ARC Paper 2 Report February 2021 FINAL
Azets
Cairngorms National Park Authority
Internal Audit Report
Management Action Follow-up – 2020⁄21
March 2021
Introduction and background
Introduction
As part of the internal audit programme we have undertaken a follow up review to provide the Audit & Risk Committee with assurance that management actions agreed in previous internal audit reports have been implemented appropriately. This report summarises the progress made by management in implementing agreed management actions.
Scope
We have reviewed all open management actions and liaised with Cairngorms National Park Authority staff to obtain an update on their implementation progress. For recommendations graded priority 3 or above, we request evidence to validate completion of any actions marked for closure by management.
For all actions raised by the prior Internal Auditor (BDO) we have aligned their risk assessments to the Azets risk grading structure (per Appendix 3).
Action for Audit & Risk Committee
The Committee is asked to note the progress made by management in implementing agreed management actions. The Committee is also asked to consider and approve those actions for which revised timescales have been provided by management (these are detailed at Appendix 2).
Summary of progress
The table below shows the movement in the audit actions in the period from March 2020 to February 2021:
 | Number of Actions |
---|---|
Open actions brought forward | 54 |
Actions added to tracker | 9 |
Total actions to follow-up | 63 |
Actions closed | 17 |
Open actions carried forward | 46 |
Status of Actions as at February 2021
[Diagram showing the status of actions]
We have confirmed that 10 (16%) actions were completed in the period to February 2021. 18 actions (29%) have been assessed as partially complete, 15 (23%) marked as incomplete, 7 (11%) marked as no longer applicable and 13 actions (21%) were not yet due at the time of our validation work.
We understand that progress in implementing a number of “partially complete” actions has been delayed by the impact of COVID-19. We have confirmed with management that work is now ongoing to progress these actions although revised due dates have not been provided in all cases. Further detail on all actions that have passed their original due dates for completion is included at Appendix 2.
Over the next quarter, particular attention should be paid to those actions that have passed their original due date for completion, particularly the aged items.
A summary of the status of actions by report is shown at Appendix 1.
Status by Grading
[Diagram showing status by grading]
Appendix 2 sets out the current status of actions classed as “partially complete” and “incomplete” based on updates provided by management.
Open Internal audit actions
The total number of outstanding actions is 46, 33 of which have passed their original completion date.
All 33 actions have been assessed as a grade 1 or 2 (limited or moderate risk exposure). As a result, management should take a view on whether the organisation has the appropriate resource in place to move these actions forward, or is willing to accept the risk in place, in particular for those assessed as grade 1.
Appendix 1: Action status by report
Report title | Complete | Partially complete | Incomplete | Not Yet Due | No Longer Applicable | Total |
---|---|---|---|---|---|---|
Risk Management | 1 | 1 | - | - | 1 | 2 |
Financial Processes | - | - | - | 1 | 1 | 2 |
Grant Funding & Management | - | - | 2 | - | - | 2 |
Tomintoul & Glenlivet Partnership Management | 1 | - | - | 1 | - | 2 |
IT General Controls | 1 | 1 | - | 1 | - | 3 |
2016⁄17 sub-total | 3 | 3 | 1 | 1 | 3 | 10 |
Project Management | - | 1 | - | 1 | - | 2 |
Communications & Social Media Strategy | - | 1 | - | - | 1 | 2 |
2017⁄18 sub-total | 1 | 2 | 1 | - | 1 | 3 |
Partnership Management | - | 2 | - | - | - | 2 |
Resource Planning | - | 1 | - | 1 | - | 2 |
Business Continuity Planning | 4 | 2 | - | - | 1 | 7 |
2018⁄19 sub-total | 4 | 4 | 1 | - | 2 | 11 |
Payroll Administration | 2 | 3 | 1 | - | - | 6 |
Risk Management | 1 | 2 | 4 | 1 | - | 7 |
Expense Claims Process | 1 | 1 | 1 | - | 1 | 4 |
Staff Objective Setting & Appraisal | 1 | 1 | 1 | - | 1 | 4 |
FOISA and EIR Requests | - | 2 | 1 | 2 | - | 5 |
Project Finance | 2 | 2 | 1 | - | - | 5 |
2019⁄20 sub-total | 6 | 10 | 10 | 3 | 1 | 30 |
COVID Recovery | - | - | - | 3 | - | 3 |
Corporate Governance | - | - | - | 6 | - | 6 |
2020⁄21 sub-total | - | - | - | 6 | - | 9 |
Grand totals | 10 | 18 | 15 | 13 | 7 | 63 |
Appendix 2: Summary of outstanding actions past their current due date
Report / Action | Recommendation | Action Owner | Grade | Original timescale | Revised timescale | Update 2020⁄21 Follow Up | Status |
---|---|---|---|---|---|---|---|
2016⁄17 Risk Management | We recommend that, on development of a risk management policy, staff with risk management responsibilities are required to sign a checklist to confirm whether they are aware of the organisation’s risk management approach or require further training in this area. | Governance and Information Officer | Medium (Grade 2) | 31-Mar-17 | Aug-21 | From 2021⁄22 we will introduce a schedule of key areas of operations, including project management and risk management, which all managers are expected to go through annually with their direct reports as a prompt to whether any training requirements have arisen in these areas. This is designed and will be launched shortly. | Partially Complete |
2016⁄17 Grant Funding & Management | We recommend that the Grant Toolkit is completed, encompassing all processes in place for the awarding, recording, and monitoring of grant funding. The toolkit should also clearly define the following: — Actions to be taken when grant conditions are not being met or terms and conditions are breached; — The process for consideration of the risk and value of grant funding applications to determine the proportion of resource required to evaluate these; and — Review and scrutiny arrangements for progress reports provided by grantees. | Director of Corporate Services | Medium (Grade 2) | 30-Sep-17 | Sep-21 | This work remains outstanding. Intended focus on this in 20⁄21 was overtaken by COVID responses and other associated high priority activity | Incomplete |
2016⁄17 Grant Funding & Management | We recommend that management develops and maintains a grant register which records all grant funding provided. The performance requirements detailed within each grant award terms and conditions should be recorded and monitored within the tracker. The register should be reviewed on a regular basis to ensure funds are used effectively and agreed objectives are achieved. | Finance Manager | Low (Grade 1) | 30-Nov-17 | Jun-21 | We will seek to initiate a grant register for commencement from 2021⁄22 financial year. | Incomplete |
2016⁄17 Tomintoul & Glenlivet Partnership Management | We recommend that changes in spend profile exceeding an agreed threshold are reported to the TGLP Board on a monthly basis. | CNPA Finance Manager | Low (Grade 1) | 30-Sep-17 | | Reports are now produced for the Project manager and the board on projected outturn (T&G 1 report) and movements since the last report (T&G 2). The project is now winding down and will be largely complete by 31 03 21 other than delayed tree planting. Since Jan 2021 a cash flow projection is also included. | Partially Complete |
2016⁄17 IT General Controls | We recommend that, as per the requirements of the Security Policy, there is regular full restore testing of backups i.e. the full recovery of systems on a bare-metal server using backup media. We also recommend that a formal backup plan/policy is developed to ensure a consistent approach is taken to managing backups including implementation, monitoring over their success/failure, rerunning failed backups and regular testing. | Governance and Corporate Performance Manager with IT Manager | Medium (Grade 2) | 31-Jan-18 | Jun-21 | We do individual restores periodically but do not have the resource to complete system back up. | Partially Complete |
2016⁄17 IT General Controls | We recommend that all network devices are configured with reference to recognised security baselines to ensure that all active network components have met a minimum security standard. | IT Manager | Low (Grade 1) | 31-Mar-18 | Dec-21 | As hardware is being replaced, we will look into baselining equipment where possible and taking into consideration available resource constraints. | Incomplete |
2017⁄18 Project Management | We recommend that roles and responsibilities are fully documented for all key people and groups with responsibilities for each project. | Director of Corporate Services | Low (Grade 1) | 31-Jul-18 | Sep-21 | Work pressures in 2020⁄21 have not allowed the issues around role definition in project initiation documents to be taken further forward. | Incomplete |
2017⁄18 Communications & Social Media Strategy | We recommend that feedback on the effectiveness of key digital communications is sought and responded to from stakeholders. We recommend that the Communications and Engagement team considers conducting a stakeholder survey campaign to gain feedback on the digital platforms and accounts which are currently in use by CNPA. We also recommend that management consider conducting this process prior to the completion of the communications and social media strategy. | Sian Jamieson | Low (Grade 1) | 30-Apr-18 | Dec-21 | The survey was conducted and an initial collation of the data was conducted by Mail Chimp, the survey software, which generated an internal report for the Digital Campaigns Officer – however due to the COVID Pandemic the analysis was put on hold in March 2020 and due to the ongoing circumstances priorities have focused on delivering essential CNPA communications. However, regular analysis of social media and digital data is conducted and there is a high level of confidence in the delivery of effective content and therefore an effective communications strategy being implemented by the CNPA. Evidence of Analysis: 2020 Digital Pandemic Communications | Partially Complete |
2018⁄19 Partnership Management | We recommend that the Authority issue a questionnaire or feedback request on an annual basis to all key partners to seek feedback and thoughts on how the partnership, communication methods and ways of working could be further improved. We further recommend that feedback provided is collated and actions recorded. | Chief Executive with Head of Planning and Rural Development | Low (Grade 1) | 30-Jun-19 | Mar-21 | While a significant amount of partnership work has taken place over 2020, including visitor management responses to relaxation of COVID restrictions in the summer of 2020 and the development of the Heritage Horizons bid, we have not had the opportunity to formally review the effectiveness of our stakeholder engagement processes. The appointment of a new Head of Communications gives the opportunity to progress this work over 2021⁄22 with a fresh perspective. | Partially Complete |
2018⁄19 Partnership Management | We understand that there are already plans to improve the engagement process further by implementing a Customer Relationship Management System (CRM). We recommend that the Authority continues with plans for implementing a CRM. | Director of Corporate Services | Low (Grade 1) | 30-Jun-19 | Mar-22 | The full implementation of the CRM remains on hold pending the relaxation of the COVID Business Continuity Plan and ability for staff laptops and desktops to be upgraded with relevant software. | Partially Complete |
2018⁄19 Resource Planning | We recommend that a formal framework is put in place for identifying critical roles and developing succession plans for critical roles identified. | Director of Corporate Services and Head of Organisational Development | Low (Grade 1) | 30-May-19 | Sep-21 | This remains a key focus for us in 2020⁄21. With the management and staff restructure in consultation since October / November 2020, it makes sense to wait for the completion of the new structure and to implement this succession planning work on the basis of the new structure | Incomplete |
2018⁄19 Business Continuity Planning | We recommend that the Authority implements business continuity training for all staff. Regular refresher training should be provided going forward, and the Authority should ensure it records all training for each staff member and obtains sufficient evidence of attendance/completion. | Director of Corporate Services to coordinate team | Medium (Grade 2) | Nov-19 | Mar-22 | Future training requirements will be incorporated into future work on the revised BCP. | Partially Complete |
2018⁄19 Business Continuity Planning | We recommend that CNPA develops a testing plan/schedule for BCP which should be reviewed regularly to ensure a strategic approach to testing is developed and implemented. This plan should ensure that varying categories of events are scheduled to be tested on a regular basis based upon likelihood and overall risk. A formal testing schedule should also be developed for the DRP. We note that the BCP states that testing of the BCP and DRP should be annual, with consideration given to a daily ‘tabletop’ exercise. However, from discussions with management, it is understood that this is not achievable due to the size of the organisation. Therefore, Management should decide on the most suitable frequency of testing, and this should be detailed within the BCP. In addition, we recommend that the outcomes, lessons learned and required actions are formally documented, and thereafter reflected within the plan for each test. | Director of Corporate Services to coordinate team | Medium (Grade 2) | By end November 2019 for incorporation of testing schedule | Mar-22 | The current COVID19 BCP response has given a “full implementation” BCP test. This recommendation is therefore somewhere between superseded and implemented. Future testing arrangements will be taken up as part of the revised BCP and in line with any of the 2020⁄21 internal audit findings. | Partially Complete |
2019⁄20 Payroll Administration | We recommend that in addition to the payroll report and BACS reports run each month, CNPA produce a post payment report which should be reviewed and signed by the Director of Corporate Services. | Director of Corporate Services/Payroll & Finance Officer | Low (Grade 1) | Nov-19 | Sep-21 | Control systems were designed and put in place to implement this recommendation. However, remote working over 20⁄21, with consideration of data security and limiting volumes of sensitive information sent by email, have prevented full implementation to date. | Partially Complete |
2019⁄20 Payroll Administration | We recommend that CNPA conduct a regular peer review of the desk instructions to ensure that they remain accurate and up to date. Evidence of the review should be seen on the instructions with version control and the date reviewed noted. | Director of Corporate Services or Head of Organisational Development | Low (Grade 1) | Apr-20 | Dec-21 | This has not been progressed as a consequence of COVID BCP implementation | Incomplete |
2019⁄20 Payroll Administration | We recommend that all staff with access to payroll information are required to sign a confidentiality agreement. | Director of Corporate Services & Head of Organisational Development | Low (Grade 1) | Mar-20 | Jun-21 | Consultations on this are complete regarding contractual changes required. The implementation of the agreements has yet to be completed. | Partially Complete |
2019⁄20 Payroll Administration | It is our recommendation that the Authority investigate the potential for making use of automatic exception reporting. This may be within the capabilities of the current payroll system; a report would be generated of all the differences from the previous month's payroll which could be reviewed and authorised. | Director of Corporate Services and Head of Organisational Development | Low (Grade 1) | Mar-20 | Sep-21 | Control systems were designed and put in place to implement this recommendation. However, remote working over 20⁄21, with consideration of data security and limiting volumes of sensitive information sent by email, have prevented full implementation to date. | Partially Complete |
2019⁄20 Risk Management | We recommend that a risk management procedure is developed or that the risk management strategy is updated to include the following best practice areas: Risk management process, including identification, assessment, analysis, response, mitigation, and escalation. Risk register format. Risk prompts and tools. Risk impact and likelihood descriptions. | Director of Corporate Services | Low (Grade 1) | 31-May-20 | Mar-21 | No progress on this low-level recommendation during BCP response period. | Incomplete |
2019⁄20 Risk Management | We recommend that on a periodic basis, for example every two years to align with the start and mid-point of the Corporate Plan cycle, management carries out a full-scale risk identification process for the risk register. | Director of Corporate Services | Low (Grade 1) | 31-May-20 | Mar-24 | No progress on this low-level recommendation during BCP response period | Incomplete |
2019⁄20 Expense Claims Process | We recommend that the Travel & Subsistence Policy is further developed to include the elements noted within our finding. | Director of Corporate Services | Medium (Grade 2) | Jan-20 | Sep-21 | Approved through Staffing and Recruitment Committee and Staff Consultative Forum. Not yet implemented as a consequence of homeworking / travel restrictions | Partially Complete |
2019⁄20 Expense Claims Process | To address the issues noted and to gain assurance on the consistent application of the policy, we recommend that CNPA reviews and revises the policy to more clearly define the approval procedures that are required prior to incurring costs and the evidence of authorisation required for seeking re-imbursement. | Director of Corporate Services | Medium (Grade 2) | Jan-20 | Sep-21 | Policy has been revised and reviewed by both Staffing and Recruitment Committee and Staff Consultative Forum. Implementation of revised policy due from 1 April 2020. | Partially Complete |
2019⁄20 Expense Claims Process | We recommend that the Finance team’s review of expense claims and credit card documentation is enhanced and evidenced, for example, via signature. This will support a two-step approval process, which is good practice. | Finance Manager | Low (Grade 1) | Apr-20 | Sep-21 | No action pending exit from BCP status. | Incomplete |
2019⁄20 Expense Claims Process | We recommend that CNPA signs up to the Scottish Government National Travel Framework. This will ensure that Clyde Travel Management can be used by CNPA, through a procured method as required by the Procurement Policy. CNPA should ensure going forward that it procures travel providers in line with the Procurement Policy, where estimated expenditure meets the relevant thresholds. | Finance Manager | Low (Grade 1) | Jun-20 | Mar-22 | Low level recommendation with very low value consequences. Not a priority given various other pressures. | Incomplete |
2019⁄20 Expense Claims Process | We recommend that CNPA assesses the costs vs benefits of introducing an electronic expense system, which will allow for expense claims to be effectively processed. An expense system should allow for the full process to be handled electronically, from creating claims and attaching supporting documentation (photos/scans/electronic versions) to the approval and payment of claims. Approvals can also be provided remotely, which would reduce delays in obtaining approval on hard copy claim forms. CNPA should consider purchasing a system which has user-friendly reporting and automated alerts, for example, when an expense claim has been submitted for review, or for when supporting evidence has not been attached. The electronic system could also automatically calculate miles included in a business journey, which would therefore reduce the risk of business mileage being inflated. | Finance Manager | Low (Grade 1) | April-20 | Mar-23 | No action pending exit from BCP status | Incomplete |
2019⁄20 Expense Claims Process | We recommend that CNPA ensures a travel & subsistence/expenses Policy is developed which formally applies to Board members. As the current Travel & Subsistence Policy applies to Board members in practice, management may consider amending the current Policy to ensure the application to Board members is formally documented. Authority to approve Board member expenses should also be clearly documented. | Director of Corporate Services | Low (Grade 1) | Jan-20 | Sep-21 | No action pending exit from BCP status | Incomplete |
2019⁄20 Staff Objective Setting & Appraisal | We recommend that line managers are reminded of the importance of properly recording their review and approval of job plans. Random spot checks should be carried out by HR to check that job plans are in place and have been appropriately reviewed and signed off by management, including the date of sign off. | Kate Christie | Low (Grade 1) | Immediate and on-going | Dec-21 | Given the impact of lockdown on staff, particularly those with caring responsibilities and inefficient WIFI, staff and managers have been advised to revisit job plans to ensure they cover only work that can realistically be achieved. So, job plans have been revisited at least at 6‑month intervals, but HR have not had capacity during the last 10 months to carry out these spot checks. | Partially Complete |
2019⁄20 Staff Objective Setting & Appraisal | It is our recommendation that the Senior Management Team outline what their expectations are in respect of the outcomes of the performance management process and produce an annual report on the outcomes of the objective setting and appraisal process for presentation to the Recruitment Committee. This report should cover the degree of compliance with the process and details of any concerns identified in order to assess the ongoing effectiveness of the performance management process. | Kate Christie | Low (Grade 1) | December will be the report schedule | Mar-21 | Covid and lockdown have resulted in job plans and targets being amended to accurately reflect the jobs that are achievable given additional pressures on staff. We have not yet had the opportunity to monitor the effectiveness of the revised performance management process given that it was only in place for less than a year before Covid and lockdown. | Incomplete |
2019⁄20 FOISA and EIR Requests | CNPA should consider the use of flow charts to outline its processes and requirements and communicating these to ensure consistent application of the processes. We recommend refresher GDPR training to understand the nuances between GDPR and FOI | Vicky Walker | Medium (Grade 2) | July-20 | Dec-21 | This has been delayed due to Covid and will be picked up as part of the recommendations from the Data Management audit. This should be completed by May 2021 and will include flowcharts and guidance to support staff in handling these requirements. We have sought legal advice on handling subject access requests and will also incorporate this into revised guidance. | Partially Complete |
2019⁄20 FOISA and EIR Requests | We recommend CNPA update their procedures which include asking the requestor whether the request can be narrowed to allow the deadline to be met. | Vicky Walker | Low (Grade 1) | Jul-20 | Sep-21 | We have used this approach on a number of complex information requests during 2020. This has been successful in narrowing the request to extract relevant and meaningful information for the requester. We have not yet incorporated this approach into a refresh of the policy which has been delayed due to emergent work on the Covid pandemic. We are anticipating further recommendations as a result of the data management audit completed in January 2021 and will take these forward in tandem due to the interdependencies of these two policies. | Partially Complete |
2019⁄20 FOISA and EIR Requests | We recommend the FOI policy and guidance are updated on a regular basis and document the policy owner and when it is next due to be reviewed. We recommend the Policy and Guidance are updated, refer to job titles and explain acronyms. | Vicky Walker | Low (Grade 1) | Jul-20 | Mar-22 | This has been delayed due to Covid and will be picked up as part of the recommendations from the Data Management audit. This should be completed by May 2021 and will include an update to job titles and list of acronyms. | Incomplete |
2019⁄20 Project Finance | We recommend that review of management accounts is a standing agenda item for CNPA Management Team meetings on a monthly basis. We recommend Finance consult with the Management team to determine what financial information they would find useful and update reporting if necessary. | Director of Corporate Services | Medium (Grade 2) | Jun-20 | Jun-21 | Budget management has been a more fluid process than normal in 2020⁄21 with need to revisit spending allocations and plans. Some work has been done in this area. However, this recommendation needs to be retained for review in 2021⁄22 when we hope the situation will have normalised to a degree. | Partially Complete |
2019⁄20 Project Finance | We recommend CNPA reviews its procedures for submitting its supporting documentation to NLHF to ensure that all required documentation is provided. CNPA should consider adding an additional review prior to the submission, which should be evidenced. | Dani Ralph | Medium (Grade 2) | Immediate on completion of December claims | Jun-21 | Amendments to the process have proven difficult during BCP remote working | Incomplete |
2019⁄20 Project Finance | We recommend forecasting of CNPA’s year-end position is completed on a regular basis and is available for management to review. | Dani Ralph | Low (Grade 1) | 31-Mar-20 | Jun-21 | We have incorporated outturn projections in financial monitoring reports prepared for Finance and Delivery Committee. | Partially Complete |
Appendix 3: Audit Risk Categorisations
Management action grades
- 4: Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
- 3: High risk exposure — absence / failure of key controls that create significant risks within the organisation.
- 2: Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
- 1: Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general housekeeping issues.
© Azets 2021. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales. Registered No. 09652677. VAT Registration No. 219 0608 22.
Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.