Annual Report and Accounts 2021 to 2022
Internal control framework
The Gambling Commission has in place a wide range of internal controls to manage the risk of failure to achieve strategic objectives, which include the following.
Organisational structure and delegation of authority
The Commission is currently organised into business areas and functions that bring together related operational, project and thematic activity.
Authority to make decisions and authorise expenditure is delegated to the appropriate level of responsibility within each business area.
Policies and procedures
Comprehensive policies and supporting procedures are in place across the Commission at a corporate and operational level. A thorough review of all financial policies was undertaken during 2018-19 to ensure that they remain compliant with Managing Public Money (MPM) and that they reflect best practice.
The Finance and Performance Committee routinely review financial policies. The appropriateness of Commission policies and procedures is periodically reviewed by internal audit as part of the audit plan.
Operational and financial reporting
The Commission reviews and updates its business plan on an annual basis and prepares an annual budget to support the delivery of the plan.
The budget also considers risks and uncertainties to ensure that these can be mitigated where possible. Both of these elements are reviewed and approved by the Board along with progress against the business plan. In this they are supported by the Finance and Performance Committee’s routine scrutiny of the business plan and budget. Financial performance is reported to the Board and Finance and Performance Committee at each meeting. In addition, the Commission undertakes monthly financial re-forecasts to ensure that financial management of the Commission remains robust. This is reviewed by the Board.
Review and sign-off of actions
The Commission has a series of checks and balances in place across the organisation to ensure that decisions and outcomes are appropriately reviewed. Quality assessment reviews have been undertaken within a number of the compliance areas to ensure that regulatory activity continues to be of high quality.
Management also reviews outputs within a range of frontline and support areas to ensure accuracy and relevance. These controls are subject to internal and external audit review as part of the internal audit plan and external audit fieldwork.
Personal data incidents
There were no substantive data security incidents during 2021-22 (one during 2020-21).
Effectiveness of internal controls
The Commission's senior management reviews the operational effectiveness of the current internal controls using a combination of the Corporate Risk Register, and operational and financial performance reports.
This is supported by the annual programme of internal audit reviews into the design and operation of controls.
In 2021-22 the activities of PricewaterhouseCoopers (PWC), the Commission’s lead internal auditors, were supplemented by additional reviews undertaken by the Government Internal Audit Agency (GIAA), which took on any reviews that could potentially cover aspects of the NL4 programme.
Through their work during the year, PWC have concluded that as a result of the restrictions placed on the scope of their work (outlined previously) they have been unable to gather sufficient evidence and/or information to conclude on the adequacy and effectiveness of the Commission’s arrangements for governance, risk management and control. In recognition of these limitations the Accounting Officer sought additional assurance from the GIAA internal audit programme, to provide a more complete picture of the effectiveness of the controls in place within the Commission.
PWC have undertaken three reviews:
- cyber security – Overall rated ‘Needs Improvement’ (three high, one medium and one low risk finding)
- medium term financial planning – Overall rated ‘Needs Improvement’ (one high and six medium risk findings)
- data privacy – Overall rated ‘Satisfactory with Exceptions’ (two medium and three low risk findings).
The GIAA has undertaken three reviews, whose findings are supplementary to the PWC conclusions:
- review of National Lottery Licence Competition – Costs (economic and financial) and benefits models for Full Business Case – Overall rated ‘Substantial assurance’ (two low risk findings)
- review of second line oversight of the 4th National Lottery Licence Competition - Phase one review and feedback – Advisory review
- Governance – Overall rated ‘Moderate assurance’ (five medium risk, two low risk findings).
Principal risks and uncertainties facing the Commission
The principal risks and uncertainties are managed through the Commission’s Corporate Risk Register as part of the internal control framework. The most significant risks facing the Commission are as follows.
Most significant risks facing the Commission as of the end of March 2022
|Risks and uncertainties||Existing and planned mitigations|
|Income from fees, grant in aid and the use of available reserves does not cover expenditure. In particular, the withdrawal and adjustment of the Fourth National Lottery Competition cross-charge impacts the sustainability of the Commission’s overall financial position||Existing:
|Novel products are not identified at a sufficiently early stage||Existing:
|The Covid-19 pandemic increases risks to the licensing objectives and National Lottery duties, adversely impacts our ability to respond to risks and prevents sufficient fieldwork leaving data gaps on key metrics.||Existing:
|Disrupted transition from 3NL to 4NL
Risk: There is a risk that the transition from 3NL to 4NL may be disrupted
|The 4th Licence is unable to start immediately following the end of the 3rd Licence||Existing:
Last updated: 31 August 2022