WARNING - By their nature, text files cannot include scanned images and tables. The process of converting documents to text only, can cause formatting changes and misinterpretation of the contents can sometimes result. Wherever possible you should refer to the pdf version of this document. CAIRNGORMS NATIONAL PARK AUTHORITY Audit Committee Paper 3 24/08/07 CAIRNGORMS NATIONAL PARK AUTHORITY FOR DECISION Title: 2006/07 ACCOUNTS: STATEMENT OF INTERNAL CONTROL Prepared by: David Cameron, Head of Corporate Services Purpose To seek the Committee’s approval for the Statement of Internal Control, to be included in the accounts for 2006/07. Recommendations The Committee is requested to: a) Approve the draft Statement of Internal Control, set out in Annex 1, for inclusion in the accounts for 2006/07. Executive Summary Draft accounts for the year ended 31 March 2007 have been prepared. External audit review of the accounts is also nearing completion. An element of the Committee’s remit is to provide advice to the Accountable Officer on their completion of the Statement of Internal Control, which forms part of the preface to the accounts. Accordingly, the Audit Committee is requested to consider a draft Statement of Internal Control in light of their experience of internal and external auditors’ reports, and of reports from the Authority’s management, brought to the Committee over the course of the year. STATEMENT OF INTERNAL CONTROL For the period ended 31 March 2007 Scope of Responsibility 1. As Accountable Officer, I have responsibility for maintaining a sound system of internal control that supports the achievement of the organisation's policies, aims and objectives, whilst safeguarding the public funds and assets for which I am personally responsible, in accordance with the responsibilities assigned to me in the Management Statement for the Cairngorms National Park Authority. In discharging this responsibility I am held accountable by the Authority’s Board, and by Scottish Ministers. In particular, the Authority’s Board has Finance and Audit Committees in place, each of which has remits to ensure elements of the Authority’s internal control systems, including risk management systems, are in place and function effectively. 2. The Scottish Public Finance Manual (SPFM) is issued by the Scottish Ministers to provide guidance to the Scottish Executive and other relevant bodies on the proper handling of public funds. It is mainly designed to ensure compliance with statutory and parliamentary requirements; promote value for money; ensure high standards of propriety; secure effective accountability and risk management within organisation’s; and hence ensure good systems of internal control. An element of my responsibility as Accountable Officer is to ensure the Authority’s internal control systems comply with the requirements of the SPFM. Purpose of the System of Internal Control 3. The system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risk of failure to achieve policies, aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness. 4. The system of internal control is based on an ongoing process designed to identify and prioritise the risks to the achievement of departmental policies, aims and objectives, to evaluate the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively and economically. 5. The system of internal control has been in place in the Cairngorms National Park Authority for the year ended 31 March 2007 and up to the date of approval of the annual report and accounts, and accords with Treasury guidance. 6. The internal audit function is an integral element of the Authority’s internal control systems. Deloitte LLP were appointed as the Authority’s internal auditors in June 2004 and have undertaken a comprehensive review of key internal control systems since their appointment. Over the course of the year to 31 March, the internal auditors have reported to the Audit Committee on their independent reviews of the Authority’s financial ledger; grant award systems; cash flow management; risk management; the Authority’s computerised HR system; and the coverage of financial controls. Work is ongoing on a review of health and safety management. The Board’s Audit Committee has considered reports on each of these reviews and approved management actions required to address any recommendations made. Recommendations made were for improvements to control systems, with all reviews finding adequate control systems to be in place and operational. Capacity to Handle Risk 7. Leadership for the process of risk management within the organisation is provided at the highest level, with the Board’s recognition of the importance of risk management in the activities of the organisation, and through the Board’s adoption of risk based monitoring reports for delivery of Corporate and Operational Plan objectives and for wider assessment of organisational performance. 8. The Board’s Audit Committee and Management Team are also each actively involved in leading on embedding risk management processes throughout the organisation. Both these groups consider the management of strategic risk at regular intervals, reviewing and updating the strategic risk register and seeking to ensure that the required actions to manage risk at a strategic level are appropriately reflected and incorporated in operational delivery plans. Accordingly, a risk management focus has been developed into key control processes, including quarterly organisational performance monitoring and project initiation and delivery documents. The Risk and Control Framework 9. The Authority’s strategic risk management processes are based on a schedule of key risks and risk management strategy approved by the Audit Committee in March 2005. Risk appetite is set within the agreed risk management strategy. This process has given rise to the Authority’s Strategic Risk Register, setting out responses to key risks and officers responsible for their management, which was subsequently approved by the Audit Committee in March 2006. The Strategic Risk Register is reviewed and updated quarterly by the Authority’s Management Team and at each Audit Committee, and maintains an audit trail of action taken. 10. The Authority has also adopted a risk based approach to the management and monitoring of its Operational and Corporate Plan delivery, and of key aspects of organisational performance, whereby any increased risk to achievement of targets is assessed, reported to Board and Management Team, and, where required, remedial action determined and implemented. 11. More generally, the organisation is committed to a process of continuous development and improvement: developing systems in response to any relevant reviews and developments in best practice in this area. In particular, in the period covering the year to 31 March and up to the signing of the accounts the organisation has: a) Implemented a “balanced scorecard” model to further assist in monitoring and controlling key organisational risks around the Authority’s finances, its staffing, its governance and its delivery of key outcomes; b) Acted on a range of internal audit recommendations for further improvements in the internal control framework; c) Initiated a process of Best Value reviews of service delivery in order to seek continuous improvement in risk management and service standards. d) Developed a control framework within which public stakeholders will, along with the Authority, deliver priority actions set out in the National Park Plan agreed by Scottish Ministers. This framework will also support the management of risks by these public stakeholders in their delivery of National Park Plan actions. Review of Effectiveness 12. As Accountable Officer, I have responsibility for reviewing the effectiveness of the system of internal control. My review of the effectiveness of the system of internal control is informed by the work of the internal auditors and the executive managers within the Authority who have responsibility for the development and maintenance of the internal control framework, and comments made by the external auditors in their management letter and other reports. I have been advised on the implications of the result of my review of the effectiveness of the system of internal control by the Board, the Audit Committee and a plan to address weaknesses and ensure continuous improvement of the system is in place. 13. Advice from independent internal and external auditors forms a key and essential element in informing my review of the effectiveness of the systems of internal control within the Authority. The Board’s Audit Committee also plays a vital role in this regard, through its review of audit recommendations arising from reviews of internal control systems and its consideration of proposed management action. In particular, the Audit Committee is tasked with monitoring the operation of the internal control function and bringing any material matters to the attention of the full Board. Detailed findings of all audit reviews are made available to both management and the Audit Committee. The Audit Committee produces an Annual Report to the Board assessing the adequacy and effectiveness of the Authority’s internal controls. 14. Senior Managers on the Authority’s Management Team also play an important role in implementing control systems and advising on any improvements required. The Head of Corporate Services is particularly involved in implementing a variety of internal control process, ensuring a continuing process of review and improvement to these systems, and taking a leading role in embedding the principles of risk management throughout the organisation. 15. Appropriate action is in place to address any weaknesses identified and to ensure the continuous improvement of the system. 16. The internal auditors have reported that, overall, adequate internal controls were in place within the Authority over the course of 2006-07. Jane Hope, Chief Executive August 2007