Statement on the System of Internal Control

Scope of Responsibility

The Board acknowledges its responsibility under Section 7.3 of the Code of Practice for the Governance of State Bodies for ensuring that an effective system of internal control is maintained and operated.

Purpose of the System of Internal Control

The system of internal control is designed to manage risk to a tolerable level rather than to eliminate it and can only therefore provide reasonable and not absolute assurance that assets are safeguarded, transactions authorised and properly recorded, and that material errors or irregularities are either prevented or detected in a timely way.

The system of internal control which accords with guidance issued by the Department of Public Expenditure, Infrastructure, Public Service Reform and Digitalisation, has been in place in Uisce Éireann for the year ended 31 December 2025 and up to the date of approval of the financial statements.

Management of Risk

All employees of Uisce Éireann have a responsibility for the effective management of risk which includes designing, operating and monitoring the systems of internal control for Uisce Éireann. The Chief Executive Officer is the accountable executive with ultimate responsibility. The Chief Executive Officer delegates clear roles and responsibilities for effective risk management and for ensuring the systems of internal control are operating effectively to his Executive Team and their reports.

Risk and Control Environment

The Board ensures the Company has appropriate systems of internal control and risk management in place through use of the following structures and systems:

Audit and Risk Committee

Uisce Éireann has an Audit and Risk Committee (the “ARC”) comprising four non-executive Uisce Éireann Board Members who have the necessary expertise for the role. The ARC provides oversight of the risk and control environment on behalf of the Uisce Éireann Board and is responsible for assisting the Uisce Éireann Board in discharging its responsibilities as they relate to this area. On a quarterly basis the ARC performs a substantive review of the Uisce Éireann principal risks, prepared by management, ensuring oversight of the key risks and reviewing the effectiveness of management’s responses to key risk exposures facing the Company. The ARC also considers quarterly updates on the control environment from the Integrated Assurance Forum.

Three Lines Model

Uisce Éireann operates an integrated assurance and risk management framework which further consolidates and co-ordinates in a structured manner all risk management and assurance activities in the organisation across the “Three Lines” model. This ensures that Uisce Éireann maximises risk, assurance and governance oversight and control to build organisational resilience and follows leading practice to support compliance obligations and governance requirements.

Underpinning this three lines model, additional assurance is also provided by external auditors and other independent assurance providers and regulatory bodies e.g. the Office of the Comptroller and Auditor General (C&AG). This is often referred to as the “Fourth Line”.

Organisational Risk Management

Uisce Éireann has an embedded Organisational Risk Management (ORM) function which is responsible for the design and implementation of an ORM framework and for ensuring that sufficient risk management experience and skills are available throughout Uisce Éireann. The Head of Organisational Risk and Resilience reports to the Strategy, Resilience and Regulation Director and attends ARC meetings. In addition, the Uisce Éireann Risk Management Committee, chaired by the Chief Executive Officer, meets quarterly.

In particular, the Organisational Risk Management function:

  • Ensures that adequate and consistent ORM four step process and oversight are in place for defining, assessing, managing, monitoring and reporting of risks to which Uisce Éireann is exposed.
  • Ensures that oversight is maintained and an assessment is undertaken of the Uisce Éireann risk profile including principal risks, emerging and trending risks and high impact low probability risks, including a description of these risks and associated mitigation measures or strategies and their effectiveness.
  • Develops and implements the overall ORM Framework, risk strategy, risk appetite and ORM policies and procedures.
  • Embeds an appropriate risk management culture.

Integrated Assurance Forum

The Integrated Assurance Forum (IAF) ensures that the review of the effectiveness of the Internal Control environment is carried out in a co-ordinated and structured manner with appropriate evidence and sign offs in place.
Each Directorate maintains a register of key controls and each key control is self- assessed quarterly for effectiveness Continuous control monitoring is performed and reported quarterly. A summary of the IAF discussions are provided to the ARC.

The membership for the IAF is the Uisce Éireann CEO and all direct reports of the CEO. There is a strong “tone from the top” with support from Senior Management and Executive nominated Pillar Leads and Champions in place across the business. The Champion network is working successfully and is aware of the importance of the Integrated Assurance process including the role it plays to support the business.

As part of the end of year forum, management are required to confirm that:

  • They are satisfied with the effectiveness of the control environment in the period.
  • There are no material exceptions or breaches of key controls in the period.
  • Action plans and timelines are agreed for controls requiring enhancement.

Furthermore, in instances where control issues have been identified, they have either been subsequently addressed, have actions assigned to them since identification, or have mitigating controls in place.

Management has considered the items brought to the attention of the ARC in 2025 and has assessed several items in detail against the criteria outlined in the guidance documentation on the Code of Practice for the Governance of State Bodies, issued by the Department of Public Expenditure, Infrastructure, Public Service Reform and Digitalisation.

Internal Audit

Uisce Éireann has an established Internal Audit function which is adequately resourced and conducts a programme of work agreed with the ARC. The Head of Internal Audit reports directly to the ARC and to the Chief Financial Officer.

The Internal Audit function provides a systematic and disciplined approach to evaluate and improve the effectiveness of Uisce Éireann’s, governance, risk management and internal control.

In particular, the Internal Audit function:

  • Evaluates risk exposure relating to the achievement of Uisce Éireann’s strategic objectives.
  • Evaluates the systems established to ensure compliance with policies, plans, procedures, laws and regulations.
  • Evaluates the means of safeguarding assets.
  • Monitors and evaluates the effectiveness of the risk management processes.
  • Performs advisory services related to governance, risk management and control as appropriate.

Elements of Control Environment

In addition to the key structures referred to above, the Board confirms that a control environment, containing the following elements, is in place in Uisce Éireann;

  • Responsibility by management at all levels within Uisce Éireann for internal control and risk management over respective business functions.
  • Established processes to identify and evaluate business risks by identifying the nature, extent and financial implication of risks facing Uisce Éireann including the extent and categories which it regards as acceptable. Other processes to identify and evaluate business risks include assessing the likelihood of identified risks occurring and assessing Uisce Éireann’s ability to manage and mitigate the risks that do occur through associated mitigation plans and strategies.
  • A comprehensive listing of key controls is maintained by each business function, which are self-assessed on a quarterly basis with action plans implemented as required.
  • An internal control framework assessment that involves undertaking an extensive risk assessment, reviewing the operation and effectiveness of key control policies and processes, internal control self-assessment reporting and monthly performance reporting, supported by assurance activities of Integrated Assurance and Internal Audit.
  • Systematic reviews of internal financial and operational controls by Integrated Assurance and Internal Audit. In these reviews, emphasis is focused on areas of greater risk as identified by risk assessment.
  • Appropriate segregation of duties and documentation of processes and controls that are focused on preventing and detecting fraud.
  • Internal policies requiring all employees to act with integrity and maintain the highest ethical standards. These policies include the Code of Business Conduct, Anti-Fraud Policy, Anti- Bribery and Anti-Corruption Policy, Regulation of Lobbying Policy and Protected Disclosures Policy.
  • A comprehensive anti-fraud programme including an anti-fraud policy, training and communication and a fraud response plan.
  • The Corporate Governance Framework that includes financial control and risk assessment. This is monitored by Uisce Éireann management and the Internal Audit and Risk Management functions.
  • Clearly defined organisational structure, with defined authority limits and reporting mechanisms to higher levels of management and to the Uisce Éireann Board.
  • A comprehensive set of policies and procedures relating to operational and financial controls, including capital expenditure. Large capital projects require Board approval and are closely monitored by the Investment/ Infrastructure and Sustainability Committee.
  • A comprehensive budgeting system with an annual budget and quarterly forecasts which are reviewed and agreed by the Uisce Éireann Board.
  • A comprehensive system of financial reporting.
  • A comprehensive set of management information and performance indicators is produced quarterly enabling progress against longer-term objectives and annual budgets to be monitored, trends evaluated and variances acted upon.

Ongoing Monitoring and Review

Uisce Éireann has a robust framework to review the adequacy and monitor the effectiveness of internal controls covering financial, operational, compliance and risk management processes. The Board is satisfied that the system of internal control in place is appropriate for the business.

The monitoring and review of the effectiveness of the system of internal control in respect of Uisce Éireann is informed by the work of employees within Uisce Éireann responsible for the development, maintenance and oversight of the internal control framework and the work of the Internal Audit function. This is supplemented by the ARC who oversee the work of the Integrated Assurance, Organisational Risk Management and Internal Audit functions and comments made by the External Auditor in their management letter and/or other reports. Control deficiencies are communicated to those responsible for taking corrective action, to management and to the Board of Uisce Éireann, where relevant, in a timely way.

Capital and Operational Expenditure

The Infrastructure Guidelines were published by Department of Public Expenditure, Infrastructure, Public Service Reform and Digitalisation in December 2023, replacing the Public Spending Code. The Department of Public Expenditure, NDP Delivery and Reform guidance on the Quality Assurance Process to be followed to provide a summary overview of how compliant an organisation is with the Public Spending Code, includes a three-point rating scale:

  • Scope for significant improvements
  • Compliant but with some improvement necessary
  • Broadly compliant

Uisce Éireann’s self-assessment completed in line with this guidance, confirms that robust and effective systems are in place to ensure that the requirements of the Infrastructure Guidelines are broadly complied with, as per the above rating scale. As would be expected, these systems remain under continuous review and minor enhancements continue to be made. The Programme for Government contained an ambition to review the Infrastructure Guidelines, this along with the Accelerating Infrastructure Report and Action Plan published by Government in December 2025 is likely to lead to amendment to the guidelines. Uisce Éireann looks forward to continued engagement with the Department of Housing, Local Government and Heritage on the drafting of the Water Services Sector Specific Guidelines to align with the requirements of the updated Infrastructure Guidelines, when published.

The Uisce Éireann Procurement Policy (PD02) details the procedures to be followed by Uisce Éireann to support procurement requirements in the organisation. Application of PD02 ensures EU and Irish laws relating to public procurement are adhered to, tender processes are appropriately managed and governance and management oversight of the procurement process is maintained across the Company.

The Uisce Éireann Expenditure and Contract Approval Policy is aligned with the principles, including the value for money guidelines for the evaluation, planning and management of public investment projects, as set out in the Infrastructure Guidelines.

All capital expenditure must have regard to national and EU procurement requirements in addition to compliance with any requirements that may be set by the Commission for Regulation of Utilities (‘CRU’), environmental and planning related requirements and national, regional and local infrastructural priorities. Appropriate and proportionate financial and economic appraisal methodologies as required by the Infrastructure Guidelines are used in respect of capital projects and programmes in order to facilitate effective decision making. Capital projects and programmes are assessed and delivered using a gated approval process, aligned with the requirements of the Infrastructure Guidelines and the draft Water Sector Specific Guidelines.

The capital commitments process for Uisce Éireann operates on the basis that the company requests the relevant Ministerial consents in advance for an overall envelope of capital approvals to be entered into during the following financial year. Separately, Ministerial consents are requested by Uisce Éireann in advance of committing to any individual capital project costing €50m or greater. Ministerial consents are submitted to the parent Department (DHLGH) and other relevant government departments involved in the consenting process for the specific application. In parallel with the submission of Ministerial consents to the DHLGH, the Ministerial consent requests are submitted to NewERA who provide project specific financial and commercial advice to DHLGH, in advance of the granting of Ministerial consent by DHLGH.

Capital investments including contracts with a value in excess of €1m are presented to the Expenditure Approval Committee including its sub-committees for detailed review and approval. All infrastructure capital expenditure greater than €20m requires the approval of the Board. Capital expenditure for non-infrastructure investment greater than €10m requires the approval of the Board.

The Board is kept appraised of the status of capital projects and programmes as they progress including updates on implementation against plan, time scales and quality. Budget and variance reporting is also regularly presented to the Board. All projects have specific objectives against which they are measured. Tenders and subsequent contracts include strict delivery requirements as well as KPIs which are used to measure performance throughout the course of the contract. Post project reviews and financial close reports are presented to the Expenditure Approval Committee, the Investment, Infrastructure and Sustainability Committee and to the Uisce Éireann Board for evaluation depending on the value of the project or programme.

Project close out meetings and annual programme reviews facilitate a key ‘lessons learned’ approach which are then assessed, tracked and implemented as part of existing and future projects across the organisation as appropriate.

Review of Effectiveness

Uisce Éireann has procedures to monitor the effectiveness of its system of internal control.

The Board has reviewed the effectiveness of the system of internal control up to the date of approval of the Financial Statements, covering financial, operational and compliance controls and risk management systems for 2025 and will ensure a similar review is performed for 2026. A detailed review was performed by the Audit and Risk Committee, which reported on its findings to the Board.

Internal Control Reporting

During 2025, Uisce Éireann continued to implement the required systems, processes and procedures necessary to ensure robust internal control reporting through applying policies and internal control frameworks. The following items are noted:

Transfer of accountability for Water Services Functions

A Master Co-operation Agreement (MCA) was in operation with all 31 Local Authorities which provides for Uisce Éireann to have full accountability for Water Services Functions and for Uisce Éireann to have the necessary Management and Direction of Local Authority Water Services Staff. In preparation for this, controls and processes were established to ensure that Uisce Éireann was in a position to assume its new responsibilities when the MCA became operational. Operation of the MCA has brought staff under Uisce Éireann direct Management and Direction since August 2023. Controls and processes will continue to evolve and mature as services are standardised.

The MCA also provides that Uisce Éireann and each Local Authority will enter into a Support Services Agreement (SSA), setting out the support services which the Local Authority has agreed to provide Uisce Éireann in support of the delivery of Water Services Functions and the period over which these will transition to Uisce Éireann. SSAs are in place with 29 of the 31 Local Authorities at the end of 2025. Again, during the transitional phase, the controls and processes around these areas will continue to evolve and mature within Uisce Éireann.

Prior to the operation of each MCA (and SSA for support services), there is/was continued reliance on a range of controls operated by Local Authorities pursuant to the Service Level Agreement. These controls along with associated processes and procedures also will continue to evolve and mature.

While the Local Authorities retain statutory responsibility in respect of non-water services such as flood measures for example, Uisce Éireann has agreed pursuant to the MCA to provide support to the Local Authorities for critical non-water services areas for a period of 24 months from the coming into operation of the MCA in that Local Authority. The critical non-water services required by each Local Authority from Uisce Éireann are detailed in the SSA. Controls and processes have been put in place in order to deliver the critical non-water services to the Local Authorities and these controls and process will continue to evolve and mature.

Regulatory Actions

Uisce Éireann delivers water services in the context of a legacy of underinvestment in water infrastructure over decades. While Uisce Éireann is proactively dealing with these issues, they have led to some delays in delivery due to a combination of reasons including for example, aging of the infrastructure managed by Uisce Éireann, the scale of works and investment required, delays in delivering capital works due to delays in the planning and other statutory processes, the supply chain and resource availability.

Commission for Regulation of Utilities (CRU) Revenue Adjustment: The CRU sets Uisce Éireann’s allowed revenues through a five-year Revenue Control. Its draft determination of the look back on RC3 (2020–2024) in November 2025 noted Uisce Éireann had recovered €119.7m less revenue than it was entitled to (‘under recovery’). Within this under recovery, a negative revenue adjustment of €31m has been imposed on Uisce Éireann. The CRU believes that Uisce Éireann has underperformed in relation to two targets set during the RC3 final determination (for years 2020 to 2024):

  • Leakage performance target – maximum penalty €20m
  • Non-domestic revenue collection – approx. €11m

Uisce Éireann has assessed its controls in this regard and, in its response to the CRU on this matter, Uisce Éireann has strongly defended its position in relation to this revenue adjustment, challenging the methodology for the calculations of the targets and outlining elements outside of Uisce Éireann control that have not been considered as mitigating factors (specifically the Covid pandemic and demand growth driven by population increases). The determination by the CRU currently remains draft and is subject to change following further consultation.

Environmental Protection Agency (EPA), Inland Fisheries Ireland (IFI): Drinking water and wastewater compliance issues exist as identified in the EPA’s Annual 2024 Drinking Water Report and the 2024 Annual Urban Wastewater Report. Uisce Éireann has been dealing with a number of enforcement actions taken by the EPA and IFI.

Engagement with the EPA is ongoing to provide updates on actions to address these matters which include compliance driven interventions set out in the Uisce Éireann capital investment plan, as well as operational enhancements.

Connections Refunds Payments

In April 2023 the Government introduced a package of housing support measures, including a scheme for the refund of Uisce Éireann Standard Connection Charges. A project was established to process the refunds in accordance with the requirements of the scheme. In a very small number of cases, the incorrect beneficiary received the refund, to a value of €191,630, representing 0.08% of the value of the scheme. Payments to the incorrect beneficiaries have been recovered and the correct beneficiaries have been paid. All refund files were reconfirmed for the correct payment details. The scheme is now closed and enhanced processes and controls are now in place to reduce the risk of recurrence on remaining refunds due.

Procurement

During 2025, expenditure was incurred in two instances where procurement procedures were not fully complied with, representing 0.015% of overall procurement expenditure. Steps have been taken to ensure that corrective actions are put in place.

Category

Activity detail

Corrective action Taken

Estimated value

Services

Resource was brought in through incorrect framework lot.

Training and awareness provided to framework users.

€78,472

Services

Risk Assessments are required under Section 19 of the Safety, Health and Welfare at Work Act 2005 and section 20(4) of that Act requires that these are brought to the attention of employees.

When implementing the new Safety Management System which brought the existing Local Authority systems onto one consolidated platform, it was identified that not all end users were able to access the Risk Assessments on the new online platform. As an interim measure, safety material and training collateral had to be issued urgently and distributed to site crews to bring relevant risks to their attention to ensure continued awareness of control measures and maintain safe working practices.

Training and awareness has been provided in relation to planning and execution of procurement competitions.

€190,000

Fraud

In March 2021 Ervia and Uisce Éireann were informed by a Local Authority of an alleged fraud which had taken place locally by a former Local Authority employee relating to the provision of water services. The alleged fraud is the subject of an ongoing investigation by the Garda National Economic Crime Bureau (GNECB). This matter will take a number of years to reach a full legal conclusion and the Board Audit and Risk Committee will be kept updated on all developments.

During 2025 Uisce Éireann identified a fraud which had been carried out by a supplier to Uisce Éireann. The value involved was minor, and the funds were recovered in full. The matter was reported to the Board Audit and Risk Committee and to An Garda Síochána and has been concluded.

Notwithstanding the matters noted above, the Board is satisfied with the overall control environment for Uisce Éireann and that effective systems of internal control are maintained and operated with no material breaches noted in the year.

For and on behalf of the Board of Uisce Éireann:

Jerry Grant

Chairperson

Cathy Mannion

Board Member

Date of Approval
28 April 2026