Formal board meeting - paper 9 annex 1: committee minutes - 28 November 2025

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 1 of 38

Annex 1

Approved minutes of the Audit and Risk Com­mit­tee meeting

Held at Cairngorms Nation­al Park Author­ity office, Grant­own-on-Spey Online 20 June 2025 at 10.00am

Present online Fiona McLean (Chair) Peter Cos­grove (Deputy Chair) Bill Lob­ban Geva Black­ett Paul Gibb Duncan Miller

In attend­ance Grant Moir, Chief Exec­ut­ive Officer Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions Kath­rine Mal­in-August, Fin­an­cial Account­ant Eliza­beth Young, Azets Gra­ham Gilespie, wbg Peter Clark, wbg Tom Reid, Maz­ars Alix Hark­ness, Clerk to the Board

Apo­lo­gies Dav­id Camer­on, Deputy Chief Exec­ut­ive Officer and Dir­ect­or of Cor­por­ate Ser­vices Paul Dav­is­on, Inform­a­tion Manager

Wel­come and introduction

1. Fiona McLean, Chair of the Audit and Risk Com­mit­tee, wel­comed every­one to the meet­ing. Apo­lo­gies were noted.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 2 of 38

Approv­al of minutes of pre­vi­ous meetings

1. The draft minutes of the pre­vi­ous Audit and Risk Com­mit­tee meet­ing held on 21 March 2025 were approved with no amendments.

Mat­ters arising not covered elsewhere

1. There were no mat­ters arising.

Ref	Action Detail	Who	When	Status
21/06/24	At para 341Lessons learned brief­ing forthe com­mit­tee for the nextmeeting	Dav­id	Will come tomeet­ing in June/​Sept depend­ing onstaff timeavailable	Open
21/06/24	At para 34mChair and Deputy Chair tore­ceive monthly updates ofpro­gress against the actionplan	Dav­id andLouise	Monthly update­shave been issuedsince Junemeeting	In Pro­gress
27/09/24	At para 20iiv. Update on intern­alaudit view onfin­an­cial scen­arioplan­ning to beprovided to theAu­dit and RiskCommittee	Dav­id andStephanie	At the end of the24/​25 financialyear.	Ongo­ing
08/11/24	At para 26bi. Inform­a­tion­man­ager to provi­de­Com­mit­tee mem­bers with thenum­ber ofre­questees forFOISA.	Paul	20 June 2025meeting	Open Paper today
21/03/25	At para 28i. Stat­ist­ic­al ana­lys­is to be brought back to the Committee	Louise		Out­stand­ing

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 3 of 38

	show­ing of thecon­tracts awar­ded­how manycompan­ies were­based in the­Cairngorm­sNa­tion­al Park, how­many around andhow many out withover the course ofone year.
	ii. Head of Fin­anceand Cor­por­ate­Op­er­a­tions todif­fer­en­ti­ate­b­etween con­flict­and declar­a­tion ofin­terest on page 6of the Pro­cure­mentAc­tion Plan.	Louise
21/03/25	At Para 33i. Paper detail­ing thep­ri­or­ity of keyr­isk areas toin­clude ati­metable offu­ture reportson the strand­sto be broughtto the nextmeeting.	Dav­id

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 4 of 38

Declar­a­tions of interest

1. There were no declar­a­tions of interest.

Paul Gibb arrived at the meet­ing at 10.10am Intern­al Audit Plan ²⁰²⁴⁄₂₅: Recruit­ment (Paper 1)

1. Eliza­beth Young, Part­ner, Azets presen­ted the paper, which presents the intern­al audit review car­ried out by Azets of the Park Authority’s recruit­ment and onboard­ing pro­cess. The review con­sidered the recruit­ment pro­cesses in place, includ­ing the approv­al pro­cess for posts pri­or to advert­ise­ment through to the onboard­ing pro­cess for staff.
2. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and obser­va­tions: α) Head of Fin­ance and Oper­a­tions com­men­ted that the issue iden­ti­fied around doc­u­ment man­age­ment because of the inter­ac­tion of the People portal and Share­Point to man­age doc­u­ments, is sim­il­ar to the situ­ation with the new Fin­ance sys­tem, which also works from the same Access plat­form. There is a need to estab­lish the rel­at­ive pri­or­ity of these sys­tems. She will dis­cuss the appro­pri­ate approach to be taken with the Inform­a­tion Man­ager. b) Com­ment made on the need to have a trans­par­ent way that doc­u­ments seni­or man­age­ment have approved all recruit­ment, espe­cially giv­en the recent guidelines around pub­lic sec­tor spend­ing released 19 June 2025. CEO advised that there had not been a single post recruited over the past 10 years that had not been approved by him, and he provided the reas­sur­ance that no new post would be in the future. The issue was ensur­ing a paper trail for each post to show this had happened. c) Head of Fin­ance and Oper­a­tions made the Com­mit­tee aware that Scot­tish Gov­ern­ment have been request­ing a monthly fore­cast of head­count, with jus­ti­fic­a­tion for any addi­tion­al posts, demon­strat­ing that extern­al scru­tiny has already star­ted. d) The Chair thanked Stephanie and team for the reas­sur­ance and work provided on this.
3. The Audit and Risk Com­mit­tee noted the paper and agreed to the recommendations:

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 5 of 38

α) Con­sider the intern­al aud­it­ors report and find­ings. b) Endorse the man­age­ment responses to recom­mend­a­tions for future action and improvements.

1. Action Points Arising: None.

Intern­al Audit Annu­al Report ²⁰²⁴⁄₂₅ (Paper 2)

1. Eliza­beth Young, Chief Intern­al Aud­it­or, Azets presen­ted the paper, which sum­mar­ises the con­clu­sions and key find­ings from the intern­al audit work under­taken at Cairngorms Nation­al Park Author­ity dur­ing the year ended 31 March 2025, includ­ing the Intern­al Auditor’s over­all opin­ion on Cairngorms Nation­al Park Authority’s intern­al con­trol system.
2. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and obser­va­tions: α) Head of Fin­ance and Cor­por­ate Oper­a­tions com­men­ted that it was a great pos­i­tion to be in, and that it had been a very pos­it­ive exper­i­ence work­ing with Azets; she thanked them for the sup­port­ive, advice and guid­ance provided over the years The Chair echoed those com­ments and par­tic­u­larly thanked Stephanie and Eliza­beth. b) The Chair noted that good pro­gress been made on out­stand­ing recom­mend­a­tions and felt reas­sured that Azets felt that this was the case.
3. The Audit and Risk Com­mit­tee noted the paper and agreed to the recom­mend­a­tions: α) Con­sider the Intern­al Auditor’s annu­al report for 2024 – 25. b) Note the Intern­al Audit annu­al opin­ion as set out in page 4 of the report and endorse the inclu­sion of that opin­ion with­in the Gov­ernance State­ment for 2024 – 25.
4. Action Points Arising: None.

Intern­al audit plan (Paper 3)

1. Gra­ham Gillespie and Peter Clark, wbg, presen­ted the paper, which set out a pro­posed intern­al audit plan for 2025 – 26 (and future years) pre­pared by wbg.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 6 of 38

1. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and obser­va­tions: α) Head of Fin­ance and Oper­a­tions repor­ted that they had had a very pos­it­ive first meet­ing with wbg and the key theme of dis­cus­sions had been how best to provide assur­ance while achiev­ing best value for money. As an example, she explained that wbg had been pre­pared to take a prag­mat­ic approach to the review of cyber secur­ity and that this would help the IT team as well as provid­ing the Com­mit­tee with the assur­ance they need. b) The Chair praised the assur­ance map and com­men­ted that she had found it help­ful. c) The Chair raised her con­cerns around the time­tabling, with no report until March 2026 when there would be five reports presen­ted and then the final report for the year in June, which seemed very late in the year. Peter Clark, wbg advised this pro­gramme had been developed around team avail­ab­il­ity, but that he would be happy to review the situ­ation to achieve a more even spread of the work. The Chair sug­ges­ted that even if only one of the reports could be brought for­ward, that would be help­ful. It was agreed that wbg would dis­cuss and agree this with management.
2. The Audit and Risk Com­mit­tee noted the paper and agreed the two recom­mend­a­tions: α) Con­sider the auditor’s pro­pos­al b) Assess the plan for 2025 – 26 and con­sider wheth­er the focus of work meets the Park Authority’s need for assurance.
3. Action Points Arising: i. Wbg to review the time­tabling of work and to dis­cuss and agree with Man­age­ment a more even spread of reporting.

Extern­al audit update (Paper 4)

1. Tom Reid, Maz­ars presen­ted the paper, which sets out the audit of the annu­al report and accounts for 2024 – 25 pre­pared by Mazars.
2. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and observations:

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 7 of 38

α) The Chair noted that the timeline had changed, with field­work com­men­cing one month later than planned; she sought reas­sur­ance that it was going to be com­pleted on time. Head of Fin­ance and Oper­a­tions advised that the delay had been down to team capa­city. She explained that the earli­er date would have been impossible giv­en the ill health of the Fin­ance Man­ager and the delay in the new Fin­an­cial Account­ant start­ing, due to her hav­ing to work a three month notice period.

1. The Audit and Risk Com­mit­tee con­sidered the auditor’s report and pro­gress to date.
2. Action Points Arising: None.

Stra­tegic risk registers (Paper 5)

1. Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions presen­ted the paper, which sup­ports a review by the Com­mit­tee of the Park Authority’s stra­tegic risk man­age­ment position.
3. Grant Moir, CEO repor­ted that the fund­ing for trans­port pro­jects was cur­rently going through the account­able officer pro­cess. Any expendit­ure over a cer­tain value has to go through vari­ous approvals with­in Scot­tish Gov­ern­ment. Trans­port Scot­land have announced the money for the build phases that they’re doing this year and we are now wait­ing for the fund­ing announce­ments for design pro­jects. A decision is likely to be made towards the end of July and if we still have not received any update on the fund­ing at that point, then it’s prob­ably get­ting too late in the year to do the work that we are look­ing to take for­ward on some of these schemes. He provided reas­sur­ance that there was a plan B. He reit­er­ated that the end of July would be the pinch point for this.
4. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and obser­va­tions: α) The Chair asked for reas­sur­ance that the Nation­al Lot­tery Her­it­age Fund (NLHF) were flex­ible in response to this. CEO advised that if there is to be a sig­ni­fic­ant change the Park Author­ity would need to make a form­al change request to NLHF.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 8 of 38

b) Pub­lic sec­tor reform strategy (PSR) a sug­ges­tion was made to update risk 1 to incor­por­ate the implic­a­tions of the PSR strategy. CEO agreed to add that in. c) A mem­ber sug­ges­ted that before the Scot­tish Gov­ern­ment under­go a review of pub­lic sec­tor bod­ies such as the Park Author­ity, it would be good to doc­u­ment shared ser­vices with Loch Lomond and Trossachs Nation­al Park. d) CEO advised that cost sav­ings will be required of all pub­lic bod­ies. He noted that, as we come to the end of the Cairngorms 2030 pro­ject the Authority’s head­count will reduce. Addi­tion­al sav­ings will be avail­able from effi­cien­cies such as those achieved from the new web­site build, which means that we no longer have to use the Com­mon Place plat­form, and that will reduce spend by £10k per year. He added that there was not enough detail yet to know pre­cisely what the PSR strategy will mean for us.

1. The Audit and Risk Com­mit­tee noted the paper and agreed to the recom­mend­a­tions: α) Con­sider the cov­er­age and adequacy of the Park Authority’s stra­tegic risk man­age­ment pos­i­tion and advise on any gaps or amend­ments required to the cur­rent stra­tegic risk register. b) Con­sider the cov­er­age and adequacy of the Cairngorms 2030 pro­gramme risk man­age­ment pos­i­tion and advise on any gaps or amend­ments required to the cur­rent pro­gramme risk register.
2. Action Points Arising: i. Risk One to be amended to include detail which con­siders and reflects the risks with­in the Pub­lic Reform Strategy that was pub­lished the day before the meeting.

Inform­a­tion requests and com­plaints update (Paper 6)

1. Louise Allen presen­ted the paper, which provides an update on the num­ber of inform­a­tion requests, and key per­form­ance meas­ures in meet­ing them, under Free­dom of Inform­a­tion (Scot­land) Act (FOISA)/ Envir­on­ment­al Inform­a­tion (Scot­land) Reg­u­la­tions (EIR) and Data pro­tec­tion arrange­ments, provid­ing an update for the full fin­an­cial year ²⁴⁄₂₅. The paper also describes num­bers and out­comes of form­al com­plaints to the Cairngorms Nation­al Park Authority.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 9 of 38

1. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and obser­va­tions: α) The Chair thanked the Inform­a­tion Man­ager for the pro­gress being made; she noted that 100% of requests had been dealt with with­in the times­cales and praised this achieve­ment. b) CEO advised that sig­ni­fic­ant staff resource is needed to deal with FOI requests. He expressed the view that the Park Author­ity might con­sider increas­ing the amount of inform­a­tion pub­lished routinely so that the pub­lic can find what they need without mak­ing a form­al request. He acknow­ledged, how­ever, that we should avoid cre­at­ing more work for ourselves, and noted that the key is to find a bal­ance between routine pub­lic­a­tion and FOI requests. c) The Chair asked if the time spent by staff could be cap­tured. CEO agreed to look into that and provide rough fig­ures. d) Mem­ber com­men­ted that it was inter­est­ing to see the num­ber of requesters and the areas of the organ­isa­tion involved in provid­ing the inform­a­tion reques­ted. He asked if it would be pos­sible to have a sum­mary break­down that included more detail on the inform­a­tion reques­ted, so that any emer­ging themes could be iden­ti­fied. CEO agreed to see what could be pulled out for the next update.
2. The Audit and Risk Com­mit­tee noted the paper and agreed to the recom­mend­a­tions: α) Note activ­ity in this area and Park Author­ity per­form­ance b) Com­ment on breadth and depth of report­ing for future updates
3. Action Points Arising: i. Estim­ated time spent by staff on each inform­a­tion request to be cap­tured and included in the next report. ii. Each request to include enough detail to help identi­fy emer­ging themes.

Pro­cure­ment action plan (Paper 7)

1. Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions presen­ted the paper, which presents an action plan towards improve­ment of the Park Authority’s pro­cure­ment pro­cesses, pro­ced­ures and intern­al con­trols. The action plan had been developed in response to the Intern­al Audit review of pro­cure­ment car­ried out by Azets as part of the approved 2023 – 24 audit programme.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 10 of 38

1. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ment and obser­va­tion: α) The Chair thanked the Head of Fin­ance and Cor­por­ate Oper­a­tions and the Pro­cure­ment officer for all their hard work get­ting to that point.
2. The Audit and Risk Com­mit­tee noted the paper and agreed to the recom­mend­a­tions: α) Reviewed pro­gress made against each activ­ity in the pro­gramme for improve­ment developed by man­age­ment. b) Agreed they were con­tent to pass ongo­ing mon­it­or­ing back to the seni­or team.
3. Action Points Arising: None.

Update on out­stand­ing intern­al audit recom­mend­a­tions (Paper 8)

1. Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions presen­ted the paper, which set out an update on actions under­way to address out­stand­ing intern­al audit recom­mend­a­tions on con­trols relat­ing to inform­a­tion tech­no­logy, cyber secur­ity and inform­a­tion man­age­ment. The paper pro­poses revised, updated actions for adop­tion by the Com­mit­tee in place of the exist­ing recom­mend­a­tions, which in some cases are out­dated fol­low­ing sig­ni­fic­ant action by the Park Authority’s teams work­ing in this area.
2. The Audit and Risk Com­mit­tee Chair invited Stephanie Humes’ Azets views on management’s approach to this. She made the fol­low­ing points: α) The pre­vi­ous recom­mend­a­tions included those focused on the improve­ment of pro­ced­ures for the man­age­ment of cyber­se­cur­ity, which may now have been super­seded by cyber essen­tials plus, but it would be help­ful to be clear to the Com­mit­tee on how the ori­gin­al recom­mend­a­tions are being addressed. b) The ori­gin­al recom­mend­a­tion for the devel­op­ment of a busi­ness con­tinu­ity plan (BCP), include advice that the BCP should include test­ing sched­ules; the com­mit­tee should seek assur­ance that the BCP developed is prop­erly tested.
3. The Audit and Risk Com­mit­tee Chair thanked Stepan­ie Hume, Azets and said those points would be noted.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 11 of 38

1. The Audit and Risk Com­mit­tee noted the paper and: a) Agreed the six pri­or intern­al audit recom­mend­a­tions set out are super­seded. b) Agreed the adop­tion of the three actions set out as replace­ment actions required to imple­ment an appro­pri­ate over­arch­ing con­trol envir­on­ment for the Park Authority’s IT and data man­age­ment oper­a­tions. c) Agreed to receive updates on pro­gress against these actions as part of updates on action in imple­ment­ing audit recom­mend­a­tions. d) Agreed the scope of any intern­al audit work in these areas over the next 12 months should reflect the status of the cur­rent evol­u­tion of the Park Authority’s oper­at­ing envir­on­ment for IT and data services.
2. Action Points Arising: None.

AOCB

1. None

Date of Next Meeting

1. The date of the next meet­ing is 12 Septem­ber 2025, online.
2. The meet­ing con­cluded at 11.00

Ref	Action Detail	Who	When	Status
21/06/24	At para 341Lessons learned brief­ing forthe com­mit­tee for the nextmeeting	Dav­id	Will come tomeet­ing in June/​Sept dependin­gon staff timeavailable	OpenTo come to Septmeeting
21/06/24	At para 34mChair and Deputy Chair tore­ceive monthly updates ofpro­gress against the actionplan	Dav­id andLouise	Monthly update­shave been issuedsince Junemeeting	Closed
27/09/24	At para 20iV. Update on intern­alaudit view onfin­an­cial scen­arioplan­ning to beprovided to the	Dav­id andStephanie	At the end of the24/​25 financialyear.	Ongo­ing­Man­age­mentto report­back to
	audit and RiskCommittee			Com­mit­tee to giveassurance

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 12 of 38

	Audit and RiskCommit­tee			Com­mit­tee to giveassurance
08/11/24	At para 26bii. Inform­a­tion­man­ager to provi­de­Com­mit­tee mem­bers with thenum­ber ofre­questees forFOISA.	Paul	20 June 2025meeting	Closed (ontoday’sagenda)
21/03/25	At para 28iii. Stat­ist­ic­al ana­lys­is to be brought backto the Com­mit­teeshow­ing of thecon­tracts awar­ded­how manycompan­ies were­based in the­Cairngorm­sNa­tion­al Park, how­many around andhow many out withover the course ofone year.	Louise		Out­stand­ing
	iv. Head of Fin­anceand Cor­por­ate­Op­er­a­tions todif­fer­en­ti­ate­b­etween con­flict­and declar­a­tion ofin­terest on page 6	Louise		In Hand­Louise will­run new­word­ing pastPeteCosgrove

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 13 of 38

	of the Pro­cure­mentAc­tion Plan.
21/03/25	At Para 33V. Paper detail­ing thep­ri­or­ity of key ris­kareas to include ati­metable offu­ture reportson the strand­sto be broughtto the nextmeeting.	Dav­id		Closed (ontoday’sagenda)
From today’s meeting
20/06/25	At Para 16vi. Wbg to dis­cus­sand agree with­Man­age­ment toreview the­t­i­me­tabling of there­ports to providemore of an evenspread.	Peter Clark,GrahamGilespie,Louise,David	Septem­ber­meet­ing
20/06/25	At Para 25vii. Risk One to bea­mended to include­de­tail which­con­siders andre­flects the risks­posed with­in thePub­lic Reform­Strategy that waspub­lished the day­be­fore the meeting.	Dav­id	By the nextmeeting

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 14 of 38

| 20/06/25 | At Para 29viii. Estim­ated timespent by staff oneach inform­a­tion­re­quest to becap­tured andin­cluded in the nextreport.ix. Each request toin­clude a little bit ofde­tail to helpidenti­fy emergingthemes.x. | Paul | For the nex­tup­date toCom­mit­tee Novmeeting| |

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 15 of 38

Approved minutes of the Audit and Risk Com­mit­tee meeting

Held at Cairngorms Nation­al Park Author­ity office, Grant­own-on-Spey Online 12 Septem­ber 2025 at 1.00pm

Present online Fiona McLean (Chair) Paul Gibb Bill Lob­ban Peter Cos­grove (Deputy Chair) John Kirk (sub for Geva Black­ett) Duncan Miller

In attend­ance Grant Moir, Chief Exec­ut­ive Officer Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions Scott McCready. wbg Tom Reid, Maz­ars Ishana Singh, Maz­ars Alix Hark­ness, Clerk to the Board

Apo­lo­gies Geva Black­ett Dav­id Camer­on, Deputy Chief Exec­ut­ive Officer and Dir­ect­or of Cor­por­ate Services

Wel­come and apologies

1. Fiona McLean, Chair of the Audit and Risk Com­mit­tee, wel­comed every­one to the meet­ing. Apo­lo­gies were noted.

Approv­al of minutes of pre­vi­ous meetings

1. The draft minutes of the pre­vi­ous Audit and Risk Com­mit­tee meet­ing held on 20 June 2025 were approved with no amendments

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 16 of 38

Mat­ters arising not covered elsewhere

1. There were no mat­ters arising.

Ref	Action Detail	Who	When	Status
21/06/24	At para 341Lessons learned brief­ing forthe com­mit­tee for the nextmeeting	Dav­id	Will come tomeet­ing in June/​Sept dependin­gon staff timeavailable	OpenTo come to Septmeeting
Update;
on today’s agenda/​closed
27/09/24	At para 20iVI. Update on intern­alaudit view onfin­an­cial scen­arioplan­ning to beprovided to theAu­dit and RiskCommittee	Dav­id andStephanie	At the end of the24/​25 financialyear.	Ongo­ing­Man­age­mentto report­back toCom­mit­tee­to giveassurance
Update:	Grant and Dav­id have been work­ing on it over the sum­mer; more work
to be done before can be brought to the Committee.
21/03/25	At para 28XI. Stat­ist­ic­al ana­lys­is to be brought backto the Com­mit­tee show­ing of thecon­tracts awar­ded­how manycompan­ies were­based in the­Cairngorm­sNa­tion­al Park, how­many around andhow many out with	Louise		Out­stand­ing

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 17 of 38

| | over the course ofone year.XII. Head of Fin­anceand Cor­por­ate­Op­er­a­tions todif­fer­en­ti­ate­b­etween con­flict­and declar­a­tion ofin­terest on page 6of the Pro­cure­mentAc­tion Plan. | Louise | | | |Update: Com­pleted| | | | | | 20/06/25| At Para 16 Wbg to dis­cus­sand agree with­Man­age­mentto review the­t­i­me­tabling ofthe reports toprovidemore of an even­s­pread. | Peter Clark,GrahamGilespie,Louise,David | Septem­ber­meet­ing | | |Update­Closed — On today’s agenda.| | | | | | 20/06/25 | At Para 25XIII. Risk One to bea­mended to include­de­tail which­con­siders andre­flects the risks­posed with­in the | Dav­id | By the nextmeeting | |

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 18 of 38

| | Pub­lic Reform­Strategy that waspub­lished the day­be­fore the meet­ing. | | | | |Upda­teR­isk Register updated with­in today’s papers. Closed| | | | | | 20/06/25| At Para 29XIV. Estim­ated timespent by staff oneach inform­a­tion­re­quest to becap­tured andin­cluded in the nextreport.XV. Each request toin­clude a little bit ofde­tail to helpidenti­fy emergingthemes.XVI. | Paul | For the nex­tup­date toCom­mit­tee Novmeet­ing| | |Update:| | | | | |In hand for next meeting| | | | |

Declar­a­tions of interest

1. There were no declar­a­tions of interest.

Extern­al audit assur­ances (Paper 1)

1. Tom Reid, Maz­ars presen­ted the paper which sets out the Request for inform­a­tion from Man­age­ment and Those Charged with Gov­ernance pre­pared by Maz­ars. The Audit and Risk Com­mit­tee: α) Con­sidered the auditor’s request for inform­a­tion and Management’s response to this.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 19 of 38

1. b) Provided assur­ance that its gov­ernance extends to cov­er the items on which assur­ance is reques­ted. Action Points Arising: i. None.

Intern­al audit pro­gress report (Oral)

1. Scott McCready, wbg presen­ted the update which sets out the pro­gress made on the intern­al audit pro­gress report.
2. The Audit and Risk Com­mit­tee agreed with this approach and advised that, depend­ing on the find­ings of the Intern­al Aud­it­ors on the vari­ous pro­jects for the year they would sched­ule in an addi­tion­al Audit and Risk Com­mit­tee meet­ing in March 2026 should it be required.
3. Action Points Arising: None.

Stra­tegic Risk Registers (Paper 2)

1. Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions presen­ted the paper which sup­ports a review by the Com­mit­tee of the Park Authority’s stra­tegic risk register man­age­ment position.
2. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and obser­va­tions: α) A mem­ber quer­ied risk 11 around repu­ta­tion and the poten­tial for unreal­ist­ic expect­a­tions between CNPA and stake­hold­ers, com­mit­ments made regard­ing beavers and their impact on flood banks. The Park Author­ity has made some fin­an­cial guar­an­tees over a lim­ited time­frame but what were the expect­a­tions after this peri­od ends, and was there also a repu­ta­tion­al risk out with the Cairngorms Nation­al Park (CNP) when beavers move across the park bound­ary? CEO advised that the flood bank com­mit­ment would be reviewed in 2026. At time of mak­ing this com­mit­ment, the ini­tial thought was that poten­tial for sup­port through agri-fund­ing would be clear­er, but to date, that was not the case. If neces­sary, fin­an­cial com­mit­ments will be exten­ded to 2028 which was the end of the trans­lo­ca­tion license. NatureScot pick up the

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 20 of 38

b) effects out with the CNP. A watch­ing brief is being kept on that. The mem­ber agreed with that approach. CEO com­men­ted that Trans­port Scot­land hav­ing giv­en fund­ing for 2025/ 2026, it would be odd if they did not award us money for the second stage. How­ever, the fact that there is a Scot­tish elec­tion next year cre­ates some uncer­tainty, so it is not guar­an­teed at this stage.

1. The Audit and Risk Com­mit­tee noted the paper and agreed to the recom­mend­a­tions: α) Con­sidered the cov­er­age and adequacy of the Park Authority’s stra­tegic risk man­age­ment pos­i­tion and advise on any gaps or amend­ments required to the cur­rent stra­tegic risk register. b) Con­sidered the cov­er­age and adequacy of the Cairngorms 2030 pro­gramme risk man­age­ment pos­i­tion and advise on any gaps or amend­ments required to the cur­rent pro­gramme risk register.
2. Action Points Arising: None.

Pro­cure­ment approaches: les­sons learned (Paper 3)

1. Louise Allen, Head of Fin­ance and Cor­por­ate Oper­a­tions presen­ted the paper which draws togeth­er reflec­tions on the les­sons learned in identi­fy­ing and tak­ing steps to imple­ment the improve­ments required to the Park Authority’s pro­cure­ment con­trols. The paper is presen­ted at the request of the Com­mit­tee and fol­low­ing reflec­tion by officers involved in the devel­op­ment and imple­ment­a­tion of the pro­cure­ment action plan which fol­lowed the intern­al audit review of the Park Authority’s pro­cure­ment controls.
2. The Audit and Risk Com­mit­tee dis­cussed the report and made the fol­low­ing com­ments and obser­va­tions: α) The Chair com­men­ted that the Com­mit­tee had reques­ted the report to be brought to the Com­mit­tee and felt reas­sured by its con­tents. b) CEO advised that the work under­taken was wider than pro­cure­ment. Lots of work had gone into digit­ising vari­ous aspects of our ser­vices, includ­ing pro­cure­ment, grants etc. — 38 dif­fer­ent pro­cesses had been made digit­al — and ensur­ing those pro­cesses are fit for pur­pose for the future.

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 21 of 38

c) A mem­ber com­men­ted that it was a good paper that covered a lot of ques­tions the Com­mit­tee had raised, and that it dealt with an area that had been picked up at Board meet­ings. How­ever there still remained an under­cur­rent of people with­in the com­munity who do not under­stand the func­tion of CNPA. The mem­ber felt that the report did not pick that up strongly enough and asked who should be lead­ing to address this. CEO advised that the member’s ques­tion was not a mat­ter related to pro­cure­ment but a more gen­er­al point. He agreed there were some grey areas and the devel­op­ment of next Nation­al Park Part­ner­ship Plan (NPPP) would be a sens­ible time to con­sider this.

1. The Audit and Risk Com­mit­tee dis­cussed and com­men­ted on the les­sons learned from col­lect­ive hand­ling of the Park Authority’s approach to devel­op­ing intern­al con­trols on pro­cure­ment as set out in this paper.
2. Action Points Arising: None.

AOCB

1. The Chair announced that this would be Peter Cosgrove’s last meet­ing as Vice- Chair of the Audit and Risk Com­mit­tee and thanked him for being an incred­ibly help­ful mem­ber of the Com­mit­tee, a sup­port­ive vice chair whose insight­ful com­ments have made a real dif­fer­ence to this Com­mit­tee. Peter Cos­grove explained that he was now Chair­ing two oth­er groups and remain­ing as vice Chair of this one, was just too much. The Chair wished him well in his new chair­ing opportunities.
2. Motion to take the next items in con­fid­en­tial session.

Date of Next Meeting

1. The date of the next meet­ing is 14 Novem­ber 2025 in person.
2. The pub­lic part of the meet­ing con­cluded at 13.46 pm

Cairngorms Nation­al Park Author­ity Ugh­dar­ras Pàirc Nàiseanta a’ Mhon­aidh Ruaidh

Form­al Board Paper 9 Annex 1 28 Novem­ber 2025 Page 22 of 38

| Ref | Action Detail | Who | When | Status | | — — — — — -| — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —