Paper 5 Annex 1 Audit and Risk Committee 19 June 2026 2

forvis mazars

100 Queen Street 2^nd Floor Glasgow G1 3DN

Tel: +44 (0)141 227 2400 www.mazars.co.uk

Audit and Risk Committee Cairngorms National Park Authority 14 The Square Grantown on Spey PH26 3HG

Date: 06 February 2026

Direct line: 07816 354 994

Email: tom.reid@mazars.co.uk

Dear Audit and Risk Committee Members,

Cairngorms National Park Authority (CNPA) – ²⁰²⁵⁄₂₆: Audit and Risk Committee briefing note – ISA 240 (Fraud), ISA 250 (laws and regulations), ISA 501 (litigation and claims) & ISA 570 (going concern)

Introduction

This letter aims to summarise for the Audit and Risk Committee (the Committee) the requirements under International Auditing Standards, in respect of preventing fraud in the annual accounts, compliance with laws and regulations, litigation and claims, and going concern. This letter requests an update from the Committee in order to inform our continuous audit planning as we move into the final stage of our audit of CNPA’s ²⁰²⁵⁄₂₆ accounts.

International Standard for Auditing 240 — The auditor’s responsibility to consider fraud in an audit of financial statements

Background

Under the ISA, the primary responsibility for preventing and detecting fraud rests with both management and ‘those charged with governance’, which for CNPA is the Audit and Risk Committee.

This includes fraud that could impact on the accuracy of the annual accounts.

The ISA requires us, as external auditors, to obtain an understanding of how the Committee exercises oversight of management’s processes for identifying and responding to the risks of fraud and the internal controls established to mitigate them.

What is ‘fraud’ in the context of the ISA?

The ISA views fraud as either:

the intentional misappropriation of CNPA’s assets (cash, property, etc); or
the intentional manipulation or misstatement of the financial statements. 2

What are auditors required to do?

We have to obtain evidence of how management and those charged with governance are discharging their responsibilities, if we are to properly discharge our responsibilities under ISA 240. We are therefore making requests from the Committee and management on the following, or similar, issues:

1) How does the Committee, in its role as those charged with governance, exercise oversight of management’s processes in relation to:

undertaking an assessment of the risk that the financial statements may be materially misstated due to fraud or error (including the nature, extent and frequency of these assessments);
identifying and responding to risks of fraud in the organisation, including any specific risks of fraud which management have identified or that have been brought to its attention, or classes of transactions, account balances, or disclosure for which a risk of fraud is likely to exist;
communicating to employees of views on business practice and ethical behaviour (for example by updating, communicating and monitoring against the organisation’s code of conduct); and
communicating to those charged with governance the processes for identifying and responding to fraud or error?

2) How does the Committee oversee management processes to identify and respond to the risk of fraud and possible breaches of internal control? Is the Committee aware of any breaches of internal control during ²⁰²⁵⁄₂₆? Please provide details.

3) Has the Committee knowledge of any actual, suspected or alleged fraud during the period 1 April 2025 — 31 March 2026? Where appropriate please provide details.

4) Has the Committee any suspicion that fraud may be occurring within the organisation? Please provide details.

Has the Committee identified any specific fraud risks within the organisation? Please provide details.
Does the Committee have any concerns that there are areas within the organisation that are at risk of fraud? Please provide details.
Are there particular locations within the organisation where fraud is more likely to occur? Please provide details.

5) Is the Committee satisfied that internal controls, including segregation of duties, exist and work effectively? Please provide details.

If not, where are the risk areas?
What other controls are in place to help prevent, deter or detect fraud? 3

6) Is the Committee satisfied that staff are encouraged to report their concerns about fraud, and the types of concerns they are expected to report? Please provide details.

7) From a fraud and corruption perspective, what are considered by the Committee to be high risk posts within the organisation? Please provide details.

How are the risks relating to these posts identified, assessed and managed?

8) Is the Committee aware of any related party relationships or transactions that could give rise to instances of fraud? Please provide details.

How are the risks associated with fraud related to such relationships and transactions mitigated?

9) Is the Committee aware of any entries made in the accounting records of the organisation that it believes or suspects are false or intentionally misleading? Please provide details.

Are there particular balances where fraud is more likely to occur? Please provide details.
Is the Committee aware of any assets, liabilities or transactions that it believes were improperly included or omitted from the accounts of the organisation? Please provide details.
Could a false accounting entry escape detection? If so, how?
Are there any external fraud risk factors which are high risk of fraud? Please provide details.

10) Is the Committee aware of any organisational, or management pressure to meet financial or operating targets? Please provide details.

Is the Committee aware of any inappropriate organisational or management pressure being applied, or incentives offered, to you or colleagues to meet financial or operating targets? Please provide details.

International Standard for Auditing 250 – Consideration of laws and regulations in an audit of financial statements

Background

Under the ISA, in the UK and Ireland, the primary responsibility for ensuring that the entity’s operations are conducted in accordance with laws and regulations and the responsibility for the prevention and detection of non-compliance rests with management and ‘those charged with governance’, which for CNPA is the Audit and Risk Committee. The ISA requires us, as external auditors, to obtain an understanding of how the Committee gains assurance that all relevant laws and regulations have been complied with. 4

What are auditors required to do?

We have to obtain evidence of how management and those charged with governance are discharging their responsibilities, if we are to properly discharge our responsibilities under ISA 250. We are therefore making requests from the Committee, and will be making similar enquiries of management:

11) How does the Committee gain assurance that all relevant laws and regulations have been complied with. For example:

Is the Committee aware of the process management has in place for identifying and responding to changes in laws and regulations? Please provide details.
What arrangements are in place for the Committee to oversee this process?
Is the Committee aware of the arrangements management have in place, for communicating with employees, non-executive directors, partners and stakeholders regarding the relevant laws and regulations that need to be followed? Please provide details.
Does the Committee have knowledge of actual or suspected instances where appropriate laws and regulations have not been complied with, and if so is it aware of what actions management is taking to address it? Please provide details.

International Standard for Auditing 501 – Specific consideration of the potential for, and actual, litigation and claims affecting the financial statements

Background

This ISA deals with specific considerations by the auditor in obtaining sufficient appropriate audit evidence, in this instance with respect to the completeness of litigation and claims involving the entity. The ISA requires us, as external auditors, to design and perform audit procedures in order to identify litigation and claims involving the entity which may give rise to a risk of material misstatement.

What are auditors required to do?

We have to obtain evidence of how management and those charged with governance are discharging their responsibilities, if we are to properly discharge our responsibilities under ISA 501. We are therefore making requests from the Committee, and will be making similar enquiries of management:

12) Is the Committee aware of any actual or potential litigation or claims that would affect the financial statements? Please provide details.

International Standard for Auditing 570 – Consideration of the going concern assumption in an audit of financial statements

Background

Financial statements are generally prepared on the basis of the going concern assumption. Under the going concern assumption, an audited body is ordinarily viewed as continuing in operation for the foreseeable future. Accordingly, assets and liabilities are recorded in the financial 5

statements on the basis that the audited body will be able to realise its assets and discharge its liabilities in the normal course of its operations.

What are auditors required to do?

If used, we are required to consider the appropriateness of management’s use of the going concern assumption in the preparation of the financial statements if we are to properly discharge our responsibilities under ISA 570. We are therefore making the following request from the Committee:

13) How has the Committee assessed and satisfied itself that it is appropriate to adopt the going concern basis in preparing the financial statements?

14) Has the Committee identified any events or conditions since the assessment was undertaken which may cast significant doubt on the organisation’s ability to continue as a going concern? Please provide details.

The way forward

The information you provide will help inform our understanding of CNPA and its business processes, prior to the start of the final stage of the audit of the ²⁰²⁵⁄₂₆ financial statements.

I would be grateful for your responses, which should be formally considered and communicated to us on the Committee’s behalf to cover the year to 31 March 2026, by 31 May 2026. In the meantime, if you have any queries, please do not hesitate to contact me.

Yours sincerely,

[Signature]

Tom Reid Audit Director Forvis Mazars LLP

ARC Paper 5 Annex 1 Letter 25-26 TCWG