WARNING - By their nature, text files cannot include scanned images and tables. The process of converting documents to text only, can cause formatting changes and misinterpretation of the contents can sometimes result. Wherever possible you should refer to the pdf version of this document. FRONT PAGE Deloitte Cairngorms National Park Authority Proposed Internal Audit Plan 2008-09 January 2009 This report and the work connected therewith is subject to the Terms & Conditions of the contract between Cairngorms National Park Authority and Deloitte LLP. This report is for the sole use of management and should not be released to any third party. It is provided in accordance with our Statement of Responsibility. PAGE 2 Contents Page Executive summary 1 Audit Needs Assessment 2 2008/09 Internal Audit plan (summary) 3 2008/09 Internal Audit project plan 4 Statement of Responsibility 5 PAGE 3 Executive summary Introduction We are pleased to present our Strategic Internal Audit Plan for Cairngorms National Park Authority (CNPA) for 2008-09. Over the next few pages, we will detail the process implemented to produce the draft strategic plan, set out our planned Internal Audit input over the next year, and briefly summarise the scope of the audits planned for 2008/09. Our work will be undertaken in accordance with a range of professional Audit Standards including the HM Treasury Government Internal Audit Standards (GIAS). Audit Needs Assessment As with previous years, our audit needs assessment has been informed by the following factors: • Risk analysis informed by the CNPA Risk Register; • Discussions with senior management; • Previous audit plans and reports; and • Review of legislation. In agreement with the Audit Committee and senior management, we had postponed the development of the audit plan until the revision of the risk register, which took place in December 2008. With the revised risk register in development, we have identified five reviews which feature in the organisational risk register and were highlighted through discussions with management. The resultant plan aims to provide coverage of the key risk areas facing CNPA. ©2009 Deloitte LLP PAGE 4 Audit Needs Assessment Sources of Data In considering the focus of our internal audit service for the next three years we obtained information from the following sources: • Risk analysis informed by the Risk Register • Discussions with senior management • Previous audit plans and reports • Review of legislation. Inclusion of Risk Areas in the Strategic Plan CNPA participated in a risk management workshop in December 2008 which reviewed the existing risk register. Using the organisation risk management strategy, the results of the workshop identified 20 risks for management action. Some of these risks had and will have an impact on our work and this is reflected in our strategic plan. This process has resulted in the plans detailed on page 3. We have aimed to cover the highest risk areas to the organisation whilst also maintaining adequate and effective coverage of key business systems, both financial and operational. Our financial controls reviews will consist of detailed follow up work on the key weaknesses identified in the previous year as well as an assessment over the controls in place over the BACS system which has recently been introduced. Our deep understanding of the key financial processes in place as well as continued follow up by internal audit and senior management allows for a more focused audit plan. As a result, the key area of focus in terms of financial risk is procurement. This review will assess whether the arrangements in place over the management of expenditure is efficient, effective and demonstrates value for money. This will be measured in terms of financial and budgetary controls as well as assessing the structure and operation of the operational teams with procurement responsibility. We have increased our focus on operational controls and have already undertaken two project management reviews at the request of the Audit Committee. A further area of focus is to be the HR appraisal process. Staffing issues were scored highly in the risk register and the appraisal process in particular was referred to by senior management. We will continue to assess the controls in place in key project and risk areas and existing key business systems, in order to provide the correct level of assurance to management and the Audit Committee at the correct time. A key part of the internal audit process is the implementation of recommendations raised during our reviews. We will continue to undertake regular follow-up testing to support the ongoing work undertaken by the Head of Corporate Services and to provide management and the Audit Committee with assurance that action is being taken in this regard. ©2009 Deloitte LLP PAGE 5 Draft Internal Audit Plan 2008/09 Audit Area Audit Budget Days Audit Committee to be presented to Financial Management Processes Detailed Financial Controls Follow Up / Review of BACS processes 7 March Procurement 7 May Legal, Regulatory and Business Risk Management HR Appraisal Process 4 March Operational Reviews Project Management 10 March Follow-Up Reviews Follow Up 2007/08 2 Ongoing Contract Management Audit Committee Attendance, Planning 5 Ongoing 35 ©2009 Deloitte LLP PAGE 6 2008/09 Internal Audit Project Plan Proposed Project Plan commencing 1 April 2008 Financial Controls Follow Up This review will update the controls assessment completed in the previous year, with a particular focus and detailed testing in the areas where recommendations had been raised but management actions have not yet been fully implemented. 4 days Review of BACS processes We will review the arrangements for BACS payments, recently introduced by CNPA, assessing whether the controls in place are adequate and effective and that payments made to and from the organisation are done so in a timeous manner. 3 days Procurement Our review will assess the arrangements in place over procurement of items across throughout CNPA, the most efficient use of contracts and the planning undertaken to ensure expenditure is managed effectively, demonstrating value for money and adhering to financial regulations. 7 days HR AppraisalProcess Our review of the HR Appraisal Process will assess the systems in place in terms of its link to the organisation structure, the appropriateness of target setting and the links between stated objectives and the Corporate Plan and individual work plans. We will also assess the level to which the appraisal process is understood and adopted by staff. 4 days ProjectManagement Our project management reviews will relate to the Point of Entry Signage Project and the Land Management Support Officers Project. The review will assess whether there was an appropriate rationale for the project from the outset, with clear aims and objectives which are aligned to the Corporate and Operational Plans. The review will also assess whether the rationale for the project has been delivered and whether outcomes can be clearly demonstrated. 10 days ©2009 DeloitteLLP PAGE 7 Statement of Responsibility We take responsibility for this report which is prepared on the basis of the limitations set out below. The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management’s responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regards to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas as identified by management as being of greatest risk and significance and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system. Deloitte LLP January 2009 In this document references to Deloitte are references to Deloitte LLP. In this document Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche Tohmatsu”, or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein. In the UK, Deloitte LLP is the member firm of Deloitte Touche Tohmatsu and services are provided by Deloitte LLP and its subsidiaries. Deloitte LLP is authorised and regulated by the Financial Services Authority. ©2008 Deloitte LLP. All rights reserved. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675. A list of members’ names is available for inspection at Stonecutter Court, 1 Stonecutter Street, London EC4A 4TR, United Kingdom, the firm’s principal place of business and registered office. ©2009 DeloitteLLP