Paper 1 - Annex 1 Internal Audit Recruitment Report
Cairngorms National Park Authority
Internal Audit Report 2024⁄25
Recruitment
March 2025
Audit and Risk Committee
Paper 1 Annex 1 20 June 2025
Cairngorms National Park Authority Internal Audit Report 2024⁄25 Recruitment
Executive Summary 1
Management Action Plan 5
Appendix A — Definitions 12
Audit Sponsor David Cameron, Deputy Chief Executive
Key Contacts Kate Christie, Head of Organisational Development
Pip Mackie, HR Manager
Audit team Eliabeth Young, Partner
Stephanie Hume, Director
Amber Hamilton, Internal Auditor
This report is intended for Cairngorms National Park Authority use only and should not be relied upon by anyone else for any purpose whatsoever. Azets is acting for Cairngorms National Park Authority only and will not be responsible to any other person for providing protections afforded to clients and will not give any advice to any recipient of this report. No representation or warranty, express or implied, is given by us as to the accuracy or completeness of the information and opinions contained herein. Additionally, no account has been taken of the needs of third-party organisations in producing and agreeing this report and as such, it may be unsuitable for their purposes. Third parties should therefore verify the information contained in the report with Cairngorms National Park Authority where necessary.
To the fullest extent permitted by law, neither Azets nor Cairngorms National Park Authority nor its directors shall be liable for any direct, indirect or consequential loss or damage suffered by any person as a result of any third parties relying on any information or opinions
contained herein or in any other communication in connection with this report.
Executive Summary
Conclusion
Cairngorms National Park Authority (CNPA) has robust policies and processes in place that cover the end-to-end recruitment process. A comprehensive Recruitment and Selection Policy is in place that details each key step of the recruitment process for all current and prospective staff. Job descriptions are created by the relevant line manager using a standard template and are shared with HR to ensure all necessary information is contained within them. This includes essential and desirable criteria, roles and responsibilities and any statutory checks that must be satisfied. A job evaluation must also be completed by the Head of Organisational Development and approved by the Deputy Chief Executive Officer prior to advertisement. Further, all contracts of employment are issued subject to the completion of satisfactory statutory checks with all supporting documentation to evidence the completion of these checks retained on the CNPA SharePoint.
We have identified three low risk opportunities for improvement that would further strengthen the existing controls in place, as outlined within the management action plan.
Background and scope
As Cairngorms National Park Authority (CNPA) continues to expand as an organisation it is important that the organisation has the right people with the right skills in the right roles to help it succeed. This has been particularly challenging given the diverse skills base needed across a remote geographic location and in a competitive recruitment market.
It is therefore important for CNPA to have a robust and effective recruitment and onboarding process that clearly outlines the skills and experience needed, and that can be enacted quickly. This will help to ensure there are minimal delays across the recruitment journey, including between a decision being taken to recruit, to advert, and to appointment.
We have reviewed the recruitment processes in place, including consideration of the approval process for posts
prior to advertisement through to the onboarding process for staff.
Control assessment
Vacant posts are reviewed and approved prior to advertising to consider how it is most appropriate to treat the post including whether it should be replaced or re- profiled.
Clear role descriptions are in place for vacancies prior to advertising that set out both essential and desirable requirements for the role and provide candidates with sufficient information about both the role and organisation
Recruitment policies and procedures are in place that cover advertising, consideration of application forms, shortlisting, interview and appointment arrangements.
There are clear processes in place for onboarding of new staff that includes the completion of all relevant pre- employment checks.
Improvement actions by type and priority
Graphs representing the counts of Grade 1 – 4 for Control Design and Control Operation
Three improvement actions have been identified from this review, all of which relate to compliance with existing procedures. See Appendix A for definitions of colour coding.
Key findings
Good practice
CNPA has a comprehensive Recruitment and Selection Policy that sets out the end-to-end recruitment process in detail. This includes how job descriptions should be developed, the interview and short- listing process as well as how a candidate should be selected for the role.
Job descriptions are created by the line manager and reviewed by HR prior to advertisement to ensure all necessary information is included. All job descriptions are created using a standard description template which also includes the statutory checks that must be satisfied by the potential candidate. Further, all job descriptions clearly detail the role’s essential and desirable criteria, as well as key responsibilities.
All interview panels must include the relevant line manager, the line manager’s line manager, and a member of the HR team to ensure it consists of staff with appropriate knowledge of the role. We have confirmed that the interview panel for each of our sampled roles included the relevant individuals in line with CNPA procedures.
Prior to advertisement, the Head of Organisational Development and the Deputy Chief Executive will conduct a job evaluation and score the role based on a number of predetermined categories in order to determine the paygrade of the role. The paygrade must be approved by the Deputy Chief Executive. We have confirmed that the approved paygrade matched what was advertised for each of our sample of roles.
All roles are advertised at the bottom of the band at first instance. If a candidate requests an increase in salary a ‘Checklist to Inform Decisions to Appoint New Staff Above Band Minimum’ must be completed by a HR representative and approved by either the CEO or Deputy CEO.
CNPA contracts of employment are subject to the completion of satisfactory statutory checks. Evidence to confirm the candidate’s Eligibility to Work in the UK must be provided prior to the candidate’s interview. Moreover, all employees are also required to complete a basic Disclosure Scotland, and in some instances depending on job role a Protecting Vulnerable Groups certificate. Scans of the supporting paperwork to confirm these checks are retained on the CNPA SharePoint.
Areas for improvement
We have identified a small number of areas for improvement which, if addressed, would strengthen CNPA’s control framework. These include:
- Ensuring documentation to evidence the approval to recruit for a role is consistently retained; and
- Determining a timeframe by which the Recruitment and Selection Policy should be periodically reviewed.
These are further discussed in the Management Action Plan below.
Impact on risk register
The CNPA corporate risk register (dated November 2024) included the following risks relevant to this review:
- Risk 5: Increasingly competitive and restricted recruitment climate prevents staff with the required experience and skill sets being secured. Planning and other specialist staff (IT, procurement, finance) requirements impacted by national labour/skills shortages and/or salary structures not sufficiently competitive to attract or retain key staff.
Our audit fieldwork has highlighted that CNPA has robust policies and procedures in place that cover the end- to-end recruitment process and mitigate risk associated with inappropriate recruitment practices.
Acknowledgements
We would like to thank all staff consulted during this review for their assistance and co-operation.
Management Action Plan
Control Objective 1:
Vacant posts are reviewed and approved prior to advertising to consider how it is most appropriate to treat the post including whether it should be replaced or re- profiled. Yellow
1.1 Documentation of approval to recruit
We reviewed the Recruitment and Selection Policy which details the end-to-end recruitment process. The policy states that prior to any form of recruitment, there is a requirement to scrutinise and challenge staffing proposals in order for an organisation-wide view to be taken on the potential operational, financial and human resources effects of the recruitment. Following this a decision will be taken regarding whether the role should be recruited for and how that will occur, for example whether it will be a like for like replacement. The policy sets out the expectation that this scrutiny will be undertaken by the Corporate Services Director with the Management Team if deemed appropriate by the Corporate Services Director, however the policy does not detail how this process of scrutiny should occur or be documented.
Per discussions with the Head of Organisational Development, we understand that recruitment is discussed at Senior Management Team (SMT) meetings and discussion around recruitment and the subsequent recruitment decision should be contained within the meeting minutes. However, we have been informed that this does not always occur and often only verbal approval to recruit or approval via email correspondence is provided.
We tested a sample of seven roles that had been recruited and filled in 2024 to determine if there was a formal process by which recruitments are considered prior to advertisement. Further, we sought to understand how this process is documented. Whilst we were able to review various documentation to confirm that consideration was given to the role prior to recruitment or infer approval for recruitment based on other supporting documentation, this process has not been consistently documented and the evidence confirmed to retain this has been somewhat limited.
The below table details our chosen sample of roles. It notes context for the recruitment of each as provided by the Head of Organisation Development, as well as the evidence we have obtained and reviewed to confirm or infer that approval was given to recruit for each position.
| Role | Evidence to Support Decision to Recruit |
|---|---|
| Content Creation Intern | An email thread between the Head of Communications and the Director of Corporate Services. The thread provided approval to recruit for the role from the Director of Corporate Services on the basis that previous approval for a similar role that ultimately wasn’t filled had already been provided. Therefore the financial implications of recruiting for this role would be the same. |
| Cycling Development Officer | A newly developed role as a result of the Cairngorms 2030 Project. The Cairngorms 2030: National Lottery Heritage Horizons Fund Delivery phase application report that was taken to the Board on 23/06/23 and confirmed the creation of the Cycle Development Officer role as a new position developed in aid of the project. |
| Seasonal Ranger | The National Park Partnership Plan 2022 – 2027 was approved by the Board and sets the objective of ensuring a High-Quality Visitor Experience. This is aided by a high-quality ranger service, nothing that an indicator of success of this objective will be a stable or increasing number of rangers. We have confirmed that prior to recruitment, seven rangers left their position and so a subsequent seven were therefore recruited to ensure a stable number of rangers was in place. |
| Clerk to the Board | We have been informed by the Head of Organisational Development that verbal approval was given by the CEO to recruit for this role. This is a critical role that was replaced like for like in order to maintain operation of the Board. We have not been able to obtain any evidence to confirm this. |
| Sustainable Transport Manager | This is a new role as a result of the Cairngorms 2030 Project. This is also confirmed within the Cairngorms 2030: National Lottery Heritage Horizons Fund Delivery phase application report. |
| Trainee Ranger | A further Ranger recruitment in aid of ensuring a stable number of Rangers under the National Park Partnership Plan 2022 – 2027. |
| Media Communication Manager | The Media Communications Manger role was established after an officer in a similar role (but of a lower band) resigned and prompted a broad restructure of the Communications Team. A PowerPoint containing the proposed new structure of team was obtained which includes the creation of the Media Communication Manager role. A communication from the Head of Communications was also obtained which noted the candidate’s appointment, and detailed cover for their role until they could begin. This was signed off as approved by the Director of Corporate Services. |
Risk
There is a risk that approval to recruit for a role, and the manner in which that role should be recruited for, is unclear in the absence of a consistent process and evidence to confirm that the process occurred. Failure to retain evidence to confirm approval to recruit was given could result in legal and reputational damage.
Recommendation
CNPA should ensure documentation to evidence the approval to recruit for a role is consistently retained. This should contain discussions around why the decision to recruit was taken, what factors were considered in this decision, and who ultimately approved the decision.
Management Action Grade 2 (Operation) Recommendation agreed. We agree the need for a more systematic, standardised recruitment proposal, review and approval process.
Action owner: Head of Organisational Development
Due date: 30 June 2025
Control Objective 2:
Clear role descriptions are in place for vacancies prior to advertising that set out both essential and desirable requirements for the role and provide candidates with sufficient information about both the role and organisation Green
No reportable weaknesses identified
We have reviewed the Recruitment and Selection Policy with regards to job descriptions and confirmed that the policy sets the expectation that job descriptions will be written by the appropriate line manager. The description must set out the person specification of the post (which details the essential and desirable criteria of the post) and should also include the roles and responsibilities the future employee will be expected to perform.
A template job description has been created that includes sections to ensure that all of the above detail is captured. The template has built in the basic statutory checks required for all CNPA employees such as the Right to Work in the UK and the requirement for a basic Disclosure Scotland Certificate. Once the draft description has been created, it is shared with HR to review to ensure all required information has been completed.
We reviewed the job descriptions created for the seven roles in our sample and found that each job description was detailed and clearly set out all essential and desirable criteria. The job descriptions also provided the context of CNPA as an organisation and how the role would fit into this, as well as detailing a comprehensive list of all responsibilities relevant to the role.
We note that of our sample, six job descriptions were created using the standard job description, and one differed in appearance. We discussed this with the Head of Organisational Development and the Head of HR, and we have been informed that this was for the Content Creation Intern and was created using a template and guidance from Inclusion Scotland. This role was for a fixed term internship and was geared towards a younger demographic and was therefore less restrictive in in its essential requirements. However, we note that despite the difference in template, the job description still clearly set out essential and desirable criteria under the people specification section, including the required statutory checks for the role. Further it also included a detailed overview of the tasks expected to be completed by the recruited individual.
Control Objective 3:
Recruitment policies and procedures are in place that cover advertising, consideration of application forms, shortlisting, interview and appointment arrangements. Yellow
3.1 Review of recruitment and selection policy
The Recruitment and Selection Policy was initially approved in February 2013 by the Staff Consultative Forum. Per discussion with the Head of Organisational Development and the HR Manager, we understand that there is no expected timeframe by which the policy should be reviewed. The policy will be updated to reflect any legal changes as necessary, but that does not include a full review of the policy content.
On review of the policy, we noted that there is a section on monitoring and review that states that CNPA will monitor and review the processes within the policy in order to reflect organisational needs, experiences and statutory obligations. This section includes a note of all amendments made to the policy since its introduction. We note that these amendments refer to updates as a response to changes in statutory obligations and legal requirements rather than a review of the processes themselves. The Head of Organisational Development has confirmed that a full review of the policy has not been undertaken since it was initially introduced.
Risk
There is a risk that the Recruitment and Selection Policy is outdated and no longer fit for purpose in the absence of periodic reviews of the policy content. This could result in unclear recruitment processes, leading to inconsistencies in recruitment exercises, ultimately resulting in legal and reputational damage.
Recommendation
CNPA should determine the timeframe within which the Recruitment and Selection Policy should be reviewed to ensure the processes contained within it are reflective of the current organisational recruitment processes. Documentation of the review should be evidenced on the policy under the monitoring and review section to evidence that the review occurred in line with the agreed timeframe.
Management Action Grade 2 (Operation) Recommendation accepted. We confirm that the policy had been updated regularly in response to changes in the law to ensure it remained compliant, We will review the policy during 2025⁄26 to ensure all processes are fit for current purpose, and accommodates other changes in process arising from response to this audit. We will also schedule a review of the policy at least every three subsequent years.
Action owner: Head of Organisational Development
Due date: 30 September 2025
Control Objective 4:
There are clear processes in place for onboarding of new staff that includes the completion of all relevant pre-employment checks. Green
4.1 Documentation of Statutory Checks
CNPA carries out several statutory checks on all new employees including:
- Right to Work in the UK
- Basic Disclosure Scotland or Protecting Vulnerable Groups (PVG) certificate
- Valid UK driver’s license (for applicable roles)
We tested the completion of statutory checks for a sample of seven employees to ensure they had been completed as part of the employee’s onboarding process and that they had been formally documented. Through our testing we reviewed the completed checks for all seven employees and confirmed that the relevant documents and certificates have been saved to the CNPA SharePoint.
As part of this we looked to confirm that the relevant statutory checks had been added to each of the employee’s HR profiles. In doing so, we found that of our sample two employee’s profiles did not have all the completed statutory checks uploaded despite having confirmed that the checks had been completed and were available to view on SharePoint.
In addition we identified that a copy of the standard Employee New Starter checklist, which confirms the checks undertaken, is not retained in the employee HR profile.
Risk
There is a risk that employee information is incorrectly stored due to the lack of uploading documentation to support statutory checks securely to the employee file, leading to potential legal, operational and reputational risks.
Recommendation
A review should be undertaken of the current HR employee profiles to ensure that all supporting documentation has been uploaded. Additionally, when onboarding future employees, consideration should be given to retaining an electronic copy of the Employee New Starter checklist that details the check was carried out and confirmed by a member of the HR team. This should also be supported by uploading the required documentation to the HR profile to confirm completion of the relevant check.
Management Action Grade 1 (Operation) The SharePoint folders for all staff are the main organisational records management system for supporting documentation. These folders are all up to date. The HR portal, PeopleHR is just a secondary system for these documents, presenting staff with direct access to core information they may find useful, and as such a location where staff have access to their own documents. As such, whilst we acknowledge that 2 of the 7 checks were not updated on the HR portal, it is important to note this is a secondary rather than primary records store. We appreciate that this has been identified as a low-level risk.
Given the risk level, rather than review all employee profiles centrally, we will consider the interaction of PeopleHR and primary SharePoint records. If necessary, we will issue an update to staff setting out records they should see direct access to through People HR and to contact the team if any records are missing.
Action owner: HR Manager
Due date: September 2025
Appendix A – Definitions
Control assessments
R Fundamental absence or failure of key controls.
A Control objective not achieved — controls are inadequate or ineffective.
Y Control objective achieved — no major weaknesses but scope for improvement.
G Control objective achieved — controls are adequate, effective and efficient.
Management action grades
4 Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
3 High risk exposure — absence / failure of key controls that create significant risks within the organisation.
2 Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
1 Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.
© Azets 2025. All rights reserved
Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.