Audit and Risk Com­mit­tee — Paper 1

8 Novem­ber 2024

Page 1 of 3

For decision

Title: Intern­al Audit Report Man­age­ment Action Fol­low up

Cov­er paper pre­pared by: Louise Allen, Head of Fin­ance and Cor­por­ate Operations

Annex pre­pared by: Eliza­beth Young, Chief Intern­al Aud­it­or and Stephanie Hume, Seni­or Audit Man­ager, Azets

Pur­pose

This paper presents the intern­al auditor’s inde­pend­ent over­view of man­age­ment action taken on pre­vi­ous intern­al audit recom­mend­a­tions raised and agreed. The fol­low-up review work repor­ted here is part of the intern­al audit pro­gramme agreed for ²⁰²⁴⁄₂₅.

Recom­mend­a­tions

The Audit and Risk Com­mit­tee is asked to:

a) Note the pro­gress made by man­age­ment in imple­ment­ing agreed man­age­ment actions; and b) Note the due dates attrib­uted to actions that remain outstanding.

Exec­ut­ive summary

1. Azets, the Park Authority’s Intern­al Aud­it­ors, have under­taken a fol­low-up review of action taken to address pre­vi­ous audit recom­mend­a­tions raised and agreed by the Com­mit­tee, to provide the Audit & Risk Com­mit­tee with assur­ance that man­age­ment actions agreed in pre­vi­ous intern­al audit reports have been imple­men­ted appro­pri­ately. The report of their fol­low-up review is provided in full at the Annex to this paper. The report sum­mar­ises the pro­gress made by man­age­ment in imple­ment­ing agreed man­age­ment actions.

Page 2 of 3

1. Azets have reviewed all open man­age­ment actions and liaised with Park Author­ity staff to obtain an update on their imple­ment­a­tion pro­gress. For recom­mend­a­tions graded pri­or­ity 3 or above, Azets request evid­ence to val­id­ate com­ple­tion of any actions marked for clos­ure by management.

2. There were 28 open actions brought for­ward from the last report (April 2024); there are 24 actions car­ried for­ward. This reflects com­ple­tion of 10 recom­mend­a­tions since the last report, with anoth­er being super­seded by a sub­sequent audit and updated recom­mend­a­tion for action, with sev­en new recom­mend­a­tions added by audit reviews in the year to date.

Con­clu­sion

1. We con­tin­ue to make pro­gress imple­ment­ing audit recom­mend­a­tions. We acknow­ledge that fur­ther work is required to clear the remain­ing recom­mend­a­tions brought for­ward from pre­vi­ous years. How­ever, a report of pro­gress against each of the out­stand­ing items has been provided, and this cla­ri­fies the work remain­ing to be done.

2. Tar­get dates for com­ple­tion have been reviewed and revised where appropriate.

3. We note the age of a num­ber of remain­ing recom­mend­a­tions and high­light that work is in pro­gress on 19 of those recom­mend­a­tions. This high­lights that con­trol improve­ments are under­way in all but 5 of the remain­ing recom­men­ded areas for improve­ment. In many cases, the recom­mend­a­tions remain open as they relate to an exten­ded pro­cess to achieve the final object­ive rather than one-off items, or where there is depend­ency on oth­er pro­jects com­plet­ing to real­ise the aims of the audit improve­ment. For example:

   a) Updat­ing the pub­lic­a­tion scheme (from ²⁰¹⁹⁄₂₀) was sus­pen­ded dur­ing pri­or­it­isa­tion of COV­ID responses and sub­sequent organ­isa­tion­al devel­op­ment and is now linked into the final­isa­tion of our web­site redevel­op­ment pro­ject. Under­pin­ning work is sub­stan­tially com­plete and our Records Man­age­ment Plan fully updated and approved by rel­ev­ant extern­al author­it­ies. b) Pro­ject plan for imple­ment­a­tion of pro­ject man­age­ment approaches (from ²⁰²¹⁄₂₂) is in devel­op­ment led by our pro­ject man­age­ment sys­tems devel­op­ment for the Cairngorms 2030 (C2030) pro­ject. A changeover to MS Pro­ject from a pre­vi­ous soft­ware sys­tem is near com­plete and being reviewed by the C2030 man­age­ment team, while the move to a pro­ject ini­ti­ation pro­cess has been agreed by Seni­or Man­age­ment Team in Octo­ber. These ele­ments will be blen­ded into an organ­isa­tion-wide pro­ject man­age­ment plan in the next months. c) Cyber secur­ity (from ²⁰²¹⁄₂₂) has been pro­gress­ing with Cyber Essen­tials accred­it­a­tion achieved and Cyber Essen­tials Plus now pro­gress­ing. This has been depend­ent on com­ple­tion of our full imple­ment­a­tion of Share­Point and asso­ci­ated records man­age­ment approaches across the organ­isa­tion which itself has been a major pro­ject now sub­stan­tially com­pleted. Again, the final com­ple­tion of action against the audit recom­mend­a­tion requires com­ple­tion of sig­ni­fic­ant wider organ­isa­tion­al change and imple­ment­a­tion of appro­pri­ate con­trol sys­tems. d) Pro­cure­ment (from ²⁰²³⁄₂₄) includes a recom­mend­a­tion that com­bines a recom­mend­a­tion for a new pro­cure­ment strategy with a recom­mend­a­tion for reg­u­lar review and update for policies linked to that strategy, and then fol­lowed by train­ing for staff on the pos­i­tion. As the Com­mit­tee is aware, the strategy has been com­pleted and approved as an urgent item of work, while atten­tion is now giv­en to policy and pro­ced­ure review. How­ever, the time required to achieve all remedi­al actions against this recom­mend­a­tion will stretch over sev­er­al months with this recom­mend­a­tion there­fore remain­ing in pro­gress and par­tially com­plete for some time.

Page 3 of 3

1. These examples are presen­ted to illus­trate the con­nectiv­ity of strands of work required to com­plete fully the con­trol improve­ments sug­ges­ted by the audit recom­mend­a­tions. Giv­en the breadth of work under­way on a range of cor­por­ate sys­tems, there is con­fid­ence that a num­ber of these out­stand­ing recom­mend­a­tions that are in pro­gress can be resolved over the remainder of the cur­rent oper­a­tion­al and fin­an­cial year.

Louise Allen

25 Octo­ber 2024

louiseallen@​cairngorms.​co.​uk