National Assembly for Wales

Annual Report and Statement of Accounts of the Assembly Commission: 2007-08

This is a Flash Object


Statement on Internal Control

Scope of responsibility

As Principal Accounting Officer, I have responsibility for maintaining a sound system of internal control that supports the achievement of the policies, aims and objectives of the National Assembly for Wales Commission, whilst safeguarding the public funds and assets for which I am personally responsible, in accordance with the responsibilities assigned to me by the Treasury.  It is incumbent on me, as the Principal Accounting Officer, to combine these duties with my duty to serve the Commissioners, to whom I am responsible and from whom I derive my authority.

The Assembly Commission sets the strategic aims, objectives, policies and values for the organisation and, in accordance with the provisions of paragraph 7 of Schedule 2 to the Government of Wales Act 2006, has delegated its functions, including its responsibility for the management of staff, to me as Chief Executive and Clerk to the Assembly, subject to certain exceptions and conditions.  The work of the Assembly and the Commission attracts significant public interest and media coverage, and has wide-ranging political sensitivities.

During 2007-08 I, as the Principal Accounting Officer, was advised by:

  • The Assembly Commission, in terms of policy, values, strategic direction, risks and opportunities;
  • The Assembly Parliamentary Service Executive Board, consisting of the Chief Operating Officer, the Director of Assembly Business and the Director of Legal Services, and chaired by me, in terms of service development, delivery and capacity to achieve;
  • The Operations Board and Parliamentary Services Board comprising the various Heads of Service, and other staff whose duties include a governance and financial management remit;
  • The Commission’s Corporate Governance Committee - fulfilling the role of an Audit Committee - consisting of one Commissioner and three independent advisers to the Commission - one of whom is the Chairman;
  • The Commission’s internal auditors (RSM Bentley Jennison) and the Wales Audit Office.

The purpose of the system of internal control

The system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risk of failure to achieve policies, aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness. The system of internal control is based on an ongoing process designed to identify and prioritise the risks to the achievement of our policies, aims and objectives, to evaluate the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively and economically. The system of internal control was developed during the year, following the creation of the Assembly Commission in May 2007.  The system was in place as at 31 March 2008 and up to the date of approval of the annual report and accounts, and accords with Treasury guidance.

Capacity to handle risk

The Executive Board has taken the lead in establishing a risk and benefits management regime, consistent with best practice, throughout the organisation and has worked through the Heads of Service to begin to instil a cultural change which realises opportunities through improved handling of risks.  The Risk and Benefits Management Policy is a key foundation block in the Commission’s system of internal control and corporate governance arrangements.  It will help ensure that:

  • Management and all staff are aware of risk management, weakspots and how to suggest improvements;
  • Effective risk and benefits management takes place at operational, corporate and strategic levels;
  • Significant risks are appropriately flagged and reported to the Executive Board and Commission as necessary;
  • The Commission complies with the best public sector practice in operating a sound risk management framework as part of its internal control environment.

The risk and control framework

The Commission has a statutory duty to provide the Assembly with the property, staff and services required for its purposes.  There are two distinct risk environments within this:

  • Risks to the reputation and credibility of the National Assembly for Wales; and
  • Risks that the Commission encounters as a service delivery organisation: including risks to the achievement of its objectives, and day to day corporate and operational risks.

The Commission’s risk framework forms part of a much wider system of internal control to support effective Corporate Governance.  The Governance Framework was approved by the Assembly Commission at its first meeting in June 2007, and has been developed and extended throughout the organisation over the course of the year.  Specifically, the Commission has:

  • Appointed four independent persons to advise the Commission, Executive Board and me as Chief Executive, as necessary;  
  • Established a Corporate Governance Committee, to advise me as Accounting Officer.  One Commissioner and three of the independent advisers sit on the Committee, one as Chair.  The Committee’s work programme follows the best-practice model for an Audit Committee;
  • Developed policies, service delivery plans, and working practices, including a Finance Forum, to support the Governance Framework;
  • Undertaken regular reviews of financial performance and progress on key issues, and is now developing key performance measures to improve strategic and corporate performance reporting.

The risk framework covers the entire organisation and encourages the taking of controlled and managed risks designed to maximise new opportunities.  The risk appetite sets out how we manage and report on risks, following a process of combining the impact and probability levels of residual risks. In particular:

  • Risks to the Strategic Goals, and Corporate Risks, are managed by the Executive Board;
  • Operational Risks are managed by Heads of Service, in liaison with their Director where necessary;
  • Risks rated as Significant are managed by the Executive Board, advised by the Corporate Governance Committee, informing Assembly Commissioners where necessary.

An important Corporate Risk which has come to the fore this year is that of Information Security.  I commissioned an information security review in the autumn of 2007 and a number of measures have been taken as a result, including encryption, improved guidance, and increasing awareness of information security issues and the reputational risks in any weaknesses.  Work is still in hand in developing an information asset register and tracking central advice to ensure our practices meet or exceed good security standards going forward.  The Chief Operating Officer is the Commission’s Senior Information Risk Owner.

Work is now underway to embed the process of risk management in the day to day operational procedures building on the agreed framework.  The Risk Management Forum is taking the lead on this, sharing good practice and promoting regular review of risk registers, supported by the Directors through monthly discussions with service managers.

Assembly Members

Standing Orders provide for the Commission to determine and pay the Members’ salaries and allowances. The rules are set out in published ‘Determinations’ and supplementary notes.  The Allowances Determination is based on the principle that Members are primarily responsible for identifying, claiming and certifying their own expenses and ensuring that the amounts claimed have been properly incurred in accordance with the rules.  

During 2007-08 a Review Panel was established, consisting of one Commissioner and four independent members, to undertake a review of Members’ pay and allowances.  The Assembly Commission considered the Panel’s report and published a new Determination in March 2008, largely relating to Members’ pay.  Arising from this work, a new Review Panel will be established during 2008-09 to undertake a more detailed review of support for Assembly Members, and surrounding controls.    

The Assembly’s Commissioner for Standards is an independent person appointed by the Assembly.  The Commissioner provides advice and assistance on any matters of principle relating to the conduct of Assembly Members, and is an independent investigator of complaints that Members of the Assembly have breached any Code, Protocol or resolution of the Assembly.  The Commissioner is committed to: building a robust Standards regime within the National Assembly; working with all Assembly Members on all matters relating to Standards; and ensuring openness and transparency in the 'Standards' process.

Review of effectiveness

As Accounting Officer, I have responsibility for reviewing the effectiveness of the system of internal control. My review of the effectiveness of the system of internal control is informed by the work of the internal auditors, the Directors who have responsibility for the development and maintenance of the internal control framework, the Corporate Governance Committee, and comments made by the external auditors in their management letter and other reports.

I have been advised on the implications of the result of my review of the effectiveness of the system of internal control by the Executive Board and the Corporate Governance Committee, and a plan to address weaknesses and ensure continuous improvement of the system is in place.

Internal audit reports have provided assurances against the Internal Audit Strategy for the year, with agreed action plans in place to address recommendations arising. Based on the audits completed in the year, the Internal Audit Opinion gives assurance that the risk management, control and governance processes to manage the achievement of the Commission’s goals are adequate and effective. The Wales Audit Office Audit Strategy for 2007-08 reflects the risks facing the Commission in producing its Accounts for 2007-08.

The core of my review of effectiveness was a self-review process, completed between November 2007 and February 2008, encompassing the Corporate Governance and Corporate Planning frameworks; leadership and business management arrangements; and, awareness of the control environment and engagement with it.

Arising from the above, Directors provided me with an Interim Assurance Statement for their area of responsibility, followed up with a final Assurance Statement at the year-end.  

The review has identified the following areas for strengthening and improvement:

  • Business continuity arrangements need to be documented in more detail and brought together in a cohesive plan;
  • Information Security arrangements, in their broadest sense, require tightening in accordance with Cabinet Office guidance and other best practice standards;
  • Whilst the governance and risk frameworks are firmly in place, further action is needed to truly embed processes and a risk aware culture.  My review identified an opportunity to improve co-ordination of, and access to, guidance supporting the system of internal control, as well as improve risk reporting arrangements;
  • Future focus needs to be placed on reviewing performance against plans, and of monitoring performance in key areas;
  • Delivery of an improved ICT service, which places greater control with the Assembly Commission and addresses risk areas within the current contractual arrangements, has also been flagged as a key issue;
  • We have planned and responded well to the increasing demands of the Third Assembly and the new legislative powers. To secure future successful delivery we will need an appropriate balance between the growing demands placed on us, resources made available to us, and increased efficiencies.

In summary, I am satisfied that the weaknesses that have been identified through the review process have been addressed, or are in the process of being addressed, and that the system of internal control has developed effectively over the course of the year.

Claire Clancy
Chief Executive and Clerk to the Assembly		 Date: 10 July 2008