Cookies on the Gambling Commission website

The Gambling Commission website uses cookies to make the site work better for you. Some of these cookies are essential to how the site functions and others are optional. Optional cookies help us remember your settings, measure your use of the site and personalise how we communicate with you. Any data collected is anonymised and we do not set optional cookies unless you consent.

Set cookie preferences

You've accepted all cookies. You can change your cookie settings at any time.

Skip to main content


Annual Report and Accounts 2020 to 2021

The Gambling Commission's 2020 to 2021 Annual Report and Accounts

  1. Contents
  2. Internal control framework

Internal control framework

The Commission has in place a wide range of internal controls to manage the risk of failure to achieve strategic objectives which include:

Organisational structure and delegation of authority

The Commission is currently organised into business areas and functions that bring together related operational, project and thematic activity.

Authority to make decisions and authorise expenditure is delegated to the appropriate level of responsibility within each business area.

Policies and procedures

Comprehensive policies and supporting procedures are in place across the Commission at a corporate and operational level. A thorough review of all financial policies was undertaken during 2018/19 to ensure that they remain compliant with Managing Public Money (MPM) and that they reflect best practice.

An updated suite of financial policies, reviewed under the MPM project, was in place during the financial year. The Finance and Performance Committee will routinely review financial policies on an approved schedule. The appropriateness of Commission policies and procedures is periodically reviewed by internal audit as part of the audit plan.

Operational and financial reporting

The Commission reviews and updates its business plan on an annual basis and prepares an annual budget to support the delivery of the plan.

The budget also considers risks and uncertainties to ensure that these can be mitigated where possible. Both of these elements are reviewed and approved by the Board along with progress against the business plan. In this they are supported by the Finance and Performance Committee’s routine scrutiny of the business plan and budget. Financial performance is reported to the Board and Finance and Performance Committee at each meeting. In addition, the Commission also undertakes monthly financial re-forecasts to ensure that financial management of the Commission remains robust. This is reviewed by the Board.

Review and sign-off of actions

The Commission has a series of checks and balances in place across the organisation to ensure that decisions and outcomes are appropriately reviewed. Quality assessment reviews have been undertaken within a number of the compliance areas to ensure that regulatory activity continues to be of high quality. Management also reviews outputs within a range of frontline and support areas to ensure accuracy and relevance. These controls are subject to internal and external audit review as part of the internal audit plan and external audit fieldwork.

Public Interest Disclosure Policy

The Commission has a public interest disclosure policy in place for the confidential reporting of unlawful conduct or malpractice. The policy is available online for all employees and is available to the public via the website. As part of their induction programme all new Commission employees are required to confirm in writing that they have read the Code of Conduct, including the public interest disclosure policy.

Personal data incidents

There was one substantive data security incident during 2020-21 (nil during 2019-20).

Effectiveness of internal controls

The Commission's senior management reviews the operational effectiveness of the current internal controls using a combination of the Corporate Risk Register, and operational and financial performance reports.

This is supported by the annual programme of internal audit reviews into the design of controls and whether those controls have been operating effectively.

Through their work during the year, the internal auditors have concluded:

Major improvement required

We identified some significant weaknesses and non-compliance (during the year and at year end) in the framework of governance, risk management and control which put the achievement of organisational objectives at risk. Major improvements are required to improve the adequacy and effectiveness of governance, risk management and control.

Internal auditors’ statement

PWC acknowledge that the internal audit 2020/21 which was developed in conjunction with management and approved by the Audit and Risk Committee was designed to focus on areas of higher risk at the Commission.

The key factors that contributed to their opinion are summarised as follows:

Of the five risk rated reports that we issued in 2020/21, three reports were rated as ‘Needs Improvement’. These reports were:

  • Business Continuity/Disaster Recovery
  • National Lottery 4 – ITA Evaluation Model
  • Information and Intelligence Management.

As a result of the work completed we identified

  • 3 high risk findings
  • 11 medium risk findings
  • 6 low risk findings.

At the year end, we tested the implementation of 25 internal audit recommendations (which were due for action during the year).

We obtained evidence to show that 24 out of 25 of these actions, (including all five of the high-risk findings due for implementation by 31 March 2021) had been addressed. Two of these five high risk actions related to reports completed from the 2020/21 internal audit plan. We also completed two advisory reviews which focused on governance and risk management and performance management/reporting. The Commission had identified that the processes and controls in both of these areas needed strengthening. Our role was to assess the Commission’s plans for making improvements and we made a number of recommendations, to strengthen core areas of the control environment.

We note the positive and constructive communications we have had with management in agreeing recommendations and action plans. We also recognise the focus being placed on follow-up of recommendations by the Audit and Risk Committee. The senior management of the organisation has taken steps to ensure that all agreed audit recommendations are actioned in an appropriate timescale, and all high-risk findings which were due by the end of the year have been completed.

Principal risks and uncertainties facing the Commission

The principal risks and uncertainties are managed through the Commission’s Corporate Risk Register as part of the internal control framework. The most significant risks facing the Commission as of the end of March 2020 are:

Risks and uncertaintiesExisting and Planned Mitigations
Income from fees, grant in aid and the use of available reserves does not cover expenditure.


  • Progress with fees review and liaison with DCMS.
  • Income re-forecasting.
  • The Commission’s MTFP including robust cost saving plans.
  • Further financial management controls.


  • Review of Fees Framework – linked to the Gambling Act Review.
The COVID-19 pandemic increases risks to the licensing objectives and NL duties, adversely impacts our ability to respond to risks and prevents sufficient fieldwork leaving data gaps on key metrics.


  • Comprehensive homeworking arrangements allow full range of regulatory activities to be undertaken.
  • Alternative vehicles to collect data.
  • Close cross functional working and intelligence monitoring ensures identification and response to any changing risks.


  • Move to new methods of data collection. Consultation response due July 2021.
Competition fails to generate sufficient market interest, competitive tension and sufficient credible bids to obtain a successful 4th Licence holder.


  • Multiple rounds of market engagement completed before launch of competition, including making draft Invitation To Apply (ITA) and Licence available to potential applicants.
  • Outline Business Case and Addendum approved by DCMS and HMT May 2020.
  • Competition launched in August 2020 with Selection Questionnaire made available to potential applicants.
  • ITA issued to successful applicants in October 2020, with applications due mid-April 2021.
  • Extensive process of clarification questions and responses with all applicants during preparation of Phase 1 applications and separate process of feedback on listenability of proposed new games in portfolio.
  • Throughout the year the potential impact of COVID-19 impact on the competition was kept under review.


  • Assessment of Phase 1 applications and feedback to applicants in mid-July 2021, with no down-select at Phase 1.
  • In addition to applicant specific feedback, applicant notes will be issued to provide further guidance to applicants generally.
  • Lessons learned from Phase 1 will be built into Phase 2 evaluation.
  • Full Business Case to be submitted to DCMS and HMT in Q3 21/22.
There is a risk of failing to transition from the Third to Fourth licence in a coherent way.


  • Licensing obligations are currently in place to support an effective handover (for example, asset condition is guaranteed for two years post expiry of the Third Licence).
  • Appointed dedicated internal leads for the management of the transition risk and associated decisions on technology.
  • Heads of Terms of Enabling agreement to be shared with market before competition launch.
  • Heads of Terms of Co-operation agreement to be shared with market before competition launch.
  • The Commission has provided the incumbent and applicants with an Enforcement Statement of Practice in respect of transition.
  • The onboarding of the TTO Work Package: Providing expertise and experience in supporting / assuring the transition.
  • Review of applicant transition plans at Phase 1 against the time allocated for the Implementation Stage.


  • Review of applicant transition plans at Phase 2 against the time allocated for the Implementation Stage.
  • The proposed approach to document execution of the Co-operation Agreement, Enabling Agreement and Deed of Commitment is intended to mitigate the risk of poor cooperation between the parties, non-compliance, and reduce delay to transition due to negotiation
A substantive reduction in the Commission’s delivery capacity affects our ability to meet our stated outcomes and duties.


  • Home working arrangements and IT support in place to support colleagues.
  • Business plans continually reviewed to identify impact of reduced resources on deliverables.
  • Monitor Sickness Absence and provide advice to managers in line with policy.
  • Provision and promotion of Wellbeing support including Employee Assistance Programme and Occupational Health Services including provision of bespoke ‘Talking Thru the Pandemic’ wellbeing sessions.


  • Senior Leadership Team Deep dive session to review the risk impact and mitigations, and work priorities.
  • Covid Working Group developing plans regarding longer term working arrangements.
  • Detailed analysis of attrition data to identify trends and issues to resolve.
The Bet Index case reveals the challenge of co-regulation.


  • Enforcement casework including suspension.
  • Close working with key stakeholders including DCMS, Administrators, solicitors and FCA.
  • Significant comms with MPs, journalists, and consumers (via website).
  • Review of comparable products in the market.


  • Developing a Memorandum of Understanding with the FCA to contain a framework to engage and resolve any future regulatory remit challenges.
Is this page useful?
Back to top