WARNING - By their nature, text files cannot include scanned images and tables. The process of converting documents to text only, can cause formatting changes and misinterpretation of the contents can sometimes result. Wherever possible you should refer to the pdf version of this document. CAIRNGORMS NATIONAL PARK AUTHORITY AUDIT COMMITTEE 13/02/04 MINUTES MINUTES of MEETING of the AUDIT COMMITTEE of THE CAIRNGORMS NATIONAL PARK AUTHORITY held at Duke of Gordon Hotel, Kingussie on 13th February 2004 Present: Eric Baird Duncan Bryden Sally Dowden Sheena Slimon In Attendance: Jane Hope, Interim Chief Executive Andy Rinning, Head of Corporate Services Richard Davies, Independent Consultant Apologies: Bob Wilson Welcome 1. Eric Baird welcomed everyone to the meeting, in particular Richard Davies who was attending to give a presentation on Risk Management. Minutes of Last Meeting 2. The Minutes of the last meeting were approved with no changes. There were no matters arising. Current State of Internal Control Systems (paper 1) 3. Andy Rinning introduced the paper which provided the committee with an overview of the current state of internal control systems. He indicated that the external auditor would be starting the process of audit on the CNPA for 2003/04 very shortly, and this would point to any shortcomings in the current internal control system. In discussion the following points were made: a) In response to a question about the CNPA's policy on procurement, Andy Rinning reported that the overriding duty on the organisation was to secure good value for public money, but within that there was scope for maximising the opportunities for businesses within the Park by ensuring that all those with a potential interest in contracts were given the opportunity to bid. This had already been done for example in respect of the recent building work on the CNPA's new offices in Grantown, for which local firms had been invited to bid. The main difficulty with all such procurement was knowing what local interest there may be in bidding for contracts. To this end it was intended to advertise in local papers to seek expressions of interest in work which the CNPA may be putting out to tender in the coming twelve months. This would enable lists to be compiled of potentially interested firms within the Park who could subsequently be invited to bid for contracts as and when they came up. The point was made that in the first year of the CNPA the emphasis had been on expediting work and while every effort had been made to invite local firms to bid for work, often it had proved very difficult to identify local firms. It was recognised that very large contracts may sometimes be difficult for small local firms to bid for, and the possibility of breaking down such contracts into smaller parcels of work should not be overlooked. Nevertheless it had to be recognised that the down-side of this would be additional administrative costs. b) The process for approval of expenditure by the Board was raised. There was to be a meeting of officials the following week to discuss exactly such processes. Approval had been sought on an ad hoc basis in the first year of the CNPA, following a Board paper agreed on 12 September 2003 However, it was recognised that an orderly system for approving decisions on expenditure was now needed which: only involved the Board at an appropriate level; allowed for delegation of approval to the appropriate level; provided for proper assessment of any expenditure on the basis of a cost benefit analysis; and ensured quarterly updates of progress to the Board. Once proposals had been put together, these would be brought to the Board for approval. c) As well as reports on income and expenditure, the CNPA needed to have management accounting systems in place, which enabled analysis of the effectiveness and efficiency of the organisation's activities. Cost benefit appraisal was an important part of this set of systems. One particularly important element of control would be the control of the relatively large number of individual projects, each of which would be initiated by the relevant group, but which needed managing on a coordinated basis. This would be the function of the Project Manager who would be joining the Strategic Policy Group shortly. d) While the financial accounting systems were adequate for the present, it was recognised that these would need to be reviewed as the organisation grew. Expectation was that the current system would be reviewed in 2005. e) It was confirmed that the activities of the Leader+ Local Action Group (LAG) would be covered by the CNPA's audit. f) It was confirmed that papers for all committees including the Audit Committee, were made available on the website (unless confidential). g) In respect of a green office policy, there would need to be a dialogue with members at some point in the future about their need for papers etc. h) While there was no particular type of internal control system where the CNPA was seen to be deficient, it was recognised that one of the biggest challenges was to ensure that systems once put in place, were used and understood by all members of staff. 4. The paper was noted and Andy Rinning congratulated for the progress made in a very short space of time with setting up good internal control systems for the Park Authority. Audit Planning Memorandum 2003/04 (paper 2) 5. Jane Hope introduced the paper which gave the Audit Committee sight of the memorandum from the external Auditor, setting out the objectives and approach which Audit Scotland would adopt in conducting their external audit for 2003/04. 6. The paper was noted and its recommendations agreed. 7. Action a) Next meetings of the Audit Committee to be arranged for 7th May 2004, 13th August 2004, January 2005. b) Jane Hope to write to Bob Clark pointing out two minor amendments needed to the Audit Planning Memorandum as set out in the paper. Risk Management (oral report) 8. Richard Davies, an independent consultant, gave a presentation on risk management. He had done similar work with the Loch Lomond and the Trossachs National Park Authority. He pointed out that like all other Non Departmental Public Bodies, the CNPA had a responsibility to develop and implement systems of internal control, including a system of risk management. He pointed to the importance of not only developing the scheme but also implementing it. The Chief Executive was required to make a statement of internal control at the end of each year as part of the organisation's Annual Report. 9. Risk management was about managing business risks; it was about protecting the organisation's aims and objectives. Business risk could be defined in a number of ways. The definition from the Institute of Internal Auditors was: "any event or action that may adversely affect the ability of an organisation to achieve its objectives and execute its strategies". 10. There are a number of important recommendations in the Scottish Public Finance Manual which the Audit Committee needed to be aware of: a) Management Boards should meet at least twice a year to review key business risks and controls in a structured way. b) Audit Committees should monitor the risk management arrangements and agree a timetable for continuing reviews. c) Risk management should be embedded throughout the organisation in the management and the planning process and in governance arrangements. d) Management Boards should encourage all staff to participate in the risk management process. e) The risk register should be circulated to all members of the organisation so that they are aware of the risk management policy and the controls it deploys to limit risk exposure 11. Why manage risk?: a) Risks are normal; b) Avoiding risks can mean missing opportunities; c) Significant risks should be understood; d) Risks should be controlled. e) Risk management was about thinking ahead, and avoiding surprises. There were some benefits to risk management: a) Better focus on meeting objectives; b) Greater acceptance of responsibility for managing risks; c) Fewer shocks and surprises; d) Encouragement of innovation. 12. Risk management could be broken into a number of stages as follows: a) Defining the objectives (for example an annual review of the Business Plan); b) Identifying the hazards (not all hazards are risks); c) Assess the level of each risk (how likely, and how significant each risk is); d) Assess the internal controls on each risk; e) Produce a register of residual risk; f) Manage those risks. 13. A risk register was essentially a spreadsheet of risks sorted from the highest to the lowest in terms of threat; an explanation of each risk and the objective which it affected; how the risk was controlled; and who managed it. Mr Davies pointed out that risk assessment needed to bear in mind the potential cost of a risk and the cost of controlling it and the balance between the two. An auditor may well concentrate on particular controls if these appeared to be very valuable in reducing a high risk to a low one. Internal controls which had little effect were not worth concentrating on. 14. In managing key risks the organisation had to decide on how to treat each key risk - the choices were between tolerating, treating, transferring, or terminating. Once a decision had been made on how to deal with the risk, the responsibility had to be allocated and a review timetable set. 15. He outlined the process as follows: a) Decide on a time frame and the objectives to be examined; b) Appoint CRSA (Control Risk Self Assessment) workshops to study each main area. c) Bring the risks together and sort them into priority order. d) Report the outcome. e) Wrap up what you have done into a scheme and ensure that it is embedded into the ongoing process of managing the National Park Authority. 16. In discussion the following points were made: a) At Loch Lomond and the Trossachs, a much larger organisation than the CNPA, a number of workshops for staff had been held in order to engage the staff in the process of determining and listing the risks. Approximately three workshops each of one day had been done in each area of work. b) It was difficult to know where to start, given that the number of potential risks was huge. It was therefore suggested that initially the focus should be on statutory functions and duties. c) It was recognised that quite a number of potential areas of risk had already been addressed. For example, the organisation had a health and safety policy for all staff. This was not the same thing as a risk assessment, but it clearly implied that some prior assessment risk had been done. A scheme of risk management would articulate that assessment. d) The fact that the CNPA was at the beginning of the process of doing its strategic planning provided a good opportunity to ensure right at the start of the organisation's life that risk management could be embedded into all the systems being put into place. e) It was anticipated that the risk register should be open to public view. f) It was important to look at risk in a strategic way. 17. Mr Davies was thanked for his useful and helpful presentation. 18. Action: a) Jane Hope and Andy Rinning to further develop and implement arrangements for constructing a risk register. b) To report back to the full Board with that register and trigger a wider discussion of the Board's responsibilities. Appointment of Internal Auditor (paper 3) Commercial in Confidence 19. Jane Hope introduced the paper, which sought the Committee's agreement to a contract specification, process, and list of potential tenderers, as a basis for appointing an internal auditor. 20. The paper was noted and its recommendations agreed. 21. Action: a) Head of Corporate Services and Interim Chief Executive to invite bids for the contract of internal auditor. b) Assessment of bids and interviews of potential bidders to be conducted by a group comprising Eric Baird, Sally Dowden, Andy Rinning, and Jane Hope, on the timetable set out in the paper. AOCB 22. None Date of Next Meeting 23. 7th May 2004, at Glen Clova