IRELAND 22 November 2017
Report 73: Internal Control and Governance in FAS - Summary of Findings
The examination reported below focused on the processing of transactions at FÁS Head Office and governance arrangements for the organisation. It also reviewed the management of the Competency Development Programme and the administration of foreign travel and business expenses.
Overall Examination Findings
The examination found that FÁS had a governance structure that is consistent with its governing legislation and with the Code of Practice for the Governance of State Bodies. It had also a plan of internal control, which, if fully implemented, would have provided sufficient assurance that its transactions were processed in a safe and regular manner.
However, failure to fully implement elements of the plan of control exposed FÁS to the risk of losses as well as the risk of failing to achieve best value for money. The exposures arose from the fact that
- authorisation limits were breached when certain transactions were being initiated
- there were deficiencies in the conduct of tender processes when goods and services were being acquired
- payments were made in the absence of supporting documentation
- confirmation orders for purchases already effected were issued in many instances
- the system of risk management adopted by the Board in 2005 did not function effectively.
Key units failed to detect or react appropriately to non-compliance with internal procedures.
Notwithstanding these procedural deficiencies, the examination found, based on substantive testing of 2008 transactions initiated by Head Office sections, that payments for the transactions sampled were properly chargeable in the FÁS financial statements.
FÁS has begun taking steps to address the control deficiencies identified and, in particular
- the Board has approved a revised set of procurement procedures that include a requirement for managers to make annual declarations of compliance
- training workshops have been held to increase the level of awareness of those procurement procedures
- policies relating to the use of credit cards and revised procedures governing foreign travel were adopted by the Board during 2009 and the use of credit cards curtailed.
The examination also found that considerable scope exists to improve the depth and quality of reporting both in regard to rule compliance and business performance.
In one relatively new programme ? the Competency Development Programme ? the examination found that
- in its administration, monitoring visits to external training providers were not as frequent as envisaged under FÁS?s own procedures
- programme output was not recorded in terms of results such as persons achieving certification
- there was no evaluation of the extent to which the training objectives of the programme were achieved.
The findings of this examination would suggest the need for adjustments to systems, procedures and practices employed by FÁS. These arise in the following areas:
Ongoing identification and mitigation of risk based on an analysis of the control systems and experience derived from transaction processing is key to safe administration of public money.
Responsibility for drawing up individual risk registers lies with the divisions in FÁS while responsibility for compiling and maintaining a consolidated register lies with the Risk Management Committee (the Executive Board). Coordination of the risk management function is the responsibility of Internal Audit. Risk management in FÁS has not operated as envisaged when the Board approved the current risk policy in 2005 ? risk registers and action plans were not kept up-to-date, reporting procedures approved by the Board have not operated as envisaged and there has not been any annual review of the effectiveness of the risk management system.
The Statement of Internal Financial Control for 2008 set out some actions that FÁS proposed to improve the risk management system in the agency.
It is important to ensure that risk management functions operate so that FÁS can make a proportionate, cost-effective response to potential exposures and that factors that impede the operation of pre-established controls can be surfaced and dealt with as appropriate. Greater internal control would ensue if the risk management function were assigned to a separate unit so that Internal Audit can independently review its operation.
Internal Financial Control
FÁS had a plan of control that was adequate but which did not always operate effectively and as intended.
FÁS would benefit from a comprehensive review of its control regime designed to balance its need to control its transaction processing with the pursuit of organisational effectiveness. A paramount consideration should be ensuring that the needs of the population it serves are met in an appropriate and timely manner and that personal initiative and a culture of service are encouraged and fostered. FÁS stated that it intends to carry out a general review of its systems and internal controls.
Communications between Control Units
One of the reasons the control regime did not operate effectively was a poor level of communication between two key units - the Procurement and Financial Accounting units. This, in effect, undermined the operation of key checks and balances. The production of ?confirmation orders? ? the examination found that 17% of Head Office purchase orders in 2008 were ?confirmation orders? ? reduced the efficacy of the Procurement Unit as a ?gateway control? at the transaction initiation stage. In summary
- There was no communication of contract awards by the Procurement Unit to Financial Accounting.
- In the case of purchase orders, there was a practice of generating post-hoc documentation in instances where goods or services had already been acquired without the Procurement Unit?s involvement.
- Financial Accounting failed to notify the Procurement Unit, which has responsibility for procurement in Head Office, when invoices were presented for payment without the appropriate documentation.
An effective separation of functions needs to be established and mechanisms for reporting non-compliance with procedures put in place. In particular, FÁS should consider maintaining a central register of contracts awarded. Breaches of procurement procedures should be reported.
In general, there is a requirement for Government agencies to follow a competitive process carried out in an open, objective and transparent manner. Agencies may depart from this requirement in exceptional circumstances under both national and EU procurement rules.
FÁS should specify the circumstances in which departures from competitive procurement processes may occur and put in place a mechanism to ensure that all such departures, including those due to urgency or the use of services for which there is only one supplier, are approved at the appropriate level and the extent of departures reported to the Board.
A key set-piece which affords an opportunity to review compliance is the development of the annual report from the Chair of the Board to the Minister as required under the Code of Practice for the Governance of State Bodies. This report is supported by a Compliance Register. The emphasis in reporting through the Compliance Register process needs to shift to a confirmation of the effective operation of controls. FÁS has taken some steps to address this in regard to procurement ? from the end of 2009, managers with responsibility for procurement will be required to make annual declarations that any procurement carried out in their units has been done in accordance with required procedures.
The purpose of the Board?s annual review of compliance with internal control is to confirm actual compliance and any reservations should be reported in a way that allows the Board to take them into account in the course of its review.
One option would be to require managers to make declarations ? similar to those being introduced in regard to procurement ? for other requirements of the Code of Practice for the Governance of State Bodies. All of the declarations should be supported by evidence and reviewed by Internal Audit, on a sample basis.
Annual Review of Internal Controls
In its Statement on the System of Internal Financial Control the Board noted that the Audit Committee, on behalf of the Board, conducted a review of the effectiveness of the system of internal financial control.
The Board should assume direct responsibility for the annual review of the Compliance Register and the Statement of Internal Financial Control as the Audit Committee is itself an element in the overall plan of control.
The Audit Committee, which is a sub-committee of the Board, has the responsibility, with management, to review the activities of the internal audit function. An external review of the internal audit function found, inter alia, that not all of its recommendations are implemented in a timely manner.
The extended timescale in finalising the investigation into allegations relating to the Corporate Affairs section meant that remediation of certain deficiencies was delayed.
Recommendations should be classified by Internal Audit in terms of their significance. The most important ones should be escalated to Director level if not dealt with by management and followed up with re-audit where appropriate. In order to ensure that the Board of FÁS is informed at the earliest opportunity of significant matters identified by Internal Audit that may impact on governance, control and accountability a mechanism for facilitating timely reporting, including interim reporting where appropriate, should be put in place.
Financial information presented to the Board was sufficient to allow it to identify variances from budget at programme level but not to identify them below that level. The Board was not aware of overspends on advertising and promotion although the Executive Board was.
Financial and activity information presented to the Board should identify and provide in-depth explanations of significant expenditure or activity variances.
Delegation of review functions to a Board sub-committee could improve control in this area. Because emerging circumstances can dictate that budgets be adjusted especially in an organisation of the scale of FÁS, budgetary reviews should take place in the course of each financial year.
A clear focus on outcomes is best achieved through implementing a performance management system that captures, and appropriately distinguishes between outputs, performance measures and other indicators. Currently, the Board is presented annually with a report on progress in implementing strategy. For 2008, the report included a checklist setting out performance against target for around 80 items covering a wide range of different measures.
Performance reporting to the Board would be improved through reporting separately on operational performance measured, to the extent possible, against quantifiable targets, change management actions set out in terms of time-bound activities and stakeholder satisfaction ratings.
Competency Development Programme
Expenditure on the Competency Development Programme amounted to ?126 million in the six years from 2003 to 2008. Over 90% of the expenditure was paid to external training providers. In four years of rapid expansion from 2005 to 2008 training was provided to over 100,000 participants. New commitments under the programme ended in early 2009.
The examination found that there were gaps in monitoring of the training delivered by the external training providers ? around half of courses reviewed by the examination or Internal Audit in FÁS had not been the subject of a monitoring visit.
In addition, there were deficits in the information collected which hindered FÁS?s capacity to assess the achievement of the programme?s objectives. In particular, the extent to which participants achieved certification was not recorded.
FÁS should, when using external training, assure itself of the delivery and quality of training through
- appropriate monitoring of courses provided by external training providers
- recording outcomes in terms of certification achieved by participants.
A positive feature of the use of external training provision in the case of the Competency Development Programme was that it allowed for a rapid expansion of the programme in response to the perceived need at the time.
FÁS incurred around ?3 million on flight costs in the period 2002-2008. It is obliged to operate in accordance with the appropriate foreign travel policy issued by the Department of Finance. Prior to 2009, when the Board adopted a set of foreign travel procedures, FÁS did not have a written foreign travel policy although it had notified staff of procedures to be followed when booking flights. Around one-third of flights (in value) in the period under review were booked outside those FÁS internal procedures.
A comparison of the class of travel used by FÁS with that used by 20 other public sector bodies surveyed in the course of the examination found that FÁS used business class for a lower proportion of long-haul flights but for a higher proportion of short-haul flights than the other organisations. First-class flights were used by FÁS personnel in four instances.
Over one-quarter of all flight costs were incurred on the Science Challenge Programme and over ?200,000 of this was for travel by non-FÁS personnel. Some of the costs incurred for non-FÁS personnel were for Ministers or civil servants who were involved in promoting FÁS programmes.
The Department of Finance?s revised foreign travel policy issued in July 2009 provides that organisations should not fund the travel costs of those who have no direct connection with the organisation other than in exceptional circumstances.
FÁS should amend its travel policy to explicitly address the circumstances in which travel costs of external persons may be charged as business expenses.
When travel is undertaken by Ministers or civil servants, in order to associate the costs with the business of the Department (which may coincide with promotional activity of State Bodies), it would be preferable in the interests of transparency, and in order to ensure that the costs are allocated to the appropriate service, if all such expenses were discharged by the relevant Department and charged to its Vote.
FÁS incurred around ?1.7 million in business expenses in the period 2002 to 2008. Tests on a sample of payments showed that there was, generally, an identified business purpose for expenditure reviewed and regard for economy in incurring those expenses. However, the examination also noted some instances where there was no stated business purpose for expenditure including that incurred on golf fundraising events, on concert and match tickets as well as associated hospitality. Limousine services were also used when more economical forms of transport would have been appropriate.
Clear guidelines covering, inter alia, the nature of expenses that can be incurred and the requirement to clearly document the business purpose of the expenditure when claiming reimbursement should be set out.
Use of Credit Cards
Controls over the use of credit cards were weak with payments being made prior to receipt of supporting documentation or authorisation. This gave rise to expenditure where the business purpose turned out to be unclear or the expenditure did not appear to be economic.
The introduction of a credit card policy in 2009 has strengthened internal control in this area. More generally, credit cards form part of banking arrangements and Board approval for their issue should also be sought.