Paper 3 - Annex 1 Internal Audit Planning
Cairngorms National Park Authority
Audit Needs Assessment 2025/26 to 2027/28
June 2025
Audit and Risk Committee, Paper 3 Annex 1, 15 June 2025
Table of Contents
Introduction
Approach
Operational Plan 2025/26
Reporting
Initial 3-year Audit Needs Assessment 2025/26 to 2027/28
Appendices:
A. Grading Structure
B. Key Performance Indicators
C. Training Topics
D. Assurance Map
E. Audit Universe
Introduction

Background
Wbg Services LLP (Wbg) have been appointed as Internal Auditors by Cairngorms National Park Authority (the Organisation) Audit & Risk Committee for an initial one year period from 1 April 2025 to 31 March 2026, with the option to extend for a further two years.
Internal Audit
The prime responsibility of the Internal Audit Service (IAS) is to provide the Board, via the Audit & Risk Committee, with an objective assessment of the adequacy and effectiveness of management’s internal control systems.
The IAS objectively examines, evaluates and reports on the adequacy of internal control, thus contributing to the economic, efficient and effective use of resources and to the reduction of the potential risks faced by the Organisation.
The operation and conduct of the IAS must comply with the standards and guidelines set down by the Institute of Internal Auditors, including the Global Internal Audit Standards which came into effect from January 2025, as well as the Public Sector Internal Audit Standards.
Terms of Reference — Internal Audit
The provision of the IAS by Wbg is covered by the letter of engagement dated 28 April 2025.
Formal Approval
The Audit Needs Assessment (ANA) will be presented to the Audit & Risk Committee for discussion and approval on 20 June 2025.
Approach
Planning process and review
Approach
The Audit Needs Assessment (“ANA”) has been produced based on the following:
- Consideration of the risks noted within the Organisation’s Strategic Risk Register;
- Consideration of previous internal audit coverage and the key findings from these reports;
- An initial meeting held with the Senior Management Team (SMT), with a follow up meeting with the Deputy CEO / Director of Corporate Operations and the Head of Finance and Corporate Operations;
- Meeting with the Chair of the Audit & Risk Committee;
- Preparation of an Assurance Map;
- The identification of key controls and associated risks for each system and sub-system; and
- The determination of the internal audit resource required to meet the identified audit needs.
Planning Process
The original document shows our internal audit planning process as a diagram with five stages:
- Understanding the organisational context
- Evaluating the risk management process
- Designing the audit plan
- Communicating and agreeing the plan
- Reviewing and revising the plan
Revisiting the ANA
The ANA will be reviewed continuously throughout our appointment and will take account of the results of audit work, the development of new systems and any other risk factors identified. Any proposed changes to the ANA will be presented to the Audit & Risk Committee on at least an annual basis for discussion and approval.
We have set out below the proposed Audit Team:
- Graham Gillespie, Partner and Head of Internal Audit, gg@wbg.co.uk
- Peter Clark, Director of Internal Audit, pcc@wbg.co.uk
- Scott McCready, Internal Audit Senior Manager, smc@wbg.co.uk
- Andrew Thomson, Senior IT Auditor, at@wbg.co.uk
- Kevin McDermott, Internal Audit Senior, kmd@wbg.co.uk
Operational Plan 2025/26
Governance and New Finance System

Audit area: Governance
High level indicative summary scope: The purpose of this review is to assess whether the Organisation has appropriate governance arrangements in place and that these have been embedded throughout. This review aims to provide assurance that the Organisation’s corporate governance arrangements are appropriate and represent good practice. Our objectives for this review are to assess whether:
- There is an effective scheme of governance in place.
- There is effective leadership at the Organisation.
- There are effective relationships and communication channels in place with external bodies.
- Clear responsibilities and reporting arrangements are established and are being followed.
- There are effective scrutiny arrangements in place which are being followed.
- There is a formal meeting structure in place.
- The Organisation’s governance arrangements meet the framework document(s) agreed between CNPA and the Scottish Government, guided by the National Parks (Scotland) Act 2000.
Total number of days: 8

Audit area: New Finance System
High level indicative summary scope: The purpose of the assignment will be to review the implementation of the new finance system to assess whether the system is working as anticipated. We will also review the implementation process to ensure that deadlines and costs were met, and that staff have received sufficient training on the system. Our objectives for this review are to assess whether:
- The new Finance System is fit for purpose and operating in line with good practice.
- Data has been accurately transferred from the previous Finance System.
- Sufficient training has been given to those staff who will be using the new Finance System.
- Appropriate controls have been put in place over the new Finance System and these are being adhered to by staff.
Total number of days: 8
Cyber Security

Audit area: Cyber Security
High level indicative summary scope: The scope of this review is to be confirmed following discussions between the Organisation and Wbg.
The Organisation has achieved Cyber Essentials Plus accreditation and has worked with the Scottish Government’s pilot programme (HEFESTIS Pathway) to undertake cyber maturity assessment and benchmarking. This programme included access to Pathway toolsets and the Public Sector Cyber Resilience Framework (PSCRF) guidance.
Our scoping discussions will consider undertaking an assessment of the Cyber Essentials Plus criteria, which the Organisation has met, against the National Cyber Security Centre’s 10 Steps to Cyber Security guidance to help identify any gaps.
Total number of days: 8
Project Initiation

Audit area: Project Initiation
High level indicative summary scope: Following the launch of the project control system in June 2025, we will assess whether this is working as anticipated, is being complied with and represents the appropriate level of control. We will assess the new control mechanisms being implemented from June 2025. We will also assess whether funding conditions are being met. Our objectives for this review are to assess whether:
- Roles and responsibilities for project management are clearly defined and key staff are aware of their specific roles.
- Criteria are in place to ensure key project decisions are fully informed at the outset, including scope definition, budgeting and risk management.
- Decisions are made in a timely manner and at an appropriate level.
- Project outcomes, and when benefits will be realised, are identified at the outset. These are measurable and progress against them is reported on at agreed intervals.
- Identified projects comply with regulatory requirements and any funding requirements, and align with the strategic objectives of the Organisation.
- The Organisation reviews procurement planning and compliance with public procurement regulations, including early engagement of procurement and adherence to procurement thresholds.
- The project control system is being adhered to.
Total number of days: 8
Grants Administration & Management and Follow Up Review

Audit area: Grants Administration & Management
High level indicative summary scope: The purpose of the review is to ensure that the Organisation is operating efficiently and effectively in respect of its grants administration and management. We will undertake testing of the process to assess if the Organisation’s procedures are being adhered to. Our review will consider the new expression of interest system and the new grants programme. This review seeks to provide assurance to the Board, via the Audit & Risk Committee, that the Organisation’s arrangements are adequate. Our objectives for this review are to assess whether:
- The Organisation has robust arrangements in place for administering and managing grants.
- The Organisation is consistent in its approach to negotiating, recording, and monitoring grants.
- Staff are aware of these arrangements and are adhering to them.
- The Organisation has effective quality assurance arrangements in place for grants.
- The Organisation has sufficient monitoring and tracking of grants.
- The Organisation has appropriate reporting mechanisms surrounding its grant provision, where robust performance measures have been identified and are reported against.
Total number of days: 8

Audit area: Follow Up Review
High level indicative summary scope: The effectiveness of the internal control system may be compromised if management fails to implement agreed audit recommendations. Our follow up work will provide the Audit & Risk Committee with assurance that prior year recommendations are implemented within the expected timescales. Our objective for this review is to assess whether:
- The Organisation has appropriately implemented any outstanding internal audit recommendations made in prior years.
Total number of days: 5
Assignment Plans & Dates

Assignment Plans
A detailed assignment plan will be prepared for each audit undertaken, setting out the scope and objectives of the work, allocating resources and establishing target dates for the completion of the work. Each assignment plan will be agreed and signed off by an appropriate sponsor from the Organisation.
Key Dates
For each audit: visit number; number of audit days; key personnel; provisional start date for visit; provisional date of issue of draft report; provisional date for reporting to the Audit & Risk Committee.
- Governance: Visit 1; 8 days; Director of Corporate Services; 10 November 2025; 28 November 2025; March 2026
- New Finance System: Visit 1; 8 days; Head of Finance & Corporate Operations; 10 November 2025; 28 November 2025; March 2026
- Project Initiation: Visit 2; 8 days; Director of Corporate Services; 1 December 2025; 19 December 2025; March 2026
- Follow Up Review: Visit 2; 5 days; Director of Corporate Services; 1 December 2025; 19 December 2025; March 2026
- Grants Administration & Management: Visit 4; 8 days; Community Grants Manager; 12 January 2026; 30 January 2026; March 2026
- Cyber Security: Visit 3; 8 days; Head of Finance & Corporate Operations; 16 February 2026; 6 March 2026; June 2026
Reporting & Initial 3-year Audit Needs Assessment

Reporting
The reporting arrangements for internal audit will be discussed and agreed with the Audit & Risk Committee.
The following reports will be produced by internal audit:
- An Audit Needs Assessment;
- A report on each audit assignment;
- An annual report on the Internal Audit Service’s activities.
For each audit report we will give an overall level of assurance. For each recommendation, a target date for remedial action will be set taking into account the degree of priority associated with the recommendation. The draft report for each assignment will be discussed with the auditees and the factual accuracy agreed prior to issue of the report in its final form. The auditees will be required to respond to the recommendations, stating their proposed action and nominating the person responsible for each action point.
Initial 3-year Audit Needs Assessment, 1 April 2025 to 31 March 2028
Operating Plan (No. of days) by system and audit area:

2025/26 (Total 50 days)
- Financial Systems: New Finance System (8)
- Strategic and Governance: Governance (8)
- Operational: Project Initiation (8); Grants Administration & Management (8)
- Information Technology: Cyber Security (8)
- Required: Follow Up Review (5); Audit Management (5)

2026/27 (Total 50 days)
- Financial Systems: Financial Controls (8)
- Strategic and Governance: C2030 Mid Programme Review (8)
- Operational: Business Continuity & Disaster Recovery (8); Workforce Management (8)
- Information Technology: Information Management Controls or IT Strategy (8)
- Required: Follow Up Review (5); Audit Management (5)

2027/28 (Total 50 days)
- Financial Systems: Payroll (8); Procurement (8)
- Strategic and Governance: Risk Management (8)
- Operational: CRM System (8); Operational Planning (8)
- Required: Follow Up Review (5); Audit Management (5)
Appendices
A – Grading Structure
B – Key Performance Indicators
C – Training Topics
D – Assurance Map
E – Audit Universe
A – Grading Structure

For each area of review, we assign a grading in accordance with the following classification:

Assurance classification
- Strong: Controls satisfactory, no major weaknesses found, some minor recommendations identified.
- Substantial: Controls largely satisfactory although some weaknesses identified, recommendations for improvement made.
- Weak: Controls unsatisfactory and major systems weaknesses identified that require to be addressed immediately.
- No: No or very limited controls in place, leaving the system open to significant error or abuse; recommendations made require to be implemented immediately.

For each recommendation we make we assign a grading of High, Medium or Low priority, depending upon the degree of risk assessed, as outlined below:
- High (High Risk): Major weakness that we consider needs to be brought to the attention of the Audit & Risk Committee and addressed by Senior Management of the Cairngorms National Park Authority as a matter of urgency.
- Medium (Medium Risk): Significant issue or weakness which should be addressed by the Organisation as soon as possible.
- Low (Low Risk): Minor issue or weakness reported where management may wish to consider our recommendation.
B – Key Performance Indicators

We will measure our performance against the following indicators and targets:
- Internal audit days completed in line with agreed timetable and days allocation: 100%
- Draft scopes provided no later than 10 working days before the internal audit start date and final scopes no later than 5 working days before each start date: 100%
- Draft reports issued within 10 working days of exit meeting: 100%
- Management provide responses to draft reports within 15 working days of receipt of draft reports: 100%
- Final reports issued within 5 working days of receipt of management responses: 100%
- Recommendations accepted by management: 100%
- Draft annual internal audit report to be provided by 30 April each year: 100%
- Attendance at Audit & Risk Committee meetings by a senior member of staff: 100%
- Suitably experienced staff used on all assignments: 100%
C – Training Topics

As a firm we offer a wide range of training topics to our clients, and we have listed below some of the topics which we would be able to offer Cairngorms National Park Authority.

Risk Management: This can cover risk awareness, assessment of risks, responsibilities for monitoring risks, risk appetite and the scoring of risks. This is usually done as a workshop to ensure buy-in from management and committee members to the risk management process.

Role of the Board: This would cover the roles and responsibilities of Board members, including the Chair. This has been particularly useful when new Board members have been appointed and allows members to obtain some knowledge of what is expected of a Board member and what they should be looking out for.

Role of Internal Audit: We would provide a short session on what the internal audit function should be delivering to the Cairngorms National Park Authority and the added value which we would bring.

Finance for Non-Financials: This is useful for committee members who do not have a finance background and covers areas such as the management accounts, budget reporting and the statutory accounts.

Fraud Awareness: We would cover the importance of having a strong control environment and areas to be aware of in relation to fraud. We would discuss some real-life examples of where we have identified or been asked to investigate allegations of fraud and the results of these investigations.
D – Assurance Map

We have mapped out below the assurances from your Strategic Risk Register and internal audit reviews. For each risk theme we show the residual risk score, the mitigating actions and planned actions recorded in the register, and the internal audit review(s) providing assurance.

Risk theme: Public sector finances constrain capacity to allocate sufficient resources to deliver corporate plan.
Residual risk: 15
Mitigating actions:
- Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA.
- Preventative: Corporate plan prioritised around anticipated Scottish Government budget allocations, taking on board the expectation of funding constraints.
- Remedial: Focus resource on diversification of income streams to alternative, non-public income generation.
- Remedial: Continuing to support “delivery bodies” such as Cairngorms Nature and Cairngorms Trust in securing inward investment.
Planned actions:
- Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA.
- Remedial: Scenario planning on forward budget modelling to prepare options for future resource allocations within final allocations, based on funding parameters suggested by the sponsorship team.
Internal audit assurance: Financial Controls; Grants Administration & Management; C2030 Mid Programme Review

Risk theme: Risk of C2030 match funding not being secured: current match funding in bid not fully committed and/or for one year only in many areas.
Residual risk: 15
Mitigating actions:
- Preventative: Focus over 2025 on match funding position and consequent impacts to ensure C2030 programme plans and the financing of them are fully aligned by end of year.
- Preventative: Ongoing liaison with Scottish Government through our sponsorship team and the Peatland Action Team, highlighting achievements of CNPA and the importance of Peatland Restoration funding to inward investment by NLHF.
- Preventative: High profile and ongoing focus for SMT in engaging in influencing to secure the match funding needed from partners; project managers aware of relevant project match funding position and tasked with seeking additional match funding where appropriate.
Planned actions:
- Remedial: Discussions with Transport Scotland on funding for active travel design work.
- Preventative: Consideration of new, wider match funding opportunities.
Internal audit assurance: Grants Administration & Management; C2030 Mid Programme Review

Risk theme: There are perceived gaps in our skill set with respect to procurement processes, recruitment of technical staff, and ability to undertake necessary due diligence on output from consultants and contractors. Risks that procurement and wider skill set capacities are insufficient to meet the evolving needs of the organisation. Lack of expertise and experience in managing construction projects may compromise the effectiveness and efficiency of planned delivery. Financial risks associated with the letting of contracts where partnership funding is likely to be dependent on the achievement of satisfactory standards.
Residual risk: 8
Mitigating and planned actions:
- Preventative: Recruitment of Procurement Officer.
- Preventative: Support secured from Scotland Excel (and from Central Government Procurement Shared Services (CGPSS) if required).
- Preventative: Consider delivery through partners with construction project delivery experience where appropriate to delivery objectives.
- Preventative: Additional support from LL&TNPA requested.
- Preventative: Options for training of wider staff group under investigation, supported by Scotland Excel.
- Remedial: Procurement action plan developed from internal audit recommendations; reviewed monthly by Chair / Vice Chair of ARC. Target date for completion of key improvements 31/03/25 (extended from 31/12/24). SG budget controls may delay training until the first quarter of 2025/26.
Internal audit assurance: Procurement

Risk theme: The Authority’s range of powers combined with strategic partnerships is insufficient to deliver outcomes on wildlife crime.
Residual risk: 16
Mitigating actions:
- Preventative: Licencing arrangements contribute to a more effective control framework. Tracker/satellite monitoring deployed for some raptors.
- Remedial: NPPP development processes used to explore partnership attitudes, engagement and powers.
Planned actions:
- Remedial: Development/strengthening of strategic partnerships.
Internal audit assurance: Operational Planning

Risk theme: Increasingly competitive and restricted recruitment climate prevents staff with the required experience and skill sets being secured. Planning and other specialist staff (IT, procurement, finance) requirements impacted by national labour/skills shortages and/or salary structures not sufficiently competitive to attract or retain key staff.
Residual risk: 9
Mitigating and planned actions:
- Preventative: Focus on training and development and internal succession planning, in turn bringing recruitment into less experienced/less highly skilled markets and developing a pipeline of qualified staff.
- Remedial: Contingency planning, for example around out-sourcing of aspects of delivery, eg establish a call-off framework for consultant planning services.
- Preventative: Consideration given to job design, creating roles with more seniority (higher grades), and flexibility of offer regarding part-time/job share.
Internal audit assurance: Covered in previous IA Plan

Risk theme: Supporting speed of organisational change prevents required development and embedding of effective support systems. The speed/scale of operational demand for support from corporate systems is such that we are always fire-fighting and giving the best advice and support we can. However, that ongoing fire-fighting and immediate advice prevents us having sufficient time to design, develop and implement new systems to better suit the new organisation.
Residual risk: 16
Mitigating actions:
- Remedial: Recruitment of additional staff to corporate function during 22/23 and 23/24.
- Remedial: Project management training provided.
- Remedial: Development of improved systems/ways of working through better use of M365 applications.
- Remedial: Implement new finance system to support wider digitisation of systems and effective financial reporting.
Planned actions:
- Remedial: Apply resource to development of improved systems/ways of working: new finance system due to be installed by 31/12/24; new project initiation control under development.
- Remedial: Provide training in procurement and in wider assessment of project impacts at initiation stage.
- Remedial: Finalisation and roll-out of project initiation guidance, including assessment of any new legal implications arising from project delivery intentions.
- Preventative: Design and implement project controls supporting more managed timelines and fuller, earlier consideration of project plans.
Internal audit assurance: Project Initiation

Risk theme: CNPA IT services are not sufficiently robust/secure/or well enough specified to support effective and efficient service delivery. Increasing demand for knowledge around Microsoft 365 and cyber security is outstripping the team’s knowledge/skill-set. Increasing ICT dependency for effective and efficient operations is not adequately backed up by ICT systems support. Use of AI increases risk of cyber security threats such as spear-phishing.
Residual risk: 10
Mitigating actions:
- Preventative: Daily review of Scottish Cyber Coordination Centre threat summaries, with follow up action taken (eg patching) as appropriate.
- Preventative/remedial: Collaboration with LL&TNPA provides support.
- Preventative: Transition to SharePoint complete; R-drive now a read-only repository, reducing risk of threats from outside the organisation.
- Cyber Essentials accreditation achieved; audit towards Cyber Essentials Plus accreditation underway (11/09/24).
Planned actions:
- Development of the IT operational risk register has identified potential for structural improvement. These considerations are to be developed further (potential for external consultancy to develop our IT strategy, organisational development, technical improvements and upskilling).
- A review of IT staff role descriptions is now completed; renewed focus on IT action plans will flow from that.
- Work on the information management plan will produce greater resilience of data and access to key information when complete.
- Preventative: Implement Cyber Essentials Plus controls.
Internal audit assurance: Cyber Security

Risk theme: Business Continuity Plans (BCP) are inadequate to deal with significant impacts to normal working arrangements and result in service failure.
Residual risk: 20
Mitigating actions:
- Preventative: Development of hybrid working methods and cloud computing approaches have improved the organisation’s resilience.
Planned actions:
- Remedial: Develop updated business continuity plan and embed its provisions.
- Preventative: Proposed consultancy to develop new BCP.
Internal audit assurance: Business Continuity & Disaster Recovery

Risk theme: Reputational damage may result from: unrealistic expectations of what the Park Authority and its partners can achieve in the face of the significant risks presented by climate change, species extinction, flood management and fire; and/or disagreement between the Park Authority and stakeholder groups within the Park.
Residual risk: 12
Mitigating actions:
- Preventative: Existing strategic partnerships and stakeholder relationships help to create a wider understanding of the factors that are within, and those that are outside, the control of the Park Authority and its partners.
Planned actions:
- Preventative: Management of expectations through targeted communications; further development of stakeholder relationships; development/strengthening of strategic partnerships; ongoing assessment of operational risk management and mitigation in our communications; development of a stakeholder relationship database.
Internal audit assurance: C2030 Mid Programme Review; Operational Planning

Risk theme: The Park Authority does not adequately respond or adapt to changes in the funding environment at Scottish Government policy levels or in the evolution of private finance investment.
Residual risk: 12
Mitigating actions:
- Preventative: Allocate senior time to engagement with Scottish Government in policy discussion and development, identifying and responding to risk implications.
- Preventative: Proactively identify opportunities for private investment and structures to support their investment to complement and support NPPP and corporate objectives.
Planned actions: For development
Internal audit assurance: Grant Administration & Management; Financial Controls; C2030 Mid Programme Review

Risk theme: The Park Authority’s workforce is not adequately flexible to respond to changing strategic priorities or to changing operational scale.
Residual risk: 9
Mitigating actions:
- Preventative: Workforce management strategy updated and regularly reviewed to take a 5+ year forward view.
- Preventative: Continued investment in training and development for staff, supporting performance in current roles and succession/development plans.
- Preventative: Establish an appropriate mix of permanent and fixed term staff to allow for flexibility in future structures.
- Remedial: Retain scrutiny of all vacancies and identification of opportunities to adapt vacancies toward future needs.
Planned actions: For development
Internal audit assurance: Workforce Management

Risk theme: NPPP delivery responsibilities are not sufficiently clear across the partnership and the Park Authority is expected to address more than it is capable of delivering.
Residual risk: 12
Mitigating actions:
- Preventative: Reinforce specific partner delivery responsibilities through performance management systems and reporting.
- Preventative: Reinforce NPPP delivery linkages through grant contract terms.
Planned actions: For development
Internal audit assurance: C2030 Mid Programme Review

Risk theme: Evolution of the Park Authority’s range of activities and projects results in unidentified and unmitigated exposure to legal implications and associated liabilities.
Residual risk: 12
Mitigating actions:
- Preventative: Undertake risk analysis overview of the 2025/26 operational plan to identify any delivery areas with potential exposure; develop and deliver mitigation action plan.
Planned actions: For development
Internal audit assurance: C2030 Mid Programme Review
E – Audit Universe

We have set out below the auditable entities, processes, systems and activities which support the development of the internal audit plan, together with the internal audit coverage since 2022 (2022/23 to 2024/25) and the planned coverage for 2025/26 to 2027/28.

Financial Systems
- Previous coverage: Payroll and Expenses; Expenditure and Creditors; Finance System and Processes
- Planned coverage: New Finance System (2025/26); Financial Controls (2026/27); Payroll (2027/28); Procurement (2027/28)

Strategic and Governance
- Previous coverage: Performance Management; Risk Management; Cairngorms 2030; Workforce Management and Planning; Health & Safety; Operational and Financial Planning
- Planned coverage: Governance (2025/26); C2030 Mid Programme Review (2026/27); Risk Management (2027/28)

Operational
- Previous coverage: Procurement; Heritage Horizons; Recruitment
- Planned coverage: Project Initiation and Grants Administration & Management (2025/26); Business Continuity & Disaster Recovery and Workforce Management (2026/27); CRM System and Operational Planning (2027/28)

Information Technology
- Previous coverage: Data Management
- Planned coverage: Cyber Security (2025/26); Information Management Controls (2026/27)

Compliance and Regulatory
- Previous coverage: Leader Administration
- Planned coverage: none in the current plan