I thank the Chairman and other members for the invitation to attend the committee today to deal with matters related to the internal audit function in FÁS, its scope, practice and processes, and in particular to deal with issues surrounding INV. 137. I am one of the IBEC nominees appointed to the FÁS board by the Minister. By way of background, I became a non-executive director of FÁS in January 2006 and was appointed chairman of the audit committee at the first meeting of the board in 2006. I am currently employed as HR organisational development director with a large construction company.
Over the past 35 years or so, I have been engaged at senior manager-director level in the area of business restructuring, HR-industrial relations, and leadership of major change programmes in a wide range of international and indigenous companies in the automotive, electronic, shipping, financial services, luxury branded goods, construction and retail businesses.
In the course of my working life, I have spent a short time in an internal audit function and have managed large departments in various businesses, both international and indigenous, that have been audited by both internal and external audit teams connected with those businesses.
In addition, as a HR professional, I have regularly undertaken or reviewed formal disciplinary procedures, hearings and investigations carried out on foot of internal audit reports in heavily unionised environments, indeed, where the outcomes have covered the whole spectrum of disciplinary actions from "no action" to "dismissal" and subsequent prosecution and imprisonment of the people investigated. I say that to give the committee a flavour that I do have a reasonable experience of the area.
At the hearing today, I see my main role as that of assisting the committee, as best I can, to clearly see and understand the following in respect of FÁS: (1) the role and function of the audit committee; (2) the internal audit function itself; how it works: (a) the role of audit investigations, and (b) audit reports; (3) INV.137 — the timeline of events. There are some issues in that which, I hope, will give clarity to the committee; and (4) separation of powers. In particular, I would like to take the committee through how the "separation of powers" in the structure operated in this case, as between the audit committee, the internal audit function, and the executive/line management.
The separation of powers ensures that the exercise of due diligence/compliance, fair treatment and due process, particularly in the context of any disciplinary investigation — that could potentially result in serious disciplinary sanctions up to and including dismissal against an individual — offers the best protection for both the organisation and for staff against improper processes, procedures and actions in matters in this critical area of corporate governance.
If the committee so wishes, I can then elaborate separately on: what the audit committee has done to address the issues raised in INV.137 in terms of future practice; how the procurement concerns have been addressed to date; and the audit function and its structure and scope, which has been the subject of a major review by PWC at our instigation, since I became chairman of the audit committee, in an effort to benchmark it against best practice.
Beyond that, I will endeavour to assist the committee in any questions it may have on these matters or other matters related to the overview of the audit function since 2006. I believe it is very important to see these complex issues in a comprehensive context as, clearly, some of the commentary on the situation and events involved has been of the "soundbite" variety, and has shown a distinct lack of knowledge of the internal audit function in large, complex organisations.
Any fair assessment of the issues under review by the Committee of Public Accounts, or any other investigative body, requires a clear appreciation of the risk management processes of FÁS and the checks and balances that exist within the system to ensure its efficient and effective operation.
This opening statement endeavours to provide the committee with as clear a picture of that contextual framework as I possibly can.
I will now deal with the role and function of the audit committee. The audit committee is a sub-committee of the FÁS board. It has a membership of three non-executive directors. Ordinarily, it meets between four and six times a year. Its meetings are normally attended by the head of audit and two audit managers. Other directors, managers or specialists may attend as required, depending on whether it is dealing with their particular area. The committee meets at least once, but sometimes twice, per year with the Comptroller and Auditor General or his representatives. Part of these meetings with the Comptroller and Auditor General are attended by the head of internal audit and his two managers; part of them are not, and are purely a discussion between the non-executive directors and the Comptroller and Auditor General's people.
The role and functions of the audit committee are, broadly speaking, as follows: (1) it ensures that the organisation has identified and understands the main risks/exposures, financial, operational and reputational, involved in its business; (2) it ensures that the organisation has suitable arrangements in place to eliminate, reduce, mitigate or control and manage the risks identified; (3) the committee acts to support and protect, as necessary, the independence and integrity of the audit processes and the audit function; (4) it oversees and regularly reviews the work of the internal audit function (a) identifying new risks, (b) identifying trends, (c) looking at the quality and quantity of internal audit work; (d) productivity and efficiency; (e) resourcing quality and quantity of skills appropriate to needs of the business or function; (f) structure and organisation; and (g) relationships with organisation or client. The audit committee can commission investigations, analyses and special reports into matters of particular concern, importance or risk — new or emerging — in or for the organisation. These can also be commissioned or requested by the executive line management; (5) it interfaces with the Comptroller and Auditor General on a regular basis to review: (a) compliance with public sector audit policy; (b) quality and quantity of internal audit work against the Comptroller and Auditor General's standards; (c) areas of particular focus and attention; (d) quality/responsiveness of FÁS generally to the Comptroller and Auditor General as its external auditor; effectiveness of risk identification and control agendas. It reports to the board to give assurance on performance and the independence of the internal audit function and on any matters of significance to the board in the areas of risk or potential liability or exposure; it can seek additional resources or support for the function; and it approves certification for annual accounts. It liaises with the DG-executive management on matters of general concern in areas of identifying and managing risk-exposure issues and specific issues of material concern; it follows up to ensure delivery of control-management commitments given in respect of identified risks or control efficiencies; it ensures follow up on the internal audit reports to ensure a management response is obtained in a timely fashion and suitable corrective action is taken; and it represents the internal audit function with the DG and executive management in matters of structure, procedure, staffing, resources etc.
I will deal with how the internal audit function works. It comprises two parts, namely, audit investigations and audit reports. Audit investigations are conducted by internal auditors on a planned basis — set by the internal audit in conjunction with the audit committee each year — across the various divisions of FÁS. The focus of these investigations is generally on the areas of significant potential monetary risk to the organisation, namely, community enterprise activity, special funding areas, Safepass, payroll and procurement. Focus on these areas would be quite common in internal audits.
For example, with regard to community enterprise activity, FÁS acts essentially as a conduit for Government funding and €360 million passes through to community enterprise entities. In the context of a €1 billion company, that funding of €360 million is a big area of potential risk. We tend to focus to quite an extent on that because it involves an area across which money is physically moved and it must be accounted for. I cite that example to give members a flavour of what I am referring to.
It must also be noted that the audit investigations are, by their nature, almost exclusively involved in examining activities that have already happened. Furthermore, it is important to understand that in large organisations, the internal audit process is, generally speaking, in the nature of sampling rather than item by item review.
Audit investigations are aimed at identifying processes, risks or exposures under the following broad headings. Either there is no control in place because we did not know the risk existed or there is no control in place even though we knew the risk existed; inadequate control is in place, even though we know the risk existed; we have a control in place, but that control has failed; the control has been manipulated or bypassed by somebody; or there has been human intervention in the system either by error, suspected fraud or malfeasance. Broadly speaking, they are the areas the audit function will examine.
The investigation should identify the cause or causes of the problems and seek: to minimise or reduce any loss to date — that relates to dealing with the past situation; to identify action to be taken to correct problems and avoid any repetition — these can involve new processes to solve problems, new controls, extra control gates or sign offs, sometimes requiring education and training and sometimes discipline; to allow management time to provide management response, review response and agree remedial actions, if any, to be taken; to agree implementation with line management and ensure it is carried out and re-audit if necessary; and to pass any incidents of human interference or negligence or potential fraud or malfeasance to the executive for investigation.
The outcome of the audit investigation is an audit report and it is a popular misconception to view an audit report as a definitive document, an end in itself, but this is not a correct view. Any audit report must be viewed in the context of the report itself and the management response provided by the line management or executive management to get a complete understanding of the issues involved and to help identify the remedial actions, if any, to be taken.
In reality, audit reports represent the views or opinions of a "sceptical, detached, questioning, critical and independent observer" who holds a mirror up to processes or activities in a given function or area. The management response to any audit report is a critical and fundamentally balancing element in that overall audit exercise. The management response can cover a range of possibilities as follows: (1) if the audit report is simply wrong or based on incorrect data, assumptions or interpretations used by the auditor, the line manager can point out the error made; (2) the line manager can explain why this action was taken on a particular occasion, there may have been special circumstances or some mitigating or justifying factor on a specific occasion, but the process generally operates in compliance with requirements; (3) it is a once off error, it will not recur, for example, it is normally a system fault or a training issue might solve it; or (4) the management can accept the finding, adopt the action recommended by the auditor or propose or agree an alternative effective corrective action. Clearly, when a reason is given under (2) or (3), the validity of that is a matter for judgment and discussion between the audit function and the line management. This approach places the auditor in the position of an internal consultant rather than that of a policeman, with the line manager having the right to contribute to ensuring that the finding is correct and any remedial action is appropriate to the scale of the problems highlighted.
I want to turn to INV. 137 and go through the sequence of events. When I took up the role as chairman of the audit committee, there was an awareness that INV. 137 was in train and had been for quite a considerable time. At the first board meeting I commented on the fact that it was unusual for an investigation go on for quite so long. Later towards the first half of the year, the DG, Mr. Rody Molloy, and Mr. Gerry Pyke, the company secretary, sought a meeting with the audit committee regarding the format of INV. 137. Audit 137 came about as a result of an anonymous letter to the Minister at the time. The director general wanted the report to be split into two reports, one which would deal with the contents of the anonymous letter to the then Minister, Deputy Harney, and part two would deal with the other issues identified by the internal auditors during the investigation. What happened was, in 2004, when the audit team was sent in it went through the various issues raised in the letter, of which there were seven, but in the course of doing that, it discovered a wide-range of other irregularities, which it had to pursue internally and externally in regard to FÁS, all connected with the corporate affairs function and with issues related to the procurement practices. The DG stressed to me at the time, and I must record this, that no dilution of any items or topic was being requested by him, it was purely that the report would be split into two.
We then had a meeting with the audit committee, which was attended by the director general, Mr. Rody Molloy, Mr. Pyke and Mr. Terry Corcoran, who was then head of internal audit and two of the audit managers. The audit committee could not get the parties to agree on a format. The audit team claimed that splitting the report was not possible and that, even unwittingly, it would cause some dilution. The audit committee ended up dividing the parties into two and, almost as happens at a labour relations conference, we did some shuttle diplomacy between the two but we could not get common ground and so there was no conclusion to that.
The audit committee then reviewed the situation and, on balance, strictly subject to no dilution of any items of content, we were willing to agree to support the director general's request. I was then delegated to discuss or consult the head of internal audit before the final decision was made.
As chairman of the audit committee, I met with the head of internal audit. Mr. Corcoran refused to split the report. He undertook to write to the director general explaining his reasons. He made it clear to me that, under audit practice guidelines, he alone, as the head of internal audit, could decide on the content and structure of audit reports. It was not open to the audit committee to instruct him to split it, this was purely his decision.
As chairman of the audit committee, I noted that position and I informed the head of internal audit that we would seek independent external advice on the situation, which is our right. The head of internal audit wrote to the director general, as he promised, setting out his reasons for refusing to comply with the request to split the report. We, as an audit committee, then took independent professional advice from a senior practising audit manager and a senior lawyer. On the basis of that advice, the audit committee allowed audit report INV. 137 to be issued as a single report to the director general, in other words, siding with the head of internal audit, because the legal advice was that the report could have been split subsequently by the director general had he so wished because he had commissioned the report.
Once the report was issued, the director general then sought a further meeting with the audit committee to deal with complaints and concerns about the conduct of the audit investigation, some of which he had and some of which had come to his attention by virtue of representatives acting for the person who was being investigated. At the meeting with the audit committee, the director general presented a document to the committee and he advised us that copy of same had been sent to the respondent executive whose actions are the subject of INV. 137.
I then asked the head of internal audit to provide the committee with a written response to each of the issues in the DG's document, of which there were 22 separate points. The members may have a copy of the document. The written response was provided by the head of internal audit and reviewed by the audit committee.
The chairman of the audit committee then wrote to the director general advising that the audit committee does not accept the complaints or concerns raised by the director general and advises that the audit committee wishes to have the matters identified in audit report INV. 137 dealt with by way of a disciplinary investigation under the disciplinary procedures. The DG confirms that he has requested Mr. Christy Cooney, who is here, to organise the investigation. The chairman of the audit committee then writes to Mr. Cooney requesting details of matters or items to be investigated, sometimes known as the charge sheet, the process to be followed and the identity of the investigator appointed. The reason for that is that this is an investigation that had been going on for three or four years. There were a list of items to be investigated and, as an audit committee with responsibility to the board, we needed to be sure that all the issues identified in that audit report were noted on the charge sheet and would be included in the investigation. We needed to be satisfied that the process to be followed and the person who would conduct it would be of sufficient competence and seniority for there to be a likelihood of a proper result.
In an exchange of correspondence between myself and Mr. Cooney, I insisted that, in fulfilment of our duties to the board, the audit committee must ensure that all material issues identified in INV. 137 are included in the investigation, and we must satisfy ourselves that the investigation is properly structured and in the hands of a suitably qualified, experienced and competent person of sufficient seniority in the organisation. I need to state that was the limit of what we needed. We had no involvement in the investigation after that.