Cairngorms Nation­al Park Author­ity — Audit and Risk Com­mit­tee Paper 2

19 April 2024

Page 1 of 10

For decision

Title: Gov­ernance Statement

Cov­er Paper pre­pared by: Louise Allen, Head of Fin­ance and Cor­por­ate Operations

Pur­pose

This paper presents the draft Gov­ernance Report, which forms part of the Annu­al Report and Accounts, to the Com­mit­tee for review and com­ment pri­or to inclu­sion in the draft papers sub­mit­ted for extern­al audit.

Recom­mend­a­tions

The Com­mit­tee is reques­ted to:

a) Review the draft Gov­ernance State­ment presen­ted with this paper.

b) Sub­ject to any agreed amend­ments, approve the Gov­ernance State­ment for inclu­sion in the Park Authority’s draft Annu­al Report and Accounts for ²⁰²³⁄₂₄.

Exec­ut­ive Summary

The con­tent of the Gov­ernance State­ment with­in the Park Authority’s Annu­al Report and Accounts has a num­ber of pre­scribed areas and format. With­in the required report­ing format, the con­tent of the state­ment has been updated for ²⁰²³⁄₂₄ as presen­ted with this paper. Key areas of update are shaded in grey to help identi­fy new mater­i­al added.

The Com­mit­tee is invited to review the draft State­ment and make any amend­ments pri­or to its inclu­sion in the doc­u­ments and work­ing papers sub­mit­ted for extern­al audit review of the ²⁰²³⁄₂₄ accounts.

Page 2 of 10

Gov­ernance Statement

Scope of responsibility

As Account­able Officer, I am respons­ible for main­tain­ing sound sys­tems of intern­al con­trol that sup­port the achieve­ment of Cairngorms Nation­al Park Authority’s policies, aims and object­ives, while safe­guard­ing the pub­lic funds and depart­ment­al assets for which I am per­son­ally respons­ible. These duties are in accord­ance with the Frame­work Agree­ment between the Park Author­ity and Scot­tish Gov­ern­ment and align with respons­ib­il­it­ies assigned to me in the Scot­tish Pub­lic Fin­ance Manu­al (SPFM).

The SPFM, issued by the Scot­tish Min­is­ters, provides guid­ance to the Scot­tish Gov­ern­ment and oth­er rel­ev­ant bod­ies on the prop­er hand­ling of pub­lic funds, and sets out the rel­ev­ant stat­utory, par­lia­ment­ary, and admin­is­trat­ive require­ments, emphas­ising the need for eco­nomy, effi­ciency, and effect­ive­ness, and pro­motes good prac­tice and high stand­ards of pro­pri­ety. As Account­able Officer, I am respons­ible for ensur­ing that the Park Authority’s intern­al con­trol sys­tems com­ply with the require­ments of the SPFM.

The Frame­work Agree­ment with Scot­tish Gov­ern­ment sets out the role of the Park Authority’s Board in provid­ing lead­er­ship and gov­ernance. The Frame­work Agree­ment is a new stand­ard agree­ment between Scot­tish Gov­ern­ment and its devolved pub­lic bod­ies and came into force fol­low­ing approv­al by the Park Author­ity board at its meet­ing on 26 May 2023.

The gov­ernance respons­ib­il­it­ies of the Board are sup­por­ted by Stand­ing Orders last revised and adop­ted in 2019 and a Code of Con­duct revised and adop­ted in 2022. Required addi­tions to the Code to handle board involve­ment in quasi-judi­cial and reg­u­lat­ory decision mak­ing have been iden­ti­fied and agreed in prin­ciple with officers at the Stand­ards Com­mis­sion for Scot­land. Amend­ments will be taken for­ward over ²⁰²⁴⁄₂₅. The Board agreed a ​“Gov­ernance Respons­ib­il­ity Frame­work” doc­u­ment in 2021, set­ting out the respect­ive roles and respons­ib­il­it­ies of the board and its non-exec­ut­ive board mem­bers and seni­or man­agers in decision mak­ing, to give added clar­ity and under­stand­ing to this aspect of the Cairngorms NPA’s gov­ernance. Our group of pro­fes­sion­al, seni­or staff advisors, com­ple­men­ted by appro­pri­ate Board train­ing and devel­op­ment pro­cesses, sup­port the good gov­ernance arrange­ments set out in the Stand­ing Orders and Code of Conduct.

Page 3 of 10

As a pub­lic body, the Park Author­ity is com­mit­ted to access­ib­il­ity, open­ness, and account­ab­il­ity, and sup­ports the highest stand­ards in cor­por­ate gov­ernance. Oth­er than the doc­u­ments referred to above and the resource alloc­a­tion let­ters issued to me over the course of the year, there were no oth­er writ­ten author­it­ies provided to me over the course of ²⁰²³⁄₂₄.

The oper­a­tion of the Board and sub-committees

The Board com­prises 19 mem­bers: 7 appoin­ted by Min­is­ters fol­low­ing nom­in­a­tion by five Coun­cils with bound­ar­ies with­in the Nation­al Park, 7 appoin­ted by Scot­tish Gov­ern­ment through pub­lic appoint­ments pro­cesses, and 5 dir­ectly elec­ted with­in the wards of the Park. Dur­ing ²⁰²³⁄₂₄ the Board was not at full strength; appoint­ments dur­ing the year redressed this, and at 31 March 2024 there was only one remain­ing Board vacancy. This vacancy was filled on [date].

The Board there­fore reflects a blend of dif­fer­ent exper­i­ence, back­grounds and interests. The full Board meets reg­u­larly to con­sider strategy and per­form­ance against the cur­rent Cor­por­ate Plan. Meet­ings are sched­uled quarterly, with addi­tion­al meet­ings con­vened as required. To enable the Board to dis­charge its duties, all mem­bers receive appro­pri­ate and timely inform­a­tion in advance of meet­ings with all agen­das and papers also placed in the pub­lic domain. Meet­ings are open to the pub­lic, save the occa­sion­al meet­ing held in private for vari­ous reas­ons of busi­ness and com­mer­cial confidentiality.

To ensure that the Board devel­ops an under­stand­ing of the cur­rent and emer­ging issues, mem­bers also par­ti­cip­ate in inform­al dis­cus­sion ses­sions to con­sider evolving policy issues and pro­pos­als. These meet­ings are held in private to provide for early-stage dis­cus­sion and mem­bers’ learn­ing and devel­op­ment on a range of policy top­ics. The agreed stra­tegic dir­ec­tion of the Park Author­ity is dis­cussed and iden­ti­fied in full, open con­sid­er­a­tion at form­al meetings.

The Board has estab­lished sub-com­mit­tees: a Plan­ning Com­mit­tee (which deals with all aspects of the Park Authority’s stat­utory plan­ning respons­ib­il­it­ies), togeth­er with Com­mit­tees cov­er­ing Gov­ernance, Resources, Per­form­ance, and Audit and Risk. The com­mit­tee struc­ture aug­ments the gov­ernance of the Author­ity and enhances the Board’s assur­ance role, as the Authority’s scale of activ­it­ies and sup­port of sig­ni­fic­ant pro­grammes con­tin­ues to increase. The Gov­ernance Com­mit­tee has been cre­ated to sup­port the Board and the Con­vener to main­tain over­sight of the effect­ive­ness of gov­ernance arrange­ments across the organ­isa­tion, includ­ing the effect­ive­ness of the com­mit­tee struc­ture itself. All com­mit­tees have del­eg­ated duties and respons­ib­il­it­ies, set out in terms of ref­er­ence agreed by the full Board, to over­see and scru­tin­ise the Park Authority’s deploy­ment and man­age­ment of resources. The oper­a­tion of the new com­mit­tee struc­ture was reviewed in ²⁰²²⁄₂₃ and con­tin­ued in place through­out the ²⁰²³⁄₂₄ fin­an­cial year.

The record of attend­ance at Board meet­ings can be found in the Remu­ner­a­tion and Staff Report with­in the Annu­al Report and Accounts.

Page 4 of 10

The Audit and Risk Committee

The Audit and Risk Committee’s role is to provide effect­ive gov­ernance over all aspects of the Park Authority’s intern­al man­age­ment con­trol sys­tems and the annu­al fin­an­cial accounts and audit. It also takes a lead in stra­tegic risk man­age­ment, ensur­ing that risks impact­ing on stra­tegic object­ives are iden­ti­fied and mit­ig­ated, and that risk man­age­ment is embed­ded through­out the Park Authority’s oper­a­tions. It is sup­por­ted by the Park Authority’s intern­al audit func­tion, delivered by Azets, and extern­al aud­it­ors, Maz­ars. Maz­ars were appoin­ted as the Park Authority’s extern­al aud­it­ors from com­mence­ment of the audit of the ²⁰²²⁄₂₃ accounts. Both the intern­al and extern­al aud­it­ors have inde­pend­ent access to the Com­mit­tee and to its Con­vener. The Com­mit­tee is tasked with mon­it­or­ing the oper­a­tion of the intern­al con­trol func­tion and bring­ing any mater­i­al mat­ters to the atten­tion of the full Board. Detailed reports of all audit reviews are made avail­able to both man­age­ment and the Committee.

The Com­mit­tee meets at least quarterly and reports to the Board on the adequacy and effect­ive­ness of the Park Authority’s intern­al con­trols, and more widely on its work in the pre­ced­ing year.

The Board has con­tin­ued a pro­cess of self-eval­u­ation of effect­ive­ness and gov­ernance over the course of ²⁰²³⁄₂₄; this pro­cess was ini­ti­ated under the ​“Lead­er­ship” ele­ment of the first Organ­isa­tion­al Devel­op­ment Strategy in ²⁰¹⁵⁄₁₆. A refresh of the Board skills mat­rix, and self-eval­u­ation of mem­bers against that mat­rix, took place in ²⁰²²⁄₂₃ The Board also held a self-assess­ment work­shop and review in Janu­ary 2023 with a fur­ther gov­ernance work­shop sched­uled for April 2024.

Page 5 of 10

The Board has agreed a set of Cor­por­ate Per­form­ance Indic­at­ors in order to improve its over­sight of deliv­ery against key stra­tegic object­ives and the Park Authority’s Cor­por­ate Plan. A detailed per­form­ance report is sub­mit­ted to the Board twice yearly on deliv­ery against key per­form­ance indic­at­ors. This report is typ­ic­ally con­sidered at each June and Decem­ber meet­ing, along­side a review of stra­tegic risk man­age­ment. These mon­it­or­ing and con­trol mech­an­isms sup­port Board scru­tiny over deliv­ery of the Cor­por­ate Plan and Nation­al Park Part­ner­ship Plan pri­or­it­ies. There was some vari­ation in this report­ing cycle over the ²⁰²²⁄₂₃ year while the Park Author­ity went through a trans­ition­al year between its 2018 to 2022 Cor­por­ate Plan and its newly adop­ted 2023 to 2027 Cor­por­ate Plan. The board agreed a Trans­ition­al Stra­tegic Plan and budget for ²⁰²²⁄₂₃ at its meet­ing in March 2022. Deliv­ery against this was repor­ted by the Chief Exec­ut­ive Officer in quarterly reports to the Board. This approach to per­form­ance report­ing has been con­tin­ued dur­ing ²⁰²³⁄₂₄, while new KPIs are in development.

Peri­od­ic reports from inde­pend­ent intern­al and extern­al aud­it­ors form a key and essen­tial ele­ment in inform­ing my review as Account­able Officer of the effect­ive­ness of the sys­tems of intern­al con­trol with­in the Park Author­ity. The Board’s Audit and Risk Com­mit­tee also plays a vital role in this regard, through its con­sid­er­a­tion of audit recom­mend­a­tions arising from reviews of intern­al con­trol sys­tems, and its scru­tiny of pro­posed man­age­ment action to address any improve­ments required. The Audit and Risk Com­mit­tee also con­siders both a three-year plan for intern­al audit cov­er­age and annu­ally agrees an intern­al audit plan flow­ing from that three-year plan.

Shared ser­vices delivery

The Park Author­ity plays an import­ant role in provid­ing sup­port to loc­al com­munit­ies and organ­isa­tions, over a range of activ­it­ies, to help deliv­er the Nation­al Park Part­ner­ship Plan’s pri­or­it­ies. In the last year we have sup­por­ted Cairngorms Loc­al Action Group Trust in its lead­er­ship and deliv­ery of new Com­munity Led Loc­al Devel­op­ment fund­ing streams; con­tin­ued our sup­port of the Cairngorms Caper­cail­lie Pro­ject; and com­pleted the Devel­op­ment Phase of the Cairngorms 2030 Her­it­age Hori­zons Pro­gramme involving a wide range of part­ners across a vari­ety of sec­tors. In Janu­ary 2024, after a lengthy applic­a­tion pro­cess, we were awar­ded £10.77m of fund­ing by the Nation­al Lot­tery Her­it­age Fund to com­mence the Deliv­ery Phase of the Cairngorms 2030 pro­gramme. All of these have been sig­ni­fic­ant, community‑, and part­ner-led pro­grammes of activ­ity. Our man­age­ment and intern­al con­trol struc­tures ensure that sup­port for these com­munity-based deliv­ery entit­ies is sep­ar­ated from the core activ­it­ies of the Author­ity, while ensur­ing that our sup­port helps them achieve ​“best prac­tice” in their operations.

Page 6 of 10

The Author­ity also under­takes a range of shared ser­vice arrange­ments with oth­er pub­lic body part­ners. Over the course of the year, we have provided human resource advice and organ­isa­tion­al devel­op­ment sup­port to the Scot­tish Land Com­mis­sion, while col­lab­or­at­ing on a range of shared ser­vice deliv­ery with Loch Lomond and the Trossachs Nation­al Park Author­ity (LLT­NPA). We receive key sup­port from LLT­NPA on IT infra­struc­ture main­ten­ance and devel­op­ment, shared licence agree­ments for plan­ning sys­tems, and data back-up and secur­ity arrange­ments. In addi­tion to these more form­al shared ser­vices with LLT­NPA, both Nation­al Park Author­it­ies con­tin­ue to col­lab­or­ate closely on areas of shared policy interest.

Intern­al audit

The intern­al audit func­tion is an integ­ral ele­ment of scru­tiny of the Park Authority’s intern­al con­trol sys­tems. Azets were appoin­ted as the Park Authority’s intern­al aud­it­ors in 2020, fol­low­ing an open pro­cure­ment pro­cess, and have under­taken a com­pre­hens­ive assess­ment of key intern­al con­trol sys­tems since their appoint­ment. The term of Azets’ appoint­ment has been exten­ded until 31 March ²⁰²⁴⁄₂₅; pro­cure­ment of the intern­al audit ser­vice will be car­ried out dur­ing ²⁰²⁴⁄₂₅. Dur­ing the year to 31 March 2024, Azets have repor­ted to the Audit and Risk Com­mit­tee on the fol­low­ing reviews:

• Gov­ernance & risk
• Risk Man­age­ment
• Her­it­age Hori­zons — gov­ernance and report­ing arrangements
• Health and Safety
• Intern­al con­trol systems
• Pro­cure­ment
• Fin­ance
• Expendit­ure and Creditors
• Non-assur­ance, crit­ic­al friend review of busi­ness case for a new fin­ance system

Page 7 of 10

All recom­mend­a­tions made by Azets are con­sidered, giv­en man­age­ment responses, which are con­sidered by the Audit and Risk Com­mit­tee, and imple­men­ted as appro­pri­ate. There were no instances of intern­al audit recom­mend­a­tions not being accep­ted by man­age­ment in the year.

Extern­al audit

Extern­al aud­it­ors are appoin­ted for us by the Aud­it­or Gen­er­al for Scot­land through Audit Scot­land. Audit Scot­land appoin­ted Maz­ars to the role with effect from the com­mence­ment of the ²⁰²²⁄₂₃ final accounts audit. We are form­ing an effect­ive and effi­cient audit rela­tion­ship with Maz­ars, who review key sys­tems so they can form a view on the effect­ive­ness of con­trol arrange­ments, and to sup­port their audit opin­ion on the fin­an­cial state­ments. No non-audit work was under­taken by Maz­ars, and con­sequently, no fees were paid.

Best value

The Audit and Risk Com­mit­tee con­tin­ues to mon­it­or the Authority’s adher­ence to Scot­tish Gov­ern­ment Best Value guidelines and our approach to con­tinu­ous improve­ment. This year, we launched phase four of our Organ­isa­tion­al Devel­op­ment Strategy to con­tin­ue to improve our work pro­cesses, organ­isa­tion­al envir­on­ment, and deliv­ery of ser­vices. We also com­pleted our most recent bien­ni­al inde­pend­ent staff sur­vey in autumn 2023, and the ana­lys­is of the res­ults of that pro­cess have been shared with staff. The sur­vey will inform the deliv­ery of con­tinu­ous organ­isa­tion­al improve­ment as part of our new Cor­por­ate Plan to 2027.

Risk man­age­ment

We have a risk man­age­ment strategy in accord­ance with guid­ance issued by Scot­tish Min­is­ters to identi­fy actu­al and poten­tial threats that may pre­vent us from deliv­er­ing our stat­utory pur­pose, and also to identi­fy appro­pri­ate mit­ig­a­tion actions. The Risk Man­age­ment Strategy was updated in Octo­ber 2023, after a review of the effect­ive­ness of risk man­age­ment oper­a­tions with­in the organ­isa­tion by the Intern­al Aud­it­ors. The revised approach to risk man­age­ment, togeth­er with the updated stra­tegic risk register, was presen­ted to the Audit and Risk Com­mit­tee in Novem­ber 2023, and reviewed by the Board at its inform­al ses­sion in Feb­ru­ary 2024.

The Board recog­nises the import­ance of risk man­age­ment and con­tin­ues to mon­it­or the Park Authority’s Stra­tegic Risk Register. The Board held a workshop

Page 8 of 10

in May 2023 to estab­lish the over­all stra­tegic risk appet­ite for areas of the ²⁰²³⁄₂₇ Cor­por­ate Plan. This pos­i­tion informed the redevel­op­ment of the Park Authority’s Stra­tegic Risk Register and sup­ports deliv­ery of our new Cor­por­ate Plan objectives.

The Stra­tegic Risk Register records risks, action taken to mit­ig­ate the iden­ti­fied risks and seni­or management’s respons­ib­il­ity for lead­ing on each risk and its mit­ig­a­tion. The Stra­tegic Risk Register is reviewed by the Seni­or Man­age­ment Team four times each year and updated by both the full Board and the Audit and Risk Com­mit­tee, twice a year.

The Audit and Risk Com­mit­tee, with the Seni­or Man­age­ment Team, leads on embed­ding risk man­age­ment pro­cesses through­out the Park Author­ity. Both groups con­sider the man­age­ment of stra­tegic risk in line with the Risk Strategy to ensure that the required actions are appro­pri­ately reflec­ted and incor­por­ated in oper­a­tion­al deliv­ery plans.

Data secur­ity

Pro­ced­ures are in place to ensure that inform­a­tion is being man­aged in accord­ance with legis­la­tion and that data is held accur­ately and securely. The Park Author­ity has no repor­ted nor recor­ded instances of data loss in the year to 31 March 2024.

We con­tin­ue to review our digit­al prac­tices and infra­struc­ture to ensure they remain fit for pur­pose and that all reas­on­able steps are taken to min­im­ise the risk of data loss or com­prom­ise of sys­tems due to Cyber Attacks. The Park Author­ity is cur­rently pre­par­ing for the third review of our sys­tems through the Cyber Essen­tials Plus accred­it­a­tion process.

The Authority’s Seni­or Man­age­ment Team approved an IT and Data Man­age­ment Strategy in 2021. The strategy described our trans­ition toward cloud-based ser­vice infra­struc­ture. We also made addi­tion­al invest­ment in cyber secur­ity pro­tec­tion over the course of the year.

Our Cyber Secur­ity arrange­ments will be sub­ject to review as part of the intern­al audit pro­gramme for ²⁰²⁴⁄₂₅. The Park Author­ity has inves­ted in a new Inform­a­tion Man­ager role to fur­ther enhance the focus of our work in this area, with the pos­thold­er tak­ing up the role from 1 June 2023.

Page 9 of 10

Busi­ness continuity

The Author­ity imple­men­ted its Busi­ness Con­tinu­ity Plan (BCP) pro­cesses on 17 March 2020 in response to the COVID19 pan­dem­ic and con­tin­ued to apply that BCP pro­cess through­out ²⁰²¹⁄₂₂. The BCP pri­or­it­ised the main­ten­ance and evol­u­tion of sys­tems to sup­port dis­persed work­ing while main­tain­ing max­im­um focus on deliv­ery of the Authority’s stra­tegic out­comes. Our BCP also placed an emphas­is on staff wel­fare and ensur­ing our people remain as phys­ic­ally and men­tally healthy as pos­sible through­out this peri­od of BCP operations.

The Board also approved BCP meas­ures to sup­port effect­ive gov­ernance through­out the pan­dem­ic. This included adapt­ing Board Stand­ing Orders to remote work­ing and meet­ings held by video con­fer­ence and tele­phone, and ensur­ing appro­pri­ate Board and Seni­or Man­age­ment suc­ces­sion plans are in place.

Over the past two years, the Park Author­ity has been pro­gress­ing its move­ment from these BCP arrange­ments to revised, hybrid work­ing arrange­ments, which were tri­alled through­out ²⁰²²⁄₂₃. The major­ity of our staff con­tin­ue to work part time from home and dis­persed loc­a­tions, and part time in the office. Our board also holds both hybrid and full face-to-face pub­lic meet­ings. The Author­ity car­ried out an intern­al review of the evol­u­tion of these new work­ing arrange­ments for staff over the course of ²⁰²²⁄₂₃. Final hybrid work­ing arrange­ments have now been adopted.

Con­clu­sion

As Account­able Officer I am respons­ible for review­ing the effect­ive­ness of the sys­tem of intern­al con­trol. In order to do this my review is informed by:

a) the exec­ut­ive man­agers with­in the organ­isa­tion who have respons­ib­il­ity for the devel­op­ment and main­ten­ance of the intern­al con­trol frame­work and who provide assur­ance on sys­tems with­in reg­u­lar Seni­or Man­age­ment Team meetings;

b) intern­al mon­it­or­ing of con­trol sys­tems by staff against SPFM requirements;

c) the work of the intern­al aud­it­ors, who sub­mit reg­u­lar reports to the Audit and Risk Com­mit­tee, which include the Head of Intern­al Audit’s inde­pend­ent and object­ive opin­ion on the adequacy and effect­ive­ness of our sys­tems of intern­al con­trol togeth­er with recom­mend­a­tions for improvement;

d) com­ments made by the extern­al aud­it­ors in their man­age­ment let­ter and oth­er reports.

Page 10 of 10

I am sup­por­ted by the Deputy Chief Exec­ut­ive and Dir­ect­or of Cor­por­ate Ser­vices, who in turn is sup­por­ted by the Cor­por­ate Ser­vices staff group, and provides seni­or man­age­ment lead­er­ship on the fin­an­cial man­age­ment, intern­al con­trols and gov­ernance arrange­ments. I take assur­ance from the effect­ive­ness of intern­al con­trol sys­tems, fin­an­cial man­age­ment and plan­ning pro­cesses, and risk man­age­ment from the assur­ances received from the Dir­ect­or of Cor­por­ate Ser­vices and Deputy Chief Executive.

I have also been advised on the effect­ive­ness of the sys­tem of intern­al con­trol by the Board and its Audit and Risk Com­mit­tee. Appro­pri­ate action is taken against any weak­nesses iden­ti­fied and to ensure con­tinu­ous improve­ment of our systems.

The intern­al auditor’s annu­al report for ²⁰²³⁄₂₄ states that, [“….”]. Action is under­way on imple­ment­ing improve­ments required to mit­ig­ate risk areas iden­ti­fied by intern­al audit and as such I also take assur­ance on the adequacy and effect­ive­ness of the Authority’s intern­al con­trols from the inde­pend­ent intern­al auditor’s report for the year.