CAIRNGORMS NATIONAL PARK AUTHORITY
AUDIT COMMITTEE 24/03/06
MINUTES

Draft Minutes of the Audit Committee
Held at the Park Authority Offices, Ballater
Friday 24 March 2006

Present
Eric Baird (Chair)
Bob Wilson
Duncan Bryden
Sue Walker

In Attendance
David Cameron
Bob Clark, Audit Scotland
Stuart Sands, Deloitte
Duncan Geddes, Deloitte

Apologies
Sally Dowden
Jane Hope

Welcome

1. The Chair welcomed all present to the meeting.

Apologies

2. Apologies were noted as indicated above.

Minutes of Meeting of 16 December 2005

3. The minutes of the meeting of 16 December 2005 were agreed without amendment.

Matters Arising

4. With regard to point 28 of the minute of December 2005, David Cameron confirmed that a letter had been sent to the Scottish Executive raising the Committee’s concerns on the potentially misleading financial statements, and consequent high risk of public confusion and adverse perception of the level of financial control in the Authority, stemming from current Executive accounting requirements.

5. Members considered the appropriate point at which the Committee should again consider how to tackle its role in considering the achievement of intended outcomes of activities through projects undertaken by the Authority. Members agreed they would revisit this at the August 2006 meeting, after Board consideration of the outcome of the 2005/06 Operational Plan.

External Audit: Audit Planning Memorandum 2005/06 (Paper 1)

6. Bob Clark of Audit Scotland introduced this paper to members, highlighting in particular the intended external audit approach for the year:
   a. High level testing of controls;
   b. Review of the work of internal audit;
   c. Review of the accounts.

7. In response to a question on the auditors’ determination of “materiality”, Bob Clark clarified that their typical test was set at 1% of income. This would be further influenced by consideration of the type of transaction involved, i.e. remuneration transactions would be treated as more sensitive than many other types.

8. Bob Clark indicated that the fee for the audit had been set at the mid-point of the suggested range for organisations of the size of the Authority. The final fee level would be dependent on the quality of working papers; coverage of internal audit work; and the delivery of work by the Authority’s staff in accordance with the suggested timetable in the Planning Memorandum. With reference to the timetable, the key date was the planned clearance meeting by 11 August.

9. Bob Clark clarified that Audit Scotland procedures had changed again and that he would once again be responsible for signing off the auditors’ certificate. The timetable sought to conform to good practice of having accounts signed off within 6 months of the year end and he assured members that this fell well within the statutory timeframe which required the Authority’s accounts to be laid before Parliament by 31 December.

10. Members agreed the proposals set out in the Audit Planning Memorandum for the 2005/06 external audit.

Review of IT Contingency Planning (Paper 2)

11. Duncan Geddes introduced Deloitte’s internal audit report on the Authority’s IT Contingency Planning and highlighted the three recommendations made, aimed at improving the overall level of internal control and risk management of the Authority’s IT operations. The overall findings of the audit review indicated that current arrangements in place for contingency planning offered scope for improvement.

12. Stuart Sands highlighted that the recommendation on specific risk assessment of the IT operations was the key point for action. This recommendation did not suggest any problems with the organisation’s strategic risk management processes, but highlighted that, as a relatively new organisation, the Authority had yet to undertake some lower level, specific risk assessments around individual operational systems.

13. In discussion, members noted that some of the risk around relatively low staffing levels was mitigated by outsourced support contracts in place. Members also noted that there may be opportunities for joint working with larger organisations.

14. Members also noted that the current multi-site working arrangements carried with them a number of advantages as well as disadvantages.

15. The Committee accepted the internal auditors’ report and agreed the management responses made to recommendations.

Review of Server Security (Paper 3)

16. Duncan Geddes introduced this paper, which presented the results of Deloitte’s review of the Authority’s server security. The study had utilised a third-party tool called “SekChek” to review the IT security parameters and controls over the main server, analyse system-wide security defaults and user parameters, and identify any security weaknesses.

17. Overall, the review had shown that adequate security arrangements were in place and that the Authority’s server security results were above average for other similar IT domains in operation within the government sector. Three recommendations for action had been put forward, to further improve server security.

18. In discussion, members noted that password protection rules were built into initial user log-in to the network prior to accessing systems, but that lower level password controls may be improved when logging into individual systems to enhance overall security.

19. The internal auditors indicated their agreement to the relative priority suggested by management responses to their recommendations, and the associated timetable for action.

20. Members suggested that a number of the issues highlighted may be resolved through production of regular internal management reports reviewing the number of system users and accounts. David Cameron agreed this would be appropriate for his internal control purposes.

21. In response to a question on whether the SekChek test should be repeated annually, the internal auditors and Head of Corporate Services agreed it would be more appropriate to build this into each three-year internal audit plan, and undertake it more frequently if there were any step-changes in the Authority’s IT operations.

22. The Committee accepted the internal auditors’ report and agreed the management responses made to recommendations.

Strategic Risk Register (Paper 4)

23. David Cameron introduced this paper by highlighting Audit Scotland’s previous recommendation, that some further work was required on the schedule of strategic risks agreed previously by the Committee to establish a formal risk register. This paper presented the results of that work, establishing a formal risk register, and identifying in that register action to be taken in managing key risks and officers who would be responsible for doing so.

24. In discussion, members welcomed progress on development of the risk register. Members accepted that work to date had necessarily been conducted primarily by Corporate Services staff. Members particularly welcomed the proposal that future monitoring and development of the risk register would be undertaken by the full Management Team in order to ensure acceptance, buy-in and delivery of required actions.

25. Members considered the strategic risk identified on the need to develop more fully the Authority’s Health and Safety policy.

26. Members agreed that the Board should be made fully aware of their responsibility for Health and Safety within the organisation, and how this responsibility was ultimately discharged. This responsibility should be flagged up by way of a short paper and presented to the Board at an appropriate point.

27. Members welcomed the paper and acknowledged the underpinning work that had gone into development of the Authority’s strategic risk management processes.

Update on Internal Audit Recommendations (Paper 5)

28. David Cameron indicated that this paper presented the standard update of progress made on actions relating to recommendations made following previous internal audit reviews. The current report highlighted good progress having been made across all areas covered by previous reviews.

29. Stuart Sands pointed out to the Committee that he felt this paper represented best practice in terms of demonstrating ongoing commitment to addressing audit issues and reporting to Audit Committees and was welcomed by his firm. He felt this set an example which his firm would hope other clients would follow.

30. Members noted the report.

Any Other Business: Deloitte CNPA Service Report as at 15/3/06

31. The Committee noted a progress report on audits agreed as part of the 2005/06 audit programme. In addition to those presented at today’s meeting, two further draft reports had been issued and a number of new reviews were due to commence prior to the next Committee meeting.

32. In response to a question on the scope of upcoming work on risk management, Stuart Sands confirmed that the auditors would have regard to the stage of development of the organisation and would not, therefore, undertake testing against processes expected of a fully developed, mature organisation.

33. Bob Clark also clarified that it was not essential for internal audit reports to have been seen by Audit Committees for reliance to be placed on them by Audit Scotland in undertaking external audit work. The main reference for the external auditors would be on the draft management responses.

34. Members agreed that the Head of Corporate Services should issue an interim update to members with any new, finalised internal audit reports if their production did not fit well with the established timing of Committee meetings.

Date of Next Meeting

35. The next meeting of the Committee would be Friday, 25 August, in Ballater.