241122Paper7CNPABdARCommitteeAnnualReport

Form­al Board Paper 7 22 Novem­ber 2024 Page 1 of 9

For dis­cus­sion

Title: Audit and Risk Com­mit­tee annu­al report

Pre­pared by: Dav­id Camer­on, Dir­ect­or of Cor­por­ate Ser­vices and Deputy Chief Exec­ut­ive Officer.

Pur­pose

1. This paper presents the Annu­al Report of the Audit and Risk Com­mit­tee to the Board.

Recom­mend­a­tions

1. The Board is asked to note the Audit and Risk Committee’s Annu­al Report.

Back­ground

1. The Audit and Risk Com­mit­tee is required to report to the full Board on its activ­it­ies over the year, and on the reports presen­ted to the Com­mit­tee by the Authority’s intern­al and extern­al auditors.

2. This Annu­al Report is presen­ted on behalf of the Audit and Risk Com­mit­tee to cov­er the peri­od of its oper­a­tions from Septem­ber 2023 to Septem­ber 2024. The draft report was approved by the Com­mit­tee at its meet­ing of 27 Septem­ber 2024.

Over­view

1. The peri­od of this Annu­al Report cov­ers con­sid­er­a­tion of final accounts for ²⁰²³⁄₂₄. The accounts were sub­mit­ted to the Committee’s meet­ing of 27 Septem­ber 2024 in line with the agreed extern­al audit timetable for accounts to be final­ised and approved for sig­na­ture and sub­mis­sion to the Aud­it­or Gen­er­al for Scot­land at this meet­ing. The report­ing peri­od also cov­ers the approv­al of accounts for ²⁰²²⁄₂₃ giv­en the later than nor­mal audit timetable for that year.

2. Maz­ars remain appoin­ted through Audit Scot­land as extern­al aud­it­ors to the Park Author­ity, with this con­tract com­men­cing with effect from the audit of the ²⁰²²⁄₂₃ accounts.

Page 2 of 9

1. The Com­mit­tee has been sup­por­ted over the dur­a­tion of this report­ing peri­od by Azets in the pro­vi­sion of intern­al audit ser­vices. The Com­mit­tee has con­tin­ued to have over­sight of the work of the Authority’s intern­al aud­it­ors and con­sidered reports issued by them in full.

2. The Com­mit­tee has con­tin­ued to work to the terms of ref­er­ence approved by the Board over the dur­a­tion of this report­ing period.

3. The Com­mit­tee met four times over the peri­od covered by this report. All meet­ings were held as sched­uled and were quorate.

Key Activ­it­ies

1. In addi­tion to man­age­ment reports from the Park Authority’s intern­al and extern­al aud­it­ors, con­sidered in fur­ther detail below, the Com­mit­tee con­sidered the fol­low­ing issues dur­ing the course of the year: a) Risk man­age­ment — The Audit and Risk Com­mit­tee has con­tin­ued to take a stra­tegic over­sight of the Park Authority’s risk man­age­ment strategy and reg­u­larly con­sidered the stra­tegic risk register. The Com­mit­tee has sup­por­ted the full review of the stra­tegic risk register to bring the Park Authority’s stra­tegic risk man­age­ment into line with the new Cor­por­ate Plan span­ning 2023 to 2027. b) Detailed risk ana­lys­is — The Com­mit­tee has con­tin­ued the prac­tice in the year of con­sid­er­ing more in-depth ana­lys­is of key risks from seni­or man­age­ment. This prac­tice provides an oppor­tun­ity to explore key or increas­ing stra­tegic risks in more detail and eval­u­ate the adequacy of mit­ig­a­tion actions. The Com­mit­tee has con­sidered detailed ana­lys­is of the risks asso­ci­ated with the Her­it­age Hori­zons Cairngorms 2030 pro­gramme as it final­ised the devel­op­ment phase of the pro­gramme and moves through its deliv­ery phase. c) Risk train­ing — A train­ing and devel­op­ment ses­sion on the Committee’s respons­ib­il­it­ies for risk man­age­ment was held in April 2024 and made avail­able to the full board. This train­ing was delivered by the Park Authority’s intern­al aud­it­ors. d) Account­ing policy and estim­ates — The Com­mit­tee reviews and agrees account­ing policies and con­siders any sig­ni­fic­ant estim­ates required in the final­isa­tion of the annu­al accounts as part of its con­sid­er­a­tion of final accounts pri­or to their sig­na­ture by the account­able officer. There were no sig­ni­fic­ant vari­ations to

Page 3 of 9

account­ing policy required in either year covered by this report, nor were any estim­ates causes of con­cern. e) Gov­ernance state­ment — Review and approv­al of this state­ment, pri­or to its inclu­sion in the annu­al accounts and pri­or to sig­na­ture by the account­able officer. f) Updates on pro­gress in imple­ment­ing pre­vi­ous audit recom­mend­a­tions — The Com­mit­tee has main­tained a twice-yearly audit review of action taken on pre­vi­ous audit recom­mend­a­tions, sup­ple­men­ted from time to time by man­age­ment reports. g) Con­sid­er­a­tion and agree­ment of for­ward audit activ­ity plans — The Com­mit­tee, has agreed a for­ward plan of intern­al audit activ­ity and has mon­itored pro­gress in suc­cess­ful deliv­ery of the intern­al audit plan for ²⁰²³⁄₂₄ with a plan for ²⁰²⁴⁄₂₅ agreed and cur­rently under deliv­ery. h) Let­ter of rep­res­ent­a­tion — The Com­mit­tee con­sidered the draft let­ter of rep­res­ent­a­tion from the Park Author­ity to Maz­ars, the extern­al aud­it­or, pri­or to its sig­na­ture by the account­able officer as an appro­pri­ate reflec­tion of the Park Authority’s pos­i­tion for pre­par­a­tion of the accounts for ²⁰²³⁄₂₄ and con­duct of the Park Authority’s fin­an­cial and wider con­trol pro­ced­ures over the course of the year. The Com­mit­tee has also reviewed the under­pin­ning detail set out in assur­ances to the extern­al aud­it­or relat­ing to pre­vent­ing fraud in the annu­al accounts, com­pli­ance with laws and reg­u­la­tions, lit­ig­a­tion and claims, and going con­cern. i) Les­sons Learned — The Com­mit­tee has provided over­sight and scru­tiny over les­sons learned from the Park Authority’s sup­port of LEAD­ER grant pro­grammes, with a view that these les­sons will con­trib­ute to devel­op­ing new grant pro­grammes sup­port­ing com­munity led loc­al devel­op­ment which retain the bene­fits of the LEAD­ER sys­tem while address­ing issues and con­cerns with pro­cesses and pro­ced­ures deployed. j) Pro­cure­ment — The Com­mit­tee received an intern­al audit report in June 2024 set­ting out sig­ni­fic­ant weak­nesses in the Park Authority’s intern­al con­trols over its pro­cure­ment activ­it­ies. The Com­mit­tee agreed an action plan includ­ing urgent actions to resolve the key issues. The Chair and Deputy Chair of the Com­mit­tee are mon­it­or­ing deliv­ery of that action plan on a monthly basis, with the full Com­mit­tee receiv­ing updates at its meet­ing. Key actions, includ­ing recruit­ment of a ded­ic­ated Pro­cure­ment Officer, are pro­gress­ing well.

Page 4 of 9

k) Pro­cure­ment Strategy — The Com­mit­tee con­sidered a draft of the Park Authority’s renewed, updated Pro­cure­ment Strategy at its meet­ing in Septem­ber 2024. This strategy provides the found­a­tion for much of the pro­ced­ur­al work to be taken for­ward in the Park Authority’s action plan to strengthen intern­al controls.

Intern­al Audit

1. The Com­mit­tee agree an annu­al intern­al audit work pro­gramme presen­ted by the intern­al auditor.

2. Over the course of the peri­od of this report, Azets have presen­ted five man­age­ment reports to the Com­mit­tee. Their find­ings and con­sequent recom­mend­a­tions for action are graded accord­ing to the intern­al aud­it­ors’ assess­ment of the sig­ni­fic­ance of the under­ly­ing weak­ness to the effect­ive man­age­ment of the organ­isa­tion. Two of the intern­al aud­it­ors’ reports were advis­ory in nature in ²⁰²³⁄₂₄, provid­ing advice on devel­op­ing areas of work rather than test­ing the strength of exist­ing, imple­men­ted intern­al con­trol sys­tems. These advis­ory reviews are help­ful guides to staff in their devel­op­ment of new sys­tems while provid­ing assur­ance to Com­mit­tee mem­bers on the thor­ough­ness of con­sid­er­a­tion in devel­op­ing new systems.

3. Table one presents a sum­mary of the num­ber and degree of sig­ni­fic­ance of intern­al audit find­ings over the peri­od of this report and com­pares this with his­tor­ic levels. The defin­i­tions used for sig­ni­fic­ance of intern­al audit recom­mend­a­tions have changed slightly with the change in intern­al audit pro­viders over time. The cur­rent defin­i­tions used by the intern­al aud­it­ors are giv­en after the table. The areas audited are also clas­si­fied in terms of over­all effect­ive­ness of the intern­al audit con­trol sys­tems reviews and these clas­si­fic­a­tions are also explained below the table.

Page 5 of 9

Table One: Sum­mary of Intern­al Audit Findings

Intern­al Audit Study	Num­ber of Recommendations
Very High Risk	High Risk	Mod­er­ate Risk	Lim­ited Risk
2011⁄12 Total (7 studies)	0	3	14	9
2012⁄13 Total (4 studies)	0	0	0	10
2013⁄14 Total (7 studies)	0	1	9	11
2014⁄15 Total (4 studies)	0	0	5	13
2015⁄16 Total (9 studies)	0	0	9	10
2016⁄17 Total (8 studies)	n/​a	0	11	11
2017⁄18 Total (3 studies)	n/​a	0	3	7
2018⁄19 Total (9 studies)	n/​a	1	6	10
2019⁄21 Total (9 studies)	0	5	16	21
2021⁄22 Total (5 studies)	0	4	10	2
2022⁄23 Total (6 studies)	2	9	11	5
2023⁄24 Total (3 stud­ies + 2 advisory)	4	7	8	0

The 2023⁄24 stud­ies were:	Very High	High	Mod­er­ate	Lim­ited
Cairngorms 2030	0	1	1	0
Health and Safety	0	3	3	0
VAT Review (advis­ory)	-	-	-	-
Pro­cure­ment	4	3	0	0
Spe­cific­a­tion of Fin­ance Sys­tem (advis­ory)	-	-	-	-
Oper­a­tion­al and fin­an­cial planning	0	0	4	0
Total for period	4	7	8	0

Page 6 of 9

1. Key — Azets defin­i­tion of grades for man­age­ment action recom­mend­a­tions: a) Very High-Risk Expos­ure — Major con­cerns requir­ing imme­di­ate seni­or atten­tion that cre­ate fun­da­ment­al risks with­in the organ­isa­tion b) High Risk Expos­ure — Absence / fail­ure of key con­trols that cre­ate sig­ni­fic­ant risks with­in the organ­isa­tion c) Mod­er­ate Risk Expos­ure — Con­trols are not work­ing effect­ively and effi­ciently and may cre­ate mod­er­ate risks with­in the organ­isa­tion d) Lim­ited Risk Expos­ure — Con­trols are work­ing effect­ively but could be strengthened to pre­vent the cre­ation of minor risks or address gen­er­al house- keep­ing issues.

2. The Com­mit­tee recog­nises that the risk pro­file of audit recom­mend­a­tions for action and improve­ment of intern­al con­trols remains increased over the course of the year. This to a degree con­tin­ues to recog­nise the rel­at­ively new areas of ser­vice being under­taken by the Park Author­ity, such as tak­ing on full respons­ib­il­ity for the peat­land res­tor­a­tion pro­gramme, togeth­er with sig­ni­fic­ant changes to the scale and breadth of our oper­at­ing envir­on­ment as the organ­isa­tion trans­itions to a hybrid work­ing envir­on­ment and com­men­cing deliv­ery of the Cairngorms 2030 Pro­gramme across mul­tiple pro­ject dir­ec­tions. Nine of the 27 recom­mend­a­tions raised over the pre­vi­ous 12-month peri­od related to the rel­at­ively new and devel­op­ing peat­land res­tor­a­tion pro­gramme, while the very high-risk areas in ²⁰²³⁄₂₄ on pro­cure­ment set out the need to adapt intern­al con­trol sys­tems to a much high­er level of demand for pro­cure­ment sup­port and advice over a wider range of con­tract­ing require­ments. This con­tin­ues to high­light the increased level of audit recom­mend­a­tions likely to be brought up in new or nov­el areas of oper­a­tions as opposed to in more mature oper­at­ing sys­tems. Those actions graded as ​“very high risk” are acted on imme­di­ately by management.

3. The Com­mit­tee is made aware of all recom­mend­a­tions made by the intern­al aud­it­ors, through con­sid­er­a­tion of full man­age­ment reports fol­low­ing each audit review.

4. The Com­mit­tee has agreed man­age­ment responses to all recom­mend­a­tions made and con­tin­ues to mon­it­or pro­gress made. The intern­al aud­it­ors have also con­duc­ted fol­low-up reports and report back to the Com­mit­tee on their findings.

5. The Com­mit­tee has con­sidered the Intern­al Aud­it­ors’ Annu­al Report for ²⁰²³⁄₂₄. The intern­al auditor’s annu­al report for the year gives the fol­low­ing over­all opinion:

Page 7 of 9

“In our opin­ion, Cairngorms Nation­al Park Author­ity has a frame­work of gov­ernance, risk man­age­ment and con­trols that provides reas­on­able assur­ance regard­ing the effect­ive and effi­cient achieve­ment of object­ives, except in rela­tion to pro­cure­ment. Our work in this area found a num­ber of sig­ni­fic­ant weak­nesses in the con­trol frame­work in place and poten­tial non-com­pli­ance with pro­cure­ment legislation”.

Extern­al Audit

1. The Park Authority’s accounts for ²⁰²³⁄₂₄ are expec­ted to receive a clear, unqual­i­fied extern­al auditor’s report and opin­ion from Maz­ars, our extern­al aud­it­ors on the basis of the extern­al auditor’s draft report on their audit presen­ted to the Com­mit­tee in Septem­ber 2024 and con­firmed by sub­sequent updates.

2. The accounts and extern­al auditor’s report for ²⁰²³⁄₂₄ were con­sidered and approved by the Com­mit­tee at its meet­ing on 27 Septem­ber 2024. Final extern­al audit file review remains ongo­ing as at the date of this report. Signed accounts will be for­war­ded to the Aud­it­or Gen­er­al for Scot­land and once reviewed and released will be laid in Par­lia­ment once the extern­al audit is com­plete. The extern­al aud­it­ors have com­mit­ted to com­plete their work and sign their audit cer­ti­fic­ate in the accounts for ²⁰²³⁄₂₄ in time for the 31 Decem­ber stat­utory dead­line for accounts to be laid in Parliament.

3. The Audit and Risk Com­mit­tee also con­sidered the ²⁰²²⁄₂₃ accounts in this report­ing peri­od along­side Maz­ars’ report to those charged with gov­ernance on the audit of the ²⁰²²⁄₂₃ accounts, at its meet­ing of 24 Novem­ber 2023. The report high­lighted two action points; con­sid­er­a­tion of poten­tial to sim­pli­fy the accounts and ledger struc­ture and explore the poten­tial to use account­ing soft­ware func­tion­al­ity more fully; and con­sid­er­ing appro­pri­ate gov­ernance and con­trol struc­tures around the Park Authority’s cyber risks. These actions were accep­ted by man­age­ment and the Com­mit­tee, and the Com­mit­tee noted these are actions that man­age­ment are already progressing.

4. The extern­al audit report also noted that man­age­ment con­trols had been tightened over the course of ²⁰²²⁄₂₃ fol­low­ing a low value fraud being recog­nised and fur­ther fraud pre­ven­ted fol­low­ing a hack of an email account.

Page 8 of 9

1. The extern­al audit timetable for ²⁰²²⁄₂₃ accounts, which was com­menced later in the year, res­ul­ted in accounts being laid in Par­lia­ment just before recess on 19 Decem­ber 2023.

Stra­tegic Risk Management

1. The Park Authority’s stra­tegic risk register has been fully revised over the course of the year to sup­port deliv­ery of the new Cor­por­ate Plan span­ning 2023 to 2027. The Park Authority’s stra­tegic risk man­age­ment approach now incor­por­ates and is led by the Board’s stra­tegic risk appet­ite, estab­lished fol­low­ing a work­shop in the pri­or year. The Audit and Risk Com­mit­tee has con­tin­ued to review the cov­er­age and adequacy of the stra­tegic risk register since the adop­tion of the new risk register in those quar­ters where it is not presen­ted to the full board.

2. The Com­mit­tee has incor­por­ated assur­ance over risk man­age­ment of the Cairngorms 2030 Pro­gramme as a stand­ing ele­ment of its agenda, ensur­ing any stra­tegic risk implic­a­tions to the Park Author­ity as a whole arising from its lead­er­ship of this sig­ni­fic­ant pro­gramme of work are recog­nised and incor­por­ated in our risk man­age­ment framework.

Con­clu­sions

1. The Audit and Risk Com­mit­tee con­siders that it has been suc­cess­ful in pro­gress­ing the Board’s gov­ernance and intern­al con­trol pri­or­it­ies dur­ing the peri­od covered by this annu­al report.

2. The Com­mit­tee wel­comes the work of the Authority’s Fin­ance team in once again main­tain­ing a high qual­ity and pro­fes­sion­al fin­an­cial account­ing ser­vice. The Com­mit­tee also recog­nises the valu­able work of the wider Cor­por­ate Ser­vices team in sup­port­ing a rap­idly expand­ing range of activ­it­ies and deliv­ery by the Park Author­ity and in help­ing achieve the organisation’s stra­tegic objectives.

3. The Com­mit­tee has engaged through the year with issues iden­ti­fied by the Park Authority’s intern­al and extern­al aud­it­ors, and also by the Park Authority’s officers. The Com­mit­tee has received full reports on issues raised; con­sidered recom­mend­a­tions made; and approved responses and actions. The Com­mit­tee has shaped and approved the over­all audit plan and guided the dir­ec­tion and approach of the intern­al aud­it­ors and their pro­gramme of work. The Com­mit­tee has also mon­itored deliv­ery against approved action plans.

Page 9 of 9

1. Both the intern­al and extern­al aud­it­ors’ find­ings provide assur­ance to the Com­mit­tee and board that the Park Authority’s intern­al con­trol and gov­ernance object­ives are being met effect­ively by man­age­ment. The Com­mit­tee will con­tin­ue to have over­sight in the evol­u­tion of the Park Authority’s pro­cure­ment con­trols over the year ahead, recog­nising devel­op­ment of sys­tems needed to address the con­trol weak­nesses iden­ti­fied in this area.

2. The Com­mit­tee con­tin­ues to recog­nise the cov­er­age of some of the Park Authority’s new­er ser­vice areas has pushed the risk pro­file of recom­mend­a­tions high­er over the course of the last report­ing peri­ods. It is accep­ted that there will always be a range of improve­ments than can be made to ser­vices and con­trols; that these con­trols must con­tin­ue to adapt to chan­ging oper­at­ing and stra­tegic envir­on­ments; and as such a num­ber of recom­mend­a­tions for improve­ment from intern­al audit will always be expec­ted. The Com­mit­tee warmly wel­comes the evid­ence of atten­tion to intern­al con­trol sys­tems by man­age­ment and gen­er­ally effect­ive con­trol sys­tems evid­enced by the annu­al intern­al audit reports. The Com­mit­tee expects the risk pro­file of recom­mend­a­tions to fall back toward more usu­al levels in com­ing years as new ser­vice areas and recom­mend­a­tions for action become bet­ter embedded.

3. The Com­mit­tee will con­tin­ue to address key, basic issues of intern­al con­trol and the devel­op­ment of appro­pri­ate pro­cesses with­in the Authority.

4. The Com­mit­tee will also con­tin­ue to have over­sight of the Authority’s approach to and hand­ling of risk man­age­ment, and of wider aspects of cor­por­ate gov­ernance such as the approach to best value and value for money. In par­tic­u­lar, mem­bers will seek to ensure that les­sons are learned from oper­a­tion­al exper­i­ence and that wherever pos­sible reviews of work­ing prac­tices and learn­ing from them lead to improve­ments in our systems.

Dav­id Camer­on, 11 Novem­ber 2024 davidcameron@​cairngorms.​co.​uk