Draft Minutes of the Audit and Risk Committee

19 April 2024

Page 1 of 10

Held at: Cairngorms Nation­al Park Author­ity office, Grant­own on Spey

Time: 19 April 2024 at 2.35 pm

Present:

• Fiona McLean (Chair)
• Geva Black­ett
• Duncan Miller
• Pete Cos­grove (Vice Chair)
• Bill Lob­ban

In Attend­ance:

• Grant Moir, CEO
• Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO
• Louise Allen, Head of Fin­ance and Cor­por­ate Operations
• Tom Reid, Mazars
• Stephanie Hume, Azets
• Eliza­beth Young, Azets
• Alan Glen, Azets
• Alix Hark­ness, Clerk to the Board
• Kar­en John­stone, Clerk to the Board

Apo­lo­gies:

• Paul Gibb

Wel­come and introduction

1. Fiona McLean, the Chair, wel­comed every­one to the meet­ing. Apo­lo­gies were noted.

Page 2 of 10

1. Fol­low­ing a dis­cus­sion the Chair decided to take Paper 3 intern­al audit VAT review first to allow Alan Glen, Azets to leave and to also give time for Tom Reid, Maz­ars to arrive to the meeting.

Approv­al of minutes of pre­vi­ous meeting

1. The draft minutes of the meet­ing on the 24 Novem­ber 2023 were approved with no amendments.

Action Points

Ref	Action Detail	Who	When	Status
29/10/2021 (Para 8i)	Bring les­sons learned on LEAD­ER back as Agenda item to a future Audit and Risk Committee.	Dav­id Cameron	On today’s Agenda	Closed
29/10/2021 (Para 4i)	Com­plete a detailed VAT review.	Louise and Stephanie	On today’s Agenda	Closed
21/06/23 (Para 20)	To pro­duce timeline for sched­uled board time to devel­op the stra­tegic risk register along­side the new Cor­por­ate Plan	Dav­id Cameron	March Board	Closed
24/11/23	Review accounts fig­ure for con­sultan­cies (page 68)	Louise and David	Look when final­ise the 23⁄24 accounts, high­light to the Com­mit­tee at that point	Open

Mat­ters arising not covered in agenda.

1. No mat­ters raised.

Tom Reid joined the meeting.

Page 3 of 10

Declar­a­tions of interest

1. There were no interests declared.

Intern­al audit VAT review (Paper 3)

1. Alan Glen, Intern­al Aud­it­or, Azets, provided the review of the Value Added Tax (VAT) status of activ­it­ies with­in the Cairngorms 2030 pro­gramme, and the poten­tial need for the Park Author­ity to register for VAT.

2. The Audit and Risk Com­mit­tee dis­cussed the review and made the fol­low­ing com­ments and observations:

a) The Chair praised Alan for the com­pre­hens­ive report. b) Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO repor­ted that man­age­ment agreed the dir­ec­tion of travel that had been recom­men­ded in the report. He went on to say that through the devel­op­ment of the Cairngorms 2030 pro­gramme, nuances not only VAT related but also to oth­er poten­tially nov­el approaches would be high­lighted on a pro­ject-by-pro­ject basis. He provided reas­sur­ance that there would be a VAT based check­list that would evolve into a wider health check assess­ment of each of the 20 pro­jects. With the inten­tion being that the Seni­or Man­age­ment team would carry out a sense check on pro­ject plans to determ­ine if it would involve a grant rela­tion­ship or oth­er­wise an arrange­ment which may estab­lish a con­tract for ser­vice sup­ply. c) A mem­ber asked about the pos­sib­il­ity of using the Cairngorms Trust as a vehicle for over­com­ing VAT bar­ri­ers. Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO advised that the gov­ernance would have to be checked on a case by case basis and in addi­tion a fur­ther check to ensure that dis­place­ment of respons­ib­il­ity would not occur as a res­ult. The Trust is also not con­sidered to offer any spe­cif­ic VAT advantages.

1. The Audit and Risk Com­mit­tee noted the risks iden­ti­fied in the report and con­sidered the advice provided by Azets.

2. Action: — none.

14.50 Alan Glen left the meeting.

Page 4 of 10

Annu­al audit plan ²⁰²³⁄₂₄ (Paper 1)

1. Tom Reid, Maz­ars intro­duced the paper that presents the extern­al auditor’s plan for the forth­com­ing audit of the ²⁰²³⁄₂₄ Annu­al Report and Accounts.

2. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and observations:

d) Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO reminded the com­mit­tee of the under­ly­ing situ­ation where a mem­ber of the fin­ance team con­tin­ue to be absent on a medi­um term basis fol­low­ing an oper­a­tion. e) The Chair raised con­cerns around the next Audit and Risk Com­mit­tee meet­ing being sched­uled for 27 Septem­ber 2024 as it seemed late to allow for the res­ol­u­tion of mat­ters. Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO provided reas­sur­ance that he was con­fid­ent the com­mit­tee would be sign­ing off the accounts, as it allows time for the field­work to have taken place and any­thing found on that to be resolved in advance. The sched­ule is also con­sid­er­ably in advance of the Novem­ber 2023 meet­ing at which the pri­or year accounts were planned to be presen­ted. f) Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO added that if from either officer or aud­it­or per­spect­ive changes were needed to be brought before the com­mit­tee this could be done so In June. The Chair con­firmed she was happy with this. g) Tom Reid con­firmed that he is com­fort­able with the Septem­ber date and by way of con­text the dead­line for Audit Scot­land is the end of Octo­ber, so the Septem­ber dead­line fits with that.

1. The Audit and Risk Com­mit­tee agreed extern­al aud­it­ors audit plan.

2. Action – None.

Gov­ernance state­ment (Paper 2)

1. Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions presen­ted the draft Gov­ernance Report, which forms part of the Annu­al Report and Accounts, to the Com­mit­tee for review and com­ment pri­or to inclu­sion in the draft papers sub­mit­ted for extern­al audit.

2. The Audit and Risk Com­mit­tee agreed the gov­ernance statement.

3. Action – none.

Page 5 of 10

Intern­al audit report: man­age­ment action fol­low up ²⁰²³⁄₂₄ (Paper 4)

1. Stephanie Hume, Intern­al Aud­it­or, Azets presen­ted the paper that provides an over­view of man­age­ment action taken on pre­vi­ous intern­al audit recom­mend­a­tions raised and agreed. The fol­low up review work repor­ted here is part of the intern­al audit pro­gramme agreed for ²⁰²³⁄₂₄.

2. The Audit and Risk Com­mit­tee dis­cussed the update and made the fol­low­ing com­ments and observations:

a) Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO repor­ted that he was pleased to make a good start in redu­cing the total out­stand­ing actions down to 28. He high­lighted to the com­mit­tee that a few recom­mend­a­tions have a long timeline asso­ci­ated with them and will take time to pro­gress to com­ple­tion. b) Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO advised that there has been upscal­ing of the organ­isa­tion; the Cor­por­ate Ser­vices team are busy with chan­ging the intern­al con­trol sys­tems, address­ing his­tor­ic­al issues, while also sup­port­ing the increased breadth of oper­a­tions and this wide range of pri­or­it­ies con­tin­ued to impact the capa­city to wholly focus on address­ing improve­ment recom­mend­a­tions. The man­age­ment team are bring­ing in more resources in rel­ev­ant areas to help resolve issues. c) A mem­ber raised the recent email breech, and a dis­cus­sion was had about the les­sons learned arising from that exper­i­ence. Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO advised that it showed that the Park Author­ity were able to escal­ate it quickly, the Inform­a­tion tech­no­logy (IT) team acted quickly, man­age­ment had been involved, and the whole incid­ent resolved with­in 12 – 14 hours. d) Head of Fin­ance and Cor­por­ate Oper­a­tions added that the board email addresses are on a dif­fer­ent domain from Cairngorms Nation­al Park Author­ity staff which helped to pro­tect core sys­tems. e) Head of Fin­ance and Cor­por­ate Oper­a­tions explained that the old serv­er that was being used was com­ing to the end of its life and this was why every­one was being moved onto Share­Point. This stage had now been reached; the old serv­er would house the Rdrive which could still be accessed by staff on a read only basis. This meant that cyber secur­ity plus accred­it­a­tion could now be pro­gressed. f) A com­ment was made that the secur­ity of sys­tems would be depend­ent on vigil­ance of indi­vidu­al col­leagues, and it was the IT team’s inten­tion to test this using fake phish­ing emails in the future. g) The Chair asked for reas­sur­ance that 2 of the actions that had been removed had indeed been super­seded? Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO provided that reas­sur­ance. h) The Chair referred to the actions with revised timelines, grant fund­ing March 2024 par­tially com­plete, cyber secur­ity review and one oth­er do not have dates assigned to them – could that be cla­ri­fied for next time? It was agreed that they could.

1. The Audit and Risk Com­mit­tee noted the intern­al audit report on man­age­ment action fol­low up for ²³⁄₂₄ update includ­ing the revised dates attrib­uted to actions that remain outstanding.

2. Action

i. Dates to be assigned to the man­age­ment actions which do not have dates and brought to the next meeting.

Page 6 of 10

Intern­al audit: intern­al audit plan ²⁰²⁴⁄₂₅ (Paper 5)

1. Eliza­beth Young, Intern­al Aud­it­ors, Azets, presen­ted the pro­posed intern­al audit plan includ­ing the pro­posed intern­al audit work for the ²⁰²⁴⁄₂₅ fin­an­cial and oper­a­tion­al year.

2. The Audit and Risk Com­mit­tee dis­cussed the plan and made the fol­low­ing com­ments and observations:

a) With ref­er­ence to page 14 no timetable had been assigned? When would mit­ig­a­tion be delivered for that risk? b) Head of Fin­ance and Cor­por­ate Oper­a­tions com­men­ted that it was recog­nised that IT is a fast chan­ging situ­ation and in address­ing those risks it was vital to have a team inhouse and a need to retain a team inhouse to deal with user prob­lems and kit. She added that there is also sup­port at Loch Lomond and Trossachs Nation­al Park Author­ity (LLT­NP) to share costs, soft­ware and staff time. The ques­tion would be wheth­er the Park Author­ity are provid­ing a cost effect­ive approach. c) Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO added that in way of pre­vent­at­ive mit­ig­a­tion a daily review of cyber secur­ity threats is car­ried out. The Seni­or Man­age­ment Group were tak­ing for­ward wider dis­cus­sions with LLT­NP, with sim­il­ar con­ver­sa­tions with NatureScot planned too, which will identi­fy areas for poten­tial col­lab­or­a­tion. The oper­a­tion­al plan for IT team going for­ward are being drawn up, ensur­ing the work­plans of the IT team are included with­in this, so mit­ig­a­tion is clearly vis­ible. d) Sug­ges­tion made to change the lan­guage of the IT risk mit­ig­a­tions in the risk register as it is mis­lead­ing sug­gest­ing that only mon­it­or­ing rather than pro­act­ive work is being under­taken. This was agreed. e) The Chair added that the pres­sure for shared ser­vices was only going to increase.

1. The Audit & Risk Com­mit­tee agreed the intern­al audit plan for ²⁰²⁴⁄₂₅ sub­ject to the lan­guage in para­graph 14 being made clear­er to reflect the situation.

2. Action

i. The lan­guage on page 14 to be made clear­er to bet­ter reflect the situation.

Page 7 of 10

Intern­al audit: pro­gress report

1. Eliza­beth Young, Intern­al Aud­it­ors, Azets provided an over­view of the intern­al audit pro­gress report, inform­ing the Com­mit­tee that Azets are on track to deliv­er the annu­al report in April.

2. Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO repor­ted that he agreed with the broad sen­ti­ment of the report. He noted the pro­cure­ment audit was identi­fy­ing a num­ber of high risk areas requir­ing action and high­lighted action was already under­way in a num­ber of rel­ev­ant areas. He sug­ges­ted that once the pro­cure­ment audit report was draf­ted, it and the indic­at­ive action plan could be shared with the com­mit­tee Chair and taken to the Com­mit­tee in June or if it was felt neces­sary a new addi­tion­al meet­ing could be sched­uled before June. It was agreed that the Dir­ect­or of Cor­por­ate Ser­vices and the Chair take that decision once the audit report is drafted.

3. The Audit & Risk Com­mit­tee noted the paper.

4. Actions

i. Draft intern­al pro­gress report once draf­ted to be shared with the Chair. ii. Togeth­er the Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO and the Chair to decide wheth­er the report could go before the com­mit­tee at their June meet­ing or if an addi­tion­al earli­er meet­ing of the com­mit­tee would need to be scheduled.

Page 8 of 10

Stra­tegic risk register

1. Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions presen­ted the paper, fol­low­ing the review of risk man­age­ment car­ried out by Intern­al Aud­it­ors we have recon­sidered our approach to the man­age­ment of risk and taken the oppor­tun­ity to build on the recom­mend­a­tions made by the Intern­al Aud­it­or. She drew the Committee’s atten­tion to the fact that risk 11 had fallen off the cir­cu­lated meet­ing papers.

2. The Audit and Risk Com­mit­tee dis­cussed the update and made the fol­low­ing com­ments and observations:

a) Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO advised that he would arrange for the annex to be recir­cu­lated to the com­mit­tee, with risk 11 included, along with revised rat­ings and word­ing. b) A mem­ber asked that if there was a risk that pro­ject funds could be clawed back by Scot­tish Gov­ern­ment, were pro­gram man­agers aware of that too? CEO advised that Seni­or Man­age­ment Team mem­bers with budgets were aware, and it had become a reg­u­lar annu­al risk. He added that while he was not that con­cerned about it, we have to ensure as much expendit­ure is com­mit­ted as early as pos­sible. c) Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO added that staff are used to the annu­al­ised budget alloc­a­tion includ­ing the threat of claw back. He made ref­er­ence to risk num­ber 8 on the Stra­tegic risk register and explained that it would be the first year of its deliv­ery of the Cairngorms2030 pro­gram and recog­nising work­load pres­sures on staff deliv­er­ing this and the Oper­a­tion­al plan. He advised time and resource can be used to get the Oper­a­tion­al plan pro­jects up and run­ning now then focus on the Cairngorms2030 pro­jects after to help man­age staff work­loads. d) A brief dis­cus­sion took place on pro­cure­ment pro­cesses where the Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO stated that it was recog­nised that the Park Author­ity need spe­cial­ist sup­port on pro­cure­ment par­tic­u­larly with infra­struc­ture pro­jects, ensur­ing the staff group have the know­ledge and capa­city inhouse or through appoin­ted advisors. More inform­a­tion on that will come to the Com­mit­tee in due course. e) Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO advised that in the past officers have brought the pro­gramme risk register for Cairngorms 2030 for the Com­mit­tee to have sight of the over­all risk man­age­ment approach being taken. He pro­posed that officers would bring it back before this Com­mit­tee as a reg­u­lar item. The Chair agreed.

1. The Audit & Risk Com­mit­tee con­sidered the cov­er­age and adequacy of the Park Authority’s stra­tegic risk man­age­ment pos­i­tion and advise on any gaps or amend­ments required to the cur­rent stra­tegic risk register.

2. Actions

i. Annex to be recir­cu­lated to the com­mit­tee, with risk 11, revised rat­ings and word­ing to be included. ii. Cairngorms2030 pro­ject Stra­tegic risk register to be brought to this Com­mit­tee at the next meeting.

Page 9 of 10

LEAD­ER grant fund­ing – les­sons learned

1. Dav­id Camer­on, Deputy CEO Cairngorms Nation­al Park Author­ity and Vice Chair of Cairngorms Trust presen­ted the paper which sets out the les­sons learned and wider reflec­tions of run­ning a Com­munity Led Loc­al Devel­op­ment (CLLD) grant scheme under the umbrella of the Scot­tish Government’s LEAD­ER Pro­gramme. He went on to say that the intent of this paper is to help con­sid­er­a­tion in estab­lish­ment of future CLLD and grant fund­ing ini­ti­at­ives sup­por­ted in some way by the Park Authority.

2. The Audit and Risk Com­mit­tee dis­cussed the paper and made the fol­low­ing com­ments and observations:

a) Com­ment made that the paper was well writ­ten, coher­ent and clear. Sug­ges­tion made to make the paper avail­able to the rest of the Board. b) Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO agreed and added that he would seek to work with the Clerks to ensure that the papers con­cern­ing oth­er board com­mit­tees that the Board mem­bers did not sit on, would still be made read­ily avail­able to them should they wish to have sight of them. c) Sug­ges­tion made that link­ages to policy could be made between part­ners as seen recently with His­tor­ic Scot­land and NatureScot, Sug­ges­tion made that there was poten­tial for Nation­al Parks to get togeth­er to do sim­il­ar. d) Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO advised that it would be good to devel­op a doc­u­ment which helps an applic­ant nav­ig­ate the pleth­ora of grant fund­ing available.

1. The Audit & Risk Com­mit­tee noted the paper.

2. Actions

i. Paper to be cir­cu­lated around the Board and brought to their atten­tion. ii. Dir­ect­or of Cor­por­ate Ser­vices and Deputy CEO to work with Clerks to ensure Board mem­bers can access papers for all board com­mit­tees wheth­er they sit on that com­mit­tee or not.

Page 10 of 10

AOCB

1. There were no items of com­pet­ent business.

Date of next meeting

1. Sched­uled date is 21 June 2024.

2. The pub­lic busi­ness of the meet­ing con­cluded at 3.50 pm.