241108_ARCPaper1Annex1InternalAuditReportManagementActionFollowUp
Cairngorms National Park Authority
Internal Audit Report
Management Action Follow-up Part 1 – 2024⁄25
November 2024
Contents:
- Introduction and background
- Summary of progress
- Appendix 1: Action status by report
- Appendix 2: Summary of outstanding actions
- Appendix 3: Audit risk categorisations
Introduction and background
Introduction
As part of the internal audit programme, we have undertaken a follow-up review to provide the Audit & Risk Committee with assurance that management actions agreed in previous internal audit reports have been implemented appropriately. This report summarises the progress made by management in implementing agreed management actions.
Scope
We have reviewed all open management actions and liaised with Cairngorms National Park Authority staff to obtain an update on their implementation progress. This included management identifying actions which were no longer applicable. For recommendations graded priority 3 or above, we request evidence to validate completion of any actions marked for closure by management.
For all actions raised by the prior Internal Auditor (BDO) we have aligned their risk assessments to the Azets risk grading structure (per Appendix 3).
Action for Audit & Risk Committee
The Committee is asked to note the progress made by management in implementing agreed management actions. The Committee is also asked to consider and approve those actions for which revised timescales have been provided by management (these are detailed at Appendix 2).
Summary of progress
The table below shows the movement in the audit actions in the period from April 2024 to November 2024:
Number of Actions | |
---|---|
Open actions brought forward | 28 |
Actions added to tracker | 7 |
Total actions to follow-up | 35 |
Actions closed | 10 |
Actions Superseded | 1 |
Open actions carried forward | 24 |
Status of Actions as at November 2024
(Pie chart showing 5 Complete, 10 Partially Complete, 1 Superseded, and 19 Incomplete actions)
We have confirmed that 10 actions (29%) were completed in the period to November 2024. In addition, one action is recommended for closure as it has been superseded (3%).
19 actions (54%) have been assessed as partially complete and five (14%) are incomplete. Further detail on all outstanding actions is included at Appendix 2.
We recommend that management take a strong focus on clearing aged items in the coming months. We recommend prioritising the most aged items and those that are grade 3 and grade 4. Attention should then be paid to those remaining actions that have passed their original due date and those which will pass their due date for completion over the next period.
A summary of the status of actions by report is shown at Appendix 1.
Status by Grading
(Bar chart showing the number of complete, incomplete, partially complete, and superseded actions for each grade (1–4))
Appendix 1: Action status by report
Report title | Complete | Partially complete | Incomplete | Superseded | Total |
---|---|---|---|---|---|
Grant Funding & Management | 1 | 1 | |||
2016⁄17 sub-total | 1 | 1 | 1 | ||
Business Continuity Planning | 1 | 1 | |||
2018⁄19 sub-total | 1 | 1 | 1 | ||
FOISA and EIR Requests | 1 | 1 | |||
2019⁄20 sub-total | 1 | 1 | 1 | ||
Data Management | 1 | 1 | 2 | ||
2020⁄21 sub-total | 1 | 1 | 1 | 2 | |
LEADER Programme | 1 | 1 | |||
Financial Management and Reporting | 1 | 1 | |||
Assurance Mapping of Major Projects | 2 | 2 | |||
Cyber Security Review | 2 | 2 | |||
ICT Strategy | 4 | 4 | |||
Peatland Action Programme Set Up | 1 | 1 | |||
2021⁄22 sub-total | 1 | 8 | 9 | ||
Performance Management | 1 | 1 | 2 | ||
Data Management | 1 | 1 | 2 | ||
Payroll and Expenses | 1 | 1 | |||
2022⁄23 sub-total | 3 | 2 | 1 | 6 | |
Expenditure and Creditors | 1 | 1 | 2 | ||
Risk Management | 1 | 1 | 2 | ||
Health and Safety | 3 | 1 | 4 | ||
Heritage Horizons | 2 | 2 | |||
Procurement | 3 | 4 | 7 | ||
2023⁄24 sub-total | 6 | 6 | 4 | 1 | 16 |
Grand totals | 10 | 19 | 5 | 1 | 35 |
Appendix 2: Summary of outstanding actions
Report / Action | Recommendation | Action Owner | Grade | Original timescale | Revised timescale | Update November 2024 | Status |
---|---|---|---|---|---|---|---|
2016⁄17 Grant Funding and Management | We recommend that the Grant Toolkit is completed, encompassing all processes in place for the awarding, recording and monitoring of grant funding. | Director of Corporate Services | Medium (Grade 2) | Sep 2017 | Mar 25 | Grant templates have been developed, including an award document and terms & conditions. | Partially Complete |
2018⁄19 Business Continuity Planning | We recommend that CNPA develops a testing plan/schedule for BCP which should be reviewed regularly to ensure a strategic approach to testing is developed and implemented. | Director of Corporate Services | Medium (Grade 2) | Nov 2019 | Mar 25 | BCP is in need of update. | Incomplete |
2019⁄20 FOISA and EIR Requests | We recommend CNPA review and update its Publication Scheme. | Information Manager | Low (Grade 1) | Dec 20 | Mar 25 | Publication scheme will be updated in parallel with the web development project. | Partially Complete |
2020⁄21 Data Management | We recommend that once the Authority have received the feedback from their DPOaaS provider, they create a subject access request procedure, or document the process within an existing procedure. | Office Services Manager | Medium (Grade 3) | Jun-21 | Dec 24 | This work is within the remit of Information Manager. | Partially Complete |
2021⁄22 Assurance Mapping of Major Projects | Management should put in place a project plan for implementation of the new project management approach. | Director of Corporate Services | Medium (Grade 2) | Sep-22 | Sep 25 | We have developed and implemented a new project management and reporting system. | Partially Complete |
2021⁄22 Cyber Security Review | We recommend that CNPA should perform a risk assessment as well as a gap analysis of the current technology, policy and business environment. | Information Systems Manager | Medium (Grade 3) | Aug 22 | Apr 25 | While we are mindful of risks as part of the course of our day-to-day management of our IT resources. | Partially Complete |
2021⁄22 Cyber Security Review | We recommend that CNPA establish procedures for handling cyber security events. | Information Systems Manager | Medium (Grade 2) | Dec-22 | Aug 25 | While we are mindful of risks as part of the course of our day-to-day management of our IT resources. | Partially Complete |
2021⁄22 ICT Strategy | We recommend that the next development of the IT and Data Strategy includes a financial strategy. | Director of Corporate Services | Medium (Grade 2) | Sept 23 | Dec 25 | The Authority’s strategic approach to ICT is under consideration. | Partially Complete |
2021⁄22 ICT Strategy | We recommend that management explicitly document approvals of strategies within minutes of meetings. | Director of Corporate Services | Medium (Grade 2) | Mar-23 | Dec 25 | All strategy and policy documents are presented to both the Senior Management Team and the Board. | Partially Complete |
2021⁄22 ICT Strategy | We recommend that the action plan within the IT and Data Strategy is updated to include action owners and delivery dates. | Information Systems Manager | Medium (Grade 3) | Jun-22 | Dec 25 | The IT operational plan will, in future, follow naturally from the ICT strategy. | Partially Complete |
2021⁄22 Peatland Action Programme Set Up | Management should document the risks associated with the full-service approach and put mitigating controls in place. | Director of Nature and Climate Change | High (Grade 4) | Dec-22 | Mar 25 | The SLA developed by our lawyers has been circulated and tested with land managers. | Partially Complete |
2022⁄23 Data Management | We recommend that CNPA review the current policy suite that is in place and develop and implement policies that address the following policy areas: | Deputy Chief Executive | Medium (Grade 3) | Dec 23 | Apr 25 | The Information Manager is working on this as part of his review of policies. | Partially Complete |
2022⁄23 Performance Management | We support management’s approach to developing a dashboard to support more frequent scrutiny and challenge by senior management. | Governance, Data and Reporting Manager | Medium (Grade 2) | Dec-22 | Dec 25 | Our work on corporate performance management is ongoing. | Partially Complete |
2022⁄23 Expenditure and Creditors | CNPA should promote the importance of the standardisation of documentation kept for each purchase, and require that for each commitment of expenditure the following should be documented and maintained: | Finance Manager | Grade 2 | Mar 24 | Mar 25 | The importance of segregation of duties was discussed during staff workshops. | Partially Complete |
2023⁄24 Risk Management | Management should implement operational risk registers to ensure that operational risks related to the day-to-day activities of the organisation are recorded and monitored on a regular basis. | Deputy Chief Executive | Grade 3 | Dec 23 | Mar 25 | Risk registers are now in place for IT, Comms and C2030 | Partially Complete |
2023⁄24 Health and Safety | We recommend that the Health and Safety Policy and all supporting policies are subject to regular review to ensure that they reflect the current legislative requirements. | Facilities Manager | Grade 3 | Apr-24 | Mar 25 | This is in progress. | Partially Complete |
2023⁄24 Procurement | CNPA should develop a new Procurement Strategy and supporting policies and procedures as soon as possible. | Deputy Chief Executive with Head of Finance and Corporate Operations | 4 | Sept 24 | TBC | Procurement strategy now refreshed and approved by ARC. | Partially Complete |
2023⁄24 Procurement | CNPA should prepare and publish annual procurement reports, maintain a contract register and produce a procurement expenditure report. | Deputy Chief Executive with Head of Finance and Corporate Operations | 3 | Dec 24 | TBC | The procurement strategy has now been updated and agreed, and now sets out any reporting. | Partially Complete |
2023⁄24 Procurement | CNPA should undertake a full review of the procurement documentation held for each supplier. | Head of Finance | 4 | Sept 2024 onward, according to the agreed action plan. | TBC | Action plan provided to ARC. | Partially Complete |
2023⁄24 Procurement | Management should seek to develop templates which set out the stages of the procurement journey. | Head of Finance | 4 | Mar 25 | N/A | Incomplete | Incomplete |
Appendix 3: Audit risk categorisations
Management action grades
- 4: Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
- 3: High risk exposure — absence / failure of key controls that create significant risks within the organisation.
- 2: Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
- 1: Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general housekeeping issues.
© Azets 2024. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22.
Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.