Secretariat Audit And Risk Committee
Report To The Northern Ireland Assembly Commission for The Year Ended 31 March 2023
Final ACARC Annual Report 2022-2023.pdf (215.74 kb)
CONTENTS
1. Introduction
2. Assembly Commission Audit and Risk Committee
4. Annual Report and Accounts for the Year Ended 31 March 2022
5. Conclusion
Annex A: Assurance Definitions
CHAIRPERSON’S FOREWORD
I am pleased to present the Annual Report for the year ended 31 March 2023 on behalf of the Assembly Commission Audit and Risk Committee (ACARC). This Report describes how ACARC fulfilled its role of providing support and advice to the Northern Ireland Assembly Commission (the Assembly Commission), the Clerk/Chief Executive and the Senior Management Team (SMT) in order to promote sound governance, internal control, and risk management arrangements. In line with the Assembly Commission’s policy of openness and accessibility, ACARC Annual Reports and the minutes of ACARC meetings are placed on the Assembly Commission website.
I would like to begin by thanking John O’ Dowd MLA who served on ACARC until May 2022 as the Assembly Commission Member. I would also like to thank Dr Maurice Keady, the Independent Member and Trevor Clark MLA, the Assembly Commission Member, who have served on ACARC since May 2022.
During this reporting year, ACARC met on four occasions. This year has been challenging for the Assembly Commission due to the ongoing political circumstances and the fact that the Assembly is not currently conducting normal business. I therefore wish to take this opportunity to acknowledge the resilience and dedication of staff during the year.
Once again, ACARC has been impressed by the diligence of the Assembly Commission in conducting regular self-assessment exercises in the areas of fraud and bribery (which includes whistleblowing), cyber security, and risk management. ACARC has noted the action plans that have arisen from these exercises and the clear progress, illustrated by way of regular monitoring and reporting, against the action plans.
At each meeting, ACARC is presented with a report outlining audit recommendations made, implemented, and outstanding. This enables it to form a clear view of the effort that management invests in continually developing the governance, control and risk arrangements in the organisation and adds considerable value to ACARC.
As part of the consideration of the Annual Report and Accounts for the Year Ended 31 March 2022, ACARC received a comprehensive overview of the financial statements, including a comparison with the prior year and current year’s budgets; considered the clarity and completeness of the information, taking in to account key accounting policies, assurances about the financial systems, and the quality of the control arrangements over the preparation of the accounts; and received a full briefing on the external audit prior to recommending their approval by the Accounting Officer.
Until the end of May 2022, ACARC received regular updates from the acting Head of Internal Audit regarding output progress against the 2022-23 Internal Audit Plan. The acting Head of Internal Audit resigned to take up another post on 31 May 2022. The Director of Legal, Governance and Research provided a summary of the Internal Audit Activity and Assurance memo prepared by the acting Head of Internal Audit at the ACARC meeting on 22 June 2022. At the ACARC meeting on 12 October 2022 she also provided an update on Internal Audit reports which had been substantively overseen by the acting Head of Internal Audit and issued after his departure.
ACARC was advised at its meeting on 22 June 2022 that, in the context of the departure of the acting Head of Internal Audit, SMT would be considering the resources required to deliver the Internal Audit function. At the ACARC meeting on 12 October 2022, SMT advised that it had decided to outsource the Internal Audit function to an external service provider and ACARC members were subsequently consulted on the tender specification.
A contract with an external service provider, EY, has now been entered into for 5 years, including two optional one-year extensions.
Under this contract, EY is required to nominate a senior named individual who will be designated as the Head of Internal Audit. The nominated Head of Internal Audit will attend ACARC meetings and report on the work done and findings. EY will also be required to develop an Internal Audit Charter, an Internal Audit Strategy and an Internal Audit Plan.
Due to resignation and absence within the Assembly Commission’s Internal Audit Unit, prior to EY being appointed there was a six-month period when no Internal Audit activity took place. However, the 2022-23 Internal Audit Plan was an annual plan and following appointment, EY assisted in the completion of the 2022-23 Internal Audit Plan.
EY is required to provide an Annual Assurance Report on the system of internal control in the Assembly Commission. In its 2022-23 Annual Assurance Report, EY’s opinion is that the Assembly Commission has a framework of controls in place that provides Satisfactory Assurance over the effective and efficient achievement of the Assembly Commission’s objectives and management of key risks.
As part of ACARC’s ongoing consideration of risk management procedures, the Corporate Risk Register was reviewed at each meeting and the annual review of Directorate Risk Registers took place in May 2022. Directorate Stewardship Statements were also reviewed in May 2022 and October 2022. All of this information indicates that a constructive and practical approach to risk management is embedded within the organisation and, again, contributes to the assurance that can be provided.
ACARC has completed a self-assessment exercise for the year ended 31 March 2023, which includes comments on ACARC’s effectiveness from the Northern Ireland Audit Office’s representative. The assessment template is based on the National Audit Office’s checklist for Audit Committees. The findings confirm that ACARC is fully compliant with best practice. I am also pleased to report that ACARC achieved all of its targets.
I am grateful to the Assembly Commission for its support and for allowing me as ACARC Chairperson, or Dr Keady as the Independent Member, to attend its meetings and to contribute to its discussions throughout the year. This is very helpful in providing a broader perspective for the work of ACARC.
Finally, my thanks go to the Clerk/Chief Executive, the SMT and the Assembly Commission staff for their ongoing support to ACARC in the achievement of its objectives.
Edward Lord OBE
Chairperson
Assembly Commission Audit and Risk Committee Report to the Northern Ireland Assembly Commission for the Year Ended 31 March 2023
1. Introduction
This Report provides an account of the activity and achievements of ACARC for the year ended 31 March 2023, along with performance against its key objectives for the year.
2. Assembly Commission Audit and Risk Committee
ACARC plays an important role in the overall system of corporate governance in the Assembly Commission. ACARC is independent of the Assembly Commission and aims to support the Clerk/Chief Executive in her role as Accounting Officer. It also provides independent support to the Assembly Commission in monitoring its responsibilities for issues of risk, control and governance and by reviewing the comprehensiveness of assurances.
2.1 Membership
| Member | Position |
|---|---|
|
Edward Lord OBE |
Independent Chairperson |
|
Dr Maurice Keady |
Independent Member |
|
John O’Dowd MLA |
Assembly Commission Member to 16 May 2022 |
|
Trevor Clarke MLA |
Assembly Commission Member from 17 May 2022 |
2.2 Meetings
ACARC normally meets four times a year, although the Chairperson may convene additional meetings should this be necessary. During the year attendance was as follows:
| Member | Meetings invited to and attended |
|---|---|
|
Edward Lord OBE |
100% (4/4) |
|
Dr Maurice Keady |
100% (4/4) |
|
Trevor Clarke MLA |
75% (3/4) |
ACARC meetings are normally attended by the Accounting Officer, all Directors, the Head of Finance, Internal Audit and the Northern Ireland Audit Office (NIAO). Administrative support is provided by the Legal, Governance and Research Services Directorate.
The Chairperson or the Independent Member of ACARC attends meetings of the Assembly Commission as an observer. Edward Lord OBE attended meetings of the Assembly Commission on 28 June 2022 and 10 October 2022. Dr Maurice Keady attended on 13 February 2023.
2.3 Training
Given the comprehensive induction training provided on appointment and existing knowledge and experience, no formal training was deemed necessary during the year.
2.4 Management Information Systems and Controls
At its meetings, ACARC is provided with a number of analyses and reports including:
- An Audit Recommendations Action Log and various self-assessment action plans, together with a statement of the status of each action and a target date for completion.
- Changes to the Corporate Risk Register and progress against planned mitigating actions.
- Copies of Directorate Risk Registers annually for information.
- Copies of Directorate Stewardship Statements every six months for information.
- A progress report from Internal Audit summarising:
- Work performed and a comparison with work planned;
- Key issues emerging from Internal Audit work
- Management responses to audit recommendations
- Changes to the Internal Audit Plan
- An opinion on the overall level of assurance pertaining to the financial year; an
- Any resource issues affecting the delivery of Internal Audit objectives.
- Progress reports from the Northern Ireland Audit Office (NIAO) representative summarising work done and emerging findings.
- The Annual Report and Accounts.
- The NIAO’s Report to Those Charged with Governance.
- The Financial Assistance for Political Parties Scheme audit report.
- Cyber Security and Information Risk Self-Assessment Checklist and Action Plan Monitoring.
- Risk Management Self-Assessment Checklist and Action Plan Monitoring.
- The NIAO Audit Strategy.
- National Fraud Initiative exercise findings.
ACARC is satisfied with the comprehensiveness, reliability and integrity of assurances, the quality of audit, financial reporting and the management of risk.
2.5 Progress Against Key Objectives
| KEY OBJECTIVE | PERFORMANCE |
|---|---|
|
To ensure the effective implementation of audit recommendations, including External and Internal Quality Assurance recommendations. |
The timely implementation of audit recommendations is monitored at each meeting.
|
|
To oversee the handling of key risk areas by the Assembly Commission to ensure that risk is being appropriately managed and value for money secured. |
Corporate Risk Register is reviewed quarterly and Directorate Risk Registers are reviewed annually. The economical, effective and efficient use of resources is considered as part of the ongoing audit programme. |
|
To oversee the timely sign-off of the Annual Report and Accounts. |
The Annual Report and Accounts were signed in line with the timetable agreed with the NIAO. |
|
To promote best practice where possible in the operation of ACARC.
|
ACARC reviewed its Terms of Reference on 16 February 2023 against the requirements of the HM Treasury Audit and Risk Assurance Committee Guidance and the Audit and Risk Assurance Committee Handbook (NI). ACARC completed its self-assessment exercise for the year ended 31 March 2023 against the National Audit Office’s checklist for Audit Committees. ACARC members bring experience from other Boards and Committees, undertake training as necessary and keep abreast of updates and guidance. |
2.6 ACARC Self-Evaluation
On 18 May 2023, ACARC completed its self-assessment checklist for the year ended 31 March 2023 and was fully compliant in all areas.
3. Internal Audit
Internal Audit provides the Accounting Officer and the Assembly Commission, through ACARC, with independent and objective evaluation of risk management, control and governance processes within the Assembly Commission.
Internal Audit examines the adequacy, efficiency and effectiveness of systems, people, and processes to identify potential risks and areas for improvement. Internal Audit will also review and challenge the risk management framework and assess the operation of the framework.
Internal Audit provides findings and recommendations for each engagement, including benchmarking controls and performance against appropriate leading practices with the aim of improving processes and practices within the Assembly Commission.
3.1 Internal Audit Plan
The Internal Audit Plan and associated Resource Plan for 2022-2023 were approved by SMT on 1 April 2022 and noted by ACARC at its meeting on 18 May 2022.
3.2 Internal Audit Activity
Details of Internal Audit reports issued in respect of the Internal Audit Plan 2022-23 are presented below. In summary, nine reviews were undertaken which resulted in either Substantial or Satisfactory assurance and 14 follow-up reviews were undertaken. Definitions of the assurance levels provided by Internal Audit are included at Annex A.
| Report Title | Assurance Rating | Issue Date |
|---|---|---|
|
Follow Up Review of Broadcasting Infrastructure |
Satisfactory |
April 2022 |
|
Follow Up Review of Procurement |
Substantial |
May 2022 |
|
Follow Up Review of Accounts Payable |
Substantial |
May 2022 |
|
Follow Up Review of Youth Assembly |
Substantial |
June 2022 |
|
Annual Audit of Members Expenses 2021/2022 Report (Final) |
Substantial |
June 2022 |
|
Review of FoI Compliance |
Satisfactory |
June 2022 |
|
Review of Information Assurance |
Satisfactory |
June 2022 |
|
Review of Business Office |
Substantial |
July 2022 |
|
Review of the Bill Office |
Substantial |
April 2023 |
|
Review of Engagement |
Substantial |
May 2023 |
|
Review of RaISe |
Satisfactory* |
May 2023 |
|
Review of Members’ Expenses |
Satisfactory* |
May 2023 |
|
Review of Winding Up |
Satisfactory* |
May 2023 |
|
Follow Up of Outstanding Recommendations from Reviews of: PECOS Events Planned and Reactive Maintenance Secretariat Travel Secretariat Pensions Delegated Procurement Information Assurance FOI Compliance Business Office Recruitment and Selection |
Further assurance ratings not provided as all were originally Satisfactory |
May 2023 |
* The highest assurance rating provided by EY is Satisfactory
Recommendations were made in respect of the reviews completed by Internal Audit in order to enhance control, governance and risk management arrangements. The findings and recommendations of each review were discussed at ACARC meetings and no significant issues have arisen. The rate of acceptance and implementation of recommendations remains high.
3.3 Annual Assurance
Internal Audit is required to provide assurance on the system of internal control. It should be noted that assurance can never be absolute. Internal Audit can provide only reasonable assurance that there are no significant weaknesses in the system of internal control.
In assessing the level of assurance to be given, Internal Audit takes the following matters into account:
- Audits undertaken as part of the 2022-23 Internal Audit Plan;
- Any follow-up action taken in respect of audits from previous periods; and
- The proportion of the Internal Audit Plan covered to date.
Internal Audit considers that the Assembly Commission has a framework of controls in place that provides Satisfactory Assurance over the effective and efficient achievement of the Assembly Commission’s objectives and the management of key risks.
Internal Audit is also required to indicate any control issues which it considers to be of significant concern. These control issues may be based on Internal Audit activities for the year, together with Internal Audit’s wider knowledge of the Assembly Commission. Internal Audit did not identify any matters, which it considered that the Assembly Commission should include within the Governance Statement for the 2022-23 year.
4 Annual Report and Accounts for the Year Ended 31 March 2022
Following an examination of the Annual Report and Accounts and the draft Report to Those Charged with Governance, at its meeting on 22 June 2022, ACARC recommended that, as Accounting Officer, the Clerk/Chief Executive sign the Annual Report and Accounts for the Year Ended 31 March 2022.
The Comptroller and Auditor General (C&AG) is responsible for the audit, certification and reporting on the Assembly Commission’s annual financial statements. The C&AG certified the Assembly Commission’s financial statements with an unqualified audit opinion. without modification, on 22 July 2022. The Assembly Commission’s Annual Report and Accounts for the Year Ended 31 March 2022 were then laid in the Assembly on 1 August 2022.
ACARC members appreciated the work of the Assembly Commission and NIAO staff involved in delivering the accounts to the agreed timetable.
5. Conclusion
ACARC is satisfied that it has discharged its duties as guided by its Terms of Reference. Given this, and considering the work of Internal Audit and the NIAO, and the assurances provided to it, ACARC is satisfied that it provides sufficient assurance to the Assembly Commission and to the Accounting Officer, in the discharge of its accountability obligations. ACARC is pleased to note the overall Satisfactory level of assurance from the EY for the year ended 31 March 2023.
Annex A: Assurance Definitions
In-house Internal Audit Function Assurance Ratings
Traditionally public sector Internal Audit assurance ratings were based on four levels of evaluation. DAO (DoF) 07/16 however introduced a revised system of Internal Audit opinions in NICS Departments and Arm’s Length Bodies and removed the “Substantial” assurance rating. ACARC considered DAO (DoF) 07/16 at its meeting on 5 October 2016 and was content for the Assembly Commission to retain the “Substantial” rating. The four levels of evaluation were as follows:
SUBSTANTIAL
There is a robust system of risk management, control and governance which should ensure that objectives are fully achieved.
SATISFACTORY
There is some risk that objectives may not be fully achieved. Some improvements are required to enhance the adequacy and / or effectiveness of risk management, control and governance.
LIMITED
There is considerable risk that the system will fail to meet its objectives. Prompt action is required to improve the adequacy and / or effectiveness of risk management, control and governance.
UNACCEPTABLE
The system has failed or there is a real and substantial risk that the system will fail to meet its objectives. Urgent action is required to improve the adequacy and / or effectiveness of risk management, control and governance.
EY Internal Audit Assurance Ratings
In line with best practice and to ensure consistency with other public sector organisations, EY proposed using the three tier assurance ratings set out in DAO 07/16. This was agreed by ACARC at its meeting on 18 May 2023. The three levels of evaluation now adopted are as follows:
SATISFACTORY
Overall there is a satisfactory system of governance, risk management and control. While there may be some residual risk identified, this should not significantly impact on the achievement of system objectives.
LIMITED
There are significant weaknesses within the governance, risk management and control framework which, if not addressed, could lead to the system objectives not being achieved.
UNACCEPTABLE
The system of governance, risk management and control has failed or there is a real and substantial risk that the system will fail to meet its objectives.
