Appendix 5: Other Evidence considered by the Committee

5.5 Northern Ireland Audit Office: Response dated 27 October 2021 - Annual Report and Accounts 2020/21

NIAO

Kieran Donnelly CB Comptroller & Auditor General

Northern Ireland Audit Office

1 Bradford Court

Upper Galwally

Belfast

BT8 6RB

Direct Line: (028) 9025 1107

E-mail: kieran.donnelly@niauditoffice.gov.uk

www.niauditoffice.gov.uk

@NIAuditOffice

Mr Daniel McCrossan MLA

Chairperson, Audit Committee

Room 254

Northern Ireland Assembly

Parliament Buildings

Ballymiscaw

Stormont

Belfast

BT4 3XX

27 October 2021

Dear Daniel

Annual Report and Accounts 2020-2021

Thank you for your correspondence of 29 September 2021, seeking further information/clarification around the Northern Ireland Audit Office: Annual Report and Accounts for year ended 31 March 2021. To ensure clarity, I will address each of the matters in chronological order as set out in your letter.

1. To provide further information on the reasons why and the steps being taken to address the shortfalls where performance did not meet targets

In the section referred to in your correspondence, there are five key performance targets, two of which were fully achieved. My response will focus on those three targets where there were shortfalls and, where necessary, provide you with the context within which my Office was working across the reporting period.

Target 1: To produce 32 public reports in 2020-21 as per the NIAO Public Reporting Programme (2019-22)

When the pandemic first hit in March 2020, I pulled back my staff from all on-site audit work as the public service focused its energy on the pandemic. Throughout 2020, I was committed to ensuring that our audit work did not disrupt the efforts of severely stretched public bodies to deal with a most challenging set of circumstances. Despite these restrictions we progressed our audit work much further than I could have imagined at the outset whilst working and engaging with audited bodies remotely.

On 19 June 2020, I wrote out to all our key stakeholders, informing them that I had decided to re-prioritise my Public Reporting Programme in response to the pandemic; in effect the target set for the publication of reports at the outset was no longer appropriate. Some studies, for example, “Promoting entrepreneurial culture and supporting business startups”, and “Responding to an ageing population” were deferred to create space for audit work on higher risk covid-related expenditure.

Given these circumstances. I believe that progress on delivering 22 reports in the reporting period was a considerable achievement. This is testament to the commitment and professionalism of both my staff and those in the audited bodies who facilitated the auditing process.

Target 2 - To certify 149 accounts; to certify 80 per cent of audited bodies accounts within seven months of their year-end and 100 per cent within twelve months of their year-end.

As a direct result of the onset of Covid-19, and following agreement with DoF, it was decided to extend the dates for submission of the 2019-20 accounts and audits as follows:

• Central government accounts to be submitted by 4th August 2020 (rather than May 2020), with the statutory deadline for certification 31st October 2020.
• Local government accounts to be submitted by 31st August 2020 (rather than 30 June 2020), for certification by 31st December 2020.

Despite the delays in submission of accounts, and the knock on effect this had on the work programme, I gave a commitment to progress audits as quickly as possible after accounts were received. As a result, I worked closely with DoF to develop arrangements for carrying out audits remotely. This led to, what I consider to be, quite an achievement in the delivery of financial audits as we achieved certification of 126 accounts against a target of 149. Of the 126 accounts certified, 56 per cent of audits were delivered within seven months (2019-20: 80 per cent) and 83 per cent within 12 months (2019-20: 88 per cent).

Target 3 - Annual confirmation of compliance with the International Standard on Quality Control (ISQC 1), to ensure that our financial audit has complied with our audit methodology and professional auditing standards.

The quality of work of my Office is fundamental and quality control is built into every aspect of it. The annual confirmation of compliance with the International Standard on Quality Control (ISQC 1) is one component of a larger jigsaw that ensures that quality remains at the forefront of all that we do in both our public reporting and our financial audits.

Leadership on compliance rests with me, and my Chief Operating Officer is responsible for overseeing the design and implementation of quality assurance arrangements; all staff have a responsibility to deliver quality audit work. We also ensure that audit firms who support the Office by carrying out audit or other specific assignments on our behalf on a contractual basis also have policies in place in respect of ISQC 1 quality control arrangements.

We have regular training in place for all staff to ensure that they understand the ethical and professional standards to which they must adhere. We have a compliance partner function in place at the top of the organisation to ensure compliance with the standards and for creating a culture of professionalism, rigour and openness to challenge. The Chief Operating Officer is NIAO’s compliance partner.

The Office has a code of conduct where staff have a duty to declare any private interests relating to their public duties and to take steps to resolve conflicts arising in a way which protects the public interest. This must be signed on an annual basis by all staff. We have firm guidelines and measures in place to prevent conflict of interest. In terms of our people, quality is at the centre of all that we do; in recruitment training, learning and development strategy and in our performance assessment system.

For the vast majority of audits, there are two review stages, the first comprising a review of all audit tests and working papers and the second confirming that sufficient and appropriate audit evidence has been obtained to support the recommended audit opinion. Where significant matters arise that requires professional judgement, the Office has a designated Technical Director who can provide guidance before deciding the appropriate response. In such cases, we may also conduct a peer review, completed by an independent director before certification.

All of these procedures and controls work towards the completion of a quality audit that complies with legal and regulatory requirements and professional standards. It is against this backdrop that we conduct an annual financial audit quality assurance programme which covers the work of all engagement directors, including audit work contracted out to private sector firms.

In our 2020-21 exercise a representative sample of eight audits was independently reviewed in the programme. These reviews, which encompassed both central government and local government audit, were peer reviewed by teams from other audit offices and, for the first time, the Institute of Chartered Accounts for England and Wales (ICAEW).

Six of the eight audit opinions were found to be appropriate, with only limited improvements required. However, in two cases reviewers concluded that while the audits were generally compliant with ISAs (UK) and the Financial Audit Manual, there were a number of areas for improvements in the audit approach and/or the evidence obtained.

Training and guidance subsequently provided should address these issues. Areas for improvement have been communicated in a guidance paper, and all financial audit staff have been given time to consider in detail and action matters arising within their audit files. In addition, audit managers have been asked to discuss recommendations and guidance included in this paper with their audit teams.

I am therefore satisfied that lessons have been learned from this exercise that reaches across the whole financial audit function and that an appropriate and proportionate response has been completed. Furthermore I have just recently further strengthened the review process by agreeing that all reviews will be undertaken by ICAEW for 2021 and 2022.

2. Details of any significant work being carried out to address the risk factors identified in relation to the Corporate Plan 2021-24 (making an impact; valuing our people and managing resources; and transforming our business – external and internal)

How we manage risk is detailed in our Risk Management Strategy (RMS) which we review on an ongoing basis. The strategy sets out NIAO’s underlying approach to risk management, outlines key aspects of the risk management process, identifies the main reporting procedures, and documents my roles and responsibilities and those of the Senior Management Team (SMT), the NIAO Audit and Risk Assurance Committee (ARAC) and other key parties.

The strategic aims, objectives and priorities of the Office which underpin these vision, purpose and values are set out in the Corporate Plan and cover a rolling three-year period. These are translated into action in the annual business plan. As risk management is a key factor in the achievement of these aims and objectives, it is essential that strategic and operational risks which could affect delivery and outcomes are identified and actively managed. These are outlined in our corporate risk register.

My Office’s approach to risk management is guided by professional best practice¹, and takes full cognisance of the context and environment in which it operates. Because of its public profile and the very nature of its work, the Office must uphold the highest standards in its own operations, and be able to stand the test of independent scrutiny and retain its credibility and reputation with the Assembly, audited bodies and other stakeholders. At the same time, it must ensure that it promotes and secures value for money in its use of public funds.

Risk management in NIAO is more than having a set of risk management processes (risk identification and assessment, risk treatment, risk monitoring and risk reporting). It also includes the application of the principles of: governance and leadership; integration; collaboration and best information and continual improvement.

In relation to all of these principles, the Office focuses on proportionate risk management as an integral part of the way it undertakes business activities. Each risk identified is linked to the corresponding strategic priority. It is managed in a structured way, taking on board the combination of the likelihood of something happening, and the impact which arises if it does actually happen to assess the inherent risk. We then set out the actions, if any, we take to constrain the risk to an acceptable level in accordance with our risk appetite. The risk that remains, taking on board these actions, is our residual risk. In applying these principles, we are accurately assessing the relative significance and prioritisation of each risk.

Throughout my tenure, I have made it clear that risk management belongs to the whole of the Office. I am responsible for ensuring that my office has an effective risk management approach in place and that it is fundamental to how the organization is directed, managed and controlled at all levels. My Senior Management Team (SMT) is responsible for developing and implementing strategy and policies, co-ordinating risk management activities and reviewing and challenging processes, ensuring always that risk management closely integrates with the Office’s strategic and corporate priorities.

The Audit Risk and Assurance Committee (ARAC), through my Board, is responsible for supporting and advising me on the strategic processes for risk, control and governance and the Governance Statement and for considering assurances relating to the management of risk. Internal Audit provides independent assurance on the overall adequacy and effectiveness of the framework of governance, risk management and internal control.

I have also established a Corporate Risk Register Working Group which is responsible for directly briefing the SMT, and by extension the ARAC, on risk management developments. The Group is also responsible for the ongoing monitoring and oversight of the corporate risk register, maintaining close collaboration with all stakeholders and ensuring any themes emerging from risk registers that exist at a project level are assessed and considered at a corporate level. It fulfils these responsibilities by meeting regularly (as a minimum on a quarterly basis) to update the corporate risk register for the SMT to consider and endorse.

Staff also have a responsibility to maintain awareness of the risk management strategy and the key risks faced by the NIAO, to proactively report any emerging risks or changes to risks that they identify and to ensure that they carry out any duties relating to controls in place to address risks.

An example of a key risk identified in my Corporate Risk Register is a “Failure to provide timely and high quality outputs to support and promote public sector accountability and improvement.” On top of a range of controls I already have in place to mitigate this risk, I have also initiated, with my Senior Management Team, an ongoing programme of assessment of resourcing/pressures for financial audits and public reporting delivery.

Through the application of the system I have outlined, I am confident that I can identify, manage and monitor the risk factors associated with each of the strategic priorities in my Corporate Plan 2021-24.

3. The action being taken in an effort to increase opinion that the Public Reporting Programme addresses salient issues and challenges stemming from the COVID-19 pandemic.

Only last month, I published my updated rolling forward work programme on public reporting. This is my third public reporting programme which covers 2021 to 2023. It builds on the strategic approach we adopted for the first time in 2018, but reflects a more flexible approach in responding to new and emerging challenges in the public sector.

In developing the programme, we provided our elected representatives and public sector bodies with advance notice of our public reporting programme and an opportunity to engage with, and prepare for, the audit process. It also provided an understanding of the NIAO’s public reporting priorities and how they reflect the priorities of the Executive.

In coming to a conclusion on our final programme, we reviewed the outcomes of the Programme for Government, identified key risks across central government, considered concerns raised by officials, service users and elected representatives, and our own experience in identifying significant emerging issues. In consideration of these themes, we ensured that our programme was cross sectoral and not too narrowly focused,

In consulting on this programme, we applied our stakeholder engagement framework where we have committed to open, two-way communication that involves us listening to our stakeholders, keeping them informed and being clear about how their contributions are being used. The framework sets out the standards to which we aspire in building consistent, open and respectful working relationships, and provided my staff with the tools needed to support them through our stakeholder engagement activities in the development of the Public Reporting Programme.

In addressing the covid-19 pandemic and the impact it has had on my programme, I have already produced two overview reports on the NI Executive’s response. I am currently finalising reports on PPE and the Small Business Grants Support Schemes and Ministerial Directions (42 of 46 Ministerial Directions issued since March 2020 were on covid-related expenditure). I also published a report during the Summer on Sports Sustainability Grants. In addition I have addressed Covid related issues in reports including Investment in Broadband and studies into Welfare Reform. Additional re-prioritisations may occur as issues arise.

I trust that this response explains the detail that you have requested in your correspondence. However, should you need any further information, please do not hesitate in contacting me.

Yours sincerely.

KIERAN DONNELLY CB

Comptroller and Auditor General

¹ HM Treasury's Orange Book on Management of Risk – Principles and Concepts (the 'Orange Book'), DAO 04/20

Audit Committee

Room 254 Parliament Buildings

Ballymiscaw

Stormont

Belfast BT4 3XX

Tel: 028 9052 1843

Email: committee.audit@niassembly.gov.uk

Mr Kieran Donnelly CB

Comptroller and Auditor General

Issued via email to: kieran.donnelly@niauditoffice.gov.uk

29 September 2021

Dear Kieran

Annual Report and Accounts 2020-2021

At its meeting on 29 September 2021, the Audit Committee considered the Northern Ireland Audit Office: Annual Report and Accounts for year ended 31 March 2021.

In preparation for its scrutiny of the forthcoming NIAO draft budget, the Committee agreed to seek further information/clarification on a number of issues:

• In cases where performance did not meet targets (page 29), further information on the reasons why and the steps being taken to address the shortfalls;
• Details of any significant work being carried out to address the risk factors identified in relation to the Corporate Plan 2021-24 (making an impact; valuing our people and managing resources; and transforming our business – external and internal);
• The action being taken in an effort to increase opinion that the Public Reporting Programme addresses salient issues and challenges stemming from the COVID-19 pandemic.

I would appreciate a response by 14 October 2021.

Yours sincerely

DANIEL MCCROSSAN MLA

Chairperson, Audit Committee