Assembly Commission Audit and Risk Committee: Annual Report to the Northern Ireland Assembly Commission for the year ended 31 March 2025

Annual Report Year Ending 31 March 2025.pdf (207.16 kb)

2 Assembly Commission Audit and Risk Committee

4 Annual Report and Accounts for the Year Ended 31 March 2024

CHAIRPERSON'S FOREWORD

I am pleased to present the Annual Report for the year ended 31 March 2025 on behalf of ACARC. This Report describes how ACARC fulfilled its role of providing support and advice to the Northern Ireland Assembly Commission (the Assembly Commission), the Clerk/Chief Executive and the Senior Management Team (SMT) in order to promote sound governance, internal control, and risk management arrangements. In line with the Assembly Commission's policy of openness and accessibility, ACARC Annual Reports and the minutes of ACARC meetings are placed on the Assembly Commission website.

During this reporting year, ACARC met on four occasions. It has been a very busy and challenging year for Assembly Commission staff due to the resumption of normal Assembly business on 3 February 2024, at short notice, after a two-year hiatus. This has involved recruiting and inducting a large number of staff to fill vacant posts and rebuilding staffing and Assembly structures.

I therefore wish to commend the staff for the impressive way that they have enabled the successful operation of the Assembly and its Committees during the year and for the excellence, positivity and collaboration they have demonstrated in doing so.

The Assembly Commission conducts biennial self-assessments in the areas of fraud and bribery (which includes whistleblowing), cyber security and risk management. The Cyber Security Self-Assessment was completed following the finalisation of the Independent Technical Review of Cyber Security and considered by ACARC in November 2024. The Fraud and Bribery Self-Assessment was considered by ACARC in November 2024. This also informed the development of the revised Fraud Prevention and Anti-Bribery Policy which was presented in February 2025.

ACARC has noted the action plans that have arisen from these self-assessments and the clear progress, illustrated by way for regular monitoring and reporting, against the action plans.

At each meeting, ACARC is presented with a report outlining audit recommendations made, implemented, and outstanding. This enables it to form a clear view of the effort that management invests in continually developing the governance, control and risk arrangements in the organisation, and adds considerable value to ACARC. Fraud and Whistleblowing are also standing agenda items.

As part of ACARC's ongoing consideration of risk management procedures, ACARC considered an updated Corporate Governance Framework in February 2025. The Corporate Risk Register is routinely reviewed at each meeting and the annual review of Directorate Risk Registers took place in May 2024. Directorate Stewardship Statements were reviewed in May 2024 and November 2024. All of this information indicates that a constructive and practical approach to risk management is embedded within the organisation and, contributes to the assurance that can be provided by ACARC.

The Assembly Commission's Internal Auditor, EY, is required to provide an Annual Assurance Report to the Accounting Officer on the system of internal control in the Assembly Commission. In its 2024-25 Annual Assurance Report, EY's opinion is that the Assembly Commission has a framework of controls in place that provides Satisfactory Assurance over the effective and efficient achievement of the Assembly Commission's objectives and management of key risks

To assist its consideration of the Annual Report and Accounts for the Year Ended 31 March 2024, ACARC received a comprehensive overview of the financial statements, including a comparison with the prior year and current year budgets; considered the clarity and completeness of the information, taking in to account key accounting policies, assurances about the financial systems, and the quality of the control arrangements over the preparation of the accounts; and received a full briefing on the external audit prior to recommending their approval by the Accounting Officer.

ACARC has completed its annual self-assessment exercise for the year ended 31 March 2025 and is satisfied that it operates in accordance with the good practice principles set out in the HM Treasury Audit and Risk Assurance Handbook dated July 2024 and the NIAO 'Effective Audit and Risk Assurance Committees - A Good Practice Guide' dated 31 March 2025. I am also pleased to report that ACARC achieved all of its objectives for the year.

I am grateful to the Assembly Commission for its support and for inviting the Chairperson or Independent Member to attend its meetings and to contribute to its discussions. I also wish to acknowledge the importance of the Assembly Commission Member on ACARC as this helps to ensure that there is effective communication between the Assembly Commission and ACARC. This is very helpful in providing a broader perspective for the work of ACARC.

Finally, my thanks go to my ACARC colleagues, Dr Maurice Keady, Ivor Johnston and Nuala McAlister MLA, and her predecessor Robbie Butler MLA, to the Clerk/Chief Executive, the SMT and the Assembly Commission staff for their ongoing contribution and support to ACARC in the achievement of its objectives.

David Murphy

Chairperson

1 Introduction

This Report provides an account of the activity and achievements of ACARC for the year ended 31 March 2025, along with performance against its key objectives for the year.

2 Assembly Commission Audit and Risk Committee

ACARC plays an important role in the overall system of corporate governance in the Assembly Commission. ACARC is independent of the Assembly Commission and aims to support the Clerk/Chief Executive in her role as Accounting Officer. It also provides independent support to the Assembly Commission and the Senior Management Team (SMT) in monitoring their responsibilities for governance, risk management and control and by reviewing the reliability and integrity of these assurances.

2.1 Membership

Member	Position
Dr Maurice Keady	Independent Member Acting Chairperson to 9 November 2024
Robbie Butler MLA	Assembly Commission Member to 2 October 2024
Nuala McAllister MLA	Assembly Commission Member from 2 October 2024
David Murphy	Chairperson appointed 9 November 2024
Ivor Johnston	Independent Member appointed 8 November 2024

2.2 Meetings

ACARC met four times during the year and attendance was as follows:

Member	Meetings invited to and attended
Dr Maurice Keady	75% (3/4)
Robbie Butler MLA	100% (2/2)
Nuala McAllister MLA	100% (2/2)
David Murphy	100% (2/2)
Ivor Johnston	100% (2/2)

ACARC meetings are normally attended by the Accounting Officer, Directors, the Head of Finance, Internal Audit and the Northern Ireland Audit Office (NIAO). Administrative support is provided by the Legal, Governance and Research Services Directorate.

The Chairperson or the Independent Member of ACARC is generally invited to attend meetings of the Assembly Commission as an observer. Dr Maurice Keady attended three meetings of the Assembly Commission on 16 May 2024, 20 June 2024 and 16 October 2024 as Independent Member and Acting Chairperson. David Murphy attended one meeting of the Assembly Commission on 15 January 2025 as Chairperson.

2.3 Training

Given the comprehensive induction training provided on appointment and existing knowledge and experience, no formal training was deemed necessary during the year.

2.4 Management Information

For each meeting ACARC is provided with:

A report summarising any significant changes to the Assembly Commission's strategic risks and a copy of the Corporate Risk Register;
A progress report from the Head of Internal Audit summarising:
- Work performed (and a comparison with work planned);
- Key issues emerging from the work of Internal Audit;
- Management responses to audit recommendations;
- Changes to the agreed Internal Audit Plan; and
- Any resourcing issues affecting the delivery of the objectives of Internal Audit.

Copies of all Internal Audit Reports;
A progress report from the NIAO representative summarising work done and emerging findings;
An Audit Recommendations Action Log and various self-assessment action plans, together with a statement of the status of each action and a target date for completion.

As and when appropriate, ACARC will also be provided with:

Proposals for the review of Terms of Reference of Internal Audit / the Internal Audit Charter;
The Internal Audit Strategy;
The Head of Internal Audit's Annual Opinion and Report;
Quality Assurance reports on the Internal Audit function;
The draft annual report and accounts of the Assembly Commission;
The draft Governance Statement;
A report on any changes to accounting policies;
The NIAO Audit Strategy;
The NIAO's Report To Those Charged With Governance;
A report on any proposals to tender for audit functions;
A report on co-operation between Internal and External Audit;
Relevant reports from other assurance providers, for example, Gateway reviews;
Reports on the management of major incidents, "near misses", fraud and whistleblowing cases and lessons learned;
The Assembly Commission's Risk Management Strategy;
Stewardship Statements;
Directorate Risk Registers; and
Self-Assessment Checklists.

2.5 Progress Against Key Objectives

Key Objective	Performance
To ensure the effective implementation of audit recommendations, including External and Internal Quality Assurance recommendations.	The timely implementation of audit recommendations is monitored at each meeting.
To oversee the handling of key risk areas by the Assembly Commission to ensure that risk is being appropriately managed and value for money secured.	Corporate Risk Register is reviewed quarterly, and Directorate Risk Registers are reviewed annually. The economical, effective and efficient use of resources is considered as part of the ongoing audit programme.
To oversee the timely sign-off of the Annual Report and Accounts.	The Annual Report and Accounts were signed in line with the timetable agreed with the NIAO.
To promote best practice where possible in the operation of ACARC.	ACARC last reviewed its Terms of Reference on 19 February 2025 against the requirements of the HM Treasury Audit and Risk Assurance Committee Guidance and the DoF Audit and Risk Assurance Committee Handbook (NI). ACARC completed its self-assessment exercise for the year ended 31 March 2025 against the NIAO 'Effective Audit and Risk Assurance Committees - A Good Practice Guide' Self-Assessment Checklist, published 31 March 2025. ACARC members bring experience from other Boards and Committees, undertake training as necessary and keep abreast of updates and guidance.

2.6 ACARC Self-Evaluation

On 16 May 2025, ACARC completed its self-assessment checklist for the year ended 31 March 2025 is satisfied that it operates in accordance with the good practice principles set out in the HM Treasury Audit and Risk Assurance Handbook dated July 2024 and the NIAO 'Effective Audit and Risk Assurance Committees - A Good Practice Guide' dated 31 March 2025.

3 Internal Audit

Internal Audit provides the Accounting Officer and the Assembly Commission, through ACARC, with independent and objective assurance by evaluating the effectiveness of risk management, internal control and governance processes within the Assembly Commission.

Internal Audit provides findings and recommendations for each engagement, including benchmarking controls and performance against appropriate leading practices with the aim of improving processes and practices within the Assembly Commission.

3.1 Internal Audit Plan

The Internal Audit Strategy and Value Charter agreed in June 2023 was updated in May 2024 and considered by ACARC at its meeting on 16 May 2024. This included a review of the three-year Internal Audit Plan 2023-24 to 2025-26 and the Internal Audit Plan 2024-25.

3.2 Internal Audit Activity

Details of Internal Audit reports issued in respect of the Internal Audit Plan 2024-25 are presented below. In summary, nine reviews were undertaken of which, 8 resulted in a Satisfactory assurance and one resulted in a Limited assurance.

The Limited assurance related to a review of Information Services Office, including Cyber Security Arrangements which contained one Priority One recommendation in relation to the Cyber Security Assurance Review Action Plan, seven Priority Two recommendations and one Priority Three recommendation.

Report Title	Assurance Rating	Issue Date
Review of Human Resources Arrangements	Satisfactory	October 2024
Review of Payroll Arrangements	Satisfactory	November 2024
Review of Information Retention and Disposal	Satisfactory	December 2024
Review of Building Services	Satisfactory	January 2025
Review of Information Services Office, including Cyber Security	Limited	8 May 2025
Statutory Committee Review (including sample from all Statutory Committees)	Satisfactory	8 May 2025
Review of Clerking and Member Support Office, with a focus on the Parliamentary Excellence Programme	Satisfactory	8 May 2025
Review of Members Costs	Satisfactory	May 2025
Review of Delegated Procurement across all Business Areas	Satisfactory	May 2025

The findings and recommendations of each review were discussed at ACARC meetings, and no significant issues have arisen. The rate of acceptance and implementation of recommendations remains high.

3.3 Annual Assurance

Internal Audit is required to provide the Accounting Officer with a formal annual opinion on the adequacy, reliability and effectiveness of the Assembly Commission's system of risk management, control and governance. It should be noted that assurance can never be absolute. Internal Audit can provide only reasonable assurance that there are no significant weaknesses in the system of internal control.

In assessing the level of assurance to be given, Internal Audit takes the following matters into account:

Audits undertaken as part of the 2024-25 Internal Audit Plan; and
Any follow-up action taken in respect of audits from previous periods.

Internal Audit considers that the Assembly Commission has a framework of controls in place that provides Satisfactory Assurance over the effective and efficient achievement of the Assembly Commission's objectives and the management of key risks.

Internal Audit is also required to indicate any control issues which it considers to be of significant concern. These control issues may be based on Internal Audit activities for the year, together with Internal Audit's wider knowledge of the Assembly Commission.

Issues were identified in the following areas:

IT and Cyber Security;
Delegated Procurement;
System Implementation; and
Finance Department Resource.

ACARC is satisfied that the Assembly Commission has adequate plans to address the issues.

4 Annual Report and Accounts for the Year Ended 31 March 2024

Following an examination of the Annual Report and Accounts and the draft Report to Those Charged with Governance, at its meeting on 26 June 2024, ACARC recommended that, as Accounting Officer, the Clerk/Chief Executive sign the Annual Report and Accounts for the Year Ended 31 March 2024.

The Comptroller and Auditor General (C&AG) is responsible for the audit, certification and reporting on the Assembly Commission's annual financial statements. The C&AG certified the Assembly Commission's financial statements with an unqualified 'true and fair' opinion and technical qualified regularity opinion, because of the updated estimate of the roof repair costs, on 2 July 2024.

The Assembly Commission's Annual Report and Accounts for the Year Ended 31 March 2024 were then laid before the Northern Ireland Assembly under section 10(4) of the Government Resources and Accounts Act (Northern Ireland) 2001 by the Department of Finance on 5 July 2024.

ACARC members appreciated the work of the Assembly Commission and NIAO staff involved in delivering the audit and accounts to the agreed timetable.

5 Conclusion

ACARC is satisfied that it has discharged its duties as guided by its Terms of Reference. Given this and considering the work of Internal Audit and the NIAO, and the assurances provided to it, ACARC is satisfied that it provides sufficient assurance to the Assembly Commission and to the Accounting Officer, in the discharge of its accountability obligations. ACARC is pleased to note the overall Satisfactory Assurance from Internal Audit for the year ended 31 March 2025.

Annex A: Assurance Definitions

EY Internal Audit Assurance Ratings

In line with best practice and to ensure consistency with other public sector organisations, EY utilise the three tier assurance ratings set out in DAO 07/16. This was agreed by ACARC at its meeting on 18 May 2023. The three levels of evaluation now adopted are as follows:

SATISFACTORY

Overall, there is a satisfactory system of governance, risk management and control. While there may be some residual risk identified, this should not significantly impact on the achievement of system objectives.

LIMITED

There are significant weaknesses within the governance, risk management and control framework which, if not addressed, could lead to the system objectives not being achieved.

UNACCEPTABLE

The system of governance, risk management and control has failed or there is a real and substantial risk that the system will fail to meet its objectives.