Audit and Risk Committee meeting - Paper 4: Draft Audit and Risk Committee annual report - 14 November 2025

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh Audit and Risk Com­mit­tee Paper 4 14 Novem­ber 2025 Page 1 of 7

For decision

Title: Draft Audit and Risk Com­mit­tee annu­al report

Pre­pared by: Dav­id Camer­on, Deputy CEO

Pur­pose

To present the draft Audit & Risk Com­mit­tee Report for con­sid­er­a­tion pri­or to sub­mis­sion to the Board.

Recom­mend­a­tion

The Audit & Risk Com­mit­tee is reques­ted to:

α) Con­sider the report and; b) Agree any amend­ments to it pri­or to cir­cu­la­tion to the Board.

Back­ground

1. The Audit & Risk Com­mit­tee is required to report to the full Board on its activ­it­ies over the year, and on the reports presen­ted to the Com­mit­tee by the Authority’s intern­al and extern­al auditors.

2. This Annu­al Report is presen­ted on behalf of the Audit & Risk Com­mit­tee to cov­er the peri­od of its oper­a­tions from Septem­ber 2024 to Septem­ber 2025.

Over­view

1. The peri­od of this Annu­al Report cov­ers con­sid­er­a­tion of final accounts for ²⁰²³⁄₂₄. The accounts were sub­mit­ted to the Committee’s meet­ing of 27 Septem­ber 2024 in line with the agreed extern­al audit timetable for accounts to be final­ised and approved for sig­na­ture and sub­mis­sion to the Aud­it­or Gen­er­al for Scot­land at this meeting.

2. The Com­mit­tee has also over­seen the con­duct of the extern­al audit of the ²⁰²⁴⁄₂₅ annu­al report and accounts dur­ing this peri­od, with the draft accounts for this

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh Audit and Risk Com­mit­tee Paper 4 14 Novem­ber 2025 Page 2 of 7

fin­an­cial year sub­mit­ted to the committee’s meet­ing of Septem­ber 2025 in line with the agreed timetable for the ²⁴⁄₂₅ audit.

1. Maz­ars remain appoin­ted through Audit Scot­land as extern­al aud­it­ors to the Park Authority.

2. Dur­ing the report­ing peri­od, the Com­mit­tee was sup­por­ted by Azets in the pro­vi­sion of intern­al audit ser­vices, with wbg aud­it­ors assum­ing this role from April 2025. There was a peri­od of over­lap between Azets and wbg dur­ing which the Com­mit­tee main­tained over­sight of the work of both intern­al audit pro­viders. The Com­mit­tee has agreed an intern­al audit plan for ²⁰²⁵⁄₂₆ which will be delivered by wbg. How­ever, the tim­ing of the intern­al audit work is over the second half of the year and there­fore no intern­al audit reports on spe­cif­ic areas of audit have been sub­mit­ted to the Com­mit­tee between April and Septem­ber 2025.

3. The Com­mit­tee has con­tin­ued to work to the terms of ref­er­ence approved by the Board over the dur­a­tion of this report­ing period.

4. The Com­mit­tee met four times over the peri­od covered by this report. All meet­ings were held as sched­uled and were quorate.

Key Activ­it­ies

1. In addi­tion to man­age­ment reports from the Authority’s Intern­al and Extern­al Aud­it­ors, con­sidered in fur­ther detail below, the Com­mit­tee con­sidered the fol­low­ing issues dur­ing the course of the year: α) Risk man­age­ment: the Audit & Risk Com­mit­tee has con­tin­ued to take a stra­tegic over­sight of the Authority’s risk man­age­ment strategy and reg­u­larly con­sidered the stra­tegic risk register. The Com­mit­tee has sup­por­ted the full review of the stra­tegic risk register to ensure the Park Authority’s stra­tegic risk man­age­ment remains sup­port­ive of deliv­ery of the Cor­por­ate Plan span­ning 2023 to 2027. b) Detailed Risk Ana­lys­is: the Com­mit­tee has con­tin­ued the prac­tice in the year of con­sid­er­ing more in-depth ana­lys­is of key risks from seni­or man­age­ment. This prac­tice provides an oppor­tun­ity to explore key or increas­ing strategic

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh Audit and Risk Com­mit­tee Paper 4 14 Novem­ber 2025 Page 3 of 7

risks in more detail and eval­u­ate the adequacy of mit­ig­a­tion actions. The Com­mit­tee has con­sidered detailed ana­lys­is of the risks asso­ci­ated with the Cairngorms 2030 pro­gramme as it moved into its Deliv­ery Phase. c) Account­ing Policy and Estim­ates: the Com­mit­tee reviews and agrees account­ing policies and con­siders any sig­ni­fic­ant estim­ates required in the final­isa­tion of the annu­al accounts as part of its con­sid­er­a­tion of final accounts pri­or to their sig­na­ture by the Account­able Officer. There were no sig­ni­fic­ant vari­ations to account­ing policy required in either year covered by this report, nor were any estim­ates causes of con­cern. d) Gov­ernance State­ment: review and approv­al of this state­ment, pri­or to its inclu­sion in the annu­al accounts and pri­or to sig­na­ture by the Account­able Officer. e) Updates on pro­gress in imple­ment­ing pre­vi­ous audit recom­mend­a­tions: the Com­mit­tee has main­tained a twice-yearly audit review of action taken on pre­vi­ous audit recom­mend­a­tions, sup­ple­men­ted from time to time by man­age­ment reports. f) Con­sid­er­a­tion and agree­ment of for­ward audit activ­ity plans: the Com­mit­tee has agreed a for­ward plan of intern­al audit activ­ity and has mon­itored pro­gress in suc­cess­ful deliv­ery of the intern­al audit plan for ²⁰²⁴⁄₂₅. A plan for intern­al audit work has been agreed for ²⁰²⁵⁄₂₆. g) Let­ter of rep­res­ent­a­tion: the Com­mit­tee con­sidered the draft let­ter of rep­res­ent­a­tion from the Author­ity to Maz­ars, the extern­al aud­it­or, pri­or to its sig­na­ture by the Account­able Officer as an appro­pri­ate reflec­tion of the Authority’s pos­i­tion for pre­par­a­tion of the accounts for ²⁰²⁴⁄₂₅ and con­duct of the Authority’s fin­an­cial and wider con­trol pro­ced­ures over the course of the year. The Com­mit­tee has also reviewed the under­pin­ning detail set out in assur­ances to the extern­al aud­it­or relat­ing to pre­vent­ing fraud in the annu­al accounts, com­pli­ance with laws and reg­u­la­tions, lit­ig­a­tion and claims, and going con­cern. h) Pro­cure­ment: the Com­mit­tee received an intern­al audit report in June 2024 set­ting out sig­ni­fic­ant weak­nesses in the Park Authority’s intern­al con­trols over its pro­cure­ment activ­it­ies. The Com­mit­tee agreed an action plan includ­ing urgent actions to resolve the key issues. The Chair and Vice Chair of the Com­mit­tee mon­itored deliv­ery of that action plan monthly ini­tially, with the full Com­mit­tee receiv­ing updates at its meet­ing. The appoint­ment of a Pro­cure­ment Officer in 2024 rep­res­en­ted a key step in tak­ing for­ward priority

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh Audit and Risk Com­mit­tee Paper 4 14 Novem­ber 2025 Page 4 of 7

i) actions, and a pro­cure­ment action place has now been mostly com­pleted. The Com­mit­tee also con­sidered the les­sons learned on pro­cure­ment at their meet­ing of Septem­ber 2025. j) The Com­mit­tee reviewed updates on inform­a­tion requests and com­plaints, ensur­ing appro­pri­ate over­sight and con­sid­er­a­tion of mat­ters presented.

Intern­al Audit

1. The Com­mit­tee agree an annu­al intern­al audit work pro­gramme presen­ted by the intern­al auditor.

Table One: Sum­mary of Intern­al Audit Findings

Intern­al Audit Study	Num­ber of Recommendations
	Very High Risk	High Risk	Mod­er­ate Risk	Lim­ited Risk
2011⁄12 Total (7 studies)	0	3	14	9
2012⁄13 Total (4 studies)	0	0	0	10
2013⁄14 Total (7 studies)	0	1	9	11
2014⁄15 Total (4 studies)	0	0	5	13
2015⁄16 Total (9 studies)	0	0	9	10
2016⁄17 Total (8 studies)	n/​a	10	11	11
2017⁄18 Total (3 studies)	n/​a	0	3	7
2018⁄19 Total (9 studies)	n/​a	1	6	10
2019⁄21 Total (9 studies)	0	5	16	21
2021⁄22 Total (5 studies)	0	4	10	2
2022⁄23 Total (6 studies)	2	9	11	5
2023⁄24 Total (3 stud­ies + 2 advisory)	4	7	8	0
2023⁄24 Total	4	7	8	0

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh Audit and Risk Com­mit­tee Paper 4 14 Novem­ber 2025 Page 5 of 7

The 2024⁄25 stud­ies were:
	Very High	High	Mod­er­ate	Lim­ited
Cairngorms 2030 (1 advisory)
Oper­a­tion­al and fin­an­cial plan­ning (1 advisory)	0	0	4	0
Recruit­ment	0	0	2	1
Total for period	10	0	6	1

Extern­al Audit

1. The com­ple­tion of the extern­al audit for the ²⁰²³⁄₂₄ accounts was delayed into Novem­ber / Decem­ber 2024 while the audit team com­pleted final checks and review pro­cesses. The accounts were laid in Par­lia­ment pri­or to the stat­utory date of 31 December.

2. Work on the ²⁰²⁴⁄₂₅ extern­al audit was still under­way at the point of the Committee’s con­sid­er­a­tion of the draft accounts in Septem­ber 2025. The Park Authority’s account­ing treat­ment of the fin­an­cing and expendit­ure related to the Cairngorms 2030 (C2030) Pro­gramme has required an in-depth tech­nic­al eval­u­ation and this has caused some delay in final­isa­tion of accounts present­a­tion and the sub­sequent com­ple­tion of audit work. The accounts for ²⁰²⁴⁄₂₅ are now sched­uled to be presen­ted and final­ised at the Committee’s Novem­ber meet­ing and sub­sequently presen­ted to the board at the end of November.

Stra­tegic Risk Management

1. The Authority’s stra­tegic risk register has been fully revised over the course of the year, with over­sight and input to this pro­cess from the Com­mit­tee, to ensure the Park Authority’s approach to stra­tegic risk man­age­ment con­tin­ues to sup­port effect­ive deliv­ery of the Cor­por­ate Plan span­ning 2023 to 2027. The Park Authority’s stra­tegic risk man­age­ment approach now incor­por­ates and is led by the Board’s stra­tegic risk appet­ite. The Audit & Risk Com­mit­tee has con­tin­ued to review the cov­er­age and adequacy of the stra­tegic risk register in those quar­ters where it is not presen­ted to the full Board.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh Audit and Risk Com­mit­tee Paper 4 14 Novem­ber 2025 Page 6 of 7

1. The Com­mit­tee has incor­por­ated assur­ance over risk man­age­ment of the Cairngorms 2030 Pro­gramme as a stand­ing ele­ment of its agenda, ensur­ing any stra­tegic risk implic­a­tions to the Park Author­ity as a whole arising from its lead­er­ship of this sig­ni­fic­ant pro­gramme of work are recog­nised and incor­por­ated in our risk man­age­ment framework.

Con­clu­sions

1. The Audit & Risk Com­mit­tee con­siders that it has been suc­cess­ful in pro­gress­ing the Board’s gov­ernance and intern­al con­trol pri­or­it­ies dur­ing the peri­od covered by this annu­al report.

2. The Com­mit­tee wel­comes the work of the Authority’s Fin­ance team in once again main­tain­ing a high qual­ity and pro­fes­sion­al fin­an­cial account­ing ser­vice. The Com­mit­tee also recog­nises the valu­able work of the wider Cor­por­ate Ser­vices team in sup­port­ing a rap­idly expand­ing range of activ­it­ies and deliv­ery by the Park Author­ity and in help­ing achieve the organisation’s stra­tegic objectives.

3. The Com­mit­tee has engaged through the year with issues iden­ti­fied by the Authority’s intern­al and extern­al aud­it­ors, and also by the Authority’s officers. The Com­mit­tee has received full reports on issues raised; con­sidered recom­mend­a­tions made; and approved responses and actions. The Com­mit­tee has shaped and approved the over­all audit plan and guided the dir­ec­tion and approach of the intern­al aud­it­ors and their pro­gramme of work. The Com­mit­tee has also mon­itored deliv­ery against approved action plans.

4. Both the intern­al and extern­al aud­it­ors’ find­ings provide assur­ance to the Com­mit­tee and Board that the Authority’s intern­al con­trol and gov­ernance object­ives are being met effect­ively by management.

5. The Com­mit­tee con­tin­ues to recog­nise the con­tin­ued expan­sion and evol­u­tion of the cov­er­age of the Park Authority’s range of activ­it­ies has pushed the risk pro­file of recom­mend­a­tions high­er over the course of the last report­ing peri­ods. It is accep­ted that there will always be a range of improve­ments than can be made to ser­vices and

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh Audit and Risk Com­mit­tee Paper 4 14 Novem­ber 2025 Page 7 of 7

con­trols; that these con­trols must con­tin­ue to adapt to chan­ging oper­at­ing and stra­tegic envir­on­ments; and as such a num­ber of recom­mend­a­tions for improve­ment from intern­al audit will always be expec­ted. The Com­mit­tee warmly wel­comes the evid­ence of atten­tion to intern­al con­trol sys­tems by man­age­ment and gen­er­ally effect­ive con­trol sys­tems evid­enced by the annu­al intern­al audit reports. The Com­mit­tee expects the risk pro­file of recom­mend­a­tions to fall back toward more usu­al levels in com­ing years as new ser­vice areas and recom­mend­a­tions for action become bet­ter embedded.

1. The Com­mit­tee will con­tin­ue to address key, basic issues of intern­al con­trol and the devel­op­ment of appro­pri­ate pro­cesses with­in the Author­ity. The evid­ence of the urgent atten­tion giv­en to high-risk recom­mend­a­tions arising from the pro­cure­ment audit gives the Com­mit­tee reas­sur­ance that where con­trol gaps are iden­ti­fied these mat­ters are pri­or­it­ised through alloc­a­tion of time and, where neces­sary, fin­an­cial resources.

2. The Com­mit­tee will also con­tin­ue to have over­sight of the Authority’s approach to and hand­ling of risk man­age­ment, and of wider aspects of cor­por­ate gov­ernance such as the approach to Best Value and value for money. In par­tic­u­lar, mem­bers will seek to ensure that les­sons are learned from oper­a­tion­al exper­i­ence and that wherever pos­sible reviews of work­ing prac­tices and learn­ing from them lead to improve­ments in our systems.

Mari­ann Pita, Dav­id Camer­on, for Audit & Risk Com­mit­tee mem­bers 3 Novem­ber 2025 mariaanpita@​cairngorms.​co.​uk davidcameron@​cairngorms.​co.​uk