Please be aware the content below has been generated by an AI model from a source PDF.

ARC Paper 5 Annex 2 25-26 management response

Request for information from Management and from Those Charged with Governance

Fraud

1) What are Management’s processes in relation to, and how does the Committee, in its role as those charged with governance, exercise oversight of management’s processes in relation to:

* undertaking an assessment of the risk that the financial statements may be materially misstated due to fraud or error (including the nature, extent and frequency of these assessments);
* identifying and responding to risks of fraud in the organisation, including any specific risks of fraud which management have identified or that have been brought to its attention, or classes of transactions, account balances, or disclosure for which a risk of fraud is likely to exist;
* communicating to employees of views on business practice and ethical behaviour (for example by updating, communicating and monitoring against the organisation's code of conduct); and
* communicating to those charged with governance the processes for identifying and responding to fraud or error?
    * Resources Committee (RC) reviews the management accounts at every meeting and considers the results shown in the financial statements in the context of their knowledge of events over the year.
    * Reliance is placed on the knowledge, experience, and integrity of senior management and assurances provided by management.
    * Risk registers (strategic and programme) are considered at each meeting of the Audit and Risk Committee (ARC).
    * Known incidents are reported to the Senior Management Team, to Scottish Government and to the ARC.
    * RC is responsible for Board oversight and scrutiny of organisational policies and compliance with those, while ARC sees internal audit reports on effectiveness of these policies and the internal control systems that they implement.
    * ARC reviews and approves the governance statement.
    * ARC takes assurance from independent input from internal and external auditors.
    * The terms of reference for the Board's committees make clear the escalation and communication mechanisms between committees in the event of any matters arising.
    * All Board members receive the papers provided for all committee meetings, keeping them informed of matters reported by Management.
    * Training is provided to Board members periodically, to assist them in meeting their responsibilities.

2) How does Management / the Committee oversee management processes to identify and respond to the risk of fraud and possible breaches of internal control? Is Management / the Committee aware of any breaches of internal control during 2025-26? Please provide details.

* Internal audit reporting – annual programme agreed with ARC.
* Recommendations from internal audit work are monitored by the ARC from the point of recommendations being raised until they have been implemented.
* We are not aware of any material breaches of internal control during the year.
* There have been various improvements made to procedure over the course of the year (e.g. introduction of a Project Initiation Process; development of the Grants Management Process).

3) Has Management / the Committee knowledge of any actual, suspected or alleged fraud during the period 1 April 2025 – 31 March 2026? Where appropriate please provide details.

* None known.

4) Has Management / the Committee any suspicion that fraud may be occurring within the organisation? Please provide details.

* No suspicions
* Has Management / the Committee identified any specific fraud risks within the organisation? Please provide details.
    * None identified
* Does Management / the Committee have any concerns that there are areas within the organisation that are at risk of fraud? Please provide details.
    * No concerns
* Are there particular locations within the organisation where fraud is more likely to occur? Please provide details.
    * Cyber security risks and mitigations noted on risk register and discussed at ARC.
    * The ARC accepts and agrees with the key risks highlighted by the external auditors in their audit plan.

5) Is Management / the Committee satisfied that internal controls, including segregation of duties, exist and work effectively? Please provide details.

* Segregation of duties is in place to the extent possible within a small organisation.
* Internal audit reports substantiate controls and identify improvements where required.
* Regular management information is provided including any significant exceptions.
* Delegated Levels of Authority (DLA) policy.
* Controls afforded by the implementation of the new Finance system whereby approval workflows are pre-determined in line with DLA and the line management structure
* If not, where are the risk areas?
    * None known.
* What other controls are in place to help prevent, deter or detect fraud?
    * All new employees are subject to full induction and Disclosure.
    * Regular repeat training in relevant control areas.
    * IT team keep up to date on ongoing risks to IT systems through daily reports from Cyber Scotland.
    * Cybersecurity Plus accreditation under renewal.
    * Payments from the bank must be authorised by two signatories, using the bank's secure payment system (card reader, card and PIN)

6) Is Management / the Committee satisfied that staff are encouraged to report their concerns about fraud, and the types of concerns they are expected to report? Please provide details.

* Reliance is placed on the knowledge, experience, and integrity of senior management. Experience has shown that staff report fraud where they have concerns.
* All staff are encouraged to report anything, no matter how minor, which looks out of the ordinary, and / or where due process has not been followed.
* Segregation of duties within the Finance Team.
* The Finance team is charged with governance.

7) From a fraud and corruption perspective, what are considered by Management / the Committee to be high risk posts within the organisation? Please provide details.

* Members of Senior Management Team are considered to be high risk posts as these staff conduct the majority of financial approvals and all high value approvals, while also interacting with actual and potential suppliers and grant recipients.
* How are the risks relating to these posts identified, assessed and managed?
    * All new employees are subject to Disclosure.
    * All senior managers are required to complete a staff register of interests. Division of responsibility in authorisations is also a requirement amongst this senior staff group. ARC takes assurance from the effective operation of these controls.
    * Delegated Levels of Authority (DLA) policy.

8) Is Management / the Committee aware of any related party relationships or transactions that could give rise to instances of fraud? Please provide details.

* Use of suppliers connected with spouses / partners of CNPA employees is controlled by the staff register of interests policy and division of responsibility. Management is responsible for giving appropriate assurance to the ARC and Board that all policy development and financial transactions are subject to appropriate internal controls, while the interests of the Executive Directors are published and available for public scrutiny.
* How are the risks associated with fraud related to such relationships and transactions mitigated?
    * Awareness of these relationships throughout the organisation in accordance with Register of Interests policy.
    * Transparency and division of responsibility when preparing purchase requisitions.

9) Is Management / the Committee aware of any entries made in the accounting records of the organisation that it believes, or suspects are false or intentionally misleading? Please provide details.

* None known.
* Are there particular balances where fraud is more likely to occur? Please provide details.

The main areas of judgement are set out below.

* The provision of guarantees to landowners in respect of potential damage by beavers.

It is assessed that this matter does not provide for any greater likelihood of fraud.

* Is Management / the Committee aware of any assets, liabilities or transactions that it believes were improperly included or omitted from the accounts of the organisation? Please provide details.
    * None known.
* Could a false accounting entry escape detection? If so, how?
    * Would require collaboration involving senior members of the Finance team.
* Are there any external fraud risk factors which are high risk of fraud? Please provide details.
    * The greatest external risks arise from the potential for breach of cyber security.
    * IT team keep up to date on ongoing risks to IT systems through daily reports from Cyber Scotland.
    * Cybersecurity Plus accreditation is under renewal.
    * Staff are reminded regularly of the need for care over the threats from activity such as phishing.

10) Is Management / the Committee aware of any organisational, or management pressure to meet financial or operating targets? Please provide details.

* The objective, to make best use of available resources in any financial year and break-even, is well established. However, there is no evidence to suggest that organisational scrutiny of this objective, nor management's actions to deliver this objective, translates into anything other than appropriate motivation and encouragement within the staff group.
* DLA policy, system of requisitions and review of management information all provide mitigation.
* Is Management / the Committee aware of any inappropriate organisational or management pressure being applied, or incentives offered, to you or colleagues to meet financial or operating targets? Please provide details.
    * None known.

Laws and regulations

11) How does Management / the Committee gain assurance that all relevant laws and regulations have been complied with? For example:

* Is Management / the Committee aware of the process management has in place for identifying and responding to changes in laws and regulations? Please provide details.
* What arrangements are in place for Management / the Committee to oversee this process?
* Is Management / the Committee aware of the arrangements management have in place, for communicating with employees, non-executive directors, partners and stakeholders regarding the relevant laws and regulations that need to be followed? Please provide details.
    * Senior management, external and internal auditors all provide information where appropriate to the role of the ARC or one of the Board’s other committees.
    * Senior managers are themselves responsible for their oversight of their areas and the evolving law and regulations that may impact on those areas. Management receives tailored monthly updates from our outsourced legal advisors on changes in law and regulations which may impact the Park Authority.
* Does Management / the Committee have knowledge of actual or suspected instances where appropriate laws and regulations have not been complied with, and if so, is it aware of what actions management is taking to address it? Please provide details.
    * None known by either management or ARC.

Litigation and claims

12) Is Management / the Committee aware of any actual or potential litigation or claims that would affect the financial statements? Please provide details.

* None known by either management or ARC.

Going concern

13) How has Management / the Committee assessed and satisfied itself that it is appropriate to adopt the going concern basis in preparing the financial statements?

* All ARC members are members of the full board and are therefore fully aware of the Park Authority's operating position and future intentions of Scottish Ministers.
* Continued Grant-in-aid support from Scottish Government – ongoing discussion with Scottish Government suggests positive relationship and funding to be continued.
* Project funding – £10.8m award made by National Lottery Heritage Fund (NLHF) in December 2023 for the Cairngorms 2030 (C2030) programme. Regular updates are provided to SMT and to the Board and its committees on the progress of C2030 delivery and of claims made to NLHF.

14) Has Management / the Committee identified any events or conditions since the assessment was undertaken which may cast significant doubt on the organisation’s ability to continue as a going concern? Please provide details.

* None known by Committee or management – ongoing discussion with Scottish Government suggests positive relationship and funding to be continued.
* History of annual increases in funding provides evidence of strong relationship and the Park Authority's ability to deliver on Scottish Government objectives.