CAIRNGORMS NATIONAL PARK AUTHORITY
Audit Committee Paper 2 Annex 1 25/08/06

Cairngorms National Park Authority
Review of Financial Ledger
Internal Audit 2005/2006
March 2006

Strictly Private and Confidential
DRAFT – FOR DISCUSSION PURPOSES ONLY

This report and the work connected therewith are subject to the Terms and Conditions of the engagement letter between the Cairngorms National Park Authority and Deloitte & Touche LLP. The report is produced solely for the use of the Cairngorms National Park Authority. Its contents should not be quoted or referred to in whole or in part without our prior written consent except as required by law. Deloitte & Touche LLP will accept no responsibility to any third party, as the report has not been prepared, and is not intended for any other purpose. This report is prepared on the basis of the limitations on Page 12.

Contents
Section 1 Executive summary
Section 2 Detailed findings and recommendations
Section 3 Statement of responsibility
Appendices
Appendix A Scope and objectives
Appendix B Personnel interviewed

Section 1 - Executive summary

1.1 Introduction

This review of Financial Ledger is part of our coverage of core financial areas as required in the audit plan approved by the Audit Committee. Appendix A shows the detailed scope and objectives of our review.

1.2 Background

Cairngorms National Park Authority (CNPA) uses the Sage Accounting system. Two separate ledgers are maintained within Sage, one for core funds (those that relate to the operational plan, and central costs such as Board fees, staff costs and accommodation) and one for project funds.
Each ledger is managed by a finance processing officer, each of whom is overseen by the Finance Manager. The core ledger has recorded approximately 1300 invoices at a total value of £1.3m in this financial year. This gives an average value per invoice of £985. The project ledger has recorded approximately 360 invoices this year at a total value of £351k. This gives an average value per invoice of £974.

Financial procedures were finalised in January and have been made available to all staff on the shared network.

The main transactions in Sage relate to the payment of invoices. All invoices are recorded on a spreadsheet when they arrive in the office. These are stamped and issued to the relevant Head of Group for authorisation. All core invoices are then passed to the Finance Manager for further authorisation prior to processing in the ledger. All project invoices are authorised by the relevant Project Manager prior to ledger entry.

All transactions in Sage are allocated a number when input. This sequentially assigned number is used as the basis for filing all transaction documentation relating to ledger input.

The ledger is password controlled and only the Finance Manager and processing staff have full user access. A number of members of the senior management team have read-only access and the IT Manager has IT access rights.

Month end procedures are performed on the 10th of the month by the finance processing staff and a processing checklist is completed. Bank reconciliations are performed by finance processing staff and each staff member performs the other's reconciliation, e.g. the project officer performs the core reconciliation and vice versa. These reconciliations are reviewed and signed off by the Finance Manager as evidence of review.

Monthly income and expenditure reports are issued to the Management Team as part of the month end process. The Finance Committee is updated on a quarterly basis as to financial progress.
Finance Committee minutes and papers are forwarded to all Board members. Updates are issued to members as appropriate between formal meetings, and particularly over the final quarter of the year.

Journal entries are performed by finance staff and authorised by the Finance Manager. All back up is held as part of the audit trail.

All staff are allocated a network password and those who are identified as Sage users have a username and password. A back up is performed on a daily basis by the Finance Department to the organisation’s shared drive. A daily server back up is performed by the IT Manager.

1.3 Approach

The following approach was used in order to complete this review:
• Discussions were held with the Finance Manager and processing staff to document the systems in place regarding input to ledger, journal authorisation, use of suspense accounts, ledger security and financial reporting;
• An evaluation of mitigating controls against risks was performed in order to identify key controls and areas that were subsequently tested.

1.4 Conclusion

The following table details our overall assessment of the control environment against each audit objective:

Objectives | Overall Assessment | Report Ref.
All transactions of the organisation are recorded | **** | -
All input to the financial ledger is complete, accurate, timely and valid | *** | 2.4
All journals within the financial ledger are authorised and documented | *** | 2.1
Output from the ledger is controlled, secure, timely and appropriate to need | *** | 2.2
Data within the financial ledger is secure and free from risks of loss or corruption | *** | 2.7
The structure of the financial ledger reflects the information needs of the organisation | *** | 2.3
Financial reports reflect actual financial position and contain appropriate supporting information | *** | 2.5; 2.6

Key:
**** Arrangements accord with good practice and are operating satisfactorily (recommendations are in respect of minor matters).
*** Adequate arrangements are in place, but certain matters noted as requiring improvement.
** Arrangements in place offer scope for improvement.
* Inadequate level of control and unacceptable level of risk.

In overall terms, the control environment is generally adequate, although we have identified certain weaknesses that require improvement. These were as follows:
• From a sample of 20 journal entries selected for testing, 15 had not been authorised by the Finance Manager and 11 did not have appropriate back up attached. In addition, it was noted that the Finance Manager authorised his own journal entries. (Recommendation 2.1);
• One bank reconciliation from September could not be located, as bank reconciliations are not filed. In addition, one case was noted in January where the bank reconciliation calculation did not accurately reflect the back up ledger information. This had been signed off as reviewed by the Finance Manager. (Recommendation 2.2);
• The accounting system is not closed down and reopened in the new accounting period as part of the month end procedure. (Recommendation 2.3);
• Balances totalling approximately £8,600 have been sitting in project and core suspense accounts since July 2005. (Recommendation 2.4);
• There are no journal or exception reports produced from the accounting system. (Recommendation 2.5);
• The Finance Manager’s review of the trial balance is performed on an informal basis and is not signed off and filed as part of the month end process. (Recommendation 2.6);
• IT back ups to the shared drive are not named so that they are easily identifiable by date. Also daily server back up tapes are held at the IT Manager’s home. Finance staff did not have copies of the IT security policy. Finally, the Sage accounting system does not require staff to change passwords. (Recommendation 2.7).

Our detailed findings and recommendations are within Section 2 of this report.
In total, we identified seven recommendations as follows:

Description | Priority | Number
Major issues that we consider need to be brought to the attention of Management and the Audit Committee | 1 | 0
Important issues which should be addressed by management in their areas of responsibility | 2 | 5
Minor issues where management may wish to consider our recommendations | 3 | 2
Key | | 7

1.5 Acknowledgements

We would like to take the opportunity to thank all of the CNPA staff involved in assisting us in this audit. The findings and recommendations in this report were discussed with the Head of Corporate Services at the conclusion of our fieldwork.

Section 2 - Detailed findings and recommendations

2.1 Journal Entries

Finding
All journals are input to the ledger by the Finance Processing staff and authorised by the Finance Manager. All back up documentation is held on file as part of the audit trail in the finance department. The following issues were noted during testing:
• 15 of the 20 journals selected for testing had not been authorised by the Finance Manager. 6 of these related to visa card and petty cash reimbursements totalling almost £1,000.00.
• 11 of the 15 journals selected for testing did not have appropriate back up attached.

Recommendation
All journal entries, which are created by finance processing staff, should be authorised by the Finance Manager.

Rationale
There is a risk of unnecessary or inappropriate journal entries being made.

Management Response
Recommendation agreed and action initiated following audit exit meeting.

Responsibility / Deadline
Head of Corporate Services to finalise revised procedures by end September 2006.
Priority
Two

2.2 Bank Reconciliations

Finding
Bank reconciliations are completed as part of the month end procedure by finance processing staff for the core and project accounts. The Finance Manager checks and signs off the reconciliations as confirmation that they have been checked. Bank reconciliations for both project and current accounts from September 2005 to January 2006 were obtained and calculations reperformed. The following issues were noted:
• Bank reconciliations are not presently filed and the core account reconciliation for September could not be located.
• The amount on the bank reconciliation memo for the core account for December 2005 stated that the amount in the trial balance to be reconciled was £69,464.64. Following a reperformance of the reconciliation using the source documentation, it was apparent that the figure on the memo was documented in error and the actual trial balance figure was £64,464.64. This memo had been signed off by the Finance Manager as confirmation that it had been checked.
• Bank reconciliations for January had not been signed as evidence of review by the Finance Manager.

Recommendation
The Finance Manager should review bank reconciliations and only sign off when the reconciliation has been performed to source data. All bank reconciliations should be appropriately filed when reviewed.

Rationale
Discrepancies in the ledger information and bank statement may not be identified.

Management Response
Recommendation agreed.

Responsibility / Deadline
Finance Manager to finalise revised procedures by end September 2006.

Priority
Two

2.3 Month End Procedures

Finding
There is a month end procedure in place and processing staff have a checklist of duties to complete.
However, there is no official shut down of the accounting system between one accounting period and the next, although the Sage system does have this facility. Therefore, after month end procedures have been completed, it is dependent on the processing staff ensuring that they enter all information in the correct period.

Recommendation
The accounting system should be closed down as part of the month end procedures and reopened for the new accounting period. As a result, it would not be possible to enter balances in the previous accounting period without performing a journal entry.

Rationale
Information may not be accurately reflected in the correct accounting period, leading to inaccurate financial reporting. Regular errors that are picked up may result in an increased number of corrective journals being entered.

Management Response
Recommendation agreed.

Responsibility / Deadline
Finance Manager to finalise revised procedures by end September 2006.

Priority
Two

2.4 Suspense Accounts

Finding
CNPA use 3 main suspense accounts, the creditors’ project suspense account, the creditors’ core suspense account and the mispostings account. At the time of our review, there was a total of £8,624 outstanding in the 2 creditors’ accounts. £8,280 related to an £8,000 contribution to a deer-culling programme, which is to be reversed once the final 2004/05 expenditure has been completed. The remaining £280 relates to the finance of a balloon launch. There have been discussions as to whether this should be funded by the Integrated Grant Programme or by core expenditure. The remaining £344 relates to 5 minor balances, 2 of which were in the suspense account waiting for a new code to be set up. This has now been completed; however, the balances have still to be reversed.

Recommendation
The Finance Manager should ensure that all suspense accounts are regularly reviewed and are cleared on a monthly basis.
Any balances in the suspense account which require new codes to be created should be reversed as soon as the code is set up. This should be within the month that the entry is made to the suspense account.

Rationale
Balances may not be accurately reflected in the correct accounting period, which can lead to inaccurate financial reporting.

Management Response
Recommendation agreed.

Responsibility / Deadline
Finance Manager to finalise revised procedures by end September 2006.

Priority
Two

2.5 Financial Reporting

Finding
Management are provided with income and expenditure reports on a monthly basis. These are produced as part of the month end procedure. However, there are no other reports produced from Sage.

Recommendation
Monthly journal and exception reports should be generated and independently reviewed to ensure that all journals are appropriate and that there are no significant changes from month to month. This should include an ageing creditor report to identify any outstanding debts over 30 days.

Rationale
Exceptional circumstances during each accounting period may not be identified.

Management Response
Recommendation agreed.

Responsibility / Deadline
Head of Corporate Services and Finance Manager to agree schedule of month-end control reports by end November 2006.

Priority
Three

2.6 Trial Balance Review

Finding
The Finance Manager stated that he does review the trial balance on a monthly basis. However, this is performed on screen and is not signed off and filed. Processing staff do print a trial balance as part of the bank reconciliation process; however, this is to obtain the current account balance to reconcile to the statement. This is not reviewed in full.

Recommendation
The trial balance should be printed, reviewed, signed off and filed as part of the month end process. The Finance Manager should assume responsibility for this process.
Rationale
Without evidence of review, there is no guarantee that all variances are identified and investigated.

Management Response
Recommendation agreed.

Responsibility / Deadline
Finance Manager to finalise revised procedures by end September 2006.

Priority
Two

2.7 IT Security

Finding
From discussions with Finance and IT staff, it was noted that finance processing staff perform a daily back up to the S drive; however, the date of the back up is not documented as part of the back up title. There is also no prompt within Sage to change passwords on a regular basis. No password length or format is specified.

Discussions with staff and observation of practice also noted that it is possible to access Sage on any PC with any log in, as long as it is loaded on that machine. This does not require the user to log off and re-enter a network password.

Finance staff did not have a copy of, and could not demonstrate an awareness of, the IT security policy.

Recommendation
Finance processing staff should ensure that the title of the daily back up performed includes the date that the back up was taken. The Sage system should be amended so that users are prompted to change passwords on a monthly basis. Finance staff should be provided with a copy of the IT security policy. They should be aware of IT security issues and aware of procedures regarding back ups and password changes.

Rationale
Inappropriate access to financial information may be granted if password information is inappropriately obtained. In addition, the present IT security processes could result in a total loss of information in the event of an emergency with the server.

Management Response
Recommendation agreed.

Responsibility / Deadline
Finance Manager to finalise revised procedures by end September 2006, liaising with Business Services and Information Systems Managers.
Priority
Three

Section 3 - Statement of responsibility

Statement of Responsibility

We take responsibility for this report which is prepared on the basis of the limitations set out below.

The matters raised in this report are only those which came to our attention during the course of our internal audit work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of internal audit work is not and should not be taken as a substitute for management’s responsibilities for the application of sound management practices. We emphasise that the responsibility for a sound system of internal controls and the prevention and detection of fraud and other irregularities rests with management and work performed by internal audit should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify all circumstances of fraud or irregularity. Auditors, in conducting their work, are required to have regard to the possibility of fraud or irregularities. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud. Internal audit procedures are designed to focus on areas as identified by management as being of greatest risk and significance and as such we rely on management to provide us full access to their accounting records and transactions for the purposes of our audit work and to ensure the authenticity of these documents. Effective and timely implementation of our recommendations by management is important for the maintenance of a reliable internal control system.

Deloitte & Touche LLP

In this document Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates.
As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte & Touche”, “Deloitte Touche Tohmatsu”, or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.

In the UK, Deloitte & Touche LLP is the member firm of Deloitte Touche Tohmatsu and services are provided by Deloitte & Touche LLP and its subsidiaries. Deloitte & Touche LLP is authorised and regulated by the Financial Services Authority.

©2006 Deloitte & Touche LLP. All rights reserved.

Deloitte & Touche LLP is a limited liability partnership registered in England and Wales with registered number OC303675. A list of members’ names is available for inspection at Stonecutter Court, 1 Stonecutter Street, London EC4A 4TR, United Kingdom, the firm’s principal place of business and registered office.

Appendix A - Scope and objectives

Scope

Good financial planning, financial management and reporting are achieved through a sound system of control within the financial ledger. Our review will assess the controls in place to ensure the validity, timeliness and completeness and accuracy of entries to the financial ledger. Additionally, we will assess the controls in place to ensure the accuracy and completeness of reporting to management and the Board.
Objectives

Accordingly, the control objectives of this audit will be to assess the controls in place to ensure that:
• All transactions of the organisation are recorded;
• All input to the financial ledger is complete, accurate, timely and valid;
• All journals within the financial ledger are authorised and documented;
• Output from the ledger is controlled, secure, timely and appropriate to need;
• Data within the financial ledger is secure and free from risks of loss or corruption;
• The structure of the financial ledger reflects the information needs of the organisation;
• Financial reports reflect actual financial position and contain appropriate supporting documentation.

Appendix B - Personnel interviewed

• David Cameron – Head of Corporate Services
• Denby Pettitt – Finance Manager
• Mandy Matheson – Finance Assistant
• Diane Buchan – Finance Assistant