Annual Implementation Report for the year ended 31 March 2023

The Board finalised the work on risk appetite and this has now been embedded in the risk process.

The integration of Pullman Rail into the group risk and internal framework is almost complete but was delayed because of the changes to TfW’s operating model.

During the year ended 31 March 2023, the internal management structure of TfW was changed to better reflect its operations. Significant work has taken place so that the internal control framework is aligned with the new operating model and that oversight and accountability are appropriately allocated.

Feedback from TfW’s board evaluation suggest that the quality of the risk discussions at Board meetings has improved. The quality of the discussion at the Audit and Risk Committee on risk related matters by all participants gives greater assurance and comfort that all parts of the organisation now understand and are engaged in the risk process.

Good progress has been made on the fraud risk assessment and a first draft of the assessment was reviewed by the Audit and Risk Committee at its meeting in June 2023. It is planned the work will be finalised before the end of the year.

The cultural aspects of the control environment has been reinforced by the launch of TfW’s Code of Ethics in 2023 with supportive training.

There have been no changes to the proposed approach.

Fraud risk is built into every assignment carried out by both the second line assurance team and internal audit. The process of alerting key members of management and the Chair of the Audit and Risk Committee appears to work well, with only two such incidents raised during the year. These have been fully investigated and appropriate action has been taken. None of these instances were in any way material to TfW or its financial reporting.

Excellent progress continues to be made on this project although it has been slightly delayed by the changes to the operating model. TfW’s leadership is committed to ensuring that the project is as successful as possible.

A full pilot was carried out in the payroll function. All key controls were in place. However, many controls were manual giving rise to a greater risk of error and a number of controls were either duplicated or were poorly designed and hence were not effective. TfW’s management is alerted to the fact that the project, as well as its primary purpose, gives rise to efficiency opportunities and the ability to use staff for more valuable tasks.

The work on non-financial information is not as well advanced. But the need for it to be carried out to the same standard as for financial controls is now clear. Ffor example, TfW’s gender pay gap information has had to be restated for a second year running.

The work on enhancing financial and non-financial internal controls will continue during the year ending 31 March 2024, but is not scheduled to be finalised until the end of the period of this Audit and Assurance Policy.

There have been no changes in the approach being adopted.

As the work on the enhanced internal control process is still very much work-in-progress, there has been little opportunity to see how the assurance activity is working in practice.

However, the work done to date has given comfort to the Audit and Risk Committee that (as far as the financial controls is concerned) there appear to be no material control weaknesses.

The Audit and Risk Committee is not satisfied that all the non-financial information has a documented system with appropriate internal controls to ensure that it is reported accurately. Management has agreed that the situation is planned to improve significantly by the 31 March 2024 reporting date.

A considerable amount of work has taken place in the last 12 months to ensure that the three lines of defence model is implemented across the entire TfW group. The focus has primarily been on the rail operations, although progress has also been made in Pullman Rail. This work has clearly taken more time than anticipated because of the change in TfW’s operating model.

The Audit and Risk Committee is now satisfied that the three lines of defence model operates effectively.

There have been no significant changes.

The second line assurance team is now operating effectively and attends the Audit and Risk Committee to discuss the work it has carried out. There is now far greater clarity within the organisation on the role that this assurance team plays within the three lines of defence model. The purpose they serve and the work that they carry out is better understood, and hence more effective. 

The work of the third line of defence is commented upon more fully in the next section.

The 2022/23 programme was satisfactorily completed. In addition, certain ad hoc work was carried out at the request of management which did not impede the completion of the programme.

The detailed programme for 2023/24 has been approved and is broadly in-line with the three-year plan.

None.

The Audit and Risk Committee has received many excellent reports from internal audit during the year. No individual finding or collection of findings was considered material and those reports that had an adverse conclusion were generally known to management and action was well underway by the time the report was finalised.

The Audit and Risk Committee takes a lot of assurance from the work carried out by internal audit and recognises it as high quality and value-adding.

It is also reassuring that management is supportive of internal audit and the overwhelming majority of recommendations are agreed swiftly and implemented by management. The implementation of recommendations is closely followed up by internal audit and the Audit and Risk Committee has access to internal audit’s data to see for itself how speedily actions are being implemented.

The Resilience Statement has been prepared on the same basis as 2022/23. The two stress tests included in the Audit and Assurance Policy will remain for the year ending 31 March 2024. One of the tests is likely to change for the year ending 31 March 2025.

None.

Given the nature of TfW—which is explained in the Resilience Statement—the Audit and Risk Committee has determined that there is little benefit in seeking internal or external assurance on the Resilience Statement.

An external audit tender in accordance with the process set out in the Audit and Assurance Policy was finalised during the year ended 31 March 2023.

Only the incumbent auditor submitted a formal tender. Several firms determined that they did not have the capability to carry out the audit and some of the larger firms either had actual or potential conflicts of interest.

The Audit and Risk Committee was disappointed that there was little competition. However, the committee was satisfied that the process it had adopted was sufficiently open and robust to satisfy its requirements whileendeavouring to satisfy the regulator’s desire for a competitive market.

The Audit and Risk Committee had been satisfied with KPMG’s performance for the last four years and was happy to recommend to the Board that they be appointed for a further five-year period.

None.

The Audit and Risk Committee is satisfied that the external auditor provides an appropriate level of external assurance. It is also helpful, using the firm’s wider knowledge base, in providing guidance on industry and market practice.

The materiality used by TfW in preparing the financial statements was the same as set out in the Audit and Assurance Policy.

None.

N/A

There were no significant changes in the scope of work carried out by the external auditors for the year ended 31 March 2023. The materiality for the TfW Group, agreed with the Audit and Risk Committee was £60 million and the reporting threshold for misstatements to be reported to the Audit and Risk Committee was £3 million.

None.

The potential involvement of the external auditors in providing assurance on non-financial information has been deferred for a further year until the Audit and Risk Committee is satisfied with the level of internal assurance carried out.

Considerable work has been carried out during the year on the KPIs that are used to monitor business performance. Some KPIs have been enhanced.

None.

As commented above the Audit and Assurance Committee will oversee the work carried out on non-financial information to ensure there is appropriate internal assurance and consider, if appropriate, external assurance. The Audit and Risk Committee is hopeful that it will be able to finalise its plans in time for the next Annual Implementation Report.