CAIRNGORMS NATION­AL PARK AUTHORITY

Audit & Risk Com­mit­tee Paper 1 Annex 1 20/04/21

Gov­ernance Statement

Scope of responsibility

1. As Account­able Officer, I am respons­ible for main­tain­ing sound sys­tems of intern­al con­trol which sup­port the achieve­ment of Cairngorms Nation­al Park Authority’s policies, aims and object­ives, whilst safe­guard­ing the pub­lic funds and depart­ment­al assets for which I am per­son­ally respons­ible. These duties are in accord­ance with the Man­age­ment State­ment agreed between the Park Author­ity and Scot­tish Gov­ern­ment, and also respons­ib­il­it­ies assigned to me in the Scot­tish Pub­lic Fin­ance Manu­al (SPFM).

2. The SPFM, issued by the Scot­tish Min­is­ters, provides guid­ance to the Scot­tish Gov­ern­ment and oth­er rel­ev­ant bod­ies on the prop­er hand­ling of pub­lic funds, and sets out the rel­ev­ant stat­utory, par­lia­ment­ary and admin­is­trat­ive require­ments, emphas­ising the need for eco­nomy, effi­ciency and effect­ive­ness, and pro­motes good prac­tice and high stand­ards of pro­pri­ety. I am there­fore respons­ible as Account­able Officer to ensure the Park Authority’s intern­al con­trol sys­tems com­ply with the require­ments of the SPFM.

3. The Man­age­ment State­ment sets out the role of the Park Authority’s Board in provid­ing lead­er­ship and gov­ernance. The gov­ernance respons­ib­il­it­ies of the Board are sup­por­ted by Stand­ing Orders last revised and adop­ted in 2019 and a Code of Con­duct revised and adop­ted in 2014. A group of pro­fes­sion­al, seni­or staff advisors and appro­pri­ate Board train­ing and devel­op­ment pro­cesses sup­port the good gov­ernance arrange­ments set out in the Stand­ing Orders and Code of Con­duct. As a pub­lic body, the Park Author­ity oper­ates in an open and account­able man­ner, and is com­mit­ted to access­ib­il­ity, open­ness and account­ab­il­ity and sup­ports the highest stand­ards in cor­por­ate governance.

4. Oth­er than the doc­u­ments referred to above and the resource alloc­a­tion let­ters issued to me over the course of the year, there are no oth­er writ­ten author­it­ies provided to me in ²⁰²⁰⁄₂₁.

The oper­a­tion of the Board and sub-committees

1. The Board com­prises 19 mem­bers: 7 appoin­ted by five Coun­cils with bound­ar­ies with­in the Nation­al Park, 7 appoin­ted by Scot­tish Gov­ern­ment, and 5 dir­ectly elec­ted with­in the wards of the Park. The Board there­fore reflects a blend of dif­fer­ent exper­i­ence, back­grounds and interests. The full Board meets reg­u­larly to con­sider strategy, and per­form­ance against the cur­rent Cor­por­ate Plan. Meet­ings are sched­uled quarterly, with addi­tion­al meet­ings con­vened as required. To enable the Board to dis­charge its duties, all mem­bers receive appro­pri­ate and timely inform­a­tion in advance of meet­ings with all agen­das and papers also placed in the pub­lic domain. Meet­ings are open to the pub­lic save the occa­sion­al meet­ing held in private for vari­ous reas­ons of busi­ness and com­mer­cial confidentiality.

2. To ensure that the Board devel­ops an under­stand­ing of the cur­rent and emer­ging issues, mem­bers also par­ti­cip­ate in inform­al dis­cus­sion ses­sions to con­sider emer­ging policy issues and pro­pos­als, and a pre­ferred stra­tegic dir­ec­tion iden­ti­fied pri­or to fuller, open con­sid­er­a­tion at form­al meetings.

3. The Board has estab­lished sub-com­mit­tees: a Plan­ning Com­mit­tee (which deals with all aspects of the Park Authority’s stat­utory plan­ning respons­ib­il­it­ies), togeth­er with Com­mit­tees cov­er­ing Fin­ance and Deliv­ery, Staff­ing and Recruit­ment, and Audit and Risk. All com­mit­tees have del­eg­ated duties and respons­ib­il­it­ies set out in terms of ref­er­ence agreed by the full Board to over­see and scru­tin­ise the Park Authority’s deploy­ment and man­age­ment of resources. The record of attend­ance at Board meet­ings can be found else­where in the Annu­al Report and Accounts.

4. The Board has agreed in prin­ciple to alter its Com­mit­tee struc­ture in ²⁰²¹⁄₂₂, to put in place Com­mit­tees cov­er­ing Plan­ning, Gov­ernance, Per­form­ance, Resources and Audit and Risk. The revised struc­ture is planned to aug­ment the gov­ernance of the Author­ity and enhance the Board’s assur­ance role as the Authority’s scale of activ­it­ies and sup­port of sig­ni­fic­ant pro­grammes con­tin­ues to increase. The terms of Ref­er­ence for these Com­mit­tees will be agreed by the Board in the early part of ²⁰²¹⁄₂₂ pri­or to the revised struc­tures being implemented.

The Audit and Risk Committee

1. The Audit and Risk Committee’s role is to provide effect­ive gov­ernance over all aspects of the Park Authority’s intern­al man­age­ment con­trol sys­tems and the annu­al fin­an­cial accounts and audit. It also takes a lead in stra­tegic risk man­age­ment ensur­ing that risks impact­ing on stra­tegic object­ives are iden­ti­fied and mit­ig­ated, and that risk man­age­ment is embed­ded through­out the Park Authority’s oper­a­tions. It is sup­por­ted by the Park Authority’s intern­al audit func­tion, Azets, and extern­al aud­it­ors, Grant Thornton LLP, who both have inde­pend­ent access to the Com­mit­tee and to its Con­vener. The Com­mit­tee is tasked with mon­it­or­ing the oper­a­tion of the intern­al con­trol func­tion and bring­ing any mater­i­al mat­ters to the atten­tion of the full Board. Detailed reports of all audit reviews are made avail­able to both man­age­ment and the Committee.

2. The Com­mit­tee meets at least quarterly and reports to the Board on the adequacy and effect­ive­ness of the Park Authority’s intern­al con­trols, and more widely on its work in the pre­ced­ing year.

3. The Board has con­tin­ued a pro­cess of self-eval­u­ation of effect­ive­ness and gov­ernance over the course of ²⁰²⁰⁄₂₁ which were ori­gin­ally ini­ti­ated under the ​“Lead­er­ship” ele­ment of the first Organ­isa­tion­al Devel­op­ment Strategy in ²⁰¹⁵⁄₁₆. The Board com­pleted a revi­sion of its skills mat­rix in Feb­ru­ary 2020 and, through this pro­cess, estab­lished a pri­or­ity for con­tinu­ing pro­fes­sion­al devel­op­ment of mem­bers over the com­ing years. The Board has com­pleted a self-assess­ment of Board effect­ive­ness in Decem­ber 2020 and con­sidered the res­ults of this in Feb­ru­ary 2021. The Con­vener and Deputy Con­vener have under­taken a com­ple­ment­ary series of ​“Board mem­ber devel­op­ment con­ver­sa­tions” with all board mem­bers in ²⁰²⁰⁄₂₁. This focus on Board effect­ive­ness and devel­op­ment of gov­ernance sys­tems has been com­ple­men­ted by an intern­al audit of gov­ernance sys­tems com­pleted in the year, the improve­ment actions from which will be covered in part by the work men­tioned here and through wider action over the course of the year ahead. Oth­er ele­ments of Board gov­ernance and effect­ive­ness are reviewed and sup­por­ted by seni­or officers as required.

4. The Board has agreed a set of Cor­por­ate Per­form­ance Indic­at­ors so it may improve its over­sight of deliv­ery against key stra­tegic object­ives and the Park Authority’s Cor­por­ate Plan. A detailed per­form­ance report is sub­mit­ted to the Board twice yearly on deliv­ery against key per­form­ance indic­at­ors, con­sidered at each June and Decem­ber meet­ing along­side a review of stra­tegic risk man­age­ment. These mon­it­or­ing and con­trol mech­an­isms sup­port Board scru­tiny over deliv­ery of the Cor­por­ate Plan and Nation­al Park Part­ner­ship Plan priorities.

5. Peri­od­ic reports from inde­pend­ent intern­al and extern­al aud­it­ors form a key and essen­tial ele­ment in inform­ing my review as Account­able Officer of the effect­ive­ness of the sys­tems of intern­al con­trol with­in the Park Author­ity. The Board’s Audit and Risk Com­mit­tee also plays a vital role in this regard, through its con­sid­er­a­tion of audit recom­mend­a­tions arising from reviews of intern­al con­trol sys­tems and its scru­tiny of pro­posed man­age­ment action to address any improve­ments required. The Audit and Risk Com­mit­tee also con­siders both a three year plan for intern­al audit cov­er­age and annu­ally agrees an intern­al audit plan flow­ing from that three year plan.

Shared ser­vices delivery

1. The Park Author­ity plays an import­ant role in provid­ing sup­port over a range of activ­it­ies to loc­al com­munit­ies and organ­isa­tion to help deliv­er the Nation­al Park Part­ner­ship Plan’s pri­or­it­ies. In the last year we have sup­por­ted Cairngorms LEAD­ER Pro­gramme Loc­al Action Group, the Tomin­toul and Glen­liv­et Land­scape Part­ner­ship, the Great Place Badenoch Pro­ject as well as the Caper­cail­lie Frame­work as sig­ni­fic­ant, com­munity and part­ner led pro­grammes of activ­ity. Our man­age­ment and intern­al con­trol struc­tures ensure that sup­port for these com­munity based deliv­ery entit­ies are sep­ar­ated from the core activ­it­ies of the Author­ity, while ensur­ing that our sup­port helps them achieve ​“best prac­tice” in their operations.

2. The Author­ity also under­takes a range of shared ser­vice arrange­ments with oth­er pub­lic body part­ners. Over the course of the year we have provided human resource advice and organ­isa­tion­al devel­op­ment sup­port to the Scot­tish Land Com­mis­sion, while col­lab­or­at­ing on a range of shared ser­vice deliv­ery with Loch Lomond and the Trossachs Nation­al Park Author­ity (LLT­NPA). We receive key sup­port from LLT­NPA on IT infra­struc­ture main­ten­ance, devel­op­ment and shared licence agree­ments for plan­ning sys­tems and data back-up and secur­ity arrange­ments. In addi­tion to these more form­al shared ser­vices with LLT­NPA, both Nation­al Park Author­it­ies con­tin­ue to col­lab­or­ate closely on areas of shared policy interest.

Intern­al audit

1. The intern­al audit func­tion is an integ­ral ele­ment of scru­tiny of the Park Authority’s intern­al con­trol sys­tems. Azets was appoin­ted fol­low­ing an open pro­cure­ment pro­cess as the Park Authority’s intern­al aud­it­ors in 2020 and have under­taken a com­pre­hens­ive assess­ment of key intern­al con­trol sys­tems since their appoint­ment in determ­in­ing annu­al and three-year intern­al audit plans. Dur­ing the year to 31 March 2021, Azets has repor­ted to the Audit and Risk Com­mit­tee on the fol­low­ing reviews:

Gov­ernance & Risk	Cor­por­ate Gov­ernance systems
Intern­al Con­trol Systems	Fol­low up review of pri­or recommendations
	LEAD­ER administration
	Data Man­age­ment
	COVID19 Recov­ery and Busi­ness Continuity

1. All recom­mend­a­tions made by Azets are con­sidered, giv­en man­age­ment responses which are con­sidered by the Audit and Risk Com­mit­tee and imple­men­ted as appro­pri­ate. There were no instances of intern­al audit recom­mend­a­tions not being accep­ted by man­age­ment in the year.

Extern­al audit

1. Extern­al aud­it­ors are appoin­ted for us by the Aud­it­or Gen­er­al for Scot­land through Audit Scot­land. Audit Scot­land appoin­ted Grant Thornton LLP to the role for a five year peri­od com­men­cing in ²⁰¹⁶⁄₁₇. We have formed an effect­ive and effi­cient audit rela­tion­ship with Grant Thornton, who review key sys­tems so they can form a view on the effect­ive­ness of con­trol arrange­ments which in turn sup­ports their audit opin­ion on the fin­an­cial statements.

2. The fees paid to Audit Scot­land for the inde­pend­ent stat­utory audit for ²⁰²⁰⁄₂₁ is £11,590. No fees were paid for non-audit work.

Best value

1. The Audit and Risk Com­mit­tee con­tin­ues to mon­it­or the Authority’s adher­ence to Scot­tish Gov­ern­ment Best Value guidelines and our approach to con­tinu­ous improve­ment. We launched phase three of our Organ­isa­tion­al Devel­op­ment Strategy in the year to con­tin­ue to improve our work pro­cesses, organ­isa­tion­al envir­on­ment, and deliv­ery of services.

Risk man­age­ment

1. We have a risk man­age­ment strategy in accord­ance with guid­ance issued by Scot­tish Min­is­ters to identi­fy actu­al and poten­tial threats which may pre­vent us from deliv­er­ing our stat­utory pur­pose and also to identi­fy appro­pri­ate mit­ig­a­tion actions.

2. The Board recog­nises the import­ance of risk man­age­ment and con­tin­ues to mon­it­or the Park Authority’s Stra­tegic Risk Register. The Stra­tegic Risk Register records risks, action taken to mit­ig­ate the iden­ti­fied risks and seni­or management’s respons­ib­il­ity for lead­ing on each risk and its mit­ig­a­tion. The Stra­tegic Risk Register is reviewed by Man­age­ment Team four times each year and updated by the full Board twice and by the Audit and Risk Com­mit­tee twice a year.

3. The Audit and Risk Com­mit­tee, with the Seni­or Man­age­ment Team, leads on embed­ding risk man­age­ment pro­cesses through­out the Park Author­ity. Both groups con­sider the man­age­ment of stra­tegic risk in line with the Risk Strategy to ensure that the required actions are appro­pri­ately reflec­ted and incor­por­ated in oper­a­tion­al deliv­ery plans. A revised Risk Man­age­ment Strategy was adop­ted by the Audit and Risk Com­mit­tee in 2016, and sub­sequently reviewed by the Board in 2019, with the Com­mit­tee also receiv­ing an intern­al audit report on the effect­ive­ness of oper­a­tions of risk man­age­ment with­in the organ­isa­tion in that year.

Data secur­ity

1. Pro­ced­ures are in place to ensure that inform­a­tion is being man­aged in accord­ance with legis­la­tion and that data is held accur­ately and securely. The Park Author­ity has no repor­ted nor recor­ded instances of data loss in the year to 31 March 2021.

2. The second iter­a­tion of Cyber Essen­tials + accred­it­a­tion was achieved in ²⁰¹⁹⁄₂₀. We con­tin­ue to review our digit­al prac­tices and infra­struc­ture to ensure they remain fit for pur­pose and that all reas­on­able steps are taken to min­im­ise the risk of data loss or com­prom­ise of sys­tems due to Cyber Attacks. Work is cur­rently under­way on a Digit­al Strategy, to be adop­ted in ²⁰²⁰⁄₂₁.

Response to COVID19 Pandemic

1. The Author­ity imple­men­ted its Busi­ness Con­tinu­ity Plan (BCP) pro­cesses on 17 March 2020 in response to the COVID19 pan­dem­ic and con­tin­ues to apply that BCP pro­cess. The BCP has pri­or­it­ised the main­ten­ance and evol­u­tion of sys­tems to sup­port dis­persed work­ing while main­tain­ing max­im­um focus on deliv­ery of the Authority’s stra­tegic out­comes. Our BCP has also placed an emphas­is on staff wel­fare and ensur­ing our people remain as phys­ic­ally and men­tally healthy as pos­sible through­out this peri­od of BCP operations.

2. The Board has adap­ted resource deploy­ment over the course of the year as it leads the Authority’s response to the COVID19 pan­dem­ic and has approved a Green Recov­ery Plan for the Cairngorms to give lead­er­ship and vis­ion to the Authority’s work with part­ners in respond­ing to the impacts of the pandemic.

3. The Board also approved BCP meas­ures to sup­port effect­ive gov­ernance through­out the pan­dem­ic. This included adapt­ing Board Stand­ing Orders to remote work­ing and meet­ings held by video con­fer­ence and tele­phone and ensur­ing appro­pri­ate Board and Seni­or Man­age­ment suc­ces­sion plans are in place.

Con­clu­sion

1. As Account­able Officer I am respons­ible for review­ing the effect­ive­ness of the sys­tem of intern­al con­trol. In order to do this my review is informed by:

a) The exec­ut­ive man­agers with­in the organ­isa­tion who have respons­ib­il­ity for the devel­op­ment and main­ten­ance of the intern­al con­trol frame­work and who provide assur­ance on sys­tems with­in reg­u­lar Seni­or Man­age­ment Team meetings;

b) Intern­al mon­it­or­ing of con­trol sys­tems by staff against SPFM requirements;

c) The work of the intern­al aud­it­ors, who sub­mit reg­u­lar reports to the Audit and Risk Com­mit­tee which include the Head of Intern­al Audit’s inde­pend­ent and object­ive opin­ion on the adequacy and effect­ive­ness of our sys­tems of intern­al con­trol togeth­er with recom­mend­a­tions for improvement;

d) Com­ments made by the extern­al aud­it­ors in their man­age­ment let­ter and oth­er reports.

1. I am sup­por­ted by a Dir­ect­or of Cor­por­ate Ser­vices, who in turn is sup­por­ted by the Cor­por­ate Ser­vices staff group, and provides seni­or man­age­ment lead­er­ship on the fin­an­cial man­age­ment, intern­al con­trols and gov­ernance arrange­ments. I take assur­ance from the effect­ive­ness of intern­al con­trol sys­tems, fin­an­cial man­age­ment and plan­ning pro­cesses, and risk man­age­ment from the assur­ances received from the Dir­ect­or of Cor­por­ate Services.

2. I have also been advised on the effect­ive­ness of the sys­tem of intern­al con­trol by the Board and its Audit and Risk Com­mit­tee. Appro­pri­ate action is taken against any weak­nesses iden­ti­fied and to ensure con­tinu­ous improve­ment of our systems.

3. The intern­al auditor’s annu­al report for ²⁰²⁰⁄₂₁ states that, ​“in our opin­ion CNPA has a frame­work of con­trols in place that provides reas­on­able assur­ance regard­ing the organisation’s gov­ernance frame­work, intern­al con­trols, effect­ive and effi­cient achieve­ment of object­ives and the man­age­ment of key risks, sub­ject to the imple­ment­a­tion of spe­cif­ic high risk actions raised in rela­tion to cor­por­ate gov­ernance pro­cesses and data man­age­ment con­trol improve­ments through­out 2020÷21”. Action is under­way on imple­ment­ing improve­ments required to mit­ig­ate these high risk areas iden­ti­fied by intern­al audit and as such I also take assur­ance on the adequacy and effect­ive­ness of the Authority’s intern­al con­trols from the inde­pend­ent intern­al auditor’s report for the year.