241108ARCCoverPaper1InternalAuditManagementActionFollowUp
Audit and Risk Committee — Paper 1
8 November 2024
Page 1 of 3
For decision
Title: Internal Audit Report Management Action Follow up
Cover paper prepared by: Louise Allen, Head of Finance and Corporate Operations
Annex prepared by: Elizabeth Young, Chief Internal Auditor and Stephanie Hume, Senior Audit Manager, Azets
Purpose
This paper presents the internal auditor’s independent overview of management action taken on previous internal audit recommendations raised and agreed. The follow-up review work reported here is part of the internal audit programme agreed for 2024⁄25.
Recommendations
The Audit and Risk Committee is asked to:
a) Note the progress made by management in implementing agreed management actions; and b) Note the due dates attributed to actions that remain outstanding.
Executive summary
- Azets, the Park Authority’s Internal Auditors, have undertaken a follow-up review of action taken to address previous audit recommendations raised and agreed by the Committee, to provide the Audit & Risk Committee with assurance that management actions agreed in previous internal audit reports have been implemented appropriately. The report of their follow-up review is provided in full at the Annex to this paper. The report summarises the progress made by management in implementing agreed management actions.
Page 2 of 3
Azets have reviewed all open management actions and liaised with Park Authority staff to obtain an update on their implementation progress. For recommendations graded priority 3 or above, Azets request evidence to validate completion of any actions marked for closure by management.
There were 28 open actions brought forward from the last report (April 2024); there are 24 actions carried forward. This reflects completion of 10 recommendations since the last report, with another being superseded by a subsequent audit and updated recommendation for action, with seven new recommendations added by audit reviews in the year to date.
Conclusion
We continue to make progress implementing audit recommendations. We acknowledge that further work is required to clear the remaining recommendations brought forward from previous years. However, a report of progress against each of the outstanding items has been provided, and this clarifies the work remaining to be done.
Target dates for completion have been reviewed and revised where appropriate.
We note the age of a number of remaining recommendations and highlight that work is in progress on 19 of those recommendations. This highlights that control improvements are underway in all but 5 of the remaining recommended areas for improvement. In many cases, the recommendations remain open as they relate to an extended process to achieve the final objective rather than one-off items, or where there is dependency on other projects completing to realise the aims of the audit improvement. For example:
a) Updating the publication scheme (from 2019⁄20) was suspended during prioritisation of COVID responses and subsequent organisational development and is now linked into the finalisation of our website redevelopment project. Underpinning work is substantially complete and our Records Management Plan fully updated and approved by relevant external authorities. b) Project plan for implementation of project management approaches (from 2021⁄22) is in development led by our project management systems development for the Cairngorms 2030 (C2030) project. A changeover to MS Project from a previous software system is near complete and being reviewed by the C2030 management team, while the move to a project initiation process has been agreed by Senior Management Team in October. These elements will be blended into an organisation-wide project management plan in the next months. c) Cyber security (from 2021⁄22) has been progressing with Cyber Essentials accreditation achieved and Cyber Essentials Plus now progressing. This has been dependent on completion of our full implementation of SharePoint and associated records management approaches across the organisation which itself has been a major project now substantially completed. Again, the final completion of action against the audit recommendation requires completion of significant wider organisational change and implementation of appropriate control systems. d) Procurement (from 2023⁄24) includes a recommendation that combines a recommendation for a new procurement strategy with a recommendation for regular review and update for policies linked to that strategy, and then followed by training for staff on the position. As the Committee is aware, the strategy has been completed and approved as an urgent item of work, while attention is now given to policy and procedure review. However, the time required to achieve all remedial actions against this recommendation will stretch over several months with this recommendation therefore remaining in progress and partially complete for some time.
Page 3 of 3
- These examples are presented to illustrate the connectivity of strands of work required to complete fully the control improvements suggested by the audit recommendations. Given the breadth of work underway on a range of corporate systems, there is confidence that a number of these outstanding recommendations that are in progress can be resolved over the remainder of the current operational and financial year.
Louise Allen
25 October 2024
louiseallen@cairngorms.co.uk