ARC Paper 4 Strategic Audit Plan
Cairngorms National Park Authority Strategic Internal Audit Plan 2021⁄22 – 2023⁄24
Azets
Table of Contents
- Introduction
- Internal Audit Plan 2021 – 24
- Allocation of Audit Days
- Internal Audit Approach
- Delivering the Internal Audit Plan
- Appendix 1 – Corporate Risk Register
- Appendix 2 – Internal Audit Universe
- Appendix 3 – Internal Audit Charter
Introduction
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control and governance processes.
Section 3 – Definition of Internal Auditing, Public Sector Internal Audit Standards
The PSIAS require the Chief Internal Auditor to produce a risk-based plan, which takes into account Cairngorms National Park Authority’s risk management framework, its strategic objectives and priorities and the views of senior managers and the Audit & Risk Committee. The objective of audit planning is to direct audit resources in the most efficient manner to provide sufficient assurance that key risks are being managed effectively and value for money is being achieved.
Internal audit is only one source of assurance for the Audit & Risk Committee. Assurance on the management of risk is provided from a number of other sources, including the senior management team, external audit and the risk management framework itself.
This document sets out a strategic internal audit plan for the three-year period 2021⁄22 to 2023⁄24.
Audit & Risk Committee action
This latest version of the audit plan reflects discussions with the Chief Executive and Director of Corporate Services in January 2021. All feedback received to date has been factored into the plan to ensure internal audit work is as relevant and targeted to CNPA’s needs as possible, and that it is supporting management and the Board in addressing the organisation’s key risks.
The Audit & Risk Committee is asked to review and approve the proposed Internal Audit Plan for 2021⁄22.
Internal Audit Plan 2021 – 24
Audit area | 2021⁄22 | 2022⁄23 | 2023⁄24 | Risk Register Ref | Audit objectives |
---|---|---|---|---|---|
A. Financial systems | |||||
A.1 Financial management and reporting | 8 | Financial risks | Review of financial planning, budget management and reporting to management and the board. | ||
A.2 Payroll and expenses | 6 | Financial risks | Review of the controls in place for the payment of staff salaries and expenses. Potential to utilise data analytics to undertake 100% sampling. | ||
A.3 Expenditure and Creditors | 7 | Financial risks | Review of the controls over the processing and monitoring of expenditure and creditor payments. | ||
Subtotal A: | 8 | 6 | 7 | ||
B. Governance and Corporate Systems | |||||
B.1 Assurance Mapping of Major Projects | 8 | All | Review of the mechanisms in place to ensure the Board are being provided with assurance over projects where CNPA acts as accountable body. | ||
B.2 Strategic Planning | 8 | A23, A21 | Review of process for developing corporate plans, including engagement with stakeholders. | ||
B.3 Risk Management | 7 | All | Review of the policies, procedures and practices in place to support robust risk management within CNPA. Work will build on the Risk Appetite work being undertaken by the Board. | ||
B.4 Partnership Management | 8 | A9.3 | Review of the policies, procedures and mechanisms in place to work with CNPA partners and provide assurance on partnership arrangements. To be undertaken towards the end of 2021⁄22 and will consider how CRM is aiding in partnership management. | ||
Subtotal B: | 8 | 8 | 7 | ||
C. Operational | |||||
C.2 Legacy Liabilities | 7 | Review to ensure resource commitments made as part of prior projects are appropriately captured, budgeted and reported on. | |||
C.5 Health and Safety | 7 | To review the operation and reporting on Health and Safety policies and procedures. | |||
C.6 Workforce Planning | 8 | A12.2, A9.3 | Review of the arrangements in place for planning future workforce needs to deliver strategies and corporate plans. Will also consider the recruitment and retention arrangements in place for staff. | ||
C.7 Procurement | 8 | Financial risks | Review of the arrangements in place over the procurement of services. | ||
Subtotal C: | 7 | 15 | 0 | ||
D. Information technology | |||||
D.1 ICT Strategy | 7 | A17, A13 | Review to ensure an up to date ICT strategy is in place and being actively maintained. | ||
D.2 GDPR | 7 | To assess compliance/progress in relation to the general data protection regulation. | |||
D.3 Cyber Security | 7 | A18 | Review of the arrangements in place to mitigate cyber security risks. | ||
Subtotal D: | 14 | 0 | 0 | ||
E. Compliance and Regulatory | |||||
E.1 LEADER Administration | 7 | A11.1, A11.2 | To provide assurance on compliance with SLA between CNPA and Scottish Government on administration of EU LEADER funding. | ||
E.2 Follow Up | 3 | 3 | 3 | To provide independent assurance to the audit and risk committee that agreed actions from previous internal audit reports are implemented as planned. | |
Subtotal E: | 10 | 3 | 3 | ||
F. Management | |||||
Internal audit management and administration | 2 | 2 | 2 | ||
Audit and Risk Committee planning, reporting and attendance | 3 | 3 | 3 | ||
Audit needs analysis — strategic and operational IA planning | 3 | 3 | 3 | ||
Contract management | 2 | 2 | 2 | For coordination and efficiency | |
Annual internal audit report | 1 | 1 | 1 | ||
Subtotal F: | 11 | 11 | 11 | ||
TOTAL | 51 | 65 | 36 |
In addition to the 2021⁄22 scheduled audits outlined above, management and Internal Audit will revisit this plan throughout the year to determine if the following audits can be undertaken in the year, subject to CNPA resources:
- Health and Safety
- Grant Awards
Allocation of Audit Days
The table below demonstrates how the internal audit days for 2021⁄22 are allocated across each area of the audit universe (Appendix 2).
(Pie chart showing allocation of audit days)
Internal Audit Approach
Supporting the Governance Statement
Our Internal Audit Plan is designed to provide Cairngorms National Park Authority, through the Audit & Risk Committee, with the assurance it needs to prepare an annual Governance Statement that complies with best practice in corporate governance. We also aim to contribute to the improvement of governance, risk management and internal control processes by using a systematic and disciplined evaluation approach.
Compliance with best practice
Azets’ internal audit methodology complies fully with the Public Sector Internal Audit Standards (PSIAS), which cover the mandatory elements of the Chartered Institute of Internal Auditors’ International Professional Practices Framework.
Risk based internal auditing
Our methodology links internal audit activity to the organisation’s risk management framework. The main benefit to Cairngorms National Park Authority is a strategic, targeted internal audit function that focuses on the key risk areas and provides maximum value for money.
By focussing on the key risk areas, internal audit should be able to conclude that:
- Management has identified, assessed and responded to Cairngorms National Park Authority’s key risks;
- The responses to risks are effective but not excessive;
- Where residual risk is unacceptably high, further action is being taken;
- Risk management processes, including the effectiveness of responses, are being monitored by management to ensure they continue to operate effectively; and
- Risks, responses and actions are being properly classified and reported.
We have reviewed Cairngorms National Park Authority’s risk management arrangements and have confirmed that they are sufficiently robust for us to place reliance on the risk register as one source of the information we use to inform our audit needs assessment.
Audit needs assessment
Our internal audit plans are based on an assessment of audit need. “Audit need” represents the assurance required by the Audit & Risk Committee from internal audit that the control systems established to manage and mitigate the key inherent risks are adequate and operating effectively. The objective of the audit needs assessment is therefore to identify these key controls systems and determine the internal audit resource required to provide assurance on their effectiveness.
Our audit needs assessment involved the following activities:
- Reviewing Cairngorms National Park Authority’s risk register,
- Reviewing Cairngorms National Park Authority’s corporate operational plan,
- Reviewing previous internal audit reports,
- Reviewing external audit reports and plans,
- Reviewing the Cairngorms National Park Authority’s website and internal policies and procedures,
- Utilising our experience at similar organisations, and
- Discussions with senior management and the Audit & Risk Committee.
The plan has also been cross-referenced to Cairngorms National Park Authority’s risk register as at November 2020. The audit universe is included at Appendix 2.
Best value
Our work helps Cairngorms National Park Authority to determine whether services are providing best value. Every report includes an assessment of value for money; i.e. whether the controls identified to mitigate risks are working efficiently and effectively. Where we identify opportunities for improving value for money, we raise these with management and include them in the report action plan.
Liaison with external audit
We seek to complement the areas being covered by Cairngorms National Park Authority’s external auditor. We welcome comments on the internal audit plan from Grant Thornton at any time and we will formally discuss the plan with Grant Thornton on at least an annual basis. This will help us to target our work in the most effective manner, avoiding duplication of effort and maximising the use of total audit resource.
Delivering the internal audit plan
Internal Audit Charter
At Appendix 3 we have set out our Internal Audit Charter, which details how we will work together to deliver the internal audit programme.
Internal Audit team – indicative staff mix
Grade | 2021⁄22 Input (days) | Grade mix (%) |
---|---|---|
Partner / Director | 6 | 12% |
Manager | 11 | 22% |
Auditors | 34 | 66% |
Total | 51 | 100% |
Internal Audit Team Contacts
(Images of Chris Brown and Stephanie Hume with contact information)
Appendix 1 – Corporate Risk Register
(Table detailing corporate risks, mitigation strategies, comments, and trend analysis)
Appendix 2 – Internal Audit Universe
(Table showing auditable areas and their frequency of audit)
Appendix 3 – Internal Audit Charter
The mission for internal auditing is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.
Definition
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve Cairngorms National Park Authority’s operations. It helps Cairngorms National Park Authority accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Aim
The aim of this Charter is to set out the management by all parties of the internal audit process. The Charter sets out the context of the internal audit function, including the place of the Audit Committee, the key personnel, timescales and processes to be followed for each internal audit review.
Role
The internal audit activity is established by the Board of Directors or oversight body (hereafter referred to as the Board). The internal audit activity’s responsibilities are defined by the Board as part of their oversight role.
Professionalism
The internal audit activity will govern itself by adherence to The Institute of Internal Auditors’ mandatory guidance including the Definition of Internal Auditing, the Core Principles of Professional Practice of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.
The IIA’s Practice Advisories, Implementation Guidance, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. In addition, the internal audit activity will adhere to Cairngorms National Park Authority’s relevant policies and procedures and the internal audit activity’s standard operating procedures manual.
Authority
The internal audit activity, with strict accountability for confidentiality and safeguarding records and information, is authorised full, free, and unrestricted access to any and all of the organisation’s records, physical properties, and personnel pertinent to carrying out any engagement. All employees are requested to assist the internal audit activity in fulfilling its roles and responsibilities. The internal audit activity will also have free and unrestricted access to the Board.
Accountability
The Chief Internal Auditor will be accountable to the Audit & Risk Committee and will report administratively to the Director of Corporate Services.
The Audit & Risk Committee will approve all decisions regarding the performance evaluation, appointment, or removal of the Chief Internal Auditor.
The Chief Internal Auditor will communicate and interact directly with the Audit & Risk Committee, including between Audit & Risk Committee meetings as appropriate.
Independence and objectivity
The internal audit activity will remain free from interference by any element in the organisation, including matters of audit selection, scope, procedures, frequency, timing, or report content. This is essential in maintaining the internal auditors’ independence and objectivity.
Internal auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, manage risks, prepare records, or engage in any other activity that may impair internal auditors’ judgment.
Internal auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The Chief Internal Auditor will confirm to the Audit & Risk Committee, at least annually, the organisational independence of the internal audit activity. Any interference experienced should be disclosed by the Chief Audit Executive to the Board and the implications discussed.
Scope and responsibility
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organisation’s governance, risk management, and internal control processes in relation to the organisation’s defined goals and objectives. Internal control objectives considered by internal audit include:
- Consistency of operations or programs with established objectives and goals and effective performance.
- Effectiveness and efficiency of operations and employment of resources.
- Compliance with significant policies, plans, procedures, laws, and regulations.
- Reliability and integrity of management and financial information processes, including the means to identify, measure, classify, and report such information.
- Safeguarding of assets.
Internal Audit is responsible for evaluating all processes (‘audit universe’) of Cairngorms National Park Authority, including governance processes and risk management processes. In doing so, internal audit maintains a proper degree of coordination with external audit and where practical other assurance providers.
Internal audit may perform consulting and advisory services related to governance, risk management and control as appropriate for the organisation. It may also evaluate specific operations at the request of the Audit & Risk Committee or management, as appropriate.
Based on its activity, internal audit is responsible for reporting significant risk exposures and control issues identified to the Audit & Risk Committee and to senior management, including fraud risks, governance issues, and other matters needed or requested by Cairngorms National Park Authority.
Annual internal audit plan
The audit year runs from 1 April to 31 March.
At least annually, the Chief Audit Executive will submit to the audit committee an internal audit plan for review and approval. The internal audit plan will detail, for each subject review area:
- The outline scope for the review,
- The number of days budgeted,
- The timing, including which Audit & Risk Committee meeting the final report will go to,
- The review sponsor.
The Chief Audit Executive will communicate the impact of resource limitations and significant interim changes to senior management and the Board.
The internal audit plan will be developed based on a prioritisation of the audit universe using a risk-based methodology, including input of senior management. Prior to submission to the Audit & Risk Committee for approval, the plan will be discussed with appropriate senior management. Any significant deviation from the approved internal audit plan will be communicated through the periodic activity reporting process.
Assignment Planning and Conduct
An assignment plan will be drafted prior to the start of every assignment setting out the scope, objectives, timescales and key contacts for the assignment.
Specifically, the assignment plan will detail the timescales for carrying out the work, issuing the draft report, receiving management responses and issuing the final report. The assignment plan will also include the name of the staff member who will be responsible for the audit (review sponsor) and the name of any key staff members to be contacted during the review (key audit contact).
The assignment plan will be agreed with the review sponsor and the key audit contact (for timings) before the review starts.
Reporting and Monitoring
The internal auditor will discuss key issues arising from the audit as soon as reasonably practicable with the key contact and/or review sponsor, as appropriate.
A written report will be prepared and issued by the Chief Audit Executive or designee following the conclusion of each internal audit engagement and will be distributed to the review sponsor and key contacts identified in the assignment plan for management responses and comments.
Draft reports will be issued by email within 15 working days of fieldwork concluding. The covering email will specify the deadline for management responses, which will normally be within a further 10 days. The management comments and response to any report will be overseen by the review sponsor. Internal Audit will make time after issuing the draft report to discuss the report and, if necessary, meet with the review sponsor and/or key contact to ensure the report is factually accurate and the agreed actions are clear, practical, achievable and valuable.
The internal auditors will issue the final report to the review sponsor and the Director of Corporate Services. The final report will be issued within 10 working days of the management responses being received. Finalised internal audit reports will be presented to the Audit & Risk Committee. Finalised internal audit outputs must be in the hands of the Director of Corporate Services by prescribed dates annually.
The working days set out above are maximum timescales and tighter timescales may be set out in the assignment plan.
The internal audit activity will follow up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.
Audit & Risk Committee
The Audit & Risk Committee meets four times a year, normally in March, June, September and November. Dates for Audit & Risk Committee meetings will be provided to internal audit as soon as they are agreed. The Chief Internal Auditor and/or Internal Audit Manager will attend all meetings of the Audit & Risk Committee.
Internal audit will schedule its work so as to spread internal audit reports reasonably evenly over Audit & Risk Committee meetings. The annual internal audit plan will detail the internal audit reports to be presented to each Audit & Risk Committee meeting.
The internal auditor will generally present specific reports to the committee as follows:
Output | Meeting |
---|---|
Annual internal audit plan | March |
Follow-up report | March |
Annual report | March |
Progress report | All meetings |
The Audit & Risk Committee will meet privately with the internal auditors at least once a year.
Periodic Assessment
The Chief Audit Executive is responsible for providing a periodic self-assessment on the internal audit activity as regards its consistency with the Audit Charter (purpose, authority, responsibility) and performance relative to its Plan.
In addition, the Chief Internal Auditor will communicate to senior management and the Audit & Risk Committee on the internal audit activity’s quality assurance and improvement programme, including results of on-going internal assessments and external assessments conducted at least every five years in accordance with Public Sector Internal Audit Standards.
Review of Charter
This Charter will be reviewed by both parties each year and amended if appropriate.
(Azets 2021. All rights reserved. Azets refers to Azets Audit Services Limited. Registered in England & Wales Registered No. 09652677. VAT Registration No. 219 0608 22. Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.)