Annual Report and Accounts 2020 to 2021
Internal control framework
The Commission has in place a wide range of internal controls to manage the risk of failure to achieve strategic objectives which include:
Organisational structure and delegation of authority
The Commission is currently organised into business areas and functions that bring together related operational, project and thematic activity.
Authority to make decisions and authorise expenditure is delegated to the appropriate level of responsibility within each business area.
Policies and procedures
Comprehensive policies and supporting procedures are in place across the Commission at a corporate and operational level. A thorough review of all financial policies was undertaken during 2018/19 to ensure that they remain compliant with Managing Public Money (MPM) and that they reflect best practice.
An updated suite of financial policies, reviewed under the MPM project, was in place during the financial year. The Finance and Performance Committee will routinely review financial policies on an approved schedule. The appropriateness of Commission policies and procedures is periodically reviewed by internal audit as part of the audit plan.
Operational and financial reporting
The Commission reviews and updates its business plan on an annual basis and prepares an annual budget to support the delivery of the plan.
The budget also considers risks and uncertainties to ensure that these can be mitigated where possible. Both of these elements are reviewed and approved by the Board along with progress against the business plan. In this they are supported by the Finance and Performance Committee’s routine scrutiny of the business plan and budget. Financial performance is reported to the Board and Finance and Performance Committee at each meeting. In addition, the Commission also undertakes monthly financial re-forecasts to ensure that financial management of the Commission remains robust. This is reviewed by the Board.
Review and sign-off of actions
The Commission has a series of checks and balances in place across the organisation to ensure that decisions and outcomes are appropriately reviewed. Quality assessment reviews have been undertaken within a number of the compliance areas to ensure that regulatory activity continues to be of high quality. Management also reviews outputs within a range of frontline and support areas to ensure accuracy and relevance. These controls are subject to internal and external audit review as part of the internal audit plan and external audit fieldwork.
Public Interest Disclosure Policy
The Commission has a public interest disclosure policy in place for the confidential reporting of unlawful conduct or malpractice. The policy is available online for all employees and is available to the public via the website. As part of their induction programme all new Commission employees are required to confirm in writing that they have read the Code of Conduct, including the public interest disclosure policy.
Personal data incidents
There was one substantive data security incident during 2020-21 (nil during 2019-20).
Effectiveness of internal controls
The Commission's senior management reviews the operational effectiveness of the current internal controls using a combination of the Corporate Risk Register, and operational and financial performance reports.
This is supported by the annual programme of internal audit reviews into the design of controls and whether those controls have been operating effectively.
Through their work during the year, the internal auditors have concluded:
Major improvement required
We identified some significant weaknesses and non-compliance (during the year and at year end) in the framework of governance, risk management and control which put the achievement of organisational objectives at risk. Major improvements are required to improve the adequacy and effectiveness of governance, risk management and control.
Internal auditors’ statement
PWC acknowledge that the internal audit 2020/21 which was developed in conjunction with management and approved by the Audit and Risk Committee was designed to focus on areas of higher risk at the Commission.
The key factors that contributed to their opinion are summarised as follows:
Of the five risk rated reports that we issued in 2020/21, three reports were rated as ‘Needs Improvement’. These reports were:
- Business Continuity/Disaster Recovery
- National Lottery 4 – ITA Evaluation Model
- Information and Intelligence Management.
As a result of the work completed we identified
- 3 high risk findings
- 11 medium risk findings
- 6 low risk findings.
At the year end, we tested the implementation of 25 internal audit recommendations (which were due for action during the year).
We obtained evidence to show that 24 out of 25 of these actions, (including all five of the high-risk findings due for implementation by 31 March 2021) had been addressed. Two of these five high risk actions related to reports completed from the 2020/21 internal audit plan. We also completed two advisory reviews which focused on governance and risk management and performance management/reporting. The Commission had identified that the processes and controls in both of these areas needed strengthening. Our role was to assess the Commission’s plans for making improvements and we made a number of recommendations, to strengthen core areas of the control environment.
We note the positive and constructive communications we have had with management in agreeing recommendations and action plans. We also recognise the focus being placed on follow-up of recommendations by the Audit and Risk Committee. The senior management of the organisation has taken steps to ensure that all agreed audit recommendations are actioned in an appropriate timescale, and all high-risk findings which were due by the end of the year have been completed.
Principal risks and uncertainties facing the Commission
The principal risks and uncertainties are managed through the Commission’s Corporate Risk Register as part of the internal control framework. The most significant risks facing the Commission as of the end of March 2020 are:
|Risks and uncertainties||Existing and Planned Mitigations|
|Income from fees, grant in aid and the use of available reserves does not cover expenditure.|
|The COVID-19 pandemic increases risks to the licensing objectives and NL duties, adversely impacts our ability to respond to risks and prevents sufficient fieldwork leaving data gaps on key metrics.|
|Competition fails to generate sufficient market interest, competitive tension and sufficient credible bids to obtain a successful 4th Licence holder.|
|There is a risk of failing to transition from the Third to Fourth licence in a coherent way.|
|A substantive reduction in the Commission’s delivery capacity affects our ability to meet our stated outcomes and duties.|
|The Bet Index case reveals the challenge of co-regulation.|
Last updated: 14 July 2022
Show updates to this content
No changes to show.