Skip to content
Please be aware the content below has been generated by an AI model from a source PDF.

Audit and Risk Committee Paper 1 Annex 2 - 2024-25 management response

Audit and Risk Com­mit­tee Paper 1 Annex 2 12 Septem­ber 2025 Page 1 of 7

Request for inform­a­tion from Man­age­ment and from Those Charged with Governance

Fraud

1) What are Management’s pro­cesses in rela­tion to, and how does the Com­mit­tee, in its role as those charged with gov­ernance, exer­cise over­sight of management’s pro­cesses in rela­tion to:

  • under­tak­ing an assess­ment of the risk that the fin­an­cial state­ments may be mater­i­ally mis­stated due to fraud or error (includ­ing the nature, extent and fre­quency of these assessments);
  • identi­fy­ing and respond­ing to risks of fraud in the organ­isa­tion, includ­ing any spe­cif­ic risks of fraud which man­age­ment have iden­ti­fied or that have been brought to its atten­tion, or classes of trans­ac­tions, account bal­ances, or dis­clos­ure for which a risk of fraud is likely to exist;
  • com­mu­nic­at­ing to employ­ees of views on busi­ness prac­tice and eth­ic­al beha­viour (for example by updat­ing, com­mu­nic­at­ing and mon­it­or­ing against the organisation’s code of con­duct); and
  • com­mu­nic­at­ing to those charged with gov­ernance the pro­cesses for identi­fy­ing and respond­ing to fraud or error?
    • Resources com­mit­tee reviews the man­age­ment accounts at every meet­ing and con­siders the res­ults shown in the fin­an­cial state­ments in the con­text of their know­ledge of events over the year.
    • Reli­ance is placed on the know­ledge, exper­i­ence, and integ­rity of seni­or man­age­ment and assur­ances provided by management.
    • Risk register is con­sidered at each meet­ing of the ARC.
    • Known incid­ents are repor­ted to the Seni­or Man­age­ment Team, to Scot­tish Gov­ern­ment and to the ARC.
    • Resources Com­mit­tee is respons­ible for board over­sight and scru­tiny of organ­isa­tion­al policies and com­pli­ance with those, while ARC sees intern­al audit reports on effect­ive­ness of these policies and the intern­al con­trol sys­tems that they implement.
    • ARC reviews and approves the gov­ernance statement.
    • ARC takes assur­ance from inde­pend­ent input from intern­al and extern­al auditors.
    • The terms of ref­er­ence for the board’s com­mit­tees makes clear escal­a­tion and com­mu­nic­a­tion mech­an­isms between com­mit­tees in the event of any mat­ters arising.

Audit and Risk Com­mit­tee Paper 1 Annex 2 12 Septem­ber 2025 Page 2 of 7

  • From May 2024, all Board mem­bers receive the papers provided for all com­mit­tee meet­ings, keep­ing them informed of mat­ters repor­ted by Management.
  • Train­ing is provided to Board mem­bers peri­od­ic­ally, to assist them in meet­ing their respons­ib­il­it­ies. A ses­sion was held on 19 April 2024. It was provided by the Intern­al Aud­it­ors and covered:
    • a) The role and respons­ib­il­it­ies of the Park Authority’s board with regard to risk man­age­ment and how ele­ments of these respons­ib­il­it­ies are dis­charged by and Audit and Risk Committee
    • b) Require­ments of the SPFM
    • c) Assur­ance map­ping and risk management
    • d) The scru­tiny and chal­lenge role of board members.
  • Train­ing on mem­bers’ respons­ib­il­it­ies under the Code of Con­duct was delivered by an exper­i­enced extern­al train­er in Feb­ru­ary 2025.

2) How does Man­age­ment / the Com­mit­tee over­see man­age­ment pro­cesses to identi­fy and respond to the risk of fraud and pos­sible breaches of intern­al con­trol? Is Man­age­ment / the Com­mit­tee aware of any breaches of intern­al con­trol dur­ing 202425? Please provide details.

  • Intern­al audit report­ing – annu­al pro­gramme agreed with ARC.
  • Recom­mend­a­tions from intern­al audit work are mon­itored by ARC from point of recom­mend­a­tions being raised until they have been implemented.
  • We are not aware of any mater­i­al breaches of intern­al con­trol dur­ing the year.
  • There have been vari­ous improve­ments made to pro­ced­ure over the course of the year (e.g. action taken to improve pro­cure­ment pro­cesses and procedures).

3) Has Man­age­ment / the Com­mit­tee know­ledge of any actu­al, sus­pec­ted or alleged fraud dur­ing the peri­od 1 April 202431 March 2025? Where appro­pri­ate please provide details.

  • None known.

4) Has Man­age­ment / the Com­mit­tee any sus­pi­cion that fraud may be occur­ring with­in the organ­isa­tion? Please provide details.

  • No sus­pi­cions
  • Has Man­age­ment / the Com­mit­tee iden­ti­fied any spe­cif­ic fraud risks with­in the organ­isa­tion? Please provide details.
    • None iden­ti­fied

Audit and Risk Com­mit­tee Paper 1 Annex 2 12 Septem­ber 2025 Page 3 of 7

  • Does Man­age­ment / the Com­mit­tee have any con­cerns that there are areas with­in the organ­isa­tion that are at risk of fraud? Please provide details.
    • No con­cerns
  • Are there par­tic­u­lar loc­a­tions with­in the organ­isa­tion where fraud is more likely to occur? Please provide details.
    • Cyber secur­ity risks and mit­ig­a­tions noted on risk register and dis­cussed at ARC.
    • The ARC accepts and agrees with the key risks high­lighted by the extern­al aud­it­ors in their audit plan.

5) Is Man­age­ment / the Com­mit­tee sat­is­fied that intern­al con­trols, includ­ing segreg­a­tion of duties, exist and work effect­ively? Please provide details.

  • Segreg­a­tion of duties is in place to the extent pos­sible with­in a small organisation.
  • Intern­al audit reports sub­stan­ti­ate con­trols and identi­fy improve­ments where required.
  • Reg­u­lar man­age­ment inform­a­tion is provided includ­ing any sig­ni­fic­ant exceptions.
  • Del­eg­ated Levels of Author­ity (DLA) policy.
  • If not, where are the risk areas?
    • None known.
  • What oth­er con­trols are in place to help pre­vent, deter or detect fraud?
    • All new employ­ees are sub­ject to full induc­tion and Disclosure.
    • Reg­u­lar repeat train­ing in rel­ev­ant con­trol areas.
    • IT team keep up to date on ongo­ing risks to IT sys­tems through daily reports from Cyber Scotland.
    • Cyber­se­cur­ity Plus accred­it­a­tion achieved dur­ing the year.
    • Pay­ments from the bank must be author­ised by two sig­nat­or­ies, using the bank’s secure pay­ment sys­tem (card read­er, card and PIN)

6) Is Man­age­ment / the Com­mit­tee sat­is­fied that staff are encour­aged to report their con­cerns about fraud, and the types of con­cerns they are expec­ted to report? Please provide details.

  • Reli­ance is placed on the know­ledge, exper­i­ence, and integ­rity of seni­or man­age­ment. Exper­i­ence has shown that staff report fraud where they have con­cerns – this led to detec­tion of the fraud repor­ted in 202223.
  • All staff are encour­aged to report any­thing, no mat­ter how minor, which looks out of the ordin­ary, and / or where due pro­cess has not been followed.

Audit and Risk Com­mit­tee Paper 1 Annex 2 12 Septem­ber 2025 Page 4 of 7

  • Segreg­a­tion of duties with­in the Fin­ance Team.
  • The Fin­ance team is charged with governance.

7) From a fraud and cor­rup­tion per­spect­ive, what are con­sidered by Man­age­ment / the Com­mit­tee to be high risk posts with­in the organ­isa­tion? Please provide details.

  • Mem­bers of Seni­or Man­age­ment Team are con­sidered to be high risk posts as these staff con­duct the major­ity of fin­an­cial approvals and all high value approvals, while also inter­act­ing with actu­al and poten­tial sup­pli­ers and grant recipients.
  • How are the risks relat­ing to these posts iden­ti­fied, assessed and managed?
    • All new employ­ees are sub­ject to Disclosure.
    • All seni­or man­agers are required to com­plete a staff register of interests. Divi­sion of respons­ib­il­ity in author­isa­tions is also a require­ment amongst this seni­or staff group. ARC takes assur­ance from the effect­ive oper­a­tion of these controls.
    • Del­eg­ated Levels of Author­ity (DLA) policy.

8) Is Man­age­ment / the Com­mit­tee aware of any related party rela­tion­ships or trans­ac­tions that could give rise to instances of fraud? Please provide details.

  • Use of sup­pli­ers con­nec­ted with spouses / part­ners of CNPA employ­ees is con­trolled by the staff register of interests policy and divi­sion of respons­ib­il­ity. Man­age­ment is respons­ible for giv­ing appro­pri­ate assur­ance to the ARC and Board that all policy devel­op­ment and fin­an­cial trans­ac­tions are sub­ject to appro­pri­ate intern­al con­trols, while the interests of the Exec­ut­ive Dir­ect­ors are pub­lished and avail­able for pub­lic scrutiny.
  • How are the risks asso­ci­ated with fraud related to such rela­tion­ships and trans­ac­tions mitigated?
    • Aware­ness of these rela­tion­ships through­out the organ­isa­tion in accord­ance with Register of Interests policy.
    • Trans­par­ency and divi­sion of respons­ib­il­ity when pre­par­ing pur­chase requisitions.

9) Is Man­age­ment / the Com­mit­tee aware of any entries made in the account­ing records of the organ­isa­tion that it believes or sus­pects are false or inten­tion­ally mis­lead­ing? Please provide details.

  • None known.
  • Are there par­tic­u­lar bal­ances where fraud is more likely to occur? Please provide details.

Audit and Risk Com­mit­tee Paper 1 Annex 2 12 Septem­ber 2025 Page 5 of 7

The main areas of judge­ment are set out below.

  • The pro­vi­sion for LEAD­ER irreg­u­lar­it­ies – pro­vi­sion no longer con­sidered necessary.
  • The pro­vi­sion of guar­an­tees to landown­ers in respect of poten­tial dam­age by beavers.
  • The valu­ation of the Bal­later office, which is leased by the Park Author­ity. In order to recog­nise the ongo­ing and long-term bene­fit gained by the Author­ity from lease agree­ments, leased assets are recog­nised as Non-cur­rent assets’ (Right of Use Assets) in the state­ment of fin­an­cial pos­i­tion. The meth­od for cal­cu­lat­ing their value is pro­scribed by Inter­na­tion­al Fin­an­cial Report­ing Stand­ards (IFRS 16) but requires the exer­cise of sub­jectiv­ity in order to determ­ine the para­met­ers used in the calculation.

It is assessed that these mat­ters do not provide for any great­er like­li­hood of fraud.

  • Is Man­age­ment / the Com­mit­tee aware of any assets, liab­il­it­ies or trans­ac­tions that it believes were improp­erly included or omit­ted from the accounts of the organ­isa­tion? Please provide details.
    • None known.
  • Could a false account­ing entry escape detec­tion? If so, how?
    • Would require col­lab­or­a­tion involving seni­or mem­bers of the Fin­ance team.
  • Are there any extern­al fraud risk factors which are high risk of fraud? Please provide details.
    • The greatest extern­al risks arise from the poten­tial for breach of cyber security.
    • IT team keep up to date on ongo­ing risks to IT sys­tems through daily reports from Cyber Scotland.
    • Cyber­se­cur­ity Plus accred­it­a­tion achieved dur­ing the year.
    • Staff are reminded reg­u­larly of the need for care over the threats from activ­ity such as phishing.

10) Is Man­age­ment / the Com­mit­tee aware of any organ­isa­tion­al, or man­age­ment pres­sure to meet fin­an­cial or oper­at­ing tar­gets? Please provide details.

  • The object­ive, to make best use of avail­able resources in any fin­an­cial year and break-even, is well estab­lished. How­ever, there is no evid­ence to sug­gest that organ­isa­tion­al scru­tiny of this object­ive nor management’s actions to deliv­er this object­ive trans­lates into any­thing oth­er than appro­pri­ate motiv­a­tion and encour­age­ment with­in the staff group.

Audit and Risk Com­mit­tee Paper 1 Annex 2 12 Septem­ber 2025 Page 6 of 7

  • DLA policy, sys­tem of requis­i­tions and review of man­age­ment inform­a­tion all provide mitigation.
  • Is Man­age­ment / the Com­mit­tee aware of any inap­pro­pri­ate organ­isa­tion­al or man­age­ment pres­sure being applied, or incent­ives offered, to you or col­leagues to meet fin­an­cial or oper­at­ing tar­gets? Please provide details.
    • None known.

Laws and regulations

11) How does Man­age­ment / the Com­mit­tee gain assur­ance that all rel­ev­ant laws and reg­u­la­tions have been com­plied with. For example:

  • Is Man­age­ment / the Com­mit­tee aware of the pro­cess man­age­ment has in place for identi­fy­ing and respond­ing to changes in laws and reg­u­la­tions? Please provide details.
  • What arrange­ments are in place for Man­age­ment / the Com­mit­tee to over­see this process?
  • Is Man­age­ment / the Com­mit­tee aware of the arrange­ments man­age­ment have in place, for com­mu­nic­at­ing with employ­ees, non-exec­ut­ive dir­ect­ors, part­ners and stake­hold­ers regard­ing the rel­ev­ant laws and reg­u­la­tions that need to be fol­lowed? Please provide details.
    • Seni­or man­age­ment, extern­al and intern­al aud­it­ors all provide inform­a­tion where appro­pri­ate to the role of the ARC or one of the Board’s oth­er committees.
    • Seni­or man­agers are them­selves respons­ible for their over­sight of their areas and the evolving law and reg­u­la­tions that may impact on those areas. Man­age­ment receives tailored monthly updates from our out­sourced leg­al advisors on changes in law and reg­u­la­tions which may impact the Park Authority.
  • Does Man­age­ment / the Com­mit­tee have know­ledge of actu­al or sus­pec­ted instances where appro­pri­ate laws and reg­u­la­tions have not been com­plied with, and if so, is it aware of what actions man­age­ment is tak­ing to address it? Please provide details.
    • None known by either man­age­ment or ARC.

Lit­ig­a­tion and claims

12) Is Man­age­ment / the Com­mit­tee aware of any actu­al or poten­tial lit­ig­a­tion or claims that would affect the fin­an­cial state­ments? Please provide details.

  • None known by either man­age­ment or ARC.

Audit and Risk Com­mit­tee Paper 1 Annex 2 12 Septem­ber 2025 Page 7 of 7

Going con­cern

13) How has Man­age­ment / the Com­mit­tee assessed and sat­is­fied itself that it is appro­pri­ate to adopt the going con­cern basis in pre­par­ing the fin­an­cial statements?

  • All ARC mem­bers are mem­bers of the full board and are there­fore fully aware of the Park Authority’s oper­at­ing pos­i­tion and future inten­tions of Scot­tish Ministers.
  • Con­tin­ued Grant-in-aid sup­port from Scot­tish Gov­ern­ment – ongo­ing dis­cus­sion with Scot­tish Gov­ern­ment sug­gests pos­it­ive rela­tion­ship and fund­ing to be continued
  • Pro­ject fund­ing – £10.8m award made by Nation­al Lot­tery Her­it­age Fund in Decem­ber 2023 for the C2030 programme.

14) Has Man­age­ment / the Com­mit­tee iden­ti­fied any events or con­di­tions since the assess­ment was under­taken which may cast sig­ni­fic­ant doubt on the organisation’s abil­ity to con­tin­ue as a going con­cern? Please provide details

  • None known by Com­mit­tee or man­age­ment – ongo­ing dis­cus­sion with Scot­tish Gov­ern­ment sug­gests pos­it­ive rela­tion­ship and fund­ing to be continued.
×

We want your feedback

Thank you for visiting our new website. We'd appreciate any feedback using our quick feedback form. Your thoughts make a big difference.

Thank you!

Give feedback