letter
- Appendix B: Draft audit report
- Appendix C: Independence
- Appendix D: Other communications
- Appendix E: Wider scope and Best Value ratings
Our reports are prepared in accordance with Terms of Appointment Letter from Audit Scotland dated 18 May 2022 through which the Auditor General for Scotland has appointed us as external auditor of Cairngorms National Park Authority (CNPA) for financial years 2022⁄23 to 2026⁄27. We undertake our audit in accordance with the Public Finance and Accountability (Scotland) Act 2000, as amended; and our responsibilities as set out within Audit Scotland’s Code of Audit Practice 2021.
Reports and letters prepared by appointed auditors and addressed to CNPA are prepared for the sole use of CNPA and made available to Audit Scotland and the Auditor General for Scotland. We take no responsibility to any member or officer in their individual capacity or to any other third party.
Mazars LLP is the UK firm of Mazars, an international advisory and accountancy group. Mazars LLP is registered by the Institute of Chartered Accountants in England and Wales.
1. Executive Summary
Audit conclusions and significant findings
The detailed scope of our work as your appointed auditor for 2022⁄23 is set out in Audit Scotland’s Code of Audit Practice 2021. Our responsibilities and powers are derived from our appointment by the Auditor General under the Public Finance and Accountability (Scotland) Act 2000. As outlined in our Audit Strategy Memorandum, our audit has been conducted in accordance with International Standards on Auditing (UK), which means we focus on audit risks that we have assessed as resulting in a higher risk of material misstatement.
In section 4 of this report we have set out our conclusions and significant findings from our audit. This section includes our conclusions on the audit risks and areas of management judgement in our Audit Strategy Memorandum, which include:
- Management override of controls;
- Fraud over expenditure recognition;
- Fraud over recognition of revenue; and
- IFRS 16 valuation.
Misstatements and internal control recommendations
Section 5 sets out internal control recommendations and section 6 sets out audit misstatements. Section 7 outlines our work on CNPA’s arrangements to achieve economy, efficiency and effectiveness in its use of resources.
Status and audit opinion
We have substantially completed our audit in respect of the financial statements for the year ended 31 March 2023. At the time of preparing this report some matters remain outstanding as outlined in section 2.
Conclusions from our audit testing and audit opinion
We have substantially completed our audit in respect of the financial statements for the year ended 31 March 2023. Based on our audit work completed to date we have the following conclusions:
- Audit opinion: We expect to issue an unqualified opinion, without modification, on the financial statements. Our proposed audit opinion is included in the draft auditor’s report in Appendix B.
- Regularity: We expect to issue an unqualified opinion, without modification, that in all material respects the expenditure and income in the financial statements were incurred or applied in accordance with any applicable enactments and guidance issued by the Scottish Ministers. Our proposed audit opinion is included in the draft auditor’s report in Appendix B.
- Matters on which we report by exception: We are required to report to you if, during the course of our audit, we have found that adequate accounting records have not been kept; the financial statements and the audited part of the Remuneration and Staff Report are not in agreement with the accounting records; or we have not received all the information and explanations we require for our audit. We have nothing to report in respect of these matters.
- Governance Statement and Performance Report: We are required to report on whether the information given in the Governance Statement and Performance Report is materially inconsistent with the financial statements; has not been properly prepared in accordance with The National Parks (Scotland) Act 2000 and directions made thereunder by the Scottish Ministers; or is materially misstated. We have no matters to report in respect of the Governance Statement or the Performance Report.
- Other information: We are required to report on whether the other information (comprising the Performance Report and the Accountability Report and the unaudited parts of the Remuneration and Staff Report) is materially inconsistent with the financial statements; has not been properly prepared in accordance with The National Parks (Scotland) Act 2000 and directions made thereunder by the Scottish Ministers; or is materially misstated. No inconsistencies have been identified and we have issued an unmodified opinion in this respect.
Wider Scope conclusions
As auditors appointed by the Auditor General for Scotland, our wider scope responsibilities are set out in Audit Scotland’s Code of Audit Practice 2021. The Code requirements broaden the scope of the 2022⁄23 audit and allow us to use a risk-based approach to report on our consideration of CNPA’s performance and make recommendations for improvement and, where appropriate, conclude on CNPA’s performance.
The Code’s wider scope framework is categorised into four areas:
- financial management;
- financial sustainability;
- vision, leadership and governance; and
- use of resources to improve outcomes.
It remains the responsibility of CNPA to ensure that it exercises proper financial stewardship of public funds, complies with relevant legislation, and establishes effective governance of its activities. CNPA is also responsible for ensuring that it establishes arrangements to secure continuous improvement in performance and, in making those arrangements, ensures resources are being used to improve strategic outcomes and demonstrate economy, efficiency, and effectiveness throughout the use of its resources. These arrangements should be proportionate to the size and type of the Non Departmental Public Body (NDPB), appropriate to the nature of the NDPB and the services and functions that it has been created to deliver.
2. Status of the audit
Our work is substantially complete and there are currently no matters of which we are aware that would require modification of our audit opinion, subject to the outstanding matters detailed below.
Audit area | Risk of material adjustment or significant change | Description of the outstanding matters |
---|---|---|
Audit quality control and completion procedures | Low | Our audit work is undergoing final stages of review by the Engagement Lead and further quality and compliance checks. In addition, there are residual procedures to complete, including updating post balance sheet event considerations to the point of issuing the opinion, obtaining final management representations and agreeing adjustments to the final set of accounts. |
Annual report and accounts and letter of representation | Low | We will complete our final review of the annual report and accounts upon receipt of the signed version of the accounts and letter of representation. |
Risk ratings:
- High: Likely to result in material adjustment or significant change to disclosures within the financial statements.
- Medium: Potential to result in material adjustment or significant change to disclosures within the financial statements.
- Low: Not considered likely to result in material adjustment or change to disclosures within the financial statements.
3. Audit approach
Changes to our audit approach
We provided details of our intended audit approach in our Audit Strategy Memorandum in June 2023. We have not made any changes to our audit approach since we presented our Audit Strategy Memorandum.
Materiality
Our provisional materiality at the planning stage of the audit was set at £206k using a benchmark of 2% of total expenditure. Our final assessment of materiality, based on the final financial statements, is £263k using the same benchmark.
Service organisations
There has been one change to the use of service organisations as set out below.
Item of account | Service organisation | Audit approach |
---|---|---|
Cash equivalent transfer values of pensions as disclosed in the Remuneration and Staff Report | MyCSP | We reviewed the source data CNPA provided to MyCSP and agreed this to CNPA payroll records. We reviewed reports provided by MyCSP to CNPA and agreed these to the pension disclosures included in the Remuneration and Staff Report. |
4. Significant findings
In this section we outline the significant findings from our audit. These findings include:
- our audit conclusions regarding other significant risks and key areas of management judgement outlined in the Audit Strategy Memorandum;
- our comments in respect of the accounting policies and disclosures that you have adopted in the financial statements. On page 18 we have concluded whether the financial statements have been prepared in accordance with the financial reporting framework and commented on any significant accounting policy changes that have been made during the year;
- any further significant matters discussed with management; and
- any significant difficulties we experienced during the audit.
Significant risks
Management override of controls
Description of the risk: Management at various levels within an organisation are in a unique position to perpetrate fraud because of their ability to manipulate accounting records and prepare fraudulent financial statements by overriding controls that otherwise appear to be operating effectively. Due to the unpredictable way in which such override could occur there is a risk of material misstatement due to fraud on all audits.
How we addressed this risk: We addressed this risk by:
- reviewing the key areas within the financial statements where management has used judgement and estimation techniques and considering whether there is evidence of unfair bias;
- examining any accounting policies that vary from the Government Financial Reporting Manual;
- testing the appropriateness of journal entries recorded in the general ledger and other adjustments made in preparing the financial statements; and
- considering and testing any significant transactions outside the normal course of business or otherwise unusual.
Audit conclusion: Our work has provided the assurance we sought in each of these areas and has not highlighted any material issues to bring to your attention.
Key areas of management judgement
Fraud over expenditure recognition
Description of the risk: Practice Note 10: Audit of financial statements and regularity of public sector bodies in the United Kingdom highlights that, as most public-sector bodies are net spending bodies, the risk of fraud related to expenditure may be greater than the risk relating to revenue recognition.
A significant amount of CNPA’s expenditure relates to salaried staff costs. Staff costs are well controlled and made up of low value individual transactions. Depreciation and impairment are funded by agreed forecast Scottish Government funding and there is therefore less incentive to manipulate. However, CNPA has material operational plan expenditure. The nature of this expenditure means there is an increased risk of fraud in its recognition which could result in a material misstatement in the financial statements. This risk is particularly prevalent around the year end.
How we addressed this risk: We addressed this risk by undertaking substantive procedures to ensure programme and project expenditure and other operating costs are recorded appropriately in the financial statements.
Audit conclusion: Management alerted us to a fraud which occurred during 2022⁄23, affecting operational plan expenditure. CNPA suspect this was caused by an unknown and hostile actor gaining access to a staff member’s email account. The actor sent instructions to pay supplier invoices from the staff member’s email address to the Finance team, including a notification of change in bank details. CNPA made five payments totalling £15,665 to this bank account. We note that CNPA enhanced controls over changes to supplier bank details following this incident.
We did not identify any further incidents of proven or suspected fraud from our substantive procedures on operational plan expenditure. We recommend that management ensure its new controls over confirmation of payment requests and changes in bank details are operating effectively.
We have submitted a fraud return to Audit Scotland as required by its guidelines.
Fraud over recognition of revenue
Description of the risk: As set out in International Standard on Auditing (UK) 240: The auditor’s responsibilities relating to fraud in an audit of financial statements, there is a presumed risk of fraud over the recognition of revenue. There is a risk that revenue may be misstated resulting in a material misstatement in the financial statements.
CNPA has material operational plan income. The nature of this income means there is an increased risk of fraud in its recognition which could result in a material misstatement in the financial statements. There is a risk that CNPA could over or understate this income to manipulate its year end position.
How we addressed this risk: We addressed this risk by undertaking substantive procedures to ensure programme and project income is recorded appropriately in the financial statements.
Audit conclusion: We did not identify any errors from our substantive procedures.
IFRS 16 Valuation
Description of the risk: The 2022⁄23 Government Financial Reporting Manual (FReM) requires bodies to account for leases in accordance with IFRS 16 Leases. Under IFRS 16, where a body is a lessee there is no distinction between finance leases and operating leases. Lessees are required to recognise a right-of-use asset and any lease liability in their financial statements.
CNPA assessed the likely impact of IFRS 16 and disclosed this in its 2021⁄22 financial statements. It expected that application of this standard would result in a right-of-use asset of £2.6 million and an associated lease liability of £2.6 million. There is a risk that CNPA does not properly measure right-of-use assets and lease liabilities. There is also a risk that it does not correctly identify all its leases.
How we addressed this risk: We addressed this risk by:
- evaluating whether right-of-use assets as at 31 March 2023 are properly valued;
- evaluating whether the lease liability at 31 March 2023 is properly measured;
- reviewing whether CNPA has properly presented and disclosed leases in the financial statements;
- reviewing CNPA’s process for identifying its leases.
Audit conclusion: We did not identify any errors from our audit procedures.
Qualitative aspects of CNPA’s accounting practices
We have reviewed CNPA’s accounting policies and disclosures and concluded they comply with the Government Financial Reporting Manual (FReM) 2022⁄23, appropriately tailored to CNPA’s circumstances.
The unaudited annual report and accounts were received from CNPA on 18 September 2023 and were of a good quality.
Significant matters discussed with management
During our audit we communicated the following significant matters to management:
- First year audit procedures. Auditing standards require us to carry out additional specific procedures in the first year of an audit. These include: seeking professional clearance confirmations from the predecessor auditor, reviewing the predecessor auditor’s working papers and reports and specific additional procedures over brought forward balances. As part of this work, we discussed controls in place for key information systems with management.
- IFRS 16 Leases. We discussed the accounting treatment of operating leases under IFRS 16 with officers. We did not identify any issues and we concluded that CNPA’s accounting treatment is appropriate.
Significant difficulties during the audit
During the course of the audit we did not encounter any significant difficulties and we have had the full co-operation of management.
Wider responsibilities – statutory reporting
We are required to notify the Auditor General when circumstances indicate that a statutory report may be required.
- Section 22 of the Public Finance and Accountability (Scotland) Act 2000 allows us to prepare a report to bring to the attention of the Scottish Parliament and the public, matters of public interest arising during the audit of CNPA.
- Section 23 of the Public Finance and Accountability (Scotland) Act 2000 allows us to initiate an examination into the economy, efficiency and effectiveness with which CNPA and its officeholders have used their resources in discharging their functions.
We confirm that no such reports have been prepared or any examinations have been initiated.
5. Internal control recommendations
As part of our audit of the financial statements, we obtained an understanding of internal controls sufficient to plan our audit and determine the nature, timing and extent of testing performed. Although our audit was not designed to express an opinion on the effectiveness of internal control, we are required to communicate to the Audit and Risk Committee any significant deficiencies identified during the course of our work.
The purpose of our audit was to express an opinion on the financial statements. As part of our audit we have considered the internal controls in place relevant to the preparation of the financial statements in order to design audit procedures to allow us to express an opinion on the financial statements but not for the purpose of expressing an opinion on the effectiveness of internal control or to identify any significant deficiencies in their design or operation.
The matters reported are limited to those deficiencies and other control recommendations that we have identified during our normal audit procedures and that we consider to be of sufficient importance to merit being reported. If we had performed more extensive procedures on internal control we might have identified more deficiencies to be reported or concluded that some of the reported deficiencies need not in fact have been reported. Our comments should not be regarded as a comprehensive record of all deficiencies that may exist or improvements that could be made.
Our findings and recommendations are set out below. We have assigned priority rankings to each of them to reflect the importance that we consider each poses to your organisation and, hence, our recommendation in terms of the urgency of required action. In summary, the matters arising fall into the following categories:
Priority ranking | Description | Number of issues |
---|---|---|
1 (high) | In our view, there is potential for financial loss, damage to reputation or loss of information. This may have implications for the achievement of business strategic objectives. The recommendation should be taken into consideration by management immediately. | 1 |
2 (medium) | In our view, there is a need to strengthen internal control or enhance business efficiency. The recommendations should be actioned in the near future. | 2 |
3 (low) | In our view, internal control should be strengthened in these additional areas when practicable. | 0 |
Significant deficiencies in internal control – Level 1
Description of deficiency: CNPA was the victim of fraud in 2022⁄23 due to inadequate procedures for confirming changes in supplier bank details.
Potential effects: Hostile actors could exploit this control weakness leading to financial loss for CNPA.
Recommendation: CNPA has enhanced its controls for confirmation of supplier bank details, including requests for change of details. This includes introducing call-back procedures and a new supplier set up form. We recommend that management ensure its new controls over confirmation of payment requests and changes in bank details are operating effectively.
Management response: This was a sophisticated fraud that we understand to have been perpetrated when a hostile actor gained access to our email communications through an unsecured Wi-Fi system at a public meeting. We have since set up the processes described above, and these are, to our knowledge, working well. In addition, we require that staff use the data provision on their mobile devices to access Wi-Fi rather than using services provided by outside venues.
Other deficiencies in internal control – Level 2
Description of deficiency: Complex and time-consuming general ledger structures and accounting processes currently exist within the entity, as evidenced by the following features:
- Use of multiple ‘companies’, which means CNPA performs manual consolidation to produce a result for the whole organisation from the five companies set up in the SAGE financial ledger system
- Inconsistencies in the Chart of Accounts for the five companies
- Requisitions for procurement prepared in Excel
- Reporting and payroll processing require manual input into the SAGE system.
Potential effects: The processes currently in place result in duplication of efforts, are time-consuming and strenuous for the finance team, and could lead to errors in information processing.
Recommendation: Management has prepared a paper outlining the improvements required to the ledger system. We recommend that CNPA implements new accounting systems that simplify processes.
Management response: We agree with your assessment of our needs in respect of improvements to our finance system and are working on a business case and specification for a replacement system. You comment on inconsistencies within the chart of accounts. While we agree that our approach is unconventional, it does provide appropriate information. The different structures within each of the five companies reflect the different reporting requirements for core activities and the various activities within our project work. We will undoubtedly refine this approach in any new system, but we are confident that the current ledger structure meets our needs and the needs of funders.
Responsible Officer — Head of Finance and Corporate Operations. Timeline – September 2024
Other deficiencies in internal control – Level 2
Description of deficiency: Weakness in cyber security governance and controls in that there is an absence of robust processes in place at CNPA to assess vulnerability to cyber security risk.
Potential effects: Hostile actors could exploit this control weakness leading to loss of information or financial loss for CNPA similar to the incident that occurred within the financial year under review.
Recommendation: We recommend that CNPA design and implement formal governance and risk management functions over cyber risk.
Management response: We have recently completed a review of operational risks with our IT team. Amongst the identified risks are cloud computing vulnerabilities and daily external threats. Mitigation measures currently in place include:
- Proactive monitoring using Darktrace software.
- Use of daily threat summaries provided by the Scottish Cyber Coordination Centre and other industry publications to keep up to date with potential threats.
- A schedule of regular software updates to mitigate Zero Day risks.
- Regular communication with knowledge contacts, including Darktrace and IT colleagues at Loch Lomond and the Trossachs National Park.
- Gaining the Cyber Security Essentials Plus accreditation.
- Streamlining the use of 3rd party software by using built-in tools from Microsoft Intune and Endpoint Security.
The output from this risk assessment will be consolidated into an IT/Cyber security risk register providing a vehicle for regular monitoring and reporting on risk.
Responsible Officer — Head of Finance and Corporate Operations. Timeline – March 2024
Follow up on previous internal control recommendation (reported in 2021⁄22 External Audit Report)
Description of deficiency: CNPA uses a complex general ledger structure to segregate incoming and outgoing funds for various programmes being delivered. The use of the company group structure function within the financial accounting package requires six ledgers to be collated to produce the information disclosed in the financial statements.
Potential effects: Significant strain is placed on the CNPA Finance Team throughout the accounts production process.
Recommendation: We recommend that alternative functionality within the accounting package is implemented to maintain the segregation of funds and, while there are likely to be a number of relevant functions available, exploiting Cost Centre functionality is one that may provide an adequate solution.
2022⁄23 update: See internal control recommendation 2 on page 22.
Follow up on previous internal control points (reported in 2021⁄22 External Audit Report)
Description of deficiency: Following our assessment of general IT controls, we have identified weaknesses in the IT control environment. We identified an absence of robust processes in place at CNPA to assess vulnerability to cyber security risk and detect adverse cyber events.
Potential effects: As a public body with responsibility for processing of public funds CNPA is subject to an inflated risk profile and is likely to be a target for cyber-criminal activity.
Recommendation: We recommend that CNPA design and implement formal governance and risk management functions over cyber risk.
2022⁄23 update: CNPA is planning to introduce an ICT Risk Register and introduce SharePoint. See internal control recommendation 3 on page 23.
6. Summary of misstatements
This section outlines the disclosure adjustments proposed to and taken up by management over the course of the audit. There were no misstatements identified during the course of the audit above the trivial threshold for adjustment of £7,900.
Disclosure amendments
We identified the following adjustments during our audit that have been corrected by management:
- Performance report: Inclusion of additional information to cover disclosures required by the FReM:
  - Details of organisational strategic objectives and goals, performance appraisal and analysis.
  - Summary of principal risks faced and how they have affected the delivery of objectives.
  - Effects of emerging risks on expected future performance.
  - Detail on progress against strategic aims.
- Governance statement: Amendments to ensure compliance with the Scottish Public Finance Manual:
  - Including a statement that the systems have been in place for the year under review and up to the date of approval of the annual report and accounts.
- Remuneration and staff report: Amendments made in response to the following points:
  - Capping negative accrued pension benefits at £0 to comply with FReM.
  - Disclosure of Board members’ fees in bands of £5,000.
There were also adjustments to the annual report and accounts for other minor disclosure, consistency or presentational matters.
7. Wider scope
Overall summary
As auditors appointed by the Auditor General for Scotland, our wider scope responsibilities are set out in Audit Scotland’s Code of Audit Practice 2021. The Code requirements broaden the scope of the 2022⁄23 audit and allow us to use a risk-based approach to report on our consideration of CNPA’s performance and make recommendations for improvement and, where appropriate, conclude on CNPA’s performance.
The Code’s wider scope framework is categorised into four areas:
- financial management;
- financial sustainability;
- vision, leadership and governance; and
- use of resources to improve outcomes.
The Code of Audit Practice permits an alternative audit approach where an audited body is considered less complex due to its size and limited financial activity. In the Audit Strategy Memorandum, we documented our judgement that CNPA is a less complex body. We have reviewed this assessment and confirmed that it remains appropriate. We therefore restricted our wider scope work to:
- a review of the Governance Statement
- concluding on the financial sustainability of CNPA and the services that it delivers in the medium to longer term.
Overall summary by reporting criteria
From the satisfactory conclusion of our audit work, we have the following conclusions:
Reporting criteria | Commentary page reference | Identified risks? | Actual risks identified? | Other recommendations made? |
---|---|---|---|---|
Financial sustainability | 30 | No | No | No |
Governance Statement | 32 | No | No | No |
Financial sustainability
Financial sustainability looks forward to the medium and longer term to consider whether the body is planning effectively to continue to deliver its services or the way in which they should be delivered.
Our overall assessment
Area assessed | Our findings | Our judgements | Risks identified |
---|---|---|---|
Financial planning | CNPA reported net expenditure for 2022⁄23 of £10.4 million (2021⁄22: £8.9 million). This reflects a small cash underspend of £18k against the Scottish Government resource limit for the year. It reported a more significant underspend of £269k against the capital resource limit due to Peatland restoration activity being less than planned. | CNPA operated within its budget in 2022⁄23. CNPA responds to resource spending review commissions from the Scottish Government on an ongoing basis. | No significant risks identified. |
Governance Statement
Area assessed | Our findings | Our judgements | Risks identified |
---|---|---|---|
Governance Statement | We confirmed that the Governance Statement: is consistent with the financial statements; includes the information required by the FReM and the Scottish Public Finance Manual (SPFM); is consistent with our knowledge obtained through the audit; does not contain any misleading information. | We are required to report on whether the information given in the Governance Statement is materially inconsistent with the financial statements; has not been properly prepared in accordance with The National Parks (Scotland) Act 2000 and directions made thereunder by the Scottish Ministers; or is materially misstated. We have no matters to report in respect of the Governance Statement. | No significant risks identified. |
Appendices
Appendix A: Draft management representation letter
Appendix B: Draft audit report
Appendix C: Independence
Appendix D: Other communications
Appendix E: Wider scope and Best Value ratings