1. Scope of responsibility
As Accounting Officer, I have responsibility for maintaining a sound system of internal control that supports the achievement of EPSRC’s policies, aims and objectives, whilst safeguarding the public funds and organisational assets for which I am personally responsible, in accordance with the responsibilities assigned to me and described in ‘Managing Public Money’.
2. The purpose of the system of internal control
The system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risk of failure and to achieve policies, aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness. The system of internal control is based on an ongoing process designed to identify and prioritise the risks to the achievement of organisational policies, aims and objectives, to evaluate the likelihood of those risks being realised and the impact should they be realised and to manage them efficiently, effectively and economically. The system of internal control has been in place in EPSRC for the year ended 31 March 2010 and up to the date of approval of the Annual Report and Accounts and it accords with Treasury guidance.
3. Capacity to handle risk
EPSRC Leadership Team
The EPSRC Leadership Team (ELT), comprising the Chief Executive, Directors and Associate Directors, is the executive body for EPSRC and provides leadership and guidance on risk management issues. ELT has agreed a Corporate Risk Management Policy and regularly considers risk matters at its monthly formal meeting. In particular it reviews the Corporate Risk Register, which includes any risks of a corporate nature, each assigned to an individual Director. This register also includes any Directorate and project risks which have been given a red residual risk score. Such risks are escalated to ELT, which then considers the appropriate action to take.
Performance and Risk Management System
EPSRC implemented the Performance and Risk Management (PRM) System in 2006. PRM is based on the Balanced Scorecard Model and brings together performance measures, actions and risks under EPSRC objectives. The Communications, Information and Strategy Directorate maintains the PRM system and provides reports on both performance and risk to ELT and Directorate management. Risks have been evaluated, including consideration of the desired level of risk appetite having regard to EPSRC strategies and priorities; controls have been assessed and responsibilities for the management of risks assigned at various levels.
EPSRC’s risk register is accessible to all staff through the PRM intranet site. Other documents, such as the EPSRC risk policy, are linked to PRM. General risk awareness is made available to staff through issued guidance and the corporate induction, with more detailed training in risk assessment and management provided to the Directorate ‘risk champions’, which has extended the skill base across EPSRC. The risk champions group meets regularly to share issues and consider ways of continuously developing and enhancing the risk management framework.
The Associate Director of Operations is responsible for the Business Assurance function within EPSRC, including the coordination of risk management activities. These activities cover: provision of advice and guidance to Directorates; organising training courses; reviewing quarterly reports from the Directorates and Business Critical Projects; providing commentaries to ELT; representing EPSRC at the meetings of the RCUK Risk Management Network; and liaising with Internal Audit on its audit activities. The RCUK Risk Management Network, established by RCUK, meets on a six-monthly basis to support the sharing of knowledge and approaches to risk management across the Research Councils; its membership now includes RCUK SSC Ltd.
EPSRC’s fraud policy, fraud response plan and whistleblowing policy are brought to the attention of all new members of staff as part of the induction process. Fraud guidance is available to all staff on the Intranet, ensuring that they are aware of their responsibilities to report fraud and of the process by which to do so. During 2009/10 no instances of fraud were reported.
4. The risk and control framework
The Council of EPSRC
The Council of EPSRC has a responsibility to ensure that high standards of corporate governance are observed at all times. The Council periodically receives information about risk management. It also receives a report at each meeting and an annual report from the Resource Audit Committee which includes comment on risk management and Business Critical Projects. The Council has responsibility for decisions on major capital projects after having reviewed the business case and the risks involved in the venture.
The Resource Audit Committee
The Resource Audit Committee (RAC) is a committee of the Council tasked with monitoring standards of internal control and propriety, economy, efficiency and effectiveness and for evaluating the extent to which systems and procedures are appropriate to allow EPSRC’s objectives to be met. RAC’s responsibilities include: examining the manner in which management ensures and monitors the adequacy of the nature, extent and effectiveness of internal control systems; paying particular attention to risks and contingency plans on all Business Critical Projects; and monitoring the nature and scope of the work of both External and Internal Audit. RAC makes recommendations to ELT and reports to the Council following its meetings.
Directors and Directorates
ELT delegates responsibility for each of the Corporate Risks to one or more of the Directors. Each Director bears a responsibility for these and the risks associated with his/her Directorate’s activities. A Director may choose to delegate responsibility for the day-to-day management of risk and associated mitigation or contingency plans to a member of the Directorate staff. The Directors and their senior managers review the risk register for their own Directorate on a regular basis: to consider new risks or new elements to an existing risk; for changes in status (changes in the likelihood of occurrence or in the impact that would be felt should the risk be realised) as a result of factors internal or external to the Council; for progress in mitigating risks; to determine whether or not the existing controls are adequate; and to determine whether further actions are required. In addition proposed projects or initiatives are considered at an early stage to assess the potential risks and to determine the balance of benefits and risks. The relevant Director or delegated staff member will then make a decision on whether or not to proceed, or will seek a decision from ELT. Each Directorate has an individual responsible for co-ordinating risk management activities.
Research Councils’ Internal Audit Service
The Research Councils Internal Audit Service (RCIAS) and ELT work together to agree the range of audits to be carried out each year. RAC confirms the annual Audit Plan. The results of these audits are used by ELT in its decision making on what actions are necessary to maintain high standards in EPSRC’s corporate governance and risk management procedures. The RCIAS carries out audits relevant to EPSRC’s risk management activities on a regular basis. In 2009/10 audits included: Readiness to Migrate to the Shared Services Centre (three separate reviews) and Risk Management.
In addition to the advice resulting from audits, Internal Audit guidance is welcomed as a source of updated best practice.
EPSRC has in place a system of controls which includes:
- annual Directors’ Statements of Internal Control;
- Funding Assurance Programme (FAP) visits by officials to Higher Education Institutions and Office-based tests. The objective of these visits is to obtain assurance that Research Grant funds are used for the purpose for which they are given and that Grants are managed in accordance with the terms and conditions under which they are awarded;
- ongoing review of risks and the necessary resulting actions;
- responsibility for managing risks delegated to the appropriate level within the organisation;
- regular management review of risks and Business Critical Projects; and
- regular external review of risk management procedures.
5. RCUK Shared Services Centre Development
The Shared Services Centre (SSC) implementation is a Business Critical Project that will deliver a shared administrative support service for all UK Research Councils. This includes the main administrative activities in Human Resources, Payroll, Finance and Procurement, IT and Grants Processing.
EPSRC migrated Human Resources to RCUK Shared Services Centre Ltd (RCUK SSC Ltd) in February 2009, Payroll in May 2009 and Finance and Operational Procurement in November 2009.
EPSRC monitors and manages risks associated with the integrity of data maintained by the RCUK SSC Ltd, the service provided by RCUK SSC Ltd and the development of the new Grants Processing System.
All financial controls in EPSRC remained unchanged up to the migration of Finance and Procurement in November 2009. The decisions to migrate functions were joint decisions between EPSRC and RCUK SSC Ltd and were taken on assurance that the RCUK SSC Ltd systems and processes were sufficiently robust to provide support services to EPSRC. Grants Processing is due to migrate to RCUK SSC Ltd in 2010/11. The controls within the Grants module remain unchanged. The new interface’s processes and controls are being robustly tested by all Research Councils in preparation for migration. Following EPSRC’s migration of Finance, a number of process and technical issues have emerged which have been and continue to be addressed by the Service Review Group comprising representatives of all migrated Councils together with RCUK SSC Ltd.
All known issues have been captured to form an orderly focus for resolution and a basis for entry into full service delivery. During 2009/10 RCUK SSC Ltd has put considerable effort into establishing the security and controls framework now in operation. Following migration, it became apparent that more work was required to provide the assurances necessary to validate the security and controls framework within the Shared Services Centre. To compensate for the limited assurance available on the security and controls framework within RCUK SSC Ltd, EPSRC has implemented additional internal controls and checks. For example, the management information provided to EPSRC is incomplete at the present time. To compensate for this, EPSRC has created bespoke financial reports to ensure that we can continue to meet our financial reporting obligations. Additional checks around coding and postings are also undertaken. These and other compensating controls will be maintained until the Service Review Group confirms that all outstanding issues have been resolved satisfactorily and reliance can be placed upon the system’s security and controls framework within the Shared Services Centre.
6. Key control and assurance areas
EPSRC has the following key control and assurance areas:
- Governance and risk management of the SSC implementation project is provided by the RCUK SSC Ltd Project Board on behalf of the Research Councils. An RCUK SSC Project Audit Committee comprising representatives from each Research Council’s Audit Committee operates to provide oversight and assurance on risk management and control of the project. EPSRC has its own Project Group which manages its participation and associated risks in the project. The high level risks and mitigation strategies are scrutinised by ELT on a regular basis. Governance arrangements are also monitored by EPSRC’s Audit Committee.
- RCUK SSC Ltd has a Board of Directors and Audit Committee which provides a corporate governance framework in line with statutory and best practice requirements. Directors have been appointed by Research Councils as shareholders, with the EPSRC nominee being EPSRC’s Director of Research Base.
- As a stakeholder EPSRC manages its participation and associated risks in this project. The high level risks and mitigation strategies are regularly scrutinised by ELT. Governance arrangements are regularly monitored by EPSRC’s Resource Audit Committee.
- Internal Audit assurance has been provided on the RCUK SSC Ltd business operations (supporting that Company’s annual Statement on Internal Control), the readiness of each Research Council to transfer to RCUK SSC Ltd live operations and independent assurance on project delivery.
- A comprehensive Internal Audit strategy relating to the RCUK SSC Ltd project and operations for 2010/11 and beyond has been developed. A feature of this strategy is that the control framework operating within the SSC and the interfaces with the respective Research Councils will be tested end to end after the implementation of the solution.
- A number of Internal Audit Reviews of the processes operated by the SSC have provided limited assurance. The findings of each of these reviews are actively considered by EPSRC and, where additional internal controls are not already in place, action is taken to mitigate the weaknesses identified.
7. Delays in the 2009-10 Account Process
The planned pre-recess sign-off of the annual report and accounts was delayed this year. This is in part due to the migration of the finance, HR and payroll functions to the SSC during the reporting year and the subsequent control and assurance issues detailed above, and also due to difficulties in agreeing related party and other transactions between the Research Councils and the RCUK Shared Services Centre Ltd owing to weaknesses in the robustness of some information. We also experienced considerable delays in the completion of payroll and bank reconciliations. In addition, by migrating the finance function to the SSC in December 2009, there was little time to resolve issues prior to year end. EPSRC, together with the other Research Councils and RCIAS, is working to ensure that the SSC systems and processes are sufficiently robust to ensure that the production of the 2010-11 accounts is significantly improved. We also need to make sure that there are clearly defined responsibilities in place for the controls operating at the SSC and overall monitoring by EPSRC.
8. Review of effectiveness
As Accounting Officer, I also have responsibility for reviewing the effectiveness of the system of internal control. My review of the effectiveness of the system of internal control is informed by:
- Regular reports by the Research Councils’ Internal Audit Service including the Head of Internal Audit’s independent opinion on the adequacy and effectiveness of EPSRC’s systems of internal control. All completed EPSRC-specific audits undertaken during 2009/10 received an assurance rating of ‘Substantial Assurance’. The areas covered are as follows:
  - EPSRC Research Grants
  - Risk Management
  - Information Security and Assurance
  - Energy Technology Institute
  - RCUK SSC-Transitional Assurance and Readiness Stage 3
- EPSRC Leadership Team members who have responsibility for the development and maintenance of the internal control framework and who provide annual reports on their stewardship and management of risk within their Directorates;
- comments made by the external auditors in their management letter and other reports;
- EPSRC's Resource Audit Committee’s review of internal controls and risk management processes;
- Research award validation procedures under the Cross-Council annual Funding Assurance Programme which provide assurance on the regularity of research project expenditure at Universities and other research bodies;
- Measures in place at a cross-Research Council level to obtain assurance on the operation of Transparent Approach to Costing at Universities supporting cost data used in Full Economic Costing of funded research proposals.
I have been advised by the Council and the Audit Committee on the implications of the result of my review of the effectiveness of the system of internal control. A plan is in place to address weaknesses and ensure continuous improvement of the system.
Professor David Delpy
Accounting Officer
25th November 2010