A civil servant has been publicly praised for accepting personal responsibility for one of the multiple failures which may have contributed to the cash for ash scandal.
Elaine Dolan, who was head of the internal audit in Arlene Foster’s department during the design of the RHI scheme and the first year and a half of its operation, told Sir Patrick Coghlin’s public inquiry that an auditor working under her had not done enough to query what officials were telling him.
When asked if the work – which was part of a project management review – had been performed to an adequate standard, Ms Dolan said: “The answer to that is no.”
She said that she couldn’t understand why some of the problems weren’t identified in the audit but suspected that the auditor was assured by officials in the department’s energy division that Ofgem, which ran the scheme for the department, had the appropriate arrangements in place and the auditor “took management’s word for it without challenge”.
Ms Dolan said that the auditor was not actually one of her staff but that the work had effectively been subcontracted to accountants ASM and that his report had not come to her directly but been checked by one of the managers working under her.
Nevertheless, when asked who was responsible for the failure, Ms Dolan said: “Overall, I was head of audit and had responsibility for the quality of the service. So who was responsible? Ultimately, I was responsible.”
At the end of Ms Dolan’s evidence session, Dame Una O’Brien, a former permanent secretary of Whitehall’s Department of Health, thanked the auditor for her evidence “and particularly I want to thank you for what you’ve said today in taking responsibility for those areas where the internal audit service did not perform its role adequately.
“They’re perhaps words we hear too infrequently so far in this inquiry. I appreciate it takes a lot, given the nature of your work, for you to have come and said that and thank you for being so frank with the inquiry.”
As head of internal audit, Ms Dolan oversaw a team of 13 staff, as well as a budget to sub-contract some of its work to private auditors.
She accepted that with hindsight there were actions which should have been undertaken but said that based on what she knew at the time she did not believe her actions were “unreasonable”, adding: “I wasn’t aware of the complexity of the scheme, nobody was flagging any risks to me in relation to the scheme, none of the key risks were sitting on a divisional or corporate risk register that I recollect, I think I was assured that Ofgem were going to be involved in the delivery of the scheme...”
The inquiry’s technical assessor, Dr Keith MacLean, asked her if she was surprised that no risks relating to RHI were appearing on risk registers. Ms Dolan said that at that point in time the scheme was being developed but said there was a “valid question” around why risks weren’t “escalated and monitored”.
She went on to say: “It certainly wasn’t up to me to do the identification [of risks]; it was up to me to ensure there was a satisfactory and an adequate process in place. But identifying risks rests with management.”
Dr MacLean asked: “If no one was flagging the risks to you, what should have been happening?” Ms Dolan said that if an issue was “escalated” to go into a risk register then she would decide whether to do an audit.
Dr MacLean replied: “The point is – if nobody’s flagging it up, then there’s nobody actually going looking. I would have thought that was the sort of role that audit ... I’ve certainly lived through some uncomfortable audits in the past because maybe I’ve not thought about flagging something up, or they’ve picked up something new that hadn’t even been thought about, and that was a proactive role ... we’re hearing almost an endemic lack of flagging up of issues and risks. Was that not then the role of an auditor to go in and uncover them?”
Ms Dolan replied: “The role of audit was to ensure there was a satisfactory process in place for risk management. The identification of risks rests purely with management and also the board have a role in risk identification ... so audit had no responsibility in relation to the identification of risks.”