Cairngorms National Park Authority
Internal Audit Annual Report 2023/24
June 2024
Contents
- Introduction
- Overall internal audit opinion
- Internal audit work performed
- Appendix 1 – Planned v actual days 2023/24
- Appendix 2 – Summary of Quality Assurance Assessment
Introduction
The Public Sector Internal Audit Standards (PSIAS) state that:
“The Chief Audit Executive must deliver an annual internal audit opinion and report that can be used by the organisation to inform its governance statement.”
“The annual internal audit opinion must conclude on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control.”
To meet the above requirements, this Annual Report summarises our conclusions and key findings from the internal audit work undertaken at Cairngorms National Park Authority during the year ended 31 March 2024, including our overall opinion on Cairngorms National Park Authority’s internal control system.
Acknowledgement
We would like to take this opportunity to thank all members of management and staff for the help, courtesy and co-operation extended to us during the year.
Overall internal audit opinion
Basis of opinion
As the Internal Auditor of the Cairngorms National Park Authority, we are required to provide the Audit and Risk Committee with assurance on the whole system of internal control. In giving our opinion it should be noted that assurance can never be absolute. The most that the internal audit service can provide is reasonable assurance that there are no major weaknesses in the whole system of internal control.
In assessing the level of assurance to be given, we have taken into account:
- All reviews undertaken as part of the 2023/24 internal audit plan.
- Any scope limitations imposed by management.
- Matters arising from previous reviews and the extent of follow-up action taken including in year audits.
- Expectations of senior management, the Audit and Risk Committee and other stakeholders.
- The extent to which internal controls address the client’s risk management / control framework.
- The effect of any significant changes in Cairngorms National Park Authority’s objectives or systems.
- The internal audit coverage achieved to date.
In my professional judgement as Head of Internal Audit, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the basis and the accuracy of the conclusions reached and contained in this report. The conclusions are based on the conditions as they existed at the time of the audit. The conclusions are only applicable for the entity examined. The evidence gathered meets professional audit standards and is sufficient to provide senior management with appropriate assurance from the work of internal audit.
Internal Audit Opinion
In our opinion, Cairngorms National Park Authority has a framework of governance, risk management and controls that provides reasonable assurance regarding the effective and efficient achievement of objectives, except in relation to procurement. Our work in this area found a number of significant weaknesses in the control framework in place and potential non-compliance with procurement legislation.
Azets
June 2024
Internal audit work performed
Scope and responsibilities
Management
It is management’s responsibility to establish a sound internal control system. The internal control system comprises the whole network of systems and processes established to provide reasonable assurance that organisational objectives will be achieved, with particular reference to:
- risk management.
- the effectiveness of operations.
- the economic and efficient use of resources.
- compliance with applicable policies, procedures, laws and regulations.
- safeguards against losses, including those arising from fraud, irregularity or corruption; and
- the integrity and reliability of information and data.
Internal auditor
The Internal Auditor assists management by examining, evaluating and reporting on the controls in order to provide an independent assessment of the adequacy of the internal control system. To achieve this, the Internal Auditor should:
- analyse the internal control system and establish a review programme.
- identify and evaluate the controls which are established to achieve objectives in the most economic and efficient manner.
- report findings and conclusions and, where appropriate, make recommendations for improvement.
- provide an opinion on the reliability of the controls in the system under review; and
- provide an assurance based on the evaluation of the internal control system within the organisation as a whole.
Planning process
Our strategic and annual internal audit plans are designed to provide the Audit and Risk Committee with assurance that Cairngorms National Park Authority’s internal control system is effective in managing the key risks and best value is being achieved. The plans are therefore informed by Cairngorms National Park Authority’s risk management system and linked to the Corporate Risk Register.
The Strategic Internal Audit Plan was agreed in consultation with senior management and formally approved by the Audit and Risk Committee in March 2023.
The Annual Internal Audit Plan is subject to revision throughout the year to reflect changes in Cairngorms National Park Authority’s risk profile. No changes were made to the 2023/24 plan.
We planned our work so that we have a reasonable expectation of detecting significant control weaknesses. However, internal audit can never guarantee to detect all fraud or other irregularities and cannot be held responsible for internal control failures.
Cover achieved
The 2023/24 Internal Audit Plan comprised 62 days of audit work and we completed the full programme. A comparison of actual coverage against the 2023/24 plan is attached at Appendix 1.
We confirm that there were no resource limitations that impinged on our ability to meet the full audit needs of the Cairngorms National Park Authority and no restrictions were placed on our work by management.
We did not rely on the work performed by a third party during the period.
Reports
We prepared a report from each review and presented these reports to the Audit and Risk Committee. The reports are summarised in the table below.
Where relevant, all reports contained action plans detailing responsible officers and implementation dates. The reports were fully discussed and agreed with management prior to submission to the Audit and Risk Committee. We made no significant recommendations that were not accepted by management.
Review | Control objective assessment | 4 | 3 | 2 | 1 |
---|---|---|---|---|---|
Expenditure and Creditors | 1 | 2 | |||
Risk Management | 4 | 4 | |||
Health and Safety | 3 | 3 | |||
Procurement | 4 | 3 | |||
Heritage Horizons | 1 | 1 | |||
Finance System | N/A Due to the style of report | ||||
Follow up Part 1 | N/A Due to the style of report | ||||
Follow up Part 2 | N/A Due to the style of report |
Control objective assessment definitions
- R: Fundamental absence or failure of key controls.
- A: Control objective not achieved — controls are inadequate or ineffective.
- Y: Control objective achieved — no major weaknesses but scope for improvement.
- G: Control objective achieved — controls are adequate, effective and efficient.
Management action prioritisation definitions
- 4: Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
- 3: High risk exposure — absence / failure of key controls that create significant risks within the organisation.
- 2: Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
- 1: Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.
Progress in implementing previous internal audit actions
We reviewed the progress of 63 actions during the course of the year and obtained sufficient evidence to close 28 (45%) of these. In addition, two (3%) were considered complete pending evidence and a further five (8%) were superseded.
Of the 28 remaining actions, 22 (79%) are partially complete, 14 (14%) are incomplete and two (7%) were not yet due for completion.
Key themes from audit work in 2023/24
Procurement
We identified a number of significant and high-risk issues regarding procurement processes and controls. These included the lack of an up-to-date Procurement Strategy and associated policies and procedures. We noted a lack of adherence to procurement legislation, with our testing being unable to confirm appropriate procedures had been followed. This included an inability to demonstrate that appropriate evaluation arrangements were in place, with a lack of evidence retained in a number of cases. We also confirmed that CNPA do not produce an annual procurement report or maintain a contracts register, which was a commitment of the previous CNPA procurement strategy.
Risk Management
We identified a number of issues with regard to risk management. These included the lack of an up-to-date Risk Management Strategy, including the process for maintenance of operational risk registers and the escalation and de-escalation of risks. We also identified issues with the Strategic Risk Register template such as the lack of a risk scoring matrix and links to risk appetite.
We have however confirmed that management has made significant progress in implementing our risk management recommendations over the course of 2023/24. This includes the Risk Management Policy being updated in a number of areas, with the Policy also being approved by the Audit and Risk Committee. A formal risk scoring matrix has been developed and used to score risks on the Strategic Risk Register. The Strategic Risk Register template has also been updated to include risk category, risk appetite, current score, target score and due dates for mitigating actions.
Health and Safety
We found a number of control weaknesses within health and safety, including policies and procedures not being subject to regular review and a lack of completion of health and safety training, both induction and refresher training. In addition, we found there to be a lack of formal process for undertaking investigations and ensuring Incident and Accident Recording Forms are completed fully. We have confirmed some progress has been made with the implementation of our recommendations, including sourcing on-line training for investigations for relevant staff, and the Health and Safety Committee minutes being circulated to SMT.
Independence
PSIAS require us to communicate on a timely basis all facts and matters that may have a bearing on our independence.
We can confirm that the staff members involved in each 2023/24 internal audit review were independent of Cairngorms National Park Authority and their objectivity was not compromised in any way.
Conformance with Public Sector Internal Audit Standards
We confirm that our internal audit service conforms to the Public Sector Internal Audit Standards, which are based on the International Standards for the Professional Practice of Internal Auditing. This is confirmed through our quality assurance and improvement programme, which includes cyclical internal and external assessments of our methodology and practice against the standards.
A summary of the results of our most recent external assessment is provided at Appendix 2.
Appendix 1 – Planned v actual days 2023/24
Ref and Name of report | Planned Days | Actual Days |
---|---|---|
Expenditure and Creditors | 7 | 7 |
Finance System | 8 | 8 |
Risk Management | 7 | 7 |
Health and Safety | 7 | 7 |
Procurement | 11 | 11 |
Heritage Horizons | 8 | 8 |
Follow Up | 3 | 3 |
Internal Audit Management and Administration | 2 | 2 |
Audit and Risk Committee Planning, Reporting and Attendance | 3 | 3 |
Audit Needs Analysis – Strategic and Operational Planning | 3 | 3 |
Contact Management | 2 | 2 |
Annual Internal Audit Report | 1 | 1 |
Total | 62 | 62 |
Appendix 2 – Summary of Quality Assurance Assessment
As part of our regular quality assessment procedures, we commissioned an external quality assessment (EQA) against the Institute of Internal Auditors’ (IIA’s) International Professional Practices Framework (IPPF) and, where appropriate, the Public Sector Internal Audit Standards (PSIAS).
We are pleased to disclose the outcome of this assessment as we believe it is important to provide you with assurance that the service you receive is of a high quality and fully compliant with internal audit standards.
Outlined below are extracts from our most recent external quality assessment undertaken in February 2023.
External Quality Assessment summary
Executive Summary
I am pleased to report that there are no material governance, methodology or practical issues that are impacting Azets Risk Assurance’s overall conformance with the Institute of Internal Auditors’ (IIA’s) International Professional Practices Framework (IPPF).
Internal Audit have achieved the highest level of conformance with the Standards, as well as the Definition, Core Principles, and the Code of Ethics, which form the mandatory elements of the IPPF, the global standard for quality in Internal Auditing. The Institute describe this as “Generally Conforms.”
This is an excellent result and is based on an extensive EQA covering the team’s approach, methodology, processes, and an extensive sample of engagement files. The EQA assessor is an experienced, former Chief Assurance Officer and current Audit Committee Chair.
Conformance Opinion
The IPPF/PSIAS includes the Mission and Definition of Internal Auditing, the Core Principles, Code of Ethics, and International Standards. There are 64 fundamental principles to achieve, with 118 points of recommended practice.
I am delighted to confirm that Azets Risk Assurance generally conform with 62 of these 64 fundamental principles. This is an excellent result. Furthermore, there are no areas of ‘partial’ or ‘non-conformance’ with any of the remaining fundamental principles.
The overall assessment resulting from the EQA is that Azets Risk Assurance “generally conforms to the International Professional Practices Framework.” The term “generally conforms” is used by the IIA to represent the highest level of achievement and performance.
I include a summary of Azets Risk Assurance’s conformance to these fundamental principles below. Overall, I believe that Azets Risk Assurance has achieved an excellent performance given the breadth of the IPPF, and the diverse work and activity the team undertakes.
Summary of IIA Conformance | Standards | N/A | Does not Conform | Partially Conforms | Generally Conforms | Total |
---|---|---|---|---|---|---|
Definition of IA and Code of Ethics | Rules of conduct | | | | 12 | 12 |
Purpose | 1000 — 1130 | | | | 8 | 8 |
Proficiency and Due Professional Care | 1200 — 1230 | | | | 4 | 4 |
Quality Assurance and Improvement Programme | 1300 — 1322 | 1 | | | 6 | 7 |
Managing the Internal Audit Activity | 2000 — 2130 | | | | 12 | 12 |
Engagement Planning and Delivery | 2200 — 2600 | 1 | | | 20 | 21 |
Total | | 2 | 0 | 0 | 62 | 64 |
Our response
The review identified a number of areas for future consideration to further enhance our internal audit practices. We welcome these findings and as such, a detailed action plan will be put into place to address the areas for further development.
© Azets 2024. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22.
Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.