Internal audit strategy

Report: 6
Date: 9 December 2002
By: Director of Internal Audit

Summary

This report highlights the changes that have been made to the Internal Audit Strategy to reflect the published Mission of the Authority.

A. Recommendations

1. Members approve the revised Internal Audit Strategy.

B. Supporting information

1. The paper attached at Appendix 1 sets out the future strategy for Internal Audit over the next three to five years. It demonstrates how Internal Audit supports the overall aims and objectives of the Authority and the Metropolitan Police Service while maintaining its professional standards.

2. I have amended the strategy to reflect the Authority’s recently published Mission. My key strategic aim now states ‘Internal Audit will support the Metropolitan Police Authority in its mission to secure an effective and fair police service by providing the Treasurer and the Audit Panel with reports and analyses of the adequacy and effectiveness of internal control within each area or system under review in the MPS. The Director of Internal Audit will provide, at least annually, an assurance on the degree of adequacy and effectiveness of internal control within the whole MPS. I have also emphasised our role in supporting the Treasurer and the Authority in the discharge of statutory functions in relation to audit and control.

3. The targets to achieve our strategic aims have also been amended to take account of the above changes to our strategic aims.

C. Equality and diversity implications

The strategy takes into account the equality and diversity legislation and policies of the MPA.

D. Financial implications

None at this stage.

E. Background papers

None

F. Contact details

Report author: Peter Tickner, Director of Internal Audit

For information contact:

MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18

Appendix 1

This appendix is also available as a PDF document (see Supporting material).

A1.0 Introduction

1.1. This document sets out the future strategy for Internal Audit over the next three to five years ahead. It is intended to demonstrate how Internal Audit supports the overall aims and objectives of the Metropolitan Police Authority and Metropolitan Police Service while maintaining its professional standards.

A2.0 The Metropolitan Police Authority

Role

2.1 The Metropolitan Police Authority is the relevant statutory authority under the Greater London Authority Act 1999 for the Metropolitan Police Service. In secondary legislation the Accounts and Audit Regulations 1996 (Statutory Instrument 590) charge the relevant statutory authority with responsibility for the provision of a system of internal audit. The Home Office Financial Code of Practice (1994) requires a police authority to form an audit committee chaired by a member of the authority (other than the chair) and operated as recommended by the 1992 Cadbury report.

Audit Panel

2.2 The Metropolitan Police Authority (MPA) has set up an Audit Panel consisting of five members of the MPA to discharge its responsibilities under the legislation and associated Code of Practice. The Treasurer has delegated authority from the MPA to ensure that there are adequate arrangements for the provision of internal audit and is the line manager of the Director of Internal Audit. The Treasurer, the Director of Resources, [1] the Head of Finance and the Director of Internal Audit attend the formal Audit Panel meetings, along with District Audit and any senior police representatives.

A3.0 The role and purpose of internal audit

3.1 Internal Audit is defined as "an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes." (The Institute of Internal Auditors, 1999)

3.2 Internal Audit assists both the Metropolitan Police Authority and the Commissioner in the discharge of their responsibilities for the policing of London.

3.3 Internal Audit is an agent for change for the better. As such Internal Audit advises on best practice and recommends improvements in control to help management reduce the risk of loss, error, fraud or abuse.

A4.0 Strategic aims

4.1 Internal Audit will support the Metropolitan Police Authority in its mission to secure an effective, efficient and fair police service by providing the Treasurer and the Audit Panel with reports and analyses of the adequacy and effectiveness of internal control within each area or system under review in the MPS. The Director of Internal Audit will provide, at least annually, an assurance on the degree of adequacy and effectiveness of internal control within the whole MPS.

4.2 Internal Audit will support the Treasurer and the Metropolitan Police Authority in the discharge of statutory functions in relation to audit and control. [2]

4.3 Internal Audit will contribute to the Metropolitan Police objective of working for a safer London through professional audit reviews with effective recommendations for improving systems that support the policing of London.

4.4 Internal Audit will assist the Commissioner in the discharge of financial responsibility delegated to him by the MPA and contribute to the objective of ensuring that systems are secure and safe against corruption through:

• evaluation of the adequacy and effectiveness of the corporate control framework;
• risk based reviews of all internal systems;
• advice on the adequacy and effectiveness of planned controls in new and developing systems;
• promulgation of best practice across the MPS;
• advice on the prevention and detection of fraud affecting the MPS and, investigation of waste or abuse within the systems that support the policing of London.

4.5 Internal Audit staff and contractors will support the Metropolitan Police by ensuring that they conduct themselves professionally at all times in their role as representatives of the Metropolitan Police Authority.

4.6 Internal Audit will support the Best Value process both through application of published Audit Commission guidance for internal auditors and by ensuring that the Best Value principles are also applied to the work of the Internal Audit Directorate.

4.7 Internal Audit will help ensure the Metropolitan Police Service discharges its national responsibilities prudently and effectively through audit reviews of all systems and resources used by the MPS to support national Home Office policing objectives.

A5.0 Targets to achieve strategic aims

5.1 (4.1) Any reports or analyses requested are provided promptly and accurately within the specified time-scales. All reports to the Metropolitan Police Authority and/or the Commissioner are reviewed and authorised or issued by the Director of Internal Audit.

5.2 (4.2) All staff will make themselves familiar with the published regulations of the MPA, particularly the Financial Regulations and the sections within the Financial Regulations that refer to Internal Audit. [3] The targets set out at 5.1 and 5.2 also apply here. Auditors aim to complete all tasks within the specified time-scales. All staff have a responsibility to ensure that any statutory deadlines are met for work to be provided to either the Treasurer, external auditors, or, the Metropolitan Police Authority.

5.3 (4.3) Reviews carried out meet the standards set out in published CIPFA Guidance for local authority auditing, the professional standards of the Institute of Internal Auditors and the MPA Internal Audit Manual. The annual programme of work agreed by the Audit Panel is carried out to these standards. Each team leader ensures that their agreed programme of work meets these required standards. Assistant Directors carry out post audit evaluations to ensure that standards have been met.

5.4 (4.3 continued) Unless the scope of work for the audit changes, work is completed within the agreed time-scales. Where matters arise during the audit that require urgent or immediate action, an Emerging Findings Note is prepared and issued in advance of the normal reporting process. The Emerging Findings Note must be cleared with the Director of Internal Audit. Except where agreed otherwise, discussion drafts are issued within three weeks of completion of fieldwork and formal draft reports within one week of the discussion wash up meeting. Final reports are issued within one week of receipt of an acceptable written reply to the formal draft report.

5.5 (4.3 continued) The Director of Internal Audit issues post audit questionnaires to the senior line manager responsible for the audited system to establish, inter alia, their view of the effectiveness of recommendations made as a result of the audit. All high-risk audits are followed up six months after the issue of the final report (medium/low risk are followed up within twelve months) to ensure that accepted recommendations have been implemented and are working effectively.

5.6 (4.4) The risk assessment used to update the Audit Needs Assessment clearly shows the link between the overall objectives of the MPA and the MPS, the operational, business and financial risks associated with achieving the objectives and the associated need for internal audit work. Top MPS management and other relevant stakeholders are consulted at regular intervals to ensure that the Audit Needs Assessment appropriately reflects the perceived operational, financial and business risks of the MPS.

5.7 (4.4 continued) There is an annual process to update the risk assessment and establish the priority systems for review in the following financial year. Where, during the course of audit, advisory or investigative work the need to promulgate examples of good practice occurs, Best Practice notes are prepared and issued as soon as practicably possible. Best Practice notes and advice on the prevention and detection of fraud pass through a quality assurance process firstly with senior audit management and secondly with appropriate senior management before issue. Planned control advice on new and developing systems is risk assessed against other planned advice to determine priorities before any significant resources are committed.

5.8 (4.4 continued) Internal auditors, audit team leaders and senior audit management (including the Director of Internal Audit) are appropriately professionally qualified and experienced as auditors. All qualified auditors and more senior audit grades have at least three years internal audit experience. Appropriate professional qualifications for internal auditors are the PIIA or better of the Institute of Internal Auditors, the AAT, a professional accountancy qualification [4] or a Masters degree that includes a substantial element of internal audit work. More senior audit grades have the MIIA or professional accountancy qualification or Masters degree with a substantial element of internal audit work. The Directorate is committed to continuing professional and personal development. Each member of staff is appraised annually, allocated an agreed personal development plan and given time for training. (Standard Job Descriptions for each grade have also been drawn up based on the IAD Strategy, Appendix A2 refers).

5.9 (4.4 continued) Investigations are supervised or conducted by staff with either appropriate detective training/experience or other relevant fraud investigation experience of not less than three years. Investigators have an up to date working knowledge of PACE and other relevant criminal law. They also keep up to date with relevant Personnel policy and rules in relation to behaviour likely to constitute gross misconduct. Analytical work to support specific investigations is carried out or supervised by a member of staff who has been trained as an Analyst. Proactive analytical research in to areas of potential fraud or abuse is risk based in order to determine priorities. Any analytical work involving personal data meets the requirements of the Data Protection Act except where separate arrangements have been agreed with the Information Commissioner.

5.10 (4.4 continued) The results of investigations are recorded and for each investigation there is a report signed by the investigator recommending the appropriate course of action to either the police or those responsible for discipline. The outcomes of investigations are recorded and an assessment both of the quality of our investigation and the appropriateness of action taken on our reports are made once each inquiry has concluded by an officer senior to the individuals who conducted the investigation or wrote the report.

5.11 (4.4 continued) Advisory work, including Internal Audit help-line responses and control advice on new and developing systems is properly recorded and meets the standards set out in our own Internal Audit Manual. Help-line requests receive an initial response within 24 hours (even if this is to confirm that a full response will follow in due course). Any help-line response or request for advice requiring an audit opinion or recommendation is authorised by an Assistant Director or above. Care is taken to ensure that any opinion or recommendation is consistent with or updates any previous advice or audit reports covering the area or subject concerned.

5.12 (4.5) All staff will conduct themselves in accordance with relevant laid down guidance produced by the Metropolitan Police Service, the Metropolitan Police Authority, the Greater London Authority, professional standards or, internally by the Director of Internal Audit. Staff will make themselves familiar with and ensure that they apply MPA published ethical guidance and diversity and equality policies as well as the Code of Ethics of the Institute of Internal Auditors. [5]

5.13 (4.6) Internal Audit draft annual plans are prepared in liaison with those preparing the Best Value review programme so to minimise the risk of duplication of effort and where necessary to ensure that audit work supports the Best Value programme.

5.14 (4.6 continued) Appropriate benchmarking and performance information within Internal Audit is promptly and accurately recorded, compared regularly with other appropriate audit departments and reported to the Audit Panel.

5.15 (4.7) The priority of work in this area is determined in discussion with the relevant external stakeholders (e.g. Home Office Internal Audit and the NAO) and by risk comparison with the programme identified for systems supporting the MPA. All such work is conducted in accordance with the Government Internal Audit Manual and only by staff with appropriate national security clearances.

A6.0 Strategic approach

6.1 All internal audit work is risk based (i.e. priorities determined on the basis of the risk to the Metropolitan Police Service if the work is not carried out). This is achieved by using a risk analysis to prepare an Audit Needs Assessment (ANA). The ANA identifies all systems within the service, determining their relative importance, the frequency with which each should be audited, the inherent and current risk of each system and the anticipated resources to audit that system. The ANA also identifies other review activity that might impact upon the required level of internal audit coverage.

6.2 The approach to achieve the strategy is based around the provision of four distinct types of internal audit service. These are: a core programme of systems audit reviews; reviews of specific operational units; advice on new and developing systems; and, a forensic internal audit service to advise on and investigate potential fraud and abuse. The Directorate is structured in line with the strategic approach, Appendix A3 refers.

6.3 Systems audit reviews. These reviews, based on the standards laid down in the Government Internal Audit Manual and the CIPFA Code of Practice, provide much of the evidence to support the Director of Internal Audit's opinion on the adequacy and effectiveness of internal control. This work is planned to ensure that every auditable system should be audited at least once every five years. Systems deemed to be at higher risk are audited more frequently over the five-year cycle.

6.4 Control advice for new and developing systems. This is a preventative activity designed to add value to the Metropolitan Police Service. Internal Audit expertise on control and best practice in systems is used to assist those responsible for developing systems and creating new systems. Advice given on specific projects is supplemented by general guidance either across the whole of MPS or to specific target audiences through the issue of internal audit Advice Notes.

6.5 Operational unit reviews. These reviews supplement the systems audit programme by evaluating the basic financial and computer controls at local command unit level. Such reviews are designed to cover all boroughs and specialist areas over a five-year cycle. This work is intended to achieve a number of specific objectives. It provides local advice and support on control issues; ensures that the deterrent effect of internal audit in preventing fraud or abuse is used to its full; provides information to support systems audit reviews and; provides a visible internal audit presence at the sharp end of the business.

6.6 Forensic Internal Audit service. Forensic internal auditing goes beyond the systems audit approach to investigate specific concerns. The role is mainly to detect fraud and abuse although those engaged in the work also provide their expertise to help prevent future fraud and abuse. Forensic internal auditing proactively reviews data and information about the business of the Metropolitan Police Service to detect potential fraud and abuse and reactively investigates matters drawn to our attention either through the Right Line, management or staff contact direct or, routine systems audit work. Investigations are designed to establish whether there is any criminality. If criminality is established, the case is handed to the appropriate police officer. If gross misconduct is discovered the matter is referred to the appropriate personnel officer or line manager. If the allegation under investigation is not substantiated then the individual concerned is cleared by our report. Occasionally either in sensitive cases or at the request of MPS or MPA management Forensic Audit investigators will also conduct formal interviews of civil staff as part of the disciplinary process.

6.7 Forensic internal auditing not only helps to enforce the effectiveness of internal controls but also establishes whether there is evidence to substantiate the existence of a crime. This process frees up operational police resources from being involved in investigations within the MPS instead of policing the streets of London.

6.8 Other review activity (including Best Value reviews). To operate effectively internal audit must take into account other review activity in the organisation. Some activity, such as data quality audits and security checks can supplement the overall audit opinion. The quality of local inspection and review activity can also help decide whether there is adequate and effective management supervision and control in an area under examination. Ethical audits and reviews of operational practice inform the audit opinion and can lead to an appropriate adjustment of internal audit priorities and amount of audit coverage.

6.9 Internal Audit operates in liaison with but independently of the inspection and review process at local and central units. Where appropriate, joint working or exchange of information or staff may take place. Internal Audit is not a substitute for nor a duplication of inspection, review and other activity by local management to enable them to have adequate and effective control over the use of staff and other resources assigned to them. Internal Audit however assists and advises local management and those engaged in local inspection and review activity where appropriate.

6.10 Central inspection and review functions, such as the Inspectorate and the Best Value review team, both help supplement the internal audit opinion and also represent areas where is important to ensure that there is mutual co-operation and agreement on priorities in programmes and reviews. This is not only to ensure that programmes of work do not overlap either in subject matter or timing, but also to ensure that the MPS as a whole has the optimal level of audit and review activity consistent with the needs of the organisation. It is the responsibility of the Director of Internal Audit to ensure that the Audit Needs Assessment is comprehensive and to determine where other review activity has reduced risk or reduced the current need for coverage by Internal Audit.

6.11 The Director of Internal Audit takes into account planned Best Value review work in determining Internal Audit priorities in the annual planning and medium term planning process. Work is planned to inform future Best Value reviews, to supplement Best Value reviews or to evaluate the adequacy and effectiveness of the Best Value review process. Internal Audit does not, however, carry out Best Value reviews, as this will compromise the independence of Internal Audit.

6.12 Wherever Internal Audit takes into account other review activity, whether internal or external, there is a need to assess the relevance, quality and adequacy of the other review activity before determining any change to planned internal audit coverage or programmed work. Any such changes are put through the Treasurer to the Audit Panel for approval at the earliest opportunity.

6.13 Any significant change of work affecting the approved Audit Plan will be reported at the earliest opportunity to the Chair of the Audit Panel who will decide whether the matter should be drawn to the attention of the Panel in advance of the next planned meeting.

Issued October 2002

Send an e-mail linking to this page

Feedback