Audit and Risk Committee draft minutes - 20 June 2025

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 1 of 14

Draft minutes of the Audit and Risk Com­mit­tee meet­ing Held at Cairngorms Nation­al Park Author­ity office, Grant­own-on-Spey Online 20 June 2025 at 10.00am

Present online Fiona McLean (Chair) Peter Cos­grove (Deputy Chair) Bill Lob­ban Geva Black­ett Paul Gibb Duncan Miller

In attend­ance Grant Moir, Chief Exec­ut­ive Officer Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions Kath­rine Mal­in-August, Fin­an­cial Account­ant Eliza­beth Young, Azets Gra­ham Gilespie, wbg Peter Clark, wbg Tom Reid, Maz­ars Alix Hark­ness, Clerk to the Board

Apo­lo­gies Dav­id Camer­on, Deputy Chief Exec­ut­ive Officer and Dir­ect­or of Cor­por­ate Ser­vices Paul Dav­is­on, Inform­a­tion Manager

Wel­come and introduction

1. Fiona McLean, Chair of the Audit and Risk Com­mit­tee, wel­comed every­one to the meet­ing. Apo­lo­gies were noted.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 2 of 14

Approv­al of minutes of pre­vi­ous meetings

1. The draft minutes of the pre­vi­ous Audit and Risk Com­mit­tee meet­ing held on 21 March 2025 were approved with no amendments.

Mat­ters arising not covered elsewhere

1. There were no mat­ters arising.

   Ref	Action Detail	Who	When	Status
   21/06/24	At para 341 Les­sons learned brief­ing for the com­mit­tee for the next meeting	Dav­id	Will come to meet­ing in June/​Sept depend­ing on staff time available	Open
   21/06/24	At para 34m Chair and Deputy Chair to receive monthly updates of pro­gress against the action plan	Dav­id and Louise	Monthly updates have been issued since June meeting	In Pro­gress
   27/09/24	At para 20i iv. Update on intern­al audit view on fin­an­cial scen­ario plan­ning to be provided to the Audit and Risk Committee	Dav­id and Stephanie	At the end of the 24⁄25 fin­an­cial year.	Ongo­ing
   08/11/24	At para 26b i. Inform­a­tion man­ager to provide Com­mit­tee mem­bers with the num­ber of requestees for FOISA.	Paul	20 June 2025 meeting	Open Paper today
   21/03/25	At para 28 i. Stat­ist­ic­al ana­lys­is to be brought back to the Committee	Louise		Out­stand­ing

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 3 of 14

| | show­ing of the con­tracts awar­ded how many com­pan­ies were based in the Cairngorms Nation­al Park, how many around and how many out with over the course of one year. | | | | | | ii. Head of Fin­ance and Cor­por­ate Oper­a­tions to dif­fer­en­ti­ate between con­flict and declar­a­tion of interest on page 6 of the Pro­cure­ment Action Plan. | Louise | | | |21/03/25| At Para 33 iii. Paper detail­ing the pri­or­ity of key risk areas to include a timetable of future reports on the strands to be brought to the next meet­ing. | David | | |

Declar­a­tions of interest

1. There were no declar­a­tions of interest.

Paul Gibb arrived at the meet­ing at 10.10am

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 4 of 14

Intern­al Audit Plan ²⁰²⁴⁄₂₅: Recruit­ment (Paper 1)

1. Eliza­beth Young, Part­ner, Azets presen­ted the paper, which presents the intern­al audit review car­ried out by Azets of the Park Authority’s recruit­ment and onboard­ing pro­cess. The review con­sidered the recruit­ment pro­cesses in place, includ­ing the approv­al pro­cess for posts pri­or to advert­ise­ment through to the onboard­ing pro­cess for staff.
2. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and obser­va­tions: a) Head of Fin­ance and Oper­a­tions com­men­ted that the issue iden­ti­fied around doc­u­ment man­age­ment because of the inter­ac­tion of the People portal and Share­Point to man­age doc­u­ments, is sim­il­ar to the situ­ation with the new Fin­ance sys­tem, which also works from the same Access plat­form. There is a need to estab­lish the rel­at­ive pri­or­ity of these sys­tems. She will dis­cuss the appro­pri­ate approach to be taken with the Inform­a­tion Man­ager. b) Com­ment made on the need to have a trans­par­ent way that doc­u­ments seni­or man­age­ment have approved all recruit­ment, espe­cially giv­en the recent guidelines around pub­lic sec­tor spend­ing released 19 June 2025. CEO advised that there had not been a single post recruited over the past 10 years that had not been approved by him, and he provided the reas­sur­ance that no new post would be in the future. The issue was ensur­ing a paper trail for each post to show this had happened. c) Head of Fin­ance and Oper­a­tions made the Com­mit­tee aware that Scot­tish Gov­ern­ment have been request­ing a monthly fore­cast of head­count, with jus­ti­fic­a­tion for any addi­tion­al posts, demon­strat­ing that extern­al scru­tiny has already star­ted. d) The Chair thanked Stephanie and team for the reas­sur­ance and work provided on this.
3. The Audit and Risk Com­mit­tee noted the paper and agreed to the recom­mend­a­tions: a) Con­sider the intern­al aud­it­ors report and find­ings. b) Endorse the man­age­ment responses to recom­mend­a­tions for future action and improvements.
4. Action Points Arising: None.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 5 of 14

Intern­al Audit Annu­al Report ²⁰²⁴⁄₂₅ (Paper 2)

1. Eliza­beth Young, Chief Intern­al Aud­it­or, Azets presen­ted the paper, which sum­mar­ises the con­clu­sions and key find­ings from the intern­al audit work under­taken at Cairngorms Nation­al Park Author­ity dur­ing the year ended 31 March 2025, includ­ing the Intern­al Auditor’s over­all opin­ion on Cairngorms Nation­al Park Authority’s intern­al con­trol system.
2. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and obser­va­tions: a) Head of Fin­ance and Cor­por­ate Oper­a­tions com­men­ted that it was a great pos­i­tion to be in, and that it had been a very pos­it­ive exper­i­ence work­ing with Azets; she thanked them for the sup­port­ive, advice and guid­ance provided over the years The Chair echoed those com­ments and par­tic­u­larly thanked Stephanie and Eliza­beth. b) The Chair noted that good pro­gress been made on out­stand­ing recom­mends, and felt reas­sured that Azets felt that this was the case.
3. The Audit and Risk Com­mit­tee noted the paper and agreed to the recom­mend­a­tions: a) Con­sider the Intern­al Auditor’s annu­al report for 2024 – 25. b) Note the Intern­al Audit annu­al opin­ion as set out in page 4 of the report and endorse the inclu­sion of that opin­ion with­in the Gov­ernance State­ment for 2024 – 25.
4. Action Points Arising: None. Intern­al audit plan (Paper 3)
5. Gra­ham Gillespie and Peter Clark, wbg, presen­ted the paper, which set out a pro­posed intern­al audit plan for 2025 – 26 (and future years) pre­pared by wbg.
6. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and obser­va­tions: a) Head of Fin­ance and Oper­a­tions repor­ted that they had had a very pos­it­ive first meet­ing with wbg and the key theme of dis­cus­sions had been how best to provide assur­ance while achiev­ing best value for money. As an example,

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 6 of 14

she explained that wbg had been pre­pared to take a prag­mat­ic approach to the review of cyber secur­ity and that this would help the IT team as well as provid­ing the Com­mit­tee with the assur­ance they need. b) The Chair praised the assur­ance map and com­men­ted that she had found it help­ful. c) The Chair raised her con­cerns around the time­tabling, with no report until March 2026 when there would be five reports presen­ted and then the final report for the year in June, which seemed very late in the year. Peter Clark, wbg advised this pro­gramme had been developed around team avail­ab­il­ity, but that he would be happy to review the situ­ation to achieve a more even spread of the work. The Chair sug­ges­ted that even if only one of the reports could be brought for­ward, that would be help­ful. It was agreed that wbg would dis­cuss and agree this with management.

1. The Audit and Risk Com­mit­tee noted the paper and agreed the two recom­mend­a­tions: a) Con­sider the auditor’s pro­pos­al b) Assess the plan for 2025 – 26 and con­sider wheth­er the focus of work meets the Park Authority’s need for assurance.
2. Action Points Arising: i. Wbg to review the time­tabling of work and to dis­cuss and agree with Man­age­ment a more even spread of reporting.

Extern­al audit update (Paper 4)

1. Tom Reid, Maz­ars presen­ted the paper, which sets out the audit of the annu­al report and accounts for 2024 – 25 pre­pared by Mazars.
2. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and obser­va­tions: a) The Chair noted that the timeline had changed, with field­work com­men­cing one month later than planned; she sought reas­sur­ance that it was going to be com­pleted on time. Head of Fin­ance and Oper­a­tions advised that the delay had been down to team capa­city. She explained that the earli­er date would have been impossible giv­en the ill health of the Fin­ance Man­ager and the

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 7 of 14

delay in the new Fin­an­cial Account­ant start­ing, due to her hav­ing to work a three month notice period.

1. The Audit and Risk Com­mit­tee con­sidered the auditor’s report and pro­gress to date.
2. Action Points Arising: None. Stra­tegic risk registers (Paper 5)
3. Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions presen­ted the paper, which sup­ports a review by the Com­mit­tee of the Park Authority’s stra­tegic risk man­age­ment position.
4. Grant Moir, CEO repor­ted that the fund­ing for trans­port pro­jects was cur­rently going through the account­able officer pro­cess. Any expendit­ure over a cer­tain value has to go through vari­ous approvals with­in Scot­tish Gov­ern­ment. Trans­port Scot­land have announced the money for the build phases that they’re doing this year and we are now wait­ing for the fund­ing announce­ments for design pro­jects. A decision is likely to be made towards the end of July and if we still have not received any update on the fund­ing at that point, then it’s prob­ably get­ting too late in the year to do the work that we are look­ing to take for­ward on some of these schemes. He provided reas­sur­ance that there was a plan B. He reit­er­ated that the end of July would be the pinch point for this.
5. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and obser­va­tions: a) The Chair asked for reas­sur­ance that the Nation­al Lot­tery Her­it­age Fund (NLHF) were flex­ible in response to this. CEO advised that if there is to be a sig­ni­fic­ant change the Park Author­ity would need to make a form­al change request to NLHF. b) Pub­lic sec­tor reform strategy (PSR) – a sug­ges­tion was made to update risk 1 to incor­por­ate the implic­a­tions of the PSR strategy. CEO agreed to add that in. c) A mem­ber sug­ges­ted that before the Scot­tish Gov­ern­ment under­go a review of pub­lic sec­tor bod­ies such as the Park Author­ity, it would be good to doc­u­ment shared ser­vices with Loch Lomond and Trossachs Nation­al Park.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 8 of 14

d) CEO advised that cost sav­ings will be required of all pub­lic bod­ies. He noted that, as we come to the end of the Cairngorms 2030 pro­ject the Authority’s head­count will reduce. Addi­tion­al sav­ings will be avail­able from effi­cien­cies such as those achieved from the new web­site build, which means that we no longer have to use the Com­mon Place plat­form, and that will reduce spend by £10k per year. He added that there was not enough detail yet to know pre­cisely what the PSR strategy will mean for us.

1. The Audit and Risk Com­mit­tee noted the paper and agreed to the recom­mend­a­tions: a) Con­sider the cov­er­age and adequacy of the Park Authority’s stra­tegic risk man­age­ment pos­i­tion and advise on any gaps or amend­ments required to the cur­rent stra­tegic risk register. b) Con­sider the cov­er­age and adequacy of the Cairngorms 2030 pro­gramme risk man­age­ment pos­i­tion and advise on any gaps or amend­ments required to the cur­rent pro­gramme risk register.
2. Action Points Arising: i. Risk One to be amended to include detail which con­siders and reflects the risks with­in the Pub­lic Reform Strategy that was pub­lished the day before the meeting.

Inform­a­tion requests and com­plaints update (Paper 6)

1. Louise Allen presen­ted the paper, which provides an update on the num­ber of inform­a­tion requests, and key per­form­ance meas­ures in meet­ing them, under Free­dom of Inform­a­tion (Scot­land) Act (FOISA)/ Envir­on­ment­al Inform­a­tion (Scot­land) Reg­u­la­tions (EIR) and Data pro­tec­tion arrange­ments, provid­ing an update for the full fin­an­cial year ²⁴⁄₂₅. The paper also describes num­bers and out­comes of form­al com­plaints to the Cairngorms Nation­al Park Authority.
2. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and obser­va­tions: a) The Chair thanked the Inform­a­tion Man­ager for the pro­gress being made; she noted that 100% of requests had been dealt with with­in the times­cales and praised this achievement.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 9 of 14

b) CEO advised that sig­ni­fic­ant staff resource is needed to deal with FOI requests. He expressed the view that the Park Author­ity might con­sider increas­ing the amount of inform­a­tion pub­lished routinely so that the pub­lic can find what they need without mak­ing a form­al request. He acknow­ledged, how­ever, that we should avoid cre­at­ing more work for ourselves, and noted that the key is to find a bal­ance between routine pub­lic­a­tion and FOI requests. c) The Chair asked if the time spent by staff could be cap­tured. CEO agreed to look into that and provide rough fig­ures. d) Mem­ber com­men­ted that it was inter­est­ing to see the num­ber of requesters and the areas of the organ­isa­tion involved in provid­ing the inform­a­tion reques­ted. He asked if it would be pos­sible to have a sum­mary break­down that included more detail on the inform­a­tion reques­ted, so that any emer­ging themes could be iden­ti­fied. CEO agreed to see what could be pulled out for the next update.

1. The Audit and Risk Com­mit­tee noted the paper and agreed to the recom­mend­a­tions: a) Note activ­ity in this area and Park Author­ity per­form­ance b) Com­ment on breadth and depth of report­ing for future updates
2. Action Points Arising: i. Estim­ated time spent by staff on each inform­a­tion request to be cap­tured and included in the next report. ii. Each request to include enough detail to help identi­fy emer­ging themes.

Pro­cure­ment action plan (Paper 7)

1. Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions presen­ted the paper, which presents an action plan towards improve­ment of the Park Authority’s pro­cure­ment pro­cesses, pro­ced­ures and intern­al con­trols. The action plan had been developed in response to the Intern­al Audit review of pro­cure­ment car­ried out by Azets as part of the approved 2023 – 24 audit programme.
2. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ment and obser­va­tion: a) The Chair thanked the Head of Fin­ance and Cor­por­ate Oper­a­tions and the Pro­cure­ment officer for all their hard work get­ting to that point.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 10 of 14

1. The Audit and Risk Com­mit­tee noted the paper and agreed to the recom­mend­a­tions: a) Reviewed pro­gress made against each activ­ity in the pro­gramme for improve­ment developed by man­age­ment. b) Agreed they were con­tent to pass ongo­ing mon­it­or­ing back to the seni­or team.
2. Action Points Arising: None. Update on out­stand­ing intern­al audit recom­mend­a­tions (Paper 8)
3. Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions presen­ted the paper, which set out an update on actions under­way to address out­stand­ing intern­al audit recom­mend­a­tions on con­trols relat­ing to inform­a­tion tech­no­logy, cyber secur­ity and inform­a­tion man­age­ment. The paper pro­poses revised, updated actions for adop­tion by the Com­mit­tee in place of the exist­ing recom­mend­a­tions, which in some cases are out­dated fol­low­ing sig­ni­fic­ant action by the Park Authority’s teams work­ing in this area.
4. The Audit and Risk Com­mit­tee Chair invited Stephanie Humes’ (Azets) views on management’s approach to this. She made the fol­low­ing points: a) The pre­vi­ous recom­mend­a­tions included those focused on the improve­ment of pro­ced­ures for the man­age­ment of cyber­se­cur­ity, which may now have been super­seded by cyber essen­tials plus, but it would be help­ful to be clear to the Com­mit­tee on how the ori­gin­al recom­mend­a­tions are being addressed. b) The ori­gin­al recom­mend­a­tion for the devel­op­ment of a busi­ness con­tinu­ity plan (BCP), include advice that the BCP should include test­ing sched­ules; the com­mit­tee should seek assur­ance that the BCP developed is prop­erly tested.
5. The Audit and Risk Com­mit­tee Chair thanked Stepan­ie Hume, Azets and said those points would be noted.
6. The Audit and Risk Com­mit­tee noted the paper and: a) Agreed the six pri­or intern­al audit recom­mend­a­tions set out are super­seded. b) Agreed the adop­tion of the three actions set out as replace­ment actions required to imple­ment an appro­pri­ate over­arch­ing con­trol envir­on­ment for the Park Authority’s IT and data man­age­ment operations.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 11 of 14

c) Agreed to receive updates on pro­gress against these actions as part of updates on action in imple­ment­ing audit recom­mend­a­tions. d) Agreed the scope of any intern­al audit work in these areas over the next 12 months should reflect the status of the cur­rent evol­u­tion of the Park Authority’s oper­at­ing envir­on­ment for IT and data services.

1. Action Points Arising: None.

AOCB

1. None

Date of Next Meeting

1. The date of the next meet­ing is 12 Septem­ber 2025, online.
2. The meet­ing con­cluded at 11.00

   Ref	Action Detail	Who	When	Status
   21/06/24	At para 341 Les­sons learned brief­ing for the com­mit­tee for the next meeting	Dav­id	Will come to meet­ing in June/​Sept depend­ing on staff time available	Open To come to Sept meeting
   21/06/24	At para 34m Chair and Deputy Chair to receive monthly updates of pro­gress against the action plan	Dav­id and Louise	Monthly updates have been issued since June meeting	Closed
   27/09/24	At para 20i V. Update on intern­al audit view on fin­an­cial scen­ario plan­ning to be provided to the Audit and Risk Committee	Dav­id and Stephanie	At the end of the 24⁄25 fin­an­cial year.	Ongo­ing Man­age­ment to report back to Com­mit­tee to give assurance

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 12 of 14

| 08/11/24 | At para 26b ii. Inform­a­tion man­ager to provide Com­mit­tee mem­bers with the num­ber of requestees for FOISA. | Paul | 20 June 2025 meet­ing | Closed (on today’s agenda) | | 21/03/25 | At para 28 i. Stat­ist­ic­al ana­lys­is to be brought back to the Com­mit­tee show­ing of the con­tracts awar­ded how many com­pan­ies were based in the Cairngorms Nation­al Park, how many around and how many out with over the course of one year. | Louise | | Out­stand­ing | | | ii. Head of Fin­ance and Cor­por­ate Oper­a­tions to dif­fer­en­ti­ate between con­flict and declar­a­tion of interest on page 6 of the Pro­cure­ment Action Plan. |Louise | |In Hand Louise will run new word­ing past Pete Cos­grove | | 21/03/25 | At Para 33 iii. Paper detail­ing the pri­or­ity of key risk | Dav­id | | Closed (on today’s agenda) |

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 13 of 14

From today’s meet­ing | 20/06/25 | At Para 16 i. Wbg to dis­cuss and agree with Man­age­ment to review the time­tabling of the reports to provide more of an even spread. | Peter Clark, Gra­ham Gillespie, Louise, Dav­id | Septem­ber meet­ing | | | 20/06/25 | At Para 25 i. Risk One to be amended to include detail which con­siders and reflects the risks posed with­in the Pub­lic Reform Strategy that was pub­lished the day before the meet­ing. | Dav­id | By the next meet­ing | | | 20/06/25 | At Para 29 i. Estim­ated time spent by staff on each inform­a­tion request to be cap­tured and | Paul | For the next update to Com­mit­tee Nov meeting | |

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Page 14 of 14

| | included in the next report. | | | | | | ii. Each request to include a little bit of detail to help identi­fy emer­ging themes. | | | | | | i. | | | |