ARC Paper 3 Internal Audit Annual Report
Cairngorms National Park Authority
Internal Audit Annual Report 2020/21
March 2021
Contents
- Introduction
- Overall Internal Audit Opinion
- Internal Audit Work Performed
- Appendix 1 – Planned v actual days 2020/21
- Appendix 2 – Summary of Internal Quality Assurance Assessment
Introduction
The Public Sector Internal Audit Standards (PSIAS) state that:
“The Chief Audit Executive must deliver an annual internal audit opinion and report that can be used by the organisation to inform its governance statement.”
“The annual internal audit opinion must conclude on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control.”
To meet the above requirements, this Annual Report summarises our conclusions and key findings from the internal audit work undertaken at the Cairngorms National Park Authority (CNPA) during the year ended 31 March 2021, including our overall opinion on CNPA’s internal control system.
Acknowledgement
We would like to take this opportunity to thank all members of management and staff for the help, courtesy and co-operation extended to us during the year.
Overall Internal Audit Opinion
Basis of Opinion
As the Internal Auditor of CNPA, we are required to provide the Audit and Risk Committee with assurance on the whole system of internal control. In giving our opinion it should be noted that assurance can never be absolute. The most that the internal audit service can provide is reasonable assurance that there are no major weaknesses in the whole system of internal control.
In assessing the level of assurance to be given, we have taken into account:
- All reviews undertaken as part of the 2020/21 internal audit plan;
- Any scope limitations imposed by management;
- Matters arising from previous reviews and the extent of follow-up action taken including in year audits;
- Expectations of senior management, the Audit and Risk Committee and other stakeholders;
- The extent to which internal controls address the client’s risk management/control framework;
- The effect of any significant changes in CNPA’s objectives or systems; and
- The internal audit coverage achieved to date.
In my professional judgement as Head of Internal Audit, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the basis and the accuracy of the conclusions reached and contained in this report. The conclusions were based on a comparison of the situations as they existed at the time against the audit criteria. The conclusions are only applicable for the entity examined. The evidence gathered meets professional audit standards and is sufficient to provide senior management with proof of the conclusions derived from the internal audit work.
Internal Audit Opinion
In our opinion CNPA has a framework of controls in place that provides reasonable assurance regarding the organisation’s governance framework, internal controls, effective and efficient achievement of objectives and the management of key risks, subject to the implementation of specific high risk actions raised in relation to corporate governance processes and data management control improvements throughout 2020/21.
Azets
March 2021
Internal Audit Work Performed
Scope and Responsibilities
Management
It is management’s responsibility to establish a sound internal control system. The internal control system comprises the whole network of systems and processes established to provide reasonable assurance that organisational objectives will be achieved, with particular reference to:
- Risk management;
- The effectiveness of operations;
- The economic and efficient use of resources;
- Compliance with applicable policies, procedures, laws and regulations;
- Safeguards against losses, including those arising from fraud, irregularity or corruption; and
- The integrity and reliability of information and data.
Internal Auditor
The Internal Auditor assists management by examining, evaluating and reporting on the controls in order to provide an independent assessment of the adequacy of the internal control system. To achieve this, the Internal Auditor should:
- Analyse the internal control system and establish a review programme;
- Identify and evaluate the controls which are established to achieve objectives in the most economic and efficient manner;
- Report findings and conclusions and, where appropriate, make recommendations for improvement;
- Provide an opinion on the reliability of the controls in the system under review; and
- Provide an assurance based on the evaluation of the internal control system within the organisation as a whole.
Planning Process
Our strategic and annual internal audit plans are designed to provide the Audit and Risk Committee with assurance that CNPA’s internal control system is effective in managing the key risks and best value is being achieved. The plans are therefore informed by CNPA’s risk management system and linked to the Corporate Risk Register.
The Strategic Internal Audit Plan was agreed in consultation with senior management and formally approved by the Audit and Risk Committee.
The Annual Internal Audit Plan is subject to revision throughout the year to reflect changes in CNPA’s risk profile.
We planned our work so that we have a reasonable expectation of detecting significant control weaknesses. However, internal audit can never guarantee to detect all fraud or other irregularities and cannot be held responsible for internal control failures.
Cover Achieved
The 2020/21 Internal Audit Plan comprised 73 days of audit work and we have completed 54.3 days, deferring audit work in agreement with management and the Audit and Risk Committee. A comparison of actual coverage against the 2020/21 plan is attached at Appendix 1.
We confirm that there were no resource limitations that impinged on our ability to meet the full audit needs of the CNPA and no restrictions were placed on our work by management.
We did not rely on the work performed by a third party during the period.
Reports
We prepared a report from each review and presented these reports to the Audit and Risk Committee. The reports are summarised in the table below.
Where relevant, all reports contained action plans detailing responsible officers and implementation dates. The reports were fully discussed and agreed with management prior to submission to the Audit and Risk Committee.
We made no significant recommendations that were not accepted by management.
Summary of reports by control assessment and action grade
Review | Control objective assessment | No. of issues per grading |
---|---|---|
A4. VAT Health Check | N/A | 4, 3, 2, 1 |
B1. Corporate Governance | 2, 4 | |
C1. COVID Recovery | 2, 1 | |
D4. Data Management | 3, 2 | |
E1. LEADER Administration | ||
E2. Follow Up | N/A |
Control objective assessment definitions
- R: Fundamental absence or failure of key controls.
- A: Control objective not achieved – controls are inadequate or ineffective.
- Y: Control objective achieved – no major weaknesses but scope for improvement.
- G: Control objective achieved – controls are adequate, effective and efficient.
Management action prioritisation definitions
- 4: Very high risk exposure – major concerns requiring immediate senior attention that create fundamental risks within the organisation.
- 3: High risk exposure – absence / failure of key controls that create significant risks within the organisation.
- 2: Moderate risk exposure – controls are not working effectively and efficiently and may create moderate risks within the organisation.
- 1: Limited risk exposure – controls are working effectively, but could be improved. Typically these actions correct minor risks or address general housekeeping issues.
Key Findings – Grade 3 Actions
Corporate Governance
- Management and the Board should agree a completion date for the Governance Responsibility Framework.
- Management should progress with the review and implementation of the updated Framework Agreement within the first half of 2021.
- Management should work with Board members to review the assurance arrangements for major projects and address any perceived gaps, including project financials.
Data Management
- We recommend that the Authority ensure that data audits are conducted annually in line with the policy. These audits should sample various directorates to ensure that storage and management of files adhere to the Records Management Policy. Specifically, this audit should consider compliance with data retention and disposal requirements, version control requirements and access and security requirements. The output of this audit should be documented and the Head of Service for each area should be given recommended actions as necessary.
- We also recommend that the Authority evaluates the approach to ownership of folders and how compliance checks against the Records Management Policy are performed.
- We recommend that the Authority reviews the list of users who can make modifications to the file structure. The top level of folders, i.e. the folders for each directorate, should be locked down so that only a small number of users who require amendment rights can modify them. To support better management of file permissions for lower-level folders within each directorate, we recommend that each directorate is provided with access to create sub-folders within their respective top-level folder without having to ask IT or the Admin Team for permission.
- We also recommend that requests for amendments to the top level of the file structure are submitted to the Office Service Manager who can make a decision on their justification.
- We recommend that once the Authority have received the feedback from their DPOaaS provider, they create a subject access request procedure, or document the process within an existing procedure, if appropriate. The procedure should outline the following aspects:
  - Roles and responsibilities when responding to requests
  - Initial steps for acknowledging the request and verifying the identity of the individual
  - Identifying what data is within scope
  - How to search for data
  - How data should be sent to the individual
  - How requests will be logged and monitored by the Authority
Progress in Implementing Previous Internal Audit Actions
We reviewed the 63 actions on the action tracker and obtained sufficient evidence to close 10 (16%) actions; 18 (29%) actions have been assessed as partially complete, 15 (23%) marked as incomplete, 7 (11%) marked no longer applicable and 13 (21%) were not yet due.
Independence
PSIAS require us to communicate on a timely basis all facts and matters that may have a bearing on our independence.
We can confirm that the staff members involved in each 2020/21 internal audit review were independent of CNPA and their objectivity was not compromised in any way.
Conformance with Public Sector Internal Audit Standards
We confirm that our internal audit service conforms to the Public Sector Internal Audit Standards, which are based on the International Standards for the Professional Practice of Internal Auditing. This is confirmed through our quality assurance and improvement programme, which includes cyclical internal and external assessments of our methodology and practice against the standards.
A summary of the results of our most recent internal assessment is provided at Appendix 2.
Appendix 1 – Planned v actual days 2020/21
Ref and Name of report | Planned Days | Actual Days |
---|---|---|
A4. VAT Health Check | 8 | 8 |
B1. Corporate Governance | 8 | 8 |
C1. COVID Recovery | 8 | 8 |
C2. Legacy Liabilities (deferred) | 7 | 0.2 |
C3. Outdoor Access Infrastructure (removed) | 6 | 0.9 |
D1. ICT Strategy (deferred) | 7 | 0.2 |
D4. Data Management | 8 | 6 |
E1. LEADER Administration | 7 | 7 |
E2. Follow Up | 3 | 0 |
Internal Audit Management and Administration | 2 | 2 |
Audit and Risk Committee planning reporting and attendance | 3 | 3 |
Audit needs analysis – strategic and operational IA planning | 3 | 3 |
Contract Management | 2 | 2 |
Annual Internal Audit Report | 1 | 1 |
Total | 73 | 54.3 |
Appendix 2 – Summary of Internal Quality Assurance Assessment
We are pleased to disclose the outcome of our regular internal and external quality assessments with our clients to provide you with assurance that the service you receive is of high quality and fully compliant with internal audit standards.
The table below summarises the outcome of our most recent internal quality assessment (completed August 2020), in which we have assessed the extent to which our internal audit methodology conforms to the standards. Compliance with the methodology is monitored through an annual review of a sample of audit files and we review our compliance with the IPPF/PSIAS through a wider review of our methodology. In addition, every five years we commission a full External Quality Assessment, the most recent of which was completed in July 2018.
Standard | Generally Conforms | Partially Conforms | Does Not Conform | Improvement actions |
---|---|---|---|---|
Definition of Internal Auditing | ✓ | |||
Code of Ethics | ||||
Integrity | ✓ | |||
Objectivity | ✓ | |||
Confidentiality | ✓ | |||
Competence | We are working on a skills matrix for the team that is aligned to the IIA’s Global Internal Audit Competency Framework. | |||
Attribute Standards | ||||
Purpose, Authority and Responsibility | ✓ | |||
Recognising Mandatory Guidance in the Internal Audit Charter | ✓ | |||
Independence and Objectivity | ✓ | |||
Organisational Independence | ||||
Direct Interaction with the Board | ✓ | |||
Chief Audit Executive Roles Beyond Internal Auditing | ✓ | |||
Individual Objectivity | ✓ | |||
Impairments to Independence or Objectivity | ✓ | |||
Proficiency and Due Professional Care (The sum of Standards 1210 – 1230) | ✓ | |||
Proficiency | ✓ | |||
Due Professional Care | ✓ | |||
Continuing Professional Development | ✓ | |||
Quality Assurance and Improvement Programme (The sum of Standards 1310 – 1320) | ✓ | We are in the process of consolidating our quality and continuous improvement processes within a single Quality Assurance and Improvement Plan. | ||
Requirements of the Quality Assurance and Improvement Programme | ✓ | |||
Internal Assessments | ✓ | |||
External Assessments | ✓ | |||
Reporting on the Quality Assurance and Improvement Programme | ✓ | |||
Use of Conforms with the International Standards for the Professional Practice of Internal Auditing | ✓ | |||
Disclosure of Non-conformance | ✓ | |||
Performance Standards | ||||
Managing the Internal Audit Activity (Sum total of Standards 2010 – 2060) | ✓ | |||
Planning | ✓ | |||
Communication and Approval | ✓ | |||
Resource Management Policies and Procedures | ✓ | |||
Coordination and Reliance | ✓ | Ensuring full co-ordination with other assurance providers remains challenging for all internal audit functions. We have developed a robust methodology for assurance mapping that enables us to support our clients in this important area. In addition, wherever possible we work closely with both external audit and key regulators to minimise any duplication in the scope of our work plans. In addition, we recently refreshed the risk maturity checklist that we use during strategic audit planning to ensure we place an appropriate level of reliance on the risk management process. | ||
Reporting to Senior Management and the Board | ✓ | |||
External Service Provider and Organisational Responsibility for Internal Audit | ✓ | |||
Nature of Work (Sum of Standards 2110 – 2130) | ✓ | |||
Governance | ✓ | |||
Risk Management | ✓ | |||
Control | ||||
Engagement Planning (Sum of Standards 2201 – 2240) | ✓ | We identified the need to provide refresher training to staff on the appropriate conduct of and attendance at audit scoping and opening meetings. | ||
Planning Considerations | ||||
Engagement Objectives | ✓ | |||
Engagement Scope | ✓ | |||
Engagement Resource Allocation | ✓ | |||
Engagement Work Programme | ✓ | |||
Performing the Engagement (The sum of Standards 2300 – 2340) | We have included a focus in this year’s training on the use of sample testing. This is being rolled out across all levels of staff within our team to cover both planning, execution and review. We also identified the need to provide refresher training for auditors covering the appropriate documentation of control assessments. | |||
Identifying Information | ✓ | |||
Analysis and Evaluation | ✓ | |||
Documenting Information | We recently updated our IA Methodology in relation to the Azets Professional Record Retention Policy to ensure that we continue to retain only essential information on audit files and securely destroy confidential info. | |||
Engagement Supervision | ✓ | Timely sign-off of file completion remains a pervasive challenge; we have reminded all staff of the | ||
Communicating Results (Sum of Standards 2410 – 2440) | We identified the need to provide refresher training to staff on the appropriate conduct of and attendance at audit close out meetings. | |||
Criteria for Communicating | ✓ | |||
Quality of Communications | ✓ | |||
Errors and Omissions | ✓ | |||
Use of ‘conducted in conformance with the International Standards for the Professional Practice of Internal Auditing’ | ✓ | |||
Engagement Disclosure of Non-conformance | ✓ | |||
Disseminating Results | ✓ | |||
Overall Opinions | ✓ | |||
Monitoring Progress | ✓ | |||
Resolution of Senior Management’s Acceptance of Risks | ✓ |
Overall, our service conforms to the requirements of the PSIAS. Our assessment is based on the overall service that is delivered to each client. We are happy to provide CNPA’s members with further details of the information set out above and the assessment process, if required.
© Azets 2021. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22. Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.