Audit and Risk Draft Minute 12/03/21
DRAFT MINUTES OF THE AUDIT AND RISK COMMITTEE MEETING of THE CAIRNGORMS NATIONAL PARK AUTHORITY
held via Lifesize Video Conferencing on 12 March 2021 at 9.15am
PRESENT
- Judith Webb (Chair)
- Peter Argyle
- Pippa Hadley
- Janet Hunter
- John Latham
- Gaener Rodger (Vice Chair)
In Attendance:
- Chris Brown, Azets
- David Cameron, Director of Corporate Services, CNPA
- Grant Moir, CEO, CNPA
- John Boyd, Azets
- Paul Kelly, Azets
- Vicky Walker, Office Services Manager, CNPA
Apologies:
- Stephanie Hume, Azets
1. Welcome and Apologies
Everyone was welcomed to the meeting.
2. Minutes of Last Meeting – Approval
The draft Minutes of the meetings on 2 February 2021 were approved. External audit plan still to be finalised and will carry forward as an action.
3. Action point arising:
a) External Audit Plan to be finalised.
4. Matters Arising
There was one matter arising in relation to the accounting treatment of Peatland funding in the 2020/21 accounts, and this was to be discussed with David Cameron and External Audit. John Boyd of Grant Thornton confirmed he would be happy to find some time over the next few weeks to discuss this matter.
5. Action point arising:
a) Peatland funding to be discussed between David Cameron and External audit.
6. Declaration of Interests
There were no interests declared.
7. Data Management Audit (Paper 1)
Paul Kelly, Azets introduced Paper 1 which looked at Data Management processes within the organisation.
8. Key findings on report:
a) Good practice:
i. Staff survey undertaken to establish ways forward in relation to Data Management but these findings had been impacted by COVID.
b) Recommendations:
i. Update to Data Management Policies which were out of date and required review.
ii. Compliance with policy in relation to file storage, file naming and file retention.
iii. Improve access to increased file structure (which is currently reduced by remote working).
iv. Create formal process around Data Subject Access Requests (DSAR).
v. Look at cloud services and migration but consider revenue impact of this.
vi. Consider impact of Brexit on GDPR – there is now an adequacy decision due by the EU which could make this less of an impact.
9. The Audit and Risk Committee discussed the paper and made the following comments and observations:
a) June 2022 date was set for recommendation 1.2 on page 5. The Director of Corporate Services clarified this date was proposed by management as it would allow for new policy and procedure to be implemented and established before undertaking an audit as proposed in the recommendation to ascertain if actions were successful. Initial data audit would be undertaken as part of data restoration.
b) Clarification on Brexit and EU data impact. The draft adequacy decision reduces risk of restricted data held in EU. The Office Services Manager confirmed CNPA engaged with Scottish Government data group and completed data assessment prior to Brexit and CNPA data assessed at low risk due to storage on local server.
The Audit and Risk Committee:
i. Endorsed management responses and findings in the Data Management Audit.
10. Follow Up Review (Paper 2)
Chris Brown, Azets introduced Paper 2 which looked at a wide range of audit actions. There are two actions which are classed as Grade 3, both of which are not yet due, and one Grade 4 action which is being completed. The remaining 47 actions reported as incomplete are classed as low or low-moderate risk. Overall, in Azets’ independent internal audit view this represents appropriate prioritisation of actions.
11. David Cameron, the Director of Corporate Services, commented that although there are a number of outstanding actions he was pleased his team had managed to complete so many alongside the corporate COVID response. The Corporate Services Team have been incredibly busy in terms of business continuity plan over lockdown period and administering the Green Recovery Grants. The Director of Corporate Services proposed to come back with an update of further action taken in implementing audit recommendations in first half of the 2021/22 financial year.
12. The Audit and Risk Committee discussed the paper and made the following comments and observations:
a) Welcomed the pragmatic approach to the completion of actions but would be keen to learn which actions are likely to increase in priority for action and those which will become redundant.
13. Action point arising:
a) Bring update on audit action to future meeting in first half of new financial year with proposal for how to deal with outstanding actions
The Audit and Risk Committee:
i. Approved the timetable for review of audit actions
12. Internal Audit Annual Report 2020/21 (Paper 3)
Chris Brown, Azets introduced Paper 3 which is the internal audit annual report. He noted that there was one outstanding piece of work, the VAT health check, but did not anticipate that this would change the opinion. Some amber findings had been reported over the year but overall opinion is that the CNPA provides reasonable assurance regarding organisational controls and governance.
13. Chris confirmed that there had been no limitations placed on work and no reliance had been placed on 3rd parties. No issues raised by audit which were not accepted by management. The auditors remained independent of organisation and carried out work in line with audit standards.
14. David Cameron confirmed management accepted report for 2020/21 and overall conclusion would be included in the governance statement for subsequent inclusion in the annual report and accounts.
15. The Audit and Risk Committee discussed the paper and made the following comments and observations:
a) Noted VAT health check outstanding.
b) Gave appreciation for the level of report and work completed during 2020/21.
c) Noted in particular that the format of internal audit reports produced by Azets was pitched at an excellent level of information provision to support the work of the Committee.
The Audit and Risk Committee:
i. Accepted the Internal Audit Annual Report and recommendations contained within it.
14. Internal Audit Strategic Plan 2021/22 to 2023/24 (Paper 4)
Chris Brown, Azets introduced Paper 4 which outlines the internal audit strategic plan for 2021/22 to 2023/24. Chris highlighted Azets’ view that the plan represents a good balance between major risk areas to the organisation. Noting that there is a limit to the number of audits an organisation can support, there are some areas which have not been prioritised: health and safety and grant awards. The plan is linked to the organisational risk register and as such needs to remain flexible so the plan can be amended during the forthcoming financial year.
15. David Cameron updated that there has been a request from management informing this plan to review project planning and overall governance of major projects. Although the subject has recently been audited this is an area where significant work is anticipated over the coming financial years following recent Board and Committee conversations on assurance over delivery of major projects and their impact on the Authority’s objectives.
16. The Audit and Risk Committee discussed the paper and made the following comments and observations:
a) Cyber risk remains high impact but likelihood unclear. SEPA recently suffered a cyber-attack. Home working means that risk has changed but implementation of better security measures has mitigated these. The Authority is also pursuing Cyber Security Plus re-evaluation with Scottish Government and therefore some independent review of appropriate controls is already in place.
17. Action point arising:
a) Review Risk Rating for Cyber Security.
The Audit and Risk Committee:
i. Adopted the Internal Audit Strategic Plan as presented to Committee.
18. Heritage Horizons Bid Risk Register and Impact on CNPA Strategic Risk Register (Paper 5)
David Cameron, Director of Corporate Services introduced Paper 5 which originated from a Board request to the committee to consider the impact of Heritage Horizons Project on strategic risk management processes. In order to support this consideration by the Committee, an updated CNPA Strategic Risk Register was presented alongside the Heritage Horizons Risk Register.
19. David asked the committee if any amendments are suggested or whether at present the risk register appropriately covers risks in relation to working with external partners and impact on staff resources. The outcome of the bid is due in June this year. As such, while agreed by the Board that this item should come to the Committee, the consideration in great detail of these project risks is possibly somewhat premature. It is proposed that if funding is secured a further paper is presented to the Audit and Risk Committee to review any implications for the strategic risk register at that time.
20. The Audit and Risk Committee discussed the paper and made the following comments and observations:
a) National Park Authority has managed large projects successfully in the past. Budget will support increase in staff resource. Need to assess the risk appetite of the Board.
b) Potential for creation of conflict and competition. Bid focusses on community engagement which may impact on existing dynamics as innovative approaches to engagement are considered should the bid be successful.
21. Action points arising:
a) Committee to ask convenor to find board time to address risk appetite of Board as a whole.
b) Committee recognises in relation to HH expect to see further development of risk register at appropriate date once we know outcome of bid.
22. Board Complaints Handling Lessons Learned (Paper 6)
David Cameron, Director of Corporate Services introduced Paper 6 which follows a request from the Audit and Risk Committee for a lessons learned review following complaints handling over July and August 2020. In preparing the paper advice was also taken from David Nichol of On-board training. The paper recommends CNPA continues to include complaints in relation to board members within organisational processes and that they are dealt with by the Director of Corporate Services. The report also addresses how complaints run alongside any referral or investigation by Ethical Standards Commission (ESC).
23. The Audit and Risk Committee discussed the paper and made the following comments and observations:
a) How does authority manage parallel processes with CNPA and ESC? If there is the potential for them to come to different outcomes. Other areas refer complaints to ESC in the first instance. The Director of Corporate Services clarified that CNPA has no jurisdiction whatsoever in relation to a breach of code of conduct. This lies with ESC. However, CNPA can issue a finding that values and behaviour exhibited are below CNPA expected standard. Proposals retain CNPA's ability to respond to behaviour which CNPA finds needs addressing without ruling on whether or not actions are breaching code. Complainants remain free to escalate their issue to the ESC irrespective of finding by the Authority under its complaints procedures.
b) David Cameron confirmed a complaint from an external person or a member of staff would be dealt with under the same procedure.
c) Paragraph 19 would be helpful to integrate a proactive approach that reiterates wanting to protect board members by bringing to their attention expected standards of behaviour as a whole. Need to re-energise work around expected standards of behaviour.
d) Time required to deal with these things and staff resources. How do we control the impact and end point?
e) If an internal complaint then Bullying and Harassment policy could also apply.
f) David Cameron confirmed that the paper takes account of ESC proposals. The model code for NDBPs is currently out for consultation and CNPA has responded suggesting inclusion of perception tests to mirror councillor code. Timescales for issue of a revised Model Code by ESC unknown at present but when released will need to respond to new model code.
24. Action points arising:
a) Reword paper to further clarify how to deal with parallel processes within CNPA and ESC.
b) Bring back draft policy to committee before full board process.
25. FOISA Scorecard (Paper 7)
Vicky Walker, Office Services Manager introduced Paper 7 which outlined performance in relation to FOISA and GDPR information requests.
26. The Audit and Risk Committee discussed the paper and made the following comments and observations:
a) Liked visual overview of performance.
b) Welcomed proposal to include comparison with previous years for year-end reporting.
27. Action point arising:
i. Continue to provide quarterly updates to the Committee and include comparisons to previous year’s activity.
28. Governance Responsibility Framework (Oral Update)
David Cameron, Director of Corporate Services gave an oral update on ongoing work developing a document which outlines responsibility and distinctions between operational and strategic decisions. Draft report currently with convenor, deputy convenor and chief executive. A future draft will be brought back to the Audit and Risk Committee. The Board Business Session in May will look at wider governance review.
29. The Audit and Risk Committee discussed the update and made the following comments and observations:
a) Additional 1 hour meeting is agreed to fully discuss and review a draft paper when available.
30. Action point arising:
a) Additional 1 hour meeting to be scheduled to review governance responsibility.
31. AOCB
Discussion with auditors without staff is not currently scheduled but in future a pre-meet prior to the formal Audit Committee should be scheduled for 15 mins. The chair reminded members that they can always speak to auditors directly.
32. Action point arising:
a) To timetable a pre-meeting for the May Audit and Risk Committee meeting.
33. Chair commented that reports to commission from auditors very clear and welcomed.
34. Date of Next Meeting
The next scheduled Audit and Risk Committee meeting tbc.
35. The meeting finished at 10:52 hours.