Please be aware the content below has been generated by an AI model from a source PDF.

AuditandRiskDraftMinute 12/03/21

DRAFT MINUTES OF THE AUDIT AND RISK COMMITTEE MEETING of THE CAIRNGORMS NATIONAL PARK AUTHORITY

held via Lifesize Video Conferencing on 12 March 2021 at 9.15am

PRESENT

  • Judith Webb (Chair)
  • Peter Argyle
  • Pippa Hadley
  • Janet Hunter
  • John Latham
  • Gaener Rodger (Vice Chair)

In Attendance:

  • Chris Brown, Azets
  • David Cameron, Director of Corporate Services, CNPA
  • Grant Moir, CEO, CNPA
  • John Boyd, Azets
  • Paul Kelly, Azets
  • Vicky Walker, Office Services Manager, CNPA

Apologies:

  • Stephanie Hume, Azets

1. Welcome and Apologies

Everyone was welcomed to the meeting.

2. Minutes of Last Meeting – Approval

The draft Minutes of the meetings on 2 February 2021 were approved. The External audit plan is still to be finalised and will carry forward as an action.

3. Action point arising:

a) External Audit Plan to be finalised.

4. Matters Arising

There was one matter arising in relation to the accounting treatment of Peatland funding in the 2020/21 accounts, and this was to be discussed with David Cameron and External Audit. John Boyd of Grant Thornton confirmed he would be happy to find some time over the next few weeks to discuss this matter.

5. Action point arising:

a) Peatland funding to be discussed between David Cameron and External audit.

6. Declaration of Interests

There were no interests declared.

7. Data Management Audit (Paper 1)

Paul Kelly, Azets introduced Paper 1 which looked at Data Management processes within the organisation.

8. Key findings on report:

a) Good practice:

i. Staff survey undertaken to establish ways forward in relation to Data Management but these findings had been impacted by COVID.

b) Recommendations:

i. Update to Data Management Policies which were out of date and required review.

ii. Compliance with policy in relation to file storage, file naming and file retention.

iii. Improve access to increased file structure (which is currently reduced by remote working).

iv. Create formal process around Data Subject Access Requests (DSAR).

v. Look at cloud services and migration but consider revenue impact of this.

vi. Consider impact of Brexit on GDPR – there is now an adequacy decision due by the EU which could make this less of an impact.

9. The Audit and Risk Committee discussed the paper and made the following comments and observations:

a) June 2022 date was set for recommendation 1.2 on page 5. The Director of Corporate Services clarified this date was proposed by management as it would allow for new policy and procedure to be implemented and established before undertaking an audit as proposed in the recommendation to ascertain if actions were successful. Initial data audit would be undertaken as part of data restoration.

b) Clarification on Brexit and EU data impact. The draft adequacy decision reduces risk of restricted data held in EU. The Office Services Manager confirmed CNPA engaged with Scottish Government data group and completed data assessment prior to Brexit, and CNPA data was assessed at low risk due to storage on local server.

The Audit and Risk Committee:

i. Endorsed management responses and findings in the Data Management Audit.

10. Follow Up Review (Paper 2)

Chris Brown, Azets introduced Paper 2 which looked at a wide range of audit actions. There are two actions classed as Grade 3, both not yet due, and one Grade 4 action which is being completed. The remaining 47 actions reported as incomplete are classed as low or low-moderate risk. Overall, in Azets’ independent internal audit view this represents appropriate prioritisation of actions.

11. David Cameron, the Director of Corporate Services, commented that although there are a number of outstanding actions he was pleased his team had managed to complete so many alongside the corporate COVID response. The Corporate Services Team have been incredibly busy in terms of the business continuity plan over the lockdown period and administering the Green Recovery Grants. The Director of Corporate Services proposed to come back with an update of further action taken in implementing audit recommendations in the first half of the 2021/22 financial year.

12. The Audit and Risk Committee discussed the paper and made the following comments and observations:

a) Welcomed the pragmatic approach to the completion of actions but would be keen to learn which actions are likely to increase in priority for action and those which will become redundant.

13. Action point arising:

a) Bring update on audit action to future meeting in first half of new financial year with proposal for how to deal with outstanding actions.

The Audit and Risk Committee:

i. Approved the timetable for review of audit actions.

12. Internal Audit Annual Report 2020/21 (Paper 3)

Chris Brown, Azets introduced Paper 3 which is the internal audit annual report. Noting that there was one outstanding piece of work, the VAT health check, he was not anticipating that this will change the opinion. Some amber findings had been reported over the year but the overall opinion is that the CNPA provides reasonable assurance regarding organisational controls and governance.

13. Chris confirmed that there had been no limitations placed on work and no reliance had been placed on 3rd parties. No issues were raised by audit which were not accepted by management. The auditors remained independent of the organisation and carried out work in line with audit standards.

14. David Cameron confirmed management accepted the report for 2020/21 and the overall conclusion would be included in the governance statement for subsequent inclusion in the annual report and accounts.

15. The Audit and Risk Committee discussed the paper and made the following comments and observations:

a) Noted VAT health check outstanding.

b) Gave appreciation for the level of report and work completed during 2020/21.

c) Noted in particular that the format of internal audit reports produced by Azets were pitched at an excellent level of information provision to support the work of the Committee.

The Audit and Risk Committee:

i. Accepted the Internal Audit Annual Report and recommendations contained within it.

14. Internal Audit Strategic Plan 2021/22 to 2023/24 (Paper 4)

Chris Brown, Azets introduced Paper 4 which outlines the internal audit strategic plan for 2021/22 to 2023/24. Chris highlighted Azets’ view that the plan represents a good balance between major risk areas to the organisation. Noting that there is a limit to the number of audits an organisation can support, there are some areas which have not been prioritised: health and safety and grant awards. The plan is linked to the organisational risk register and as such needs to remain flexible so the plan can be amended during the forthcoming financial year.

15. David Cameron updated that there has been a request from management informing this plan to review project planning and overall governance of major projects. Although the subject has recently been audited this is an area where significant work is anticipated over the coming financial years following recent Board and Committee conversations on assurance over delivery of major projects and their impact on the Authority’s objectives.

16. The Audit and Risk Committee discussed the paper and made the following comments and observations:

a) Cyber risk remains high impact but likelihood unclear. SEPA recently suffered a cyber-attack. Home working means that risk has changed but implementation of better security measures has mitigated these. The Authority is also pursuing Cyber Security Plus re-evaluation with Scottish Government and therefore some independent review of appropriate controls is already in place.

17. Action point arising:

a) Review Risk Rating for Cyber Security.

The Audit and Risk Committee:

i. Adopted the Internal Audit Strategic Plan as presented to Committee.

18. Heritage Horizons Bid Risk Register and Impact on CNPA Strategic Risk Register (Paper 5)

David Cameron, Director of Corporate Services introduced Paper 5 which originated from a Board request to the committee to consider the impact of the Heritage Horizons Project on strategic risk management processes. In order to support this consideration by the Committee, an updated CNPA Strategic Risk Register was presented alongside the Heritage Horizons Risk Register.

19. David asked the committee if any amendments are suggested or whether at present the risk register appropriately covers risks in relation to working with external partners and impact on staff resources. The outcome of the bid is due in June this year. As such, while agreed by the Board that this item should come to the Committee, the consideration in great detail of these project risks is possibly somewhat premature. It is proposed that if funding is secured a further paper is presented to the Audit and Risk Committee to review any implications for the strategic risk register at that time.

20. The Audit and Risk Committee discussed the paper and made the following comments and observations:

a) National Park Authority has managed large projects successfully in the past. Budget will support increase in staff resource. Need to assess the risk appetite of the Board.

b) Potential for creation of conflict and competition. Bid focusses on community engagement which may impact on existing dynamics as innovative approaches to engagement are considered should the bid be successful.

21. Action points arising:

a) Committee to ask convenor to find board time to address risk appetite of Board as a whole.

b) Committee recognises in relation to HH expect to see further development of risk register at appropriate date once we know outcome of bid.

22. Board Complaints Handling Lessons Learned (Paper 6)

David Cameron, Director of Corporate Services introduced Paper 6 which follows a request from the Audit and Risk Committee for a lessons learned review following complaints handling over July and August 2020. In preparing the paper advice was also taken from David Nichol of On-board training. The paper recommends CNPA continues to include complaints in relation to board members within organisational processes and they are dealt with by the Director Corporate Services. The report also addresses how complaints run alongside any referral or investigation by Ethical Standards Commission (ESC).

23. The Audit and Risk Committee discussed the paper and made the following comments and observations:

a) How does the Authority manage parallel processes with CNPA and ESC if there is the potential for them to come to different outcomes? Other areas refer complaints to ESC in the first instance. The Director of Corporate Services clarified that CNPA has no jurisdiction whatsoever in relation to a breach of code of conduct. This lies with ESC. However CNPA can issue a finding that values and behaviour exhibited are below CNPA expected standard. Proposals retain CNPA's ability to respond to behaviour which CNPA finds needs addressing without ruling on whether or not actions are breaching code. Complainants remain free to escalate their issue to the ESC irrespective of finding by the Authority under its complaints procedures.

b) David Cameron confirmed a complaint from an external person or a member of staff would be dealt with under the same procedure.

c) In paragraph 19 it would be helpful to integrate a proactive approach that reiterates wanting to protect board members by bringing to their attention expected standards of behaviour as a whole. Need to re-energise work around expected standards of behaviour.

d) Time required to deal with these things and staff resources. How do we control the impact and end point?

e) If an internal complaint then Bullying and Harassment policy could also apply.

f) David Cameron confirmed that the paper takes account of ESC proposals. The model code for NDBPs is currently out for consultation and CNPA has responded suggesting inclusion of perception tests to mirror councillor code. Timescales for issue of a revised Model Code by ESC unknown at present but when released will need to respond to new model code.

24. Action points arising:

a) Reword paper to further clarify how to deal with parallel processes within CNPA and ESC.

b) Bring back draft policy to committee before full board process.

25. FOISA Scorecard (Paper 7)

Vicky Walker, Office Services Manager introduced Paper 7 which outlined performance in relation to FOISA and GDPR information requests.

26. The Audit and Risk Committee discussed the paper and made the following comments and observations:

a) Liked visual overview of performance.

b) Welcomed proposal to include comparison with previous years for year-end reporting.

27. Action point arising:

i. Continue to provide quarterly updates to the Committee and include comparisons to previous year’s activity.

28. Governance Responsibility Framework (Oral Update)

David Cameron, Director of Corporate Services gave an oral update on ongoing work developing a document which outlines responsibility and distinctions between operational and strategic decisions. Draft report currently with convenor, deputy convenor and chief executive. A future draft will be brought back to the Audit and Risk Committee. The Board Business Session in May will look at wider governance review.

29. The Audit and Risk Committee discussed the update and made the following comments and observations:

a) Additional 1 hour meeting is agreed to fully discuss and review a draft paper when available.

30. Action point arising:

a) Additional 1 hour meeting to be scheduled to review governance responsibility.

31. AOCB

Discussion with auditors without staff is not currently scheduled but in future a pre-meet prior to the formal Audit Committee should be scheduled for 15 mins. The chair reminded members that they can always speak to auditors directly.

32. Action point arising:

a) To timetable pre-meeting for the May Audit and Risk Committee meeting.

33. Chair commented that reports to commission from auditors were very clear and welcomed.

34. Date of Next Meeting

The next scheduled Audit and Risk Committee meeting tbc.

35. The meeting finished at 10:52 hours.
