HES is an arms-length body, which receives Scottish government funding, maintaining more than 300 historic sites including Edinburgh Castle.
The annual audit of its accounts revealed weaknesses in the financial management of electronic purchasing cards (which allow employees to pay for goods and services) and hospitality.
About one in four staff members had one of these purchasing cards – £1.9m was spend on 400 cards in 2024/25.
It also found the board had not properly scrutinised the cancellation of a £2.9m specialist archive storage project – with a further £500,000 likely to be spent.
Mr Boyle said HES had operated without a chief executive or accountable officer for almost six months this year when the Scottish government should have provided a substitute.
HES has published its annual report and accounts, external, highlighting an increase in visitors to its sites (4.7 million).
It also said heritage tourism had generated £935m for Scotland’s economy.
A HES spokesperson acknowledged “the serious governance issues and cultural problems” identified in Mr Boyle’s report.
They said: “We are committed to rebuilding trust through strong governance, clear processes, and a culture of accountability.
“We have strengthened internal controls and compliance monitoring and are updating relevant policies and procedures.”
The Scottish government said it was working closely with HES to resolve the issues raised.