Annual Internal Audit Opinion 2012/13

Internal Audit Annual Report 2012/13*
* Devon & Cornwall Police Authority, April 2012 to November 2012, and Office of the Police & Crime Commissioner for Devon & Cornwall, November 2012 – March 2013
The definition of the professional practice of internal auditing is set out below. The
internal audit service provided to the Force and OPCC embodies all the key
principles contained within this definition and this report aims to demonstrate strict
adherence to these principles.
The definition of Internal Audit
“Internal Auditing is an independent, objective assurance and
consulting activity designed to add value and improve an
organisation’s operations. It helps an organisation accomplish
its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management,
control and governance processes.”
Chartered Institute of Internal Auditors/CIPFA
Contents
Introduction
Audit Resources
Transition
Joint Internal Audit Strategy
The Role of Internal Audit in Assurance
Risk Management
Anti Fraud & Corruption
Audit Groups & Collaboration
Annual Internal Audit Opinion 2012/13
Completion of the 2012/13 Internal Audit Plan
Equality & Diversity
Summary & Conclusions
Appendix A
Appendix B
Introduction
1.1
The Head of Internal Audit is required to provide an annual report on its
activities and an opinion on the overall adequacy and effectiveness of the
controls in place to mitigate significant business risks. The work of internal
audit, culminating in an annual opinion, forms a part of the Force and OPCC’s
overall assurance framework and should be used to inform the annual
assurance statement which in turn, supports the annual governance
statements of both organisations. This annual report contains my opinion on
the effectiveness of the internal control environment within the OPCC and
Force.
1.2
The evaluation of the adequacy of the control infrastructure, assessed from a
combination of risk based audits, advisory work and the results of continuous
audit work carried out during the year, informs that opinion. In practice, audit
advice and consultancy is provided in real time as issues arise, and
opportunities to improve operations present themselves. Therefore audit
activity is designed to be dynamic and responsive to emergent risk. Limited
audit resource cannot provide assurance over all risk exposure in a large and
complex organisation. However, the planning of audit work is designed to
adjust rapidly to the changing risk landscape and to complement other
sources of assurance.
1.3
This is the first annual internal audit report to the Joint Audit Committee (JAC)
since the abolition of Police Authorities in November 2012. An “end of term”
report was produced for the last Corporate Governance Committee meeting in
September 2012 before its business was handed over to the JAC. The report
summarises all of the work delivered by internal audit. It gives an insight on
background activity and provides where appropriate an assurance opinion on
the adequacy and effectiveness of the controls in place for each area of risk
subject to audit scrutiny.
Audit Resources
2.1
Being an exceptional year of unprecedented change, the internal audit plan
for 2012/13 was subject to significant adjustment with the greater proportion of
internal audit resource redirected from its traditional assurance role to
consultancy work on the new governance structure. This type of activity,
although legitimately within the scope of the definition of internal audit, has
not, in my opinion, provided sufficient independent assurance over the full
range of risks identified in corporate registers (see paragraph 9.1 below). The
shortfall in resource applied to pure assurance work has been reported to the
Joint Audit Committee together with plans to address the issue. For example,
reversion to “business as usual” for the OPCC will enable internal audit to
refocus on the current risk landscape. The development of assurance
mapping will also help the organisation to highlight any imbalances in
assurance derived from all sources.
2.2
OPCC Financial Regulations require a competitive process to take place as
the service level agreement with Devon Audit Partnership expires at the end
of March 2014. Internal audit services will be subject to a tendering exercise
during 2013/14 and a contract with an external provider is expected to be
awarded with effect from 1 April 2014. In view of limited resources, discussions
are currently underway with the statutory Chief Finance Officers (CFOs) to
ensure the adequacy of future internal audit funding.
Transition
3.1
During the year, Police Authorities across the country were busily preparing
for the election to office of Police & Crime Commissioners through national
and local transition plans and projects. Very significant risks associated with
the transition plan for Devon & Cornwall Police Authority were identified by the
transition project board. In particular, the Chair, Members, the Chief Executive
and Treasurer of the Police Authority were determined that there should be no
“governance vacuum” over the critical period before and after the elections.
Devon & Cornwall were the first authority nationally to appoint and set a work
plan for a joint audit committee who were ready to take on oversight of the
governance of the business from day one, the 22nd November 2012.
3.2
Transition risks were mitigated by a range of clearly defined actions assigned
by the transition project board to senior management and their policy team
leading up to and beyond November. A number of these actions were tasked
to internal audit who were well placed to assist in the development of key
components of the OPCC governance framework including:
• A joint internal audit strategy (see 4.1 below)
• The joint risk management framework (see 5.1 below)
• The integrated assurance framework (see 6.2 below)
• An enabled risk management and action tracking process
• The joint anti-fraud and corruption strategy (see 7.1 below)
• Development of the joint audit committee
3.3
It was also tasked with a number of deliverables including:
• the co-ordination of a due diligence exercise on assets and liabilities to be
transferred to the Police & Crime Commissioner (Stage 1 or statutory
transfer)
• Project support – action and milestone progress reporting and providing
evidence for gateway reviews
• Technical support (development and further integration of the OPCC and
Force’s risk management system)
• Providing professional advice and support to the development of a joint
risk register (see 5.1 below)
• Providing consultancy to the newly formed joint risk review group (see 5.1
below)
Joint Internal Audit Strategy
4.1
Up to November 2012, internal audit activity was focused on the mitigation of
threats to achieving the outcomes set out in the Authority’s strategic plan
(2010-14) and could be linked to one or more of them. A new joint internal
audit strategy has been developed. The strategy will, for the first time, cover
the assurance needs of both the OPCC and the Force which are two distinct
auditable bodies. The Financial Management Code of Practice issued by the
Home Office advises that a single internal audit service should continue to
cover both organisations. Early agreement by the Chief Financial Officers was
obtained to support the development of a joint audit strategy.
Risk Management
5.1
Internal Audit provides an advisory role to help Management improve
governance, risk management and internal control arrangements. The
development of a joint risk management framework prepared the ground for
closer alignment of the corporate risk management structures in the OPCC
and Force. In February 2013 the Joint Management Board took the decision
to develop a joint corporate risk register supported by a newly formed joint risk
review group (JRRG). This group consists mainly of Force planning and
performance managers and policy officers of the OPCC. During March 2013
the JRRG produced a high level joint register of uncertainties associated with
the delivery of the PCC’s Police & Crime Plan. A fully fledged corporate risk
register including mitigating actions is scheduled to be in place by the end of
June 2013. Internal audit have helped to facilitate and support this initiative
throughout.
The Role of Internal Audit in Assurance
6.1
The responsibility for maintaining risk management, control and governance
systems rests with senior management of both the OPCC & Force who,
together with the policies, strategies and procedures and other internal
sources of assurance, provide the first and second lines of defence in the
assurance framework. The work of internal audit forms the third line of
defence. Its purpose is to provide the OPCC & Force through the Joint Audit
Committee with an independent and objective assessment of governance,
risk management and internal control, and the effectiveness of each of these
in achieving the organisation’s agreed objectives.
6.2
Progress has been made toward the development of an integrated assurance
framework during the year and this initiative is now gathering pace, facilitated
by the implementation of a joint risk & performance management framework.
Assurance mapping will provide the means to identify the appetite for
assurance against corporate risks. It will be designed to identify assurance
gaps or where there is over-assurance disproportionate to the risk in question.
Anti Fraud & Corruption
7.1
The payroll continuous assurance audit work at Devon & Cornwall was cited
as good practice in the 2011 Audit Commission’s report “Protecting the Public
Purse” which reviews anti-fraud & corruption measures across the public
sector, including the National Fraud Initiative (NFI). Continuous assurance
mechanisms are now ready to be applied to accounts payable as planned.
This will replace the need for the creditor element of the bi-annual NFI
investigatory work by providing almost real time assurance. We have also
worked with other public sector bodies in the South West in the coordination
of counter fraud activity. Through this forum, fraud alerts and advice are
disseminated to members and shared with Management of the OPCC and
Force.
Audit Groups & Collaboration
8.1
The Head of Internal Audit provides secretarial support to the national Police
Audit Group (PAG) chaired by the Director of Audit, Risk & Assurance of the
Mayor’s Office for Policing and Crime (MOPAC). This is an influential
professional support and networking group, which has a close working
relationship with the Association of Policing & Crime Chief Executives
(APAC2E) and the Police and Crime Commissioners Treasurers’ Society
(PACCTS). The annual PAG conference is attended by internal auditors and
contractors representing all police organisations in England, Wales and
Northern Ireland.
8.2
The Head of Internal Audit established a South-West police audit sub-group
which last met in November 2012. The purpose of the group is to explore
opportunities for collaborative working in the region. The first collaboration will
take place in 2013 when Devon & Cornwall internal audit will lead on a post
implementation review of the South West Police Procurement Department
(SWPPD) hosted by Devon and Cornwall. Assurance will be provided to each
of the other participating OPCCs/Forces (Dorset, Gloucestershire and
Wiltshire).
8.3
The joint working protocol with the Audit Commission terminated on the
handover to Grant Thornton. A similar protocol is now in place with the new
provider. Regular meetings between internal and external audit continue to
be held to ensure co-ordination of audit activities. We remain committed to
maintaining this strong relationship.
Annual Internal Audit Opinion 2012/13
9.1
Based on limited control assurance work undertaken in 2012/13* I am able to
give only moderate assurance that the control environment is fully effective or
sufficiently mature to cope with all the impacts of change.
* see paragraph 2.1 above
9.2
However, a positive assurance opinion can be applied to the transformation of
governance and risk management arrangements for the year ended 31st
March 2013. In September 2012, Devon & Cornwall were the first and only in
the police family to establish a joint audit committee working in shadow,
enabling a smooth and seamless handover of scrutiny and challenge from the
Corporate Governance Committee. This decision, which attracted significant
interest from across the country, is highly regarded and has been identified as
good practice by the external auditor. The appointment of the former chair of
the Corporate Governance Committee as a co-opted member has proven to
be particularly effective in ensuring continuity. Early engagement has, in my
opinion, given Devon & Cornwall strategic advantage over others in the police
family who even at the time of writing, have only just established their audit
committees. The risk of a “governance vacuum” has in my opinion been
effectively mitigated.
9.3
The impact of transitional change programmes continues to expose both
organisations to high levels of risk. Significant overspend on the Force change
programme and delays to the delivery of critical systems have highlighted
weaknesses in programme and project management. This will form part of the
audit plan for 2013/14 and will supplement assurance opinions already
provided by the OPCC’s change programme advisor.
9.4
Follow-up arrangements for recommendations made by internal audit and / or
other independent and internal assurance providers need strengthening. The
organisational learning database intended for this purpose has not been fully
effective or adequately resourced. I recommend that the ‘actions module’ in
Covalent should be used to track progress of agreed recommendations with
overdue actions escalated through formal monitoring reports to senior
management teams and to the JAC. It is unclear at this stage who will take on
responsibility for driving and administering action tracking mechanisms at a
corporate level. Decisions on how assurance can be delivered by
management and how these assurances can be evidenced and mapped are
urgently needed.
9.5
A considerable amount of available audit resource has been redirected to
non-audit activity. Technical expertise and support to the tracking of risk and
action reporting mechanisms have been regularly called upon by the project
board. A consequence of this has been a reduction in independent assurance
coverage. However, this background work has added considerable value to
the transition project and will benefit internal audit in the longer run, as it will
help to ensure that scarce resource can be targeted more effectively.
9.6
Development of an integrated risk management, performance and assurance
framework is well under way. This will be a key component in the governance
toolkit enabling the Police and Crime Commissioner and his officers to hold
the Chief Constable to account for the delivery of the Strategic Policing
Requirement and Police & Crime Plan. The Joint Management Board and the
Joint Audit Committee are now, in my opinion, better equipped to oversee
the management of strategic risk at a corporate and portfolio level.
Completion of the 2012/13 Internal Audit Plan
10.1 2012/13 was a transitional year for Internal Audit. Not all of the planned audit
assignments were completed as a result of audit resource being directed
away from core activity to support the transition project (as already
commented in 2.1 above). Therefore, the 2012/13 audit plan was flexed to
respond to changing priorities.
10.2 Appendices A and B below report the results of the work done during 2012/13,
with an assurance indicator/opinion provided where applicable. Appendix A is
a simple table summary of the work. This is split into ‘business as usual’ and
‘transition’ (the two key aspects of the plan as published in March 2012).
Appendix B provides more detail of each piece of work by providing context,
describing important findings and any related plans for 2013/14.
10.3 The assurance indicator applicable to each item of audit activity will form
internal audit’s contribution to integrated assurance mapping. This will
combine with indicators from other sources of assurance (i.e. the first and
second lines of defence and external providers) to form the assurance map
referred to in para. 6.2 above.
Equality & Diversity
11.1 The Authority and OPCC’s commitment in relation to equality and diversity is
considered in all audits and investigations. Internal audit demonstrate due
regard to the equality duties in line with the Equality Act 2010, which are:
• To eliminate unlawful discrimination, harassment and victimisation and
other conduct prohibited by the Equality Act 2010;
• To advance equality of opportunity between people from different groups;
• To foster good relations between people from different groups.
Summary & Conclusions
12.1 Management in both organisations demonstrate a high level of commitment to
developing a joint approach to risk management systems and processes. We
welcome the “open” approach adopted by both the OPCC and Force
enabling the work of internal audit to be conducted effectively. Examples of
control weaknesses need to be seen in the context of an organisation which is
generally well managed. We are committed to supporting both the OPCC and
Force through the considerable challenges that lie ahead.
12.2 Finally we would like to use this report to thank the OPCC management team,
the Force Chief Officer Group and their staff, for their willingness to engage
positively in the audit process.
For further information, please contact:
Ed Wardle
Head of Internal Audit
01392 225552
ed.wardle@devonandcornwall.pnn.police.uk
Appendix A
2012/13 summary (for detail see appendix B)
The following table sets out the work delivered during 2012/13. Each area of work records the relevant time period for the work, the
date any report was issued (or is planned), the audit opinion given (where relevant), an indication of the complexity of the work
involved, whether the work is research and development (R&D) or routine, whether the service provided was assurance or
advisory, and finally whether the outputs support core audit objectives.
Business As Usual
Work and Summary | Period | Report Issued | Audit Opinion | Complexity | Type | Service | Core Audit
--- | --- | --- | --- | --- | --- | --- | ---
GRS/Myself | Aug 2012 – Sep 2012 | 12Sep2012 | Good Standard* | high | R&D | assurance | yes
Redundancy Calculations | Dec 2012 – Feb 2013 | 26Jul2012 | Good Standard | medium | routine | assurance | yes
Information Assurance Maturity Model | Feb 2013 – Mar 2013 | 29Apr2013 | Good Standard | medium | routine | assurance | yes
Continuous Auditing: Payroll | monthly | monthly | Good Standard | high | routine | assurance | yes
Continuous Auditing: Invoice processing, creditor and payroll data management Data Analysis | Jan 2012 – Mar 2012 | 10Apr2013 | Improvements Required | high | R&D | assurance | yes
Continuous Auditing: Development of IDEA | Oct 2012 - to date | 2013/14 | n/a | high | R&D | advisory | yes
NFI co-ordination (12/13) | Oct 2012 - to date | 2013/14 | n/a | medium | routine | n/a | yes
NFI investigation (12/13) | Apr 2013 - to date | 2013/14 | TBC | low | routine | assurance | yes
Internal Controls | ongoing | 2013/14 | n/a | high | R&D | n/a | yes
Integrated Assurance | Apr 2012 – Oct 2012 | 02Oct2012 | n/a | high | R&D | advisory | yes
Ad Hoc Requests for Advice and Consultancy | continuous | n/a | n/a | various | various | advisory | yes
Audits provisionally planned but not delivered | n/a | n/a | n/a | n/a | n/a | n/a | n/a
*Based on data available – see appendix B.
Transition
Work and Summary | Period | Report Issued | Audit Opinion | Complexity | Type | Service | Core Audit
--- | --- | --- | --- | --- | --- | --- | ---
Governance Framework | ongoing | various | n/a | high | R&D | advisory | yes
Due Diligence | Mar 2012 – Jul 2012 | 02Oct2012 | Good Standard | high | one-off | assurance | partial
Joint Audit Committee | Sep 2012 - to date | n/a | n/a | medium | R&D | advisory | yes
Joint Internal Audit Strategy and Charter | Sep 2012 – Oct 2012 | Jan 2013 | n/a | medium | R&D | n/a | yes
Anti-Fraud & Corruption Strategy | Sep-12 | Oct 2012 | n/a | low | routine | advisory | yes
Developing Risk Management within OPCC and alongside the Force | continuous | n/a | n/a | high | R&D | advisory | yes
Developing and maximising the use of Covalent | continuous | n/a | n/a | high | R&D | advisory | partial
Project Support | continuous | n/a | n/a | low | routine | n/a | no
Appendix B
Detail of 2012/13
The following tables follow the same layout as in Appendix A but include detail of the work done, any important findings and plans
for 2013/14.
Work and Summary | Period | Report Issued | Audit Opinion | Complexity | Type | Service | Core Audit
Business As Usual
GRS/Myself | Aug 2012 – Sep 2012 | 12Sep2012 | Good Standard* | high | R&D | assurance | yes
Finance required an analysis tool to cross match GRS roster data and Myself unsocial hours claims. The work was delayed for four
months whilst the Force arranged system access.
An Excel Spreadsheet tool was successfully developed in the year ready to be deployed by Finance. The tool showed that the
majority of claims were consistent with rosters; however, there were a significant minority of mismatches and omissions between
the two systems. Recommendations were made which were accepted, with Finance keen to take ownership of the analysis tool
going forward.
*However, Finance identified that the standard report available in GRS may not provide the most valuable roster information for this
exercise and were to seek an improvement to the system. We await the results of this; the audit work remains on hold, and we hope
it will be taken forward again once the Force deploys IDEA analysis software (scheduled for 2013/14)**.
** (see ‘Continuous Auditing: Development of IDEA’ below)
Redundancy Calculations | Dec 2012 – Feb 2013 | 26Jul2012 | Good Standard | medium | routine | assurance | yes
The overall processes surrounding redundancy calculations appeared sound and suitably robust. We are confident that calculations
made were accurate and that overall, employees had been properly identified and reported. However, some procedural errors were
identified and some processes would benefit from minor improvements. The data quality issues arising from the audit are not
systematic, but concern the accuracy and timeliness of data provided in a limited number of cases. The issues identified would not
have resulted in incorrect payments, only poor management information.
Information Assurance Maturity Model | Feb 2013 – Mar 2013 | 29Apr2013 | Good Standard | medium | routine | assurance | yes
The Force seeks independent assurance of the annual IAMM assessment (which forms part of their annual return to the Cabinet
Office). The Force is not mandated to obtain this assurance but it is recommended, and it has been provided for the last three
years. The IAMM covers embedding an information risk management culture within the organisation; implementing best practice
information assurance measures; and effective compliance.
The IAMM is a very detailed framework and requires significant time to review. We recommended some adjustments to the claim
(all positively responded to) and concluded a good standard of management and control. The Force's information assurance
maturity continues to rise in line with national expectation. The Information Assurance Unit takes a very open, honest and
constructive approach to the assessment.
Continuous Auditing: Payroll | Monthly | Monthly | Good Standard | high | routine | assurance | yes
This work is now an established monthly routine. Although it cannot offer complete assurance over the payroll, it does provide
assurance at the macro level and can help focus further investigation at a more detailed level. This is an example of risk based
auditing in practice and has created interest from other audit providers, as well as being an example of best practice in the Audit
Commission's 'Protecting the Public Purse' in 2011. We continue to refine the process being applied and during the year additional
statistical rigour was incorporated into the analysis. The process provides its greatest value when we are able to engage with the
Force to resolve queries. A good working relationship has long been established with Payroll.
Continuous Auditing: Invoice processing, creditor and payroll data management Data Analysis | Jan 2012 – Mar 2012 | 10Apr2013 | Improvements Required | high | R&D | assurance | yes
In our opinion improvements were required in specific areas and fairly extensive recommendations were made accordingly. These
were accepted by management and should help to ensure that organisational objectives are not put at risk.
We analysed data from April 2010 to September 2012 for values over £10k. A key finding was that (primarily during 2010 as
corporate services transformation was taking place) weak internal control provided insufficient checks over accuracy of input
resulting in some duplicate payments being made (all bar one identified and refunded prior to our audit). In one case a decision
was taken, in conjunction with the supplier, to offset these overpayments against outstanding invoices (representing
inappropriate accounting at that time). In another case the failure by both the creditor and the Force to monitor and transact
invoices accurately has resulted in an un-refunded invoice of £120k. The Force is now working with this supplier to correctly restate the supplier account and obtain the refund.
This work utilised new analysis software called IDEA and prepares the foundations to undertake in-house NFI work on creditors in
2013/14 – see below.
Continuous Auditing: Development of IDEA | Oct 2012 - to date | 2013/14 | n/a | high | R&D | advisory | yes
IDEA software (purchased by Internal Audit in 2012) was deployed fully for the first time on 'Continuous Auditing: Invoice
processing...' (see above). IDEA is a powerful data analysis tool which can be used to identify anomalous, inconsistent or illogical
data (it is not limited to financial data, and can be applied to any rule based data set). Although potentially complex, the routines
used can be converted into standardised scripts and be used by less trained staff.
This audit was identified to develop our knowledge and understanding of the capabilities and possibilities of the product. It also
acted as a vehicle to gain a much greater understanding of the Agresso finance system.
Although an intermediate IDEA user course in November 2012 was cancelled by the supplier, we made significant strides in
advancing our practical knowledge by self study and hope to benefit from an intermediate and / or advanced course in 2013/14. We
are pleased to note that two members of Force finance have been identified as users of IDEA from 2013/14. The Force's access
to 'continuous' data analysis tools can only strengthen financial management. We will be working with them in sharing our
knowledge and also providing any localised training and support.
NFI co-ordination (12/13) | Oct 2012 - to date | 2013/14 | n/a | medium | routine | n/a | yes
This national data matching exercise requires extensive datasets in a precise format to be uploaded to the national body every
other October. The work is covered by an Act of Parliament and takes due consideration of the requirements of the Data Protection
Act. We work closely with the FIMS team and Pension Services to upload the data and resolve any formatting issues. We also act
as key contacts, setting up and managing access for other staff, and also providing training in the use and concepts behind the
system.
NFI investigation (12/13) | Apr 2013 - to date | 2013/14 | TBC | low | routine | assurance | yes
This national data matching exercise identifies a high volume of records many of which are inevitably false positives; however, each
still has to be established as such and any genuine issues resolved.
The majority of this bi-annual verification work has been borne by Payroll and Exchequer; however, the techniques we developed in
carrying out the 'Continuous Auditing: Invoice processing...' audit were intended to prove the concept of continuous (monthly or
quarterly) assurance over the data, thereby providing a higher quality of assurance and reducing much of the bulk of the work
required for NFI. For this year we have therefore taken on some of the initial review of NFI matches (thereby removing this
requirement from Exchequer) by utilising our findings from IDEA which will be forwarded to Exchequer.
The value in utilising IDEA in this way has been positively acknowledged by the Head of Finance who is keen to build the necessary
skills within his team. We will be working closely with them during 2013 to achieve this (see developing IDEA above).
Controls | occasional | 2013/14 | n/a | high | R&D | n/a | yes
A key aspect of assurance and risk management is an understanding and measurement of the control environment, which is itself a
core responsibility of management. Although we were unable to focus as much attention in this area as we had planned due to the
commitments of the Transition Project, internal audit is committed to this work. Providing information and guidance on control is a
principal role for internal audit. An enhanced knowledge and quantification of control will improve its application, which in turn will
lead to a reduced risk exposure and an increase in assurance for both organisations.
We have already pulled together a body of knowledge to ensure we are able to offer best practice advice and guidance to both the
OPCC and the Force. The mechanisms to record and monitor controls, and the packages to provide training for managers to help
identify and report on the controls, are planned for 2013/14.
Integrated Assurance Framework | Apr 2012 – Oct 2012 | 02Oct2012 | n/a | high | R&D | advisory | yes
Internal audit have championed the development of an integrated assurance framework supported by an assurance mapping
mechanism. In essence, the framework will be designed to provide assurance on the effectiveness, efficiency and economy of
controls operated by the OPCC and the Force to mitigate key business risks identified in their respective corporate risk registers. It
is proposed that assurance activity will be aligned directly to risk registers. Risks covered by the framework will be those identified
as direct or indirect threats to the achievement of stated objectives set out primarily in the Police & Crime Plan, as well as the Chief
Constable’s business and policing plans that support its delivery.
Ad Hoc Requests for Advice and Consultancy | continuous | n/a | n/a | various | various | advisory | yes
Internal audit are frequently approached to give advice on matters of risk and control over a large range of activities. We are always
pleased to assist where we can and appreciate the trust placed in internal audit to give informed, independent and objective advice
on any assurance issue, to management in either organisation. However, some requests are more urgent or complex than others
and will consume more audit resource. Some examples during the year were:
• Use of fuel cards
• Year end stock-take
• Agency staff time recording
• National Police Air Service
• Firearms Inventory
• Seized and Found Property
• Annual Assurance and Governance Statements
• Carbon Reduction Commitment
• Tendering issues
• NFI pension overpayments
Audits provisionally planned but not delivered | n/a | n/a | n/a | n/a | n/a | n/a | n/a
Our audit plan for 2012/13 (as presented to Corporate Governance Committee in March 2012) contained a number of audit areas
which have not been covered during the year. These were areas identified by the Treasurer (who had statutory responsibility for
internal audit for the Police Authority) and agreed by Corporate Governance Committee as potential risks to 'business as usual' at
the beginning of the year. However, it was recognised at that time that a significant block of audit resource would be needed for the
Transition project. The developing priorities of the Transition project led to a rebalancing of this plan and some (but not all) aspects
of the 'business as usual' part of the plan were not completed. These are listed below:
CIS; STORM; Payroll turbulence resulting from Winsor review; Auto-enrolment (effective April 2013) & NEST; Implementation of
new insurer; and, Treasury Management (new system implementation).
Transition
Due diligence – Transition
Period: Mar 2012 / Jul 2012; Report issued: 02 Oct 2012; Audit Opinion: Good Standard; Complexity: high; Type: one-off; Service: assurance; Core Audit: partial
Internal audit worked closely with the Force and the Treasurer to co-ordinate a due diligence exercise in preparation for the
statutory transfer of assets and liabilities to the Police and Crime Commissioner on 22nd November. A checklist provided by
solicitors Field Fisher Waterhouse (FFW) was used to assemble supporting evidence on major asset groups, contracts, and
compliance with legal responsibilities to enable a broad assurance opinion to be reached for each area reviewed or to determine
where there was insufficient evidence to form such an opinion.
Generally, a high level of assurance can be given to the integrity of records relating to land and buildings and the vehicle fleet. We
did not secure sufficient assurance on IT assets and infrastructure, and in particular, disaster recovery and business continuity
arrangements to form a firm opinion.
The outsourced contract with Capita for IT facilities management is complex and laden with risk. Dependency on the effectiveness
and value for money of contractual arrangements with Capita is a very significant risk to the operational effectiveness of the Force.
Based on internal audit work during 2011/12 on works orders and re-charging arrangements between the Force and Capita we can
give only qualified assurance that IT risks are adequately managed. (Note: the contract for IT facilities management is to be
retendered in 2014.)
Good assurance can be given on recording and administration of contracts in place with the Police Authority at the point of transfer
to the PCC. The scope of the review did not however cover the effectiveness of contract management.
The FFW checklist also included a high level review of legal compliance in respect of environmental law and waste management,
Health & Safety, data protection and FOI, general legal compliance and insurance. We did not secure sufficient assurance
evidence in these areas to form a firm opinion; however, no particular concerns emerged. More assurance work is required.
There was insufficient evidence to form an opinion on intellectual property. However, this is not believed to be a major issue for a
protective service such as policing.
Development of the Joint Audit Committee
Period: Sep 2012 - to date; Report issued: n/a; Audit Opinion: n/a; Complexity: medium; Type: R&D; Service: advisory; Core Audit: yes
Internal audit made a significant contribution to the familiarisation and induction programme for new members of the Joint Audit
Committee both when working in shadow, and from 22nd November 2012 when responsibility for governance oversight was
transferred from the Authority’s Corporate Governance Committee. As with his predecessor, unfettered access has been
established with the Chair of the JAC, and regular informal meetings with the Head of Internal Audit take place when required to
discuss emergent risks and issues.
Joint Internal Audit Strategy and Charter
Period: Sep 2012 / Oct 2012; Report issued: Jan 2013; Audit Opinion: n/a; Complexity: medium; Type: R&D; Service: n/a; Core Audit: yes
In preparation for transition, an updated internal audit strategy and charter which reflected organisational restructure were
developed by the Head of Internal Audit. This is a joint internal audit strategy which applies to both the OPCC and Force as two
separate clients. The charter is a requirement of the new Public Sector Internal Audit Standards which came into effect on 1 April
2013.
Governance Framework
Period: ongoing; Report issued: various; Audit Opinion: n/a; Complexity: high; Type: R&D; Service: advisory; Core Audit: yes
Internal audit have worked in an advisory capacity to the OPCC in respect of key components of the governance framework.
The new risk management framework has resulted in the establishment of a joint corporate risk register and a joint risk review
group. By-products of these mechanisms still in development are: an integrated assurance framework; and, an enabled risk
management and action tracking process. Proposals for integration with the performance framework are under consideration by the
Joint Management Board.
Joint Anti-Fraud & Corruption Strategy
Period: Sep-12; Report issued: Oct 2012; Audit Opinion: n/a; Complexity: low; Type: routine; Service: advisory; Core Audit: yes
Internal audit play an active role in anti-fraud and corruption arrangements for the OPCC and Force. A new joint strategy was
developed in consultation with the Chief Financial Officers of the Force & OPCC (Section 151 Officers) and the Head of the
Professional Standards Department (PSD).
To supplement the strategy, a formal Memorandum of Understanding between internal audit and PSD has been maintained and
reissued to reflect the changes in the organisational structure of the OPCC and Force.
Quarterly meetings between the Treasurer, Head of Internal Audit, and the Head of Professional Standards take place to identify
any emergent fraud and corruption risks, or vulnerability to them. These meetings can result in internal audit or Professional
Standards investigations where appropriate.
The Head of Internal Audit co-ordinates the completion and submission of the annual fraud return to the Audit Commission on
behalf of the OPCC and Force. It is pleasing to note that a nil return was submitted for the year 2012/13.
Developing Joint Risk Management processes for the OPCC and Force
Period: continuous; Report issued: n/a; Audit Opinion: n/a; Complexity: high; Type: R&D; Service: advisory; Core Audit: yes
Throughout the year considerable audit time (in partnership with the Force Planning & Performance manager) has been provided
to:
• assure that legacy risks from the Police Authority had been appropriately carried forward post Transition;
• develop the mechanisms for a Joint Risk Register;
• consolidate the interim OPCC risk register, legacy registers and emerging risks into the current Joint Risk Register; and,
• facilitate joint workshops to finalise Uncertainties and to begin identifying Causes and the appropriate mitigating actions.
This is resource well spent, as robust and embedded risk management will directly assist a leaner, sharper, risk based audit
service.
Developing and maximising the use of Covalent
Period: continuous; Report issued: n/a; Audit Opinion: n/a; Complexity: high; Type: R&D; Service: advisory; Core Audit: partial
Significant development and underpinning continues to be achieved through the Risk Management Design Group (represented by
Internal Audit and senior Force Planning & Performance officers). Through the year we have:
• developed opportunities to track and report activity against national codes (e.g. SPR, CIPFA Good Governance);
• developed mechanisms to inter-link core actions, risks and PIs across multiple frameworks;
• continued to develop a robust, logical and controlled management of system access, permissions and report layouts;
• maintained sufficient knowledge of the product suite to signpost and support opportunities for a wider use;
• provided conceptual outlines of how system data can be reported;
• provided administrative support to a growing and diverse user population;
• acted as a local help desk (bespoke to how the product has been deployed here); and,
• endeavoured to keep abreast of the supplier's rolling programme of product enhancements.
NB - The system is highly definable, flexible and continues to evolve. To extract the maximum benefit both organisations should not
under-estimate the dedicated time needed. The current grace and favour arrangements are not sustainable.
Project Support - Transition
Period: continuous; Report issued: n/a; Audit Opinion: n/a; Complexity: low; Type: routine; Service: n/a; Core Audit: no
Significant audit time has been used by the Police Authority and the OPCC throughout the Transition Project (i.e. both pre and post
November 2012). This resource has been used to support and facilitate the recording, monitoring and reporting of risk and progress
of the project. This work is not audit related but draws upon skill sets of audit staff. This work continues to be required and therefore
has a negative impact on the resource available to deliver direct audit days.