Please be aware the content below has been generated by an AI model from a source PDF.

Paper 2 - Annex 1 Internal Audit 24-25 Annual Report

Audit and Risk Committee, Paper 2 Annex 1, 20 June 2025


Cairngorms National Park Authority Internal Audit Annual Report 2024-25

May 2025

azets​.co​.uk

Table of Contents

Introduction
Overall internal audit opinion
Internal audit work performed
Planning process
Appendix 1 — Planned v actual days 2024-25
Appendix 2 — Summary of Quality Assurance Assessment
Appendix 3 — Definitions

This report is intended for Cairngorms National Park Authority use only and should not be relied upon by anyone else for any purpose whatsoever. Azets is acting for Cairngorms National Park Authority only and will not be responsible to any other person for providing protections afforded to clients and will not give any advice to any recipient of this report. No representation or warranty, express or implied, is given by us as to the accuracy or completeness of the information and opinions contained herein. Additionally, no account has been taken of the needs of third party organisations in producing and agreeing this report and as such, it may be unsuitable for their purposes. Third parties should therefore verify the information contained in the report with our Client where necessary.

To the fullest extent permitted by law, neither Azets nor Cairngorms National Park Authority nor its directors shall be liable for any direct, indirect or consequential loss or damage suffered by any person as a result of any third parties relying on any information or opinions contained herein or in any other communication in connection with this report.


Introduction

The Global Internal Audit Standards (GIAS) state that:

“The chief audit executive must communicate the results of internal audit services to the board and senior management periodically and for each engagement as appropriate. The results of internal audit services can include
• Engagement conclusions.
• Themes such as effective practices or root causes.
• Conclusions at the level of the business unit or organisation.”

To meet the above requirements, this Annual Report summarises our conclusions and key findings from the internal audit work undertaken at the Cairngorms National Park Authority (CNPA) during the year ended 31 March 2025, including our overall opinion on Cairngorms National Park Authority’s internal control system.

Acknowledgement

We would like to take this opportunity to thank all members of management and staff for the help, courtesy and co-operation extended to us during the year.


Overall internal audit opinion

Basis of opinion

As the Internal Auditor of CNPA, we are required to provide the Audit and Risk Committee with assurance on the whole system of internal control. In giving our opinion it should be noted that assurance can never be absolute. The most that the internal audit service can provide is reasonable assurance that there are no major weaknesses in the whole system of internal control.

In assessing the level of assurance to be given, we have taken into account:
• All reviews undertaken as part of the 2024-25 internal audit plan;
• Any scope limitations imposed by management;
• Matters arising from previous reviews and the extent of follow-up action taken including in year audits;
• Expectations of senior management, the Audit and Risk Committee and other stakeholders;
• The extent to which internal controls address the client’s risk management/control framework;
• The effect of any significant changes in CNPA objectives or systems; and
• The internal audit coverage achieved to date.

In my professional judgement as Chief Internal Auditor, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the basis and the accuracy of the conclusions reached and contained in this report. The conclusions are based on the conditions as they existed at the time of the audit. The conclusions are only applicable for the entity examined. The programme of work undertaken and evidence gathered is compliant with the Global Internal Audit Standards and is sufficient to provide senior management with appropriate assurance from the work of internal audit.

Internal Audit Opinion

In our opinion, CNPA has a framework of governance, risk management and controls that provides reasonable assurance regarding the effective and efficient achievement of objectives.

Azets
May 2025


Internal audit work performed

Scope and responsibilities

Management

It is management’s responsibility to establish a sound internal control system. The internal control system comprises the whole network of systems and processes established to provide reasonable assurance that organisational objectives will be achieved, with particular reference to:
• risk management;
• the effectiveness of operations;
• the economic and efficient use of resources;
• compliance with applicable policies, procedures, laws and regulations;
• safeguards against losses, including those arising from fraud, irregularity or corruption; and
• the integrity and reliability of information and data.

Internal auditor

The Internal Auditor assists management by examining, evaluating and reporting on the controls in order to provide an independent assessment of the adequacy of the internal control system. To achieve this, the Internal Auditor should:
• analyse the internal control system and establish a review programme;
• identify and evaluate the controls which are established to achieve objectives in the most economic and efficient manner;
• report findings and conclusions and, where appropriate, make recommendations for improvement;
• provide an opinion on the reliability of the controls in the system under review; and
• provide an assurance based on the evaluation of the internal control system within the organisation as a whole.

Conformance with Global Internal Audit Standards

We confirm that our internal audit service conforms to the Global Internal Audit Standards. This is confirmed through our quality assurance and improvement programme, which includes cyclical internal and external assessments of our methodology and practice against the standards.

A summary of the results of our most recent external assessment is provided at Appendix 2. This EQA was undertaken in February 2023 against the 2017 International Internal Audit Standards (predecessor to GIAS).

Independence

GIAS require us to communicate on a timely basis all facts and matters that may have a bearing on our independence. We can confirm that the staff members involved in each 2024-25 internal audit review were independent of CNPA and their objectivity was not compromised in any way.


Planning process

Our strategic and annual internal audit plans are designed to provide the Audit and Risk Committee with assurance that CNPA’s governance, risk management and internal control system is effective in managing the key risks. The plans are therefore informed by CNPA’s risk management system and linked to the Strategic Risk Register.

The Strategic Internal Audit Plan was agreed in consultation with senior management and formally approved by the Audit and Risk Committee. The Annual Internal Audit Plan is subject to revision throughout the year to reflect changes in CNPA’s risk profile.

During the course of the year management requested that the review of shared services be replaced with a review of recruitment as a result of ongoing discussions with shared services providers on updating agreements. In addition, a review of Cyber Security was requested to be deferred to 2025-26 due to ongoing work regarding obtaining Cyber Essentials Plus. These changes were approved by the Audit and Risk Committee in November 2024.

We planned our work so that we have a reasonable expectation of detecting significant control weaknesses. However, internal audit can never guarantee to detect all fraud or other irregularities and cannot be held responsible for internal control failures.

Cover achieved

The 2024-25 Internal Audit Plan comprised 59 days of audit work and we completed 51 days, with the difference related to the deferral of the cyber security review. A comparison of actual coverage against the 2024-25 plan is attached at Appendix 1.

We confirm that there were no resource limitations affecting our ability to meet the full audit needs of CNPA and no restrictions were placed on our work by management. We did not rely on the work performed by a third party during the period.

Reports

We prepared a report from each review and presented these reports to the Audit and Risk Committee. The reports are summarised in the table below. Where relevant, all reports contained action plans detailing responsible officers and implementation dates. The reports were fully discussed and agreed with management prior to submission to the Audit and Risk Committee. We made no significant recommendations that were not accepted by management.


Summary of reports by control assessment and action grade

Columns: Review; Control objective assessment; No. of issues per grading (4, 3, 2, 1, Advisory)
Cairngorms 2030: 1
Operational and Financial Planning: 4
Recruitment: 2 1

The audit definitions are outlined in Appendix 3.

Progress in implementing previous internal audit actions

Management have continued to make excellent progress in implementing agreed actions from internal audit reports. We reviewed the 38 actions on the action tracker and obtained sufficient evidence to close 17 (45%) actions and one (2%) action was closed as it was superseded. Of the 20 remaining actions, 17 (85%) are partially complete and three (15%) are incomplete.

[Figure: Status of Recommendations (chart; legend: Complete, Partially complete, Incomplete, Superseded; values shown: 3%, 7%, 45%, 45%)]

Key themes from audit work in 2024-25

Cairngorms 2030

Our audit confirmed that a detailed plan for the delivery phase of Cairngorms 2030 was presented and approved by the Board in December 2023, ahead of the delivery phase which started in 2024. There were clear reporting protocols outlined within the Cairngorms 2030 Programme Report. Discussions with Non-Executive Directors highlighted that reporting primarily focussed on previous programme activities and did not provide any forward-look. As a result, we raised an advisory recommendation to undertake periodic horizon scanning/risk identification exercises with the Board to consider any potential issues which may impact the delivery of Cairngorms 2030.

Operational and Financial Planning

Our audit confirmed that Cairngorms National Park Authority has established clear processes for financial and operational planning to ensure approved plans are in place before the start of each financial year. We confirmed that these plans align with the relevant objectives of the Corporate Plan, and that the financial and staffing resources were considered to achieve these objectives.

We also confirmed that annual scenario planning is conducted at the request of the Scottish Government, based on expected budgets, and includes consideration of three distinct scenarios. However, we noted that these scenarios are not reported internally to those responsible for governance, and management does not regularly update long-term financial projections to reflect the Corporate Plan 2023-27 and the National Park Partnership Plan 2022-27.

In addition, the audit highlighted that regular updates on progress and performance against both operational and financial objectives are provided to Board and Committees. To strengthen these arrangements, Cairngorms National Park Authority could implement action logs to track the completion of actions.

Recruitment

Our audit of recruitment highlighted that Cairngorms National Park Authority is guided by a comprehensive Recruitment and Selection Policy with job descriptions consistently drafted by line managers and assessed by HR to ensure they include expected information. A job evaluation is completed by the Head of Organisational Development and approved by the Deputy CEO before job advertisements are posted.

We raised three low risk improvement areas which would further strengthen the existing controls in place which included ensuring documentation to evidence the approval to recruit for a role is consistently retained and ensuring the Recruitment and Selection Policy is subject to a regular review cycle.


Appendix 1 — Planned v actual days 2024-25

Ref and Name of report | Planned Days | Actual Days
Cairngorms 2030 | 11 | 11
Operational and Financial Planning | 14 | 14
Recruitment | 10 | 10
Cyber Security | 8 | —
Follow Up | 5 | 5
Internal Audit Management and Administration | 2 | 2
Audit needs analysis – Strategic and Operational Planning | 3 | 3
Audit and Risk Committee planning, reporting and attendance | 3 | 3
Contract Management | 2 | 2
Annual Internal Audit Report | 1 | 1
Total | 59 | 51


Appendix 2 — Summary of Quality Assurance Assessment

As part of our regular quality assessment procedures, we commissioned an external quality assessment (EQA) against the Institute of Internal Auditors (IIAs) International Professional Practices framework (IPPF) and, where appropriate, the Public Sector Internal Audit Standards (PSIAS). We are pleased to disclose the outcome of this assessment as we believe it is important to provide you with assurance that the service you receive is of a high quality and fully compliant with internal audit standards. Outlined below are extracts from our most recent external quality assessment undertaken in February 2023.

External Quality Assessment summary

Executive Summary

I am pleased to report that there are no material governance, methodology or practical issues that are impacting Azets Risk Assurance’s overall conformance with the Institute of Internal Auditors (IIAs) International Professional Practices framework (IPPF).

Internal Audit have achieved the highest level of conformance with the Standards, as well as the Definition, Core Principles, and the Code of Ethics, which form the mandatory elements of the IPPF, the global standard for quality in Internal Auditing. The Institute describe this as “Generally Conforms”. This is an excellent result and is based on an extensive EQA covering the team’s approach, methodology, processes, and an extensive sample of engagement files. The EQA assessor is an experienced, former Chief Assurance Officer and current Audit Committee Chair.

Conformance Opinion

The IPPF/PSIAS includes the Mission and Definition of Internal Auditing, the Core Principles, Code of Ethics, and International Standards. There are 64 fundamental principles to achieve, with 118 points of recommended practice.

I am delighted to confirm that Azets Risk Assurance generally conform with 62 of these 64 fundamental principles. This is an excellent result. Furthermore, there are no areas of ‘partial’ or ‘non-conformance’ with any of the remaining fundamental principles.

The overall assessment resulting from the EQA is that Azets Risk Assurance “generally conforms to the International Professional Practices Framework”. The term “generally conforms” is used by the IIA to represent the highest level of achievement and performance. I include a summary of Azets Risk Assurance’s conformance to these fundamental principles below.

Overall, I believe that Azets Risk Assurance has achieved an excellent performance given the breadth of the IPPF, and the diverse work and activity the team undertakes.

Summary of IIA Conformance

Columns: Standards; N/A; Does not Conform; Partially Conforms; Generally Conforms; Total
Definition of IA and Code of Ethics (Rules of conduct): 12 12
Purpose (1000-1130): 8 8
Proficiency and Due Professional Care (1200-1230): 2 4
Quality Assurance and Improvement Programme (1300-1322): 1 6 7
Managing the Internal Audit Activity (2000-2130): 12 12
Engagement Planning and Delivery (2200-2600): 1 20 21
Total: 2 0 0 62 64

Our response

The review identified a number of areas for future consideration to further enhance our internal audit practices. We welcome these findings and as such, a detailed action plan will be put into place to address the areas for further development.


Appendix 3 — Definitions

Control Objective Assessment Definitions

R • Fundamental absence or failure of key controls.
A • Control objective not achieved — controls are inadequate or ineffective.
Y • Control objective achieved — no major weaknesses but scope for improvement.
G • Control objective achieved — controls are adequate, effective and efficient.

Management Action Prioritisation Definitions

4 • Very high risk exposure — major concerns requiring immediate senior attention that create fundamental risks within the organisation.
3 • High risk exposure — absence / failure of key controls that create significant risks within the organisation.
2 • Moderate risk exposure — controls are not working effectively and efficiently and may create moderate risks within the organisation.
1 • Limited risk exposure — controls are working effectively, but could be strengthened to prevent the creation of minor risks or address general house-keeping issues.


Azets 2025. All rights reserved. Registered to carry on audit work in the UK and regulated for a range of investment business activities by the Institute of Chartered Accountants in England and Wales.
