Audit and Risk Committee - 19 June 2026

This document contains a notice from the Cairngorms National Park Authority about an online Audit and Risk Committee Meeting set for 19 June 2026 at 10am. You can find the agenda and papers for this meeting on their website, www.cairngorms.co.uk/, from the Friday before the meeting.

This document contains the agenda for a meeting of the Audit and Risk Committee, scheduled for 19 June 2026 at 10am. The meeting will take place online from the Cairngorms National Park Authority office in Grantown-on-Spey. Key discussion points include the internal audit annual report for 2025/26, reviews of IT disaster recovery and the complaints procedure, external audit updates, and strategic risk registers. The committee will also discuss the Cairngorms 2030 Communities Fund Development, the draft annual procurement report, and a draft governance statement, before receiving an update on information requests and complaints. The agenda concludes with the approval of confidential minutes from a previous meeting and setting the date for the next meeting.

This document contains the draft minutes from the Audit and Risk Committee meeting held on 13 March 2026. During the meeting, members approved past minutes and confirmed that financial planning is now complete. They looked at the external audit plan for 2025/2026, highlighting a concern about pension information due to issues with the administration company. The committee also reviewed several internal audit reports, including those on how the organisation is run, the smooth launch of its new finance system, how new projects are started, and how grants are managed. They agreed on actions from these audits, such as future training for Board members and follow-up checks. Finally, they discussed future audit plans for 2026/2027, with a special focus on cybersecurity.

This document contains the Internal Audit Annual Report for the Cairngorms National Park Authority for the year ending 31 March 2026, summarizing its main findings and the Internal Auditor's opinion on the Park Authority’s internal control system. The auditor found that enough work was completed to confirm that the Park Authority had effective risk management, control, and governance processes in place to help it achieve its objectives and deliver good value for money. A weak level of assurance was noted for a Follow Up Review, which will be addressed in the next audit cycle. The Audit and Risk Committee is asked to consider this report and endorse the inclusion of the auditor's opinion in the Park Authority's Governance Statement.

This document contains the Cairngorms National Park Authority's Internal Audit Annual Report for 2025/26, prepared in May 2026. The report concludes that the Park Authority generally has adequate and effective risk management, control, and governance processes in place to help achieve its goals and ensure value for money. While most audit areas showed strong or substantial controls, the Follow Up Review received a weak assurance rating, with one high priority recommendation concerning procurement and the development of Key Performance Indicators. Benchmarking against other similar organisations showed that the Park Authority had a higher number of recommendations overall. The report also highlights that most key performance indicators for the internal audit were met, though there were delays in management responses to draft reports and the submission of the annual report.

This document contains an internal audit review of the Cairngorms National Park Authority's IT disaster recovery procedures. The review looked at how the Park Authority would cope with IT problems, especially with current hybrid working and cloud-based services, aiming to make practical recommendations. It highlighted areas of good practice already in place while also suggesting improvements to strengthen the IT systems' ability to recover from issues. These recommendations included developing clearer documentation, defining roles and responsibilities, reviewing backup plans, establishing testing processes, and creating a cyber incident response plan. All the suggested improvements were accepted by the Park Authority's management.

This document contains an advisory review of the Cairngorms National Park Authority's IT Disaster Recovery arrangements, conducted in May 2026 as part of its internal audit plan for 2025-26. The review assessed the Park Authority's recovery planning, documentation, and mitigation measures, considering current hybrid working, cloud services, and recent digitisation, to provide practical recommendations for strengthening IT resilience. It identified areas of good practice, such as existing IT policies and the adoption of cloud-based services, but also raised six key action points for improvement. These recommendations include establishing a comprehensive IT Disaster Recovery framework and documentation, clearly defining system criticality and recovery expectations, enhancing backup arrangements and third-party assurance, implementing structured testing for IT Disaster Recovery, improving Geographic Information System (GIS) data management, and integrating cyber incident scenarios into recovery planning. The overall aim is to further develop and formalise the Park Authority’s IT resilience.

This document contains the findings of an internal audit of the Cairngorms National Park Authority's complaints procedure, which aimed to check if their arrangements were good enough, followed best practice, and met current laws. The auditor concluded there's substantial assurance that appropriate complaints handling systems are in place, highlighting areas like robust policies, clear processes, and continuous learning from feedback. However, three recommendations were made: a medium priority one to ensure 'Stage Two' complaints are acknowledged and monitored within three working days, and two low priority ones concerning clarifying vexatious complaints procedures and strengthening the complaints log. The Park Authority's management has accepted these recommendations.

This document contains an internal audit report from May 2026 on the complaints handling processes at the Cairngorms National Park Authority, which concludes with a 'Substantial' level of assurance. This means their controls are mostly good, but there are some areas to improve. The report highlights many positive aspects, such as a strong Complaints Handling Policy aligned with national guidelines, staff training, a commitment to learning from past complaints, and clear information on their website. However, it also suggests three main improvements: ensuring all second-stage complaints are formally acknowledged and tracked promptly, adding clearer procedures for dealing with difficult or ‘vexatious’ complaints, and making sure the complaints log is always accurate and complete. The audit also noted that the Authority should add a review schedule to its Complaints Handling Policy and has recently changed how it handles complaints made directly to the Board.

This document contains an audit progress report from Forvis Mazars for the Cairngorms National Park Authority, dated June 2026. It gives an update on the 2025/26 external audit, explaining that planning, risk assessment, and interim work are finished, and the financial statements audit is set to start on 6 July 2026. The report also shares insights from recent publications and events, covering discussions from the Scottish Public Sector Resilience and Readiness Forum on public sector transformation and cyber resilience, advice on protecting against emerging cyber threats for local authorities, and an Audit Scotland report detailing the challenges and recommendations for the public sector to achieve Scotland's net-zero climate goals.

This document contains a paper for the Cairngorms National Park Authority's Audit and Risk Committee about external audit assurances. It presents a request for information from Mazars, the external auditors, to the Park Authority’s Management and those responsible for governance. The committee is asked to consider the auditor's request and Management's responses, and to confirm that its governance processes cover the items for which assurance is sought. Management has already reviewed the auditor's request and believes it can provide the appropriate governance assurances, and committee members are asked to carefully consider each question before deciding if they can provide the assurances the auditor is looking for.

This document contains a briefing note from Mazars to the Audit and Risk Committee of the Cairngorms National Park Authority, dated 06 February 2026, outlining key audit requirements for the 2025/26 financial statements. The note specifically covers International Standards on Auditing (ISAs) related to fraud (ISA 240), compliance with laws and regulations (ISA 250), litigation and claims (ISA 501), and the 'going concern' assumption (ISA 570). Mazars is seeking an update from the Committee on how it oversees management's processes and responsibilities in these areas, including preventing and detecting fraud, ensuring legal adherence, managing potential legal issues, and confirming the organisation's continued operation. This requested information will help Mazars plan the final stage of their audit of the Cairngorms National Park Authority’s 2025/26 accounts.

This document contains the Cairngorms National Park Authority's responses to questions about fraud, internal controls, legal compliance, and its ability to continue operating. It shows that the Park Authority's management and its committees, the Resources Committee and Audit and Risk Committee, have clear processes for overseeing and responding to fraud risks, including regular reviews of financial statements and audit reports. They rely on senior management's knowledge and integrity and use measures like staff interest registers and delegated authorities to manage risks, particularly in high-risk roles. While cyber security is noted as the main external fraud risk, effective controls are in place. For the period 2025/26, no actual fraud, material internal control breaches, or significant fraud risks were identified, nor are there any known litigations. The Park Authority is confident in its financial stability, supported by ongoing funding from the Scottish Government and a substantial grant for its Cairngorms 2030 programme.

This document contains a paper for the Audit and Risk Committee, asking them to review how the Cairngorms National Park Authority manages its strategic risks and the risks for its Cairngorms 2030 programme. The most recent strategic risk register was checked in May 2026, and while 3 of the 14 active risks are now being managed, one important risk about IT disaster recovery and planning for unexpected events is worsening and needs significant work. Most other strategic risks are stable or improving. For the Cairngorms 2030 programme, the overall risk profile is currently low, but there is some uncertainty about funding for specific community projects and making sure promised match funding is secured. The Committee is invited to share their views on these risk registers.

This document contains a risk management overview for the Cairngorms 2030 Programme for Q1 2026, prepared by David Clyne, Head of Cairngorms 2030. It highlights the main challenges as securing funding and meeting timelines for Transport Scotland and active travel projects, which could lead to programme delays, failure, or a loss of partner support and insufficient match funding. To manage these "amber" status risks, the Park Authority is engaging with the Scottish Government, reprioritizing projects, and conducting financial reappraisals. While these key areas show some risk for Q1 2026, they are projected to improve to a "green" (low risk) status, with risks concerning the Park Authority's budget management, procurement standards, and staffing already well-managed.

This document contains an update for the Audit and Risk Committee regarding the development of the Cairngorms 2030 Communities Fund, a £1 million community grants fund being established by the Cairngorms National Park Authority and its partners. The paper explains that the Community Grants Panel is progressing well with creating the grant criteria and decision-making processes, with the project largely on schedule. It highlights important risks as the project nears completion and prepares to shift from the design stage to delivering the grants. These risks include making sure the new fund is clearly distinct from other community funds and ensuring a smooth transition of project oversight, which the Community Grants Manager will help facilitate given their long-standing involvement.

This document contains the Cairngorms National Park Authority's first Annual Procurement Report for the financial year 2025-2026, detailing a total spend of £4,493,126 across 53 contracts. This spend included regulated, unregulated, grant-funded, and framework agreement projects. The report highlights the Park Authority's commitment to procurement that aligns with strategic objectives, embedding principles such as Fair Work First, sustainability, and ethical practices. It also emphasizes delivering community benefits, strengthening local supply chains, and encouraging innovative, outcomes-based solutions from suppliers, all in compliance with Scottish public procurement legislation. Future procurement plans for 2026 to 2028 are also outlined.

This document contains a draft governance statement for the Cairngorms National Park Authority, prepared for its Audit and Risk Committee. It details how the Park Authority ensures good governance and accountability, with the Accountable Officer overseeing internal controls and public funds according to the Scottish Public Finance Manual. The Board, comprising 19 members, provides leadership through regular meetings and specialist sub-committees, including the Audit and Risk Committee, which monitors financial accounts, audits, and strategic risks. The document highlights the Park Authority's commitment to self-evaluation, continuous improvement, and robust risk management, supported by internal and external audits. It also covers initiatives in shared services with partner organisations, data security, and business continuity planning to ensure effective operations and achieve strategic goals.

This document contains an update for the financial year 2025/26 on how the Cairngorms National Park Authority manages information requests, data protection requests, and formal complaints. The Park Authority received 57 information requests, a slight increase, and responded to 93% of them within the required timeframes, which is a strong performance compared to other public bodies. Most requests were from individuals and handled by corporate services. There were no subject access requests relating to personal data. Notably, the number of formal complaints received significantly reduced to three, with planning being the most common topic. This report allows the Audit and Risk Committee to review these activities and the Park Authority's performance.