WARNING - By their nature, text files cannot include scanned images and tables. The process of converting documents to text only, can cause formatting changes and misinterpretation of the contents can sometimes result. Wherever possible you should refer to the pdf version of this document. CAIRNGORMS NATIONAL PARK AUTHORITY Audit Committee Paper 4 Annex 1 21/08/09 CNPA: OVERVIEW OF RECOMMENDATIONS IN INTERNAL AUDIT REPORTS IT CONTINGENCY PLANNING – March 2006 Item / Priority / Recommendation / Action / Deadline / Progress/Comments 23 2 The organisation should finalise and formalise the business continuity plan at the earliest opportunity. IS Mgr May 2006 In Progress Draft plan prepared but subject to further review as a result of installation of new information assets. 25 2 Management should implement the following key actions and controls: 1. An overall business continuity plan is in place. 2. A series of smaller IT contingency plans are in place to support the overall plan. 3. Management have identified and maintain records of their critical systems. 4. A contingency/recovery plan is in place for each system identified as being critical. 5. A formal risk assessment process has identified all risks (likelihood and impact). 6. All significant IT risks have been added to the organisation’s risk register. 7. The Management Team ratifies all contingency/ risk decisions and activities. 8. The overall continuity plan is tested on an annual basis and updated as required. 9. All testing results are reported to the Management Team and actions are delegated. 10. Each individual IT and departmental contingency plan is subject to six-monthly testing. 11. Each department operating a critical system has communicated their expected recovery time. 12. Each critical hardware element is fully insured against loss. 13. Continuity plans are treated as being controlled documents IS Mgr / BS Mgr / HoCS June 2006 In Progress/Completed 1. BC Plan in draft and being finalised. 2. Business system small enough to negate smaller plans. 3. Contained within draft BC Plan. 4. Contained within draft BC Plan. 5. See item 24 6. To be added as appropriate. 7. Risk Register reviewed by MT. 8. Testing will be programmed once BC Plan finalised. 9. Results will be reported when testing completed. 10. Not considered appropriate. 11. Not considered appropriate – included in BC Plan. 12. CNPA operates a policy of self insuring. 13. The BC Plan will be treated as a controlled document. SERVER SECURITY – March 2006 PAGE 2 Item / Priority / Recommendation / Action / Deadline / Progress/Comments 28 2 Management must ensure that there is a review of all the SekChek findings and that there are actions taken to address the issues. IS Mgr Sept 2006 In Progress SekCheck findings have been reviewed and actions being taken as appropriate GRANT AWARDS – March 2006 Item / Priority / Recommendation / Action / Deadline / Progress/Comments 38 3 Files should be created for projects as soon as an intent to apply is established. As a result, all relevant documentation can be added to the file. All files should also be signed out of the filing room when used. Administrative staff should perform an audit each month, selecting a practical sample of files missing from the central filing room. Files should be reconciled to the file sign-out book to ensure the control is operating effectively. Any variances should be reported to management. Business Services Manager Dec 2006 And ongoing In Progress Guidance on opening and closing files is available to staff. Admin staff have responsibility for opening and closing files and maintaining the file record management system. A review is being carried out to improve the filing system with a view to moving towards an electronic document and records management system. Appropriate audit arrangements for file management being considered. Deloitte Current Status – June 2009 This review is being continued. The grant process has changed and almost all applications will go through the grants team who create and manage the filing process. RISK MANAGEMENT – August 2006 Item / Priority / Recommendation / Action / Deadline / Progress/Comments 41 3 The Finance Manager should ensure that the use of the Risk Register is included in the guidance notes for Project Officers. Project Officers should also be made aware of the location of the Risk Register. HoCS / Fin Mgr March 2007 In progress Deloitte Current Status – no change June 2009 The EJF has been amended to include consideration of risk management. It includes a statement to say the project should include risk in terms of overall strategic risk. However, it does not yet make reference to alignment with the risk register. PLANNING APPLICATION: LAGGAN COUNTRY HOTEL – February 2007 PAGE 3 Item / Priority / Recommendation / Action / Deadline / Progress/Comments 51 3 Consider the development of a glossary of terms frequently used in planning discussions. Head of Planning tbc We have considered this and decided that the preferred solution would be to make the language used in reports and discussion more straightforward rather than have a list that would be long and never exhaustive. We continue to pursue use of simple language. 52 3 Review standard speaking notes for the Committee Chair in inviting individuals to speak, in order to ensure clarity of process for each determination. Head of Planning tbc The Chair introduces himself to all speakers before the meeting and explains the process. During the meeting he clearly sets out the procedure for people speaking at Committee including the order of presentation, time allocated and where to sit when speaking. 53 3 Review the layout of meeting rooms, particularly where applicants or objectors have notified officers of their Head of Planning tbc Completed This has been done in liaison with Andy Rinning. There intention to speak. are constraints with the venues we use, but some improvements have been made and we are seeking further improvements, including more imaginative use of technology. PAGE 4 HEALTH & SAFETY – August 2007 Item / Priority / Recommendation / Action / Deadline / Progress/Comments 62 2 CNPA must ensure that all staff complete their personal and generic risk assessments as soon as possible in order to comply with Health & Safety policy. Business Services Manager / HR Manager Oct 2007 In Progress Instructions have been issued for their completion and deadline set for March 2008. Deloitte Current Status – June 2009 A reminder to all staff was issued as part of the spring appraisal process but not all staff have yet completed this. The new HR Manager who commenced post at the start of June 2009 is to take this forward. 63 3 The appointment of a Safety Representative should be formalised and the appointment conveyed to all staff. H of CS Mar 2008 Completed Responsibility contained in job description of BS Manager and displayed on safety notices throughout the building. Deloitte Current Status – June 2009 This review is still ongoing. However, this is now included in the Business Services Manager’s job description. PROCUREMENT SERVICE IMPROVEMENT RECOMMENDATIONS (arising from review) – August 2007 Item / Priority / Recommendation / Action / Deadline / Progress/Comments 64 - The intended tender evaluation criteria should be set out explicitly in the Commissioning Brief for each contract, in order to ensure tenders can be constructed in as clear a format as possible and to assist officers in tender evaluation. Finance Manager - Completed The Commissioning Brief template has been altered so that the evaluation criteria and the weighting applied to each criteria are known by prospective tenderers in advance of them submitting a tender. This has applied to all tenders issued by the Authority since June 2007. 65 - The tender evaluation process should capture specific, agreed feedback on each tender submission for use in feeding back to organisations if they are unsuccessful in their bid. It is important that the Authority recognises the resource put into development of tenders by organisations and seeks to assist them in better focusing their efforts and understanding why they have not been successful with Finance Manager Completed Since starting to use the public tender website to advertise tenders in April 2007, the importance of feedback has increased as tenders are publicised to a wider audience. The standard scoring sheet used now includes sections for narrative comments on strengths PAGE 5 Item / Priority / Recommendation / Action / Deadline / Progress/Comments tender proposals. Feedback is often sought from Corporate Services staff who may have had a limited involvement in the assessment and it is also vital that such information is available in the event that the assessing officers are not available when feedback is requested. - - and weaknesses of each bid as well as the numeric scoring of tenders. 66 - Acceptable ranges of variation in assessment scores should be set for each tender evaluation and differences beyond this tolerance level should be considered further by the assessment panel prior to finalising the evaluation and contract award process. This process need not result in any change, or agreement to move to the average score: the potential for differences of opinion is accepted. However, such differences should be tested prior to their being accepted in an evaluation. Finance Manager - Completed Tenders are scored with each individual evaluation criteria being rated between 0 and 5, where a zero score shows the tender “completely fails to meet the standard” and a score of 5 shows the tender “meets standard exactly as specified”. Tenders are generally scored by at least three individuals and if the range of scores on a criteria is greater than 1 the evaluation is investigated. For example, if the scores received on a criteria were 4,4,2 then this would be looked at but if the scores were 4,4,3 or 4,3,3 the variance would not be looked at. As another example if the scores were 4,3,2 these would also be looked at since the difference between the highest and lowest score is greater than 1. PLANNING SERVICES (arising from complaint investigation) – August 2007 Item / Priority / Recommendation / Action / Deadline / Progress/Comments 67 - That the Planning Group consider the content of the standard call-in letter with a view to considering whether the information given on dates for determination may be improved. Specifically, the standard call-in letter does not currently refer either to the national statutory period for determination nor to any anticipated period for reaching decision on the application. It is suggested that the standard call-in letter could set out the date for decision given by the statutory period, together with a statement around the potential requirement to seek to extend this date should - - - PAGE 6 Item / Priority / Recommendation / Action / Deadline / Progress/Comments initial investigation highlight any complex issues or matters requiring further information. The letter might also indicate when an update to this date for determination may be issued. 68 - That the Planning Group update the standard information on the Authority’s planning processes and provide this to all applicants or agents along with the call-in notification. - - - 69 - The impact of changes made as a result of implementing these and other recommendations and suggestions, in terms of any increase in pressure from applicants/agents to meet specific dates at the expense of completeness of information should be monitored closely by the Planning Group, in order to adequately review the appropriateness of the Authority’s Planning procedures to the aims and objectives for the service. - - - Suggested services areas for further review 70 - The Planning Group consider whether changes in their processes may make them more user-friendly for applicants. For example issuing duplicate letters requesting an extended time period to make a decision on an application, and ask applicants/agents to sign and return one copy, and/or making explicit in the letter that an email confirmation is acceptable. - - - 71 - The Planning Group consider, in light of the timetable for implementation of the e-Planning project, whether it would be feasible and helpful to applicants to make available opportunities to highlight what, if any, information or comment has been received on their application. - - - 72 - It may be worthwhile revisiting the issue of the balance between determination time and the capacity to work with applicants to seek a positive outcome with the Planning Committee. This would allow the Committee to consider reaffirming and making explicit its preferred service standards. - - - REVIEW OF PROJECT MANAGEMENT – August 2007 Item / Priority / Recommendation / Action / Deadline / Progress/Comments 74 2 The project officer should ensure that all missing information Finance April 2008 Deloitte Current Status – June 2009 PAGE 7 Item / Priority / Recommendation / Action / Deadline / Progress/Comments is obtained for the file. A checklist should be retained on file, detailing the minimum number of documents required in order to maintain a satisfactory file and should be completed when each document is received. Manager - This has still to be completed CNPA update: currently working with Programme Managers to establish who should retain relevant documentation (eg. Tenders v. Correspondence) REVIEW OF PENSION PROCESSES – May 2008 Item / Priority / Recommendation / Action / Deadline / Progress/Comments 91 3 A policy surrounding staff pension arrangements should be prepared and distributed to staff. This should include the following criteria: • Roles and responsibilities of HR and payroll staff; • Reporting and communication requirements; • General guidance for new employees HR Manager March 2009 Deloitte Current Status – June 2009 This has been drafted and will be included in the staff handbook. CNPA update: expanded section on pension scheme now in staff handbook and HR/Payroll procedures in place. 92 3 Management should ensure that details of the staff pension schemes are included in the job advertisements, as per the guidance in the Employer’s Pension Guide. HR Manager Ongoing Deloitte Current Status – June 2009 The wording for external adverts has been considered but has not yet been taken forward with HR due to a vacancy in the manager’s post. CNPA update: this is not mandatory and is being considered by the new HR Manager PROJECT MANAGEMENT REVIEW – POINT OF ENTRY SIGNAGE – December 2008 Item / Priority / Recommendation / Action / Deadline / Progress/Comments 93 2 With the vast majority of the project now complete, CNPA should look to commence a project review, which would be finalised upon completion of the project. As a starting point this should assess: • Key success factors; Completed Review of the project to date submitted to Finance Committee in February 2009. Also, project closure review document completed by project team. PAGE 8 Item / Priority / Recommendation / Action / Deadline / Progress/Comments • Areas for development; • Any bottlenecks in the process; • Whether the planning process was robust and where it required significant revision; • The management overview and reporting; and, • Lessons learnt that could be taken forward to streamline future project. 94 2 CNPA should ensure that intangible benefits have been achieved Pete Crane 2010 The Authority will be commissioning a visitor survey during 2009 and this will provide an opportunity, through comparison of current results with the previous survey results, to assess whether any impact is made to the outcome as a whole. It is very difficult to differentiate between the contribution made by this project as opposed to other work conducted over the period between surveys. The costs of commissioning a more specific survey would have to be carefully balanced against the potential benefit. 95 2 When a list is being compiled of companies that are to be invited to tender for work, the reasons for selecting these companies and for excluding others should be formally documented. - - - Noted for consideration in current revisions to procurement guidance. It has been CNPA policy that contracts of this value should be awarded following invitation to tender to at least 3 companies. In this regard, the practice adopted actually exceeds minimum requirements. We have not to date required disclosure of reasons for excluding others and in this regard the practice adopted by the project was, therefore, not a breach of policy. 96 2 Prior to invitations to tender being issued, a tendering assessment document should be developed, and disseminated to the scoring panel. - - Completed Procurement practice has moved on from that in place at the time this tender was let and a formal tender scoring and assessment document is now in place and required for such tender evaluation practices. 97 2 The actual costs incurred to date should be calculated, as well as the predicted future funding receipts and expenditure - - Completed Agreed and actioned through the paper to PAGE 9 Item / Priority / Recommendation / Action / Deadline / Progress/Comments of the project. This should be compared to the budget and provided to the Board. Finance Committee in February 2009. PROJECT MANAGEMENT REVIEW – LAND MANAGEMENT SUPPORT OFFICERS – December 2008 Item / Priority / Recommendation / Action / Deadline / Progress/Comments 98 2 CNPA should: • Look to identify the barriers to entry that the landowners are experiencing; • Identify the most efficient method of developing information resources that can be issued to interested parties to ease the barriers to entry; • Identify the types of projects that the various land managers would be interested in participating in; • Identify the various types of projects and levels of funding that are available through the SRDP; and, • Look to match interested landowners within the park area to SRDP supported projects. Project Manager (FC) Ongoing Recommendation agreed – this is what the LMSO’s are currently doing. Having had the initial phase of awareness raising and promotion, they are now working on more proactive targeting, including for example catchment management and designated site options. They are compiling evidence on the barriers to entry and potential improvements to provide feedback to the SG on the implementation of the scheme. They are also working with independent advisors and agents to encourage them to promote applications that will contribute to the Park Plan. 99 2 CNPA should continue making applications to SGRPID and also look to identify any other possible means of obtaining this information. In monitoring the success of the project in helping to deliver the National Park Plan, CNPA should: • Obtain information on the number of applications made within the CNPA area; • Obtain information on the type and value of successful applications made within the CNPA area; and, • Have follow-up meetings with organisations or individuals who have made either successful or unsuccessful applications and assist with any other potential applications. Project Sponsor (HT) with Project Manager (FC) End Jan 2009 Agreed it is vital that a set of performance measures are established against which to monitor the success of the project. These measures must be appropriate to the type of project and capable of relatively easy data capture. 100 2 As part of the ongoing budgetary review process the salaries and related project expenditure should be reallocated to specifically defined project financial codes. Finance Manager Dec 2008 Recommendation agreed REVIEW OF FINANCIAL CONTROLS – April 2009 PAGE 10 Item / Priority / Recommendation / Action / Deadline / Progress/Comments 101 2 Management should ensure that the Financial Regulations and Procedure document is updated reflecting all changes within the organisation. The document should be reviewed twice a year in line with the review time frames set out in the document. All changes should be fully communicated to all relevant staff. Finance Mgr / Head of Cor Services June 2009 The Financial Regulations have been under review, along with general financial and management reporting systems, during 2008/09 with a view to updating at the start of 2009/10. This timeframe has been dictated by the introduction of a new organisational structure which gives greater budgetary responsibility to Programme and Project managers. For this new structure, budgetary approval levels and acceptable levels of supporting documentation have required to be reviewed and approved. The testing and implementation of the CNPA’s new Internet banking system in the second half of 2008/09 have also produced new procedures to add to the Regulations along with those regarding Programme and Project Managers. The Financial Regulations have been updated for both of these in June 2009. 102 2 A cash logbook should be maintained to allow a clear audit trail for all receipts and payments. A cheque log should be maintained to detail all the cheque payments and to ensure all cheques are used in sequence. The log should provide the following information: Cheque No, Payee, Reason for payment/cancellation and authorisation. The issue regarding a cash/cheque log has been highlighted in previous audit reports. Finance Mgr, MM/DB June 2009 Processes regarding cash management and spoilt/unused cheques have been updated in the Financial Procedures. Cash pay-in slips and corresponding invoices should be cross- referenced to allow reconciliation. A listing of cheque payments from Sage will be reviewed for unused cheques at each month end and the reasons for any spoilt cheques documented. A cheque received register has been set up. It is not thought necessary to set up a cheque payment register (Sage accounting records deemed sufficient). 103 2 To allow for efficient management of cash resources, cheques should be banked as soon as possible. The mail log should be reviewed periodically to identify instances in delays in the banking of cheques. All exceptions should be explained. The log should be updated to provide further Finance Mgr, MM/DB June 2009 The volume of transactions that require a visit to the bank rarely justify more than one visit per week, which in turn dictates average banking times. All cheques received are kept in the safe prior to banking and the risk of PAGE 11 Item / Priority / Recommendation / Action / Deadline / Progress/Comments detail of the account into which each of the cheques is to be banked. misplacement is deemed low. However, a new procedure of banking cheques daily where the total is material (>£1,000) has been added to financial procedures. Admin staff who update the mail log do not know which bank account cheques should be posted to and, with only two bank accounts, there is deemed to be no need to specify the account to be paid into. 104 3 All BACS transfers should be supported by sufficient evidence and documentation on file Finance Mgr, MM/DB June 2009 Agreed – all BACS payments should have supporting documentation. The exception to this rule would be where a failed payment batch (e.g. incorrect sort code) is resent or an inter-company bank transfer has been verbally approved by the Fin Mgr. The only occasion when a lack of segregation of duties may occur is when a failed payment batch is prepared (‘cloned’) by the Fin Mgr then authorised, with the original failed payment having been properly prepared and authorised by three different people. Normally, all payments are prepared by the Fin Assistants, who cannot authorise any payments other than inter-co transfers. 105 3 All bank reconciliations should be reviewed each month and signed off as evidence of review. Management should ensure that reconciling items highlighted by the bank reconciliation are resolved in a timely manner. Items with an age of greater than six months, which are therefore unlikely to be resolved, should be written back as appropriate. Finance Mgr, MM/DB June 2009 All bank reconciliations are reviewed and no month end is closed off without this review. Authorised bank reconciliations now on file (bank reconciliations had been approved and either not filed or approved electronically and not signed off physically). Physical evidence of electronic review of reconciliations to be kept in future as required. Normally, reconciling items highlighted in the bank reconciliations are resolved in a timely manner. Where this does not occur, the reconciling item will not be deemed material and the reason for its PAGE 12 Item / Priority / Recommendation / Action / Deadline / Progress/Comments existence known about and waiting further action (e.g. response from a supplier). 106 3 An independent person should review all journals prior to posting to allow for segregation of duties. Each month a report of all journals posted in the period should be downloaded from the Sage system and this should be reviewed and signed off by the Finance Manager to provide assurance over the journals that have been posted. Finance Manager June 2009 All journals posted by Finance Assistants should be signed off by the Finance Manager. Instances do occur where the Finance Manager posts his own journals as part of month/year end review procedures and these may not have been signed off. The system of budgetary review and reporting is deemed sufficient to identify any material mis-postings or errors. Finance Manager to evidence own journals in future. 107 3 A distribution list should be prepared with a related e-mail group to ensure that all relevant stakeholders receive reports on a timely basis. Finance Manager June 2009 The Management Team are the only recipients of monthly summary reports, with Programme Managers receiving monthly operational reports on their area of responsibility. Financial regulations to be updated to reflect this. We do not intend to use e-mail groups as these can become out of date with recipients not amended. 108 3 A standard fixed asset form should be developed which documents the disposal of all fixed assets including assets with nil book value. The form should capture the following details: • The asset number and description; • Net book value of the asset; • Expected sale proceeds; • Details of Requestor; and, • Approval by Finance Once the asset is disposed the asset register should be updated to reflect the disposal. The Financial Regulations and Procedure document should be updated to document the disposal process. Finance Mgr, MM/DB June 2009 Finance Committee approval was sought for the disposal of two motor vehicles during the 2008/09 financial year, as this was the first time such disposal had taken place. Finance procedures will be updated to ensure all fixed asset disposals are managed through Finance.