240927 ARCttee Paper 3 Annex 1 23-24 TCWG Management Response
Audit and Risk Committee — Paper 3 Annex 1 — 27 September 2024
Request for information from Management and from Those Charged with Governance
Fraud
1) How does the Committee, in its role as those charged with governance, exercise oversight of management’s processes in relation to:
- Undertaking an assessment of the risk that the financial statements may be materially misstated due to fraud or error (including the nature, extent and frequency of these assessments);
- Identifying and responding to risks of fraud in the organisation, including any specific risks of fraud which management have identified or that have been brought to its attention, or classes of transactions, account balances, or disclosure for which a risk of fraud is likely to exist;
- Communicating to employees of views on business practice and ethical behaviour (for example by updating, communicating and monitoring against the organisation’s code of conduct); and
- Communicating to those charged with governance the processes for identifying and responding to fraud or error?
- Resources committee reviews the management accounts at every meeting and considers the results shown in the financial statements in the context of their knowledge of events over the year.
- Reliance is placed on the knowledge, experience, and integrity of senior management and assurances provided by management.
- Risk register is considered at each meeting of the ARC.
- Known incidents are reported to the Senior Management Team, to Scottish Government and to the ARC.
- Resources Committee is responsible for board oversight and scrutiny of organisational policies and compliance with those, while ARC sees internal audit reports on effectiveness of these policies and the internal control systems that they implement.
- ARC reviews and approves the governance statement.
- ARC takes assurance from independent input from internal and external auditors.
- The terms of reference for the board’s committees make clear the escalation and communication mechanisms between committees in the event of any matters arising.
- From May 2024, all Board members receive the papers provided for all committee meetings, keeping them informed of matters reported by Management.
- Training is provided to Board members periodically, to assist them in meeting their responsibilities. The last session was held on 19 April 2024. It was provided by the Internal Auditors and covered:
  - The role and responsibilities of the Park Authority’s board with regard to risk management and how elements of these responsibilities are discharged by an Audit and Risk Committee
  - Requirements of the SPFM
  - Assurance mapping and risk management
  - The scrutiny and challenge role of board members.
2) How does the Committee oversee management processes to identify and respond to the risk of fraud and possible breaches of internal control? Is the Committee aware of any breaches of internal control during 2023/24? Please provide details.
- Internal audit reporting – annual programme agreed with ARC.
- Recommendations from internal audit work are monitored by ARC from point of recommendations being raised until they have been implemented.
3) Has the Committee knowledge of any actual, suspected or alleged fraud during the period 1 April 2023 – 31 March 2024? Where appropriate please provide details.
- None known.
4) Has the Committee any suspicion that fraud may be occurring within the organisation? Please provide details.
- No suspicions
Has the Committee identified any specific fraud risks within the organisation? Please provide details.
- None identified
Does the Committee have any concerns that there are areas within the organisation that are at risk of fraud? Please provide details.
- No concerns
Are there particular locations within the organisation where fraud is more likely to occur? Please provide details.
5) Is the Committee satisfied that internal controls, including segregation of duties, exist and work effectively? Please provide details.
- Segregation of duties is in place to the extent possible within a small organisation.
- Internal audit reports substantiate controls and identify improvements where required.
- Regular management information is provided including any significant exceptions.
- Delegated Levels of Authority (DLA) policy.
If not, where are the risk areas?
- None known.
What other controls are in place to help prevent, deter or detect fraud?
- All new employees are subject to full induction and Disclosure.
- Regular repeat training in relevant control areas.
- IT team keep up to date on zero-day risks to IT systems through daily reports from Cyber Scotland.
- Cyber security risks and mitigations noted on risk register and discussed at ARC.
- The ARC accepts and agrees with the key risks highlighted by the external auditors in their audit plan.
6) Is the Committee satisfied that staff are encouraged to report their concerns about fraud, and the types of concerns they are expected to report? Please provide details.
- Reliance is placed on the knowledge, experience, and integrity of senior management. Experience has shown that staff report fraud where they have concerns; this led to detection of the fraud reported in 2022/23.
- All staff are encouraged to report anything, no matter how minor, which looks out of the ordinary and/or where due process has not been followed.
- Segregation of duties within the Finance Team
- Finance team is charged with governance.
7) From a fraud and corruption perspective, what are considered by the Committee to be high risk posts within the organisation? Please provide details.
Members of Senior Management Team are considered to be high risk posts as these staff conduct the majority of financial approvals and all high value approvals, while also interacting with actual and potential suppliers and grant recipients.
How are the risks relating to these posts identified, assessed and managed?
- All new employees are subject to Disclosure.
- All senior managers are required to complete a staff register of interests. Division of responsibility in authorisations is also a requirement amongst this senior staff group. ARC takes assurance from the effective operation of these controls.
- DLA policy.
8) Is the Committee aware of any related party relationships or transactions that could give rise to instances of fraud? Please provide details.
Use of suppliers connected with spouses/partners of CNPA employees is controlled by the staff register of interests policy and division of responsibility. Management are responsible for giving appropriate assurance to the ARC and board that all policy development and financial transactions are subject to appropriate internal controls, while the interests of the Executive Directors are published and available for public scrutiny.
How are the risks associated with fraud related to such relationships and transactions mitigated?
- Awareness of these relationships throughout the organisation in accordance with Register of Interests policy.
- Transparency and division of responsibility when preparing requisitions.
9) Is the Committee aware of any entries made in the accounting records of the organisation that it believes or suspects are false or intentionally misleading? Please provide details.
- None known.
Are there particular balances where fraud is more likely to occur? Please provide details.
- The main areas of judgement are:
  - the provision for LEADER irregularities
  - the provision of guarantees to landowners in respect of damage by beavers
  - valuation of a right of use asset after renewal of the lease – Ballater office
These matters are not assessed to provide for any greater likelihood of fraud.
Is the Committee aware of any assets, liabilities or transactions that it believes were improperly included or omitted from the accounts of the organisation? Please provide details.
- None known.
Could a false accounting entry escape detection? If so, how?
- Would require collaboration amongst senior members of the Finance team.
Are there any external fraud risk factors which are high risk of fraud? Please provide details.
- None known.
10) Is the Committee aware of any organisational, or management pressure to meet financial or operating targets? Please provide details.
- The objective, to make best use of available resources in any financial year and break even, is well established. However, there is no evidence to suggest that either organisational scrutiny of this objective or management’s actions to deliver this objective translate into anything other than appropriate motivation and encouragement within the staff group.
- DLA, system of requisitions and review of management information all provide mitigation.
Is the Committee aware of any inappropriate organisational or management pressure being applied, or incentives offered, to you or colleagues to meet financial or operating targets? Please provide details.
- None known.
Laws and regulations
11) How does the Committee gain assurance that all relevant laws and regulations have been complied with? For example:
- Is the Committee aware of the process management has in place for identifying and responding to changes in laws and regulations? Please provide details.
- What arrangements are in place for the Committee to oversee this process?
- Is the Committee aware of the arrangements management have in place for communicating with employees, non-executive directors, partners and stakeholders regarding the relevant laws and regulations that need to be followed? Please provide details.
- Senior management, external and internal auditors all provide information where appropriate to the role of the ARC or one of the board’s other committees.
- Senior managers are themselves responsible for their oversight of their areas and the evolving law and regulations that may impact on those areas. Management receives tailored monthly updates from our outsourced legal advisors on changes in law and regulations which may impact the Park Authority.
Does the Committee have knowledge of actual or suspected instances where appropriate laws and regulations have not been complied with, and if so, is it aware of what actions management is taking to address it? Please provide details.
- None known by either management or ARC.
Litigation and claims
12) Is the Committee aware of any actual or potential litigation or claims that would affect the financial statements? Please provide details.
- None known by either management or ARC.
Going concern
13) How has the Committee assessed and satisfied itself that it is appropriate to adopt the going concern basis in preparing the financial statements?
- All ARC members are members of the full board and are therefore fully aware of the Park Authority’s operating position and future intentions of Scottish Ministers.
- Continued Grant-in-aid support from Scottish Government – ongoing discussion with Scottish Government suggests positive relationship and funding to be continued
- Project funding – £10.5m award made by National Lottery Heritage Fund in December 2023 for the C2030 programme.
14) Has the Committee identified any events or conditions since the assessment was undertaken which may cast significant doubt on the organisation’s ability to continue as a going concern? Please provide details.
- None known by Committee or management – ongoing discussion with Scottish Government suggests positive relationship and funding to be continued.