Contents
Report 9 of the 08 April 2005 meeting of the Corporate Governance Committee and provides statements on internal control.
Warning: This is archived material and may be out of date. The Metropolitan Police Authority has been replaced by the Mayor's Office for Policing and Crime (MOPC).
See the MOPC website for further information.
Statements on internal control - interim report
Report: 9
Date: 08 April 2005
By: Treasurer and Commissioner
Summary
The Accounts and Audit Regulations, 2003 requirement for a “sound system of internal control and risk management” applies to the MPA as a public authority and, by extension, the Authority requires the MPS to have a sound system of internal control and risk management. These Regulations require the Authority and, by extension, the Authority requires the Commissioner to sign an annual Statement on Internal Control setting out details of the system of internal control and risk management, the key controls, and how effectively they are being deployed. This necessitates the deployment of an assurance process within the Service (and Authority).
A. Recommendation
That
- members oversee the development and deployment of the Service’s Statement on Internal Control;
- note that the Corporate Governance Committee has approved deployment option 2c at paragraph 10;
- note that a Statements on Internal Control Working Group has been set up to guide the assurance activity within the MPS, and that MPA Internal Audit are represented on the group; and
- note that a draft MPS Statement on Internal Control will be submitted to the Treasurer by 15 June to allow sufficient time for it to be reviewed prior to inclusion within the draft accounts.
B. Supporting information
Accounts and Audit Regulations, 2003
1. The Accounts and Audit Regulations, 2003 requirement for a “sound system of internal control and risk management” applies to the MPA as a public authority and, by extension, the Authority requires the MPS to have a sound system of internal control and risk management.
Statements on internal control
2. There is a statutory obligation on the MPA to publish a Statement on Internal Control (Statement) in the annual accounts setting out details of the MPA/MPS system of internal control and risk management, the key controls and how effectively they are being deployed. As the majority of the Metropolitan Police Service’s controls are deployed within the Service, the Authority requires the MPS to prepare its own Statement.
3. To give the Commissioner the confidence to sign off on a corporate MPS Statement he will require assurance that the Service has a sound system of internal control and risk management. This requires a simple sign-off process at B/OCU, Business Group and corporate levels, on an ‘exception reporting’ basis to avoid bureaucracy.
4. The CIPFA guidance on deploying a Statement process shows the process (represented visually at Figure 1) to be risk-based and therefore inherently non-bureaucratic, limited as it is to key controls to mitigate principal risks to achievement of principal objectives.
Figure 1 - see supporting material
Identifying key controls
5. How do we identify the key controls? There are two main approaches:
6. The simplest approach is to proceed on the basis of the key controls in the MPA’s interim Statement on Internal Control for 2003/04 (one of two Statements included in the CIPFA guidance as good practice).
7. A comparison of the key control areas listed in the MPA interim Statement on Internal Control for 2003/04 with the key control areas advocated by the Good Governance Standard for Public Services [1], the CIPFA/SOLACE Keystone for Community Governance Framework, and the contents of the MPS Corporate Governance Strategic Committee’s ‘Blueprint’ shows that:
- The majority of controls advocated by the good practice guidance are mirrored in both the 2003/04 Statement and CGSC Blueprint;
- Only the Blueprint and the Good Governance Standard covers management information controls;
- Only the CIPFA framework covers community focus controls.
8. The MPS could proceed on the basis of the MPA Statement key controls, enhanced by including controls in the areas of management information and community focus, and statutory obligations, with reasonable assurance that the key controls would have been covered.
9. A more robust approach would be to go through a structured process of identifying our principal objectives, principal risks, and key controls.
10. The principal objectives are our corporate control strategies and associated themes together with the legal obligations. We can identify the principal risks and key controls in one of three ways:
- Option 2a - Using the MPS risk registers (under development)
- Option 2b - Using specialist risk/control mapping process
- Option 2c - Hybrid approach not relying too heavily this year on an immature risk register process, and deploying a programme of risk/control mapping over a three year period.
11. The main benefits and disadvantages of each option are at Appendix 1.
12. For the 2004/05 year a transitional approach will be adopted based on the 2003/04 Statement with the key control areas enhanced on the basis of a review against the CIPFA guidance and the core principles set out in the new Good Governance Standard for Public Services. The key control areas identified are listed at Appendix 2. Each key control area will be signed off to provide the Commissioner with the confidence that the MPS corporate Statement is fit for purpose.
13. Corporate Governance Strategic Committee approved a recommendation from the Risk Management Programme Board (RMPB) to approve the adoption of Option 2c which:
- leverages the MPA best practice interim Statement whilst providing a broader and deeper response and minimising bureaucracy;
- makes appropriate use of our risk registers reflecting their maturity, supplemented by additional sources of assurance such as MPA Internal Audit, MPS Inspectorate, High Risk Self Reviews etc;
- enables the development of a more objective analysis of our key controls over a suitable period.
14. A three-year rolling programme of risk and control mapping will be deployed to strengthen the process, increase objectivity, and ensure an appropriate focus on the key controls as the process matures.
15. Corporate risk Management Group is procuring suitable software from existing budgets to facilitate the programme of risk and control mapping.
Developing the MPS Statement on internal control
16. Although for the current (2004/05) financial year it will be necessary to undertake the Statement compilation / assurance activity during a ‘concentrated’ period following preparation of the risk registers, in future years we will be able to develop a rolling programme of activity to ‘spread the load’ over the full 12 months.
17. The assurance activity will follow the process set out at Appendix 3 with CRMG collating lower-level Statements for each key control area and compiling the MPS Statement for signature by the Commissioner.
18. The timeline for developing the 2004/05 Statement is as follows:
- MPS to submit first draft MPS Statement to Treasurer by 15 June (Statement relating to MPS’s own key controls to same deadline);
- Draft set of accounts to Finance Committee on 18 July;
- Full Authority to sign off Statement on 29 July.
C. Race and equality impact
None provided
D. Financial implications
None provided
E. Background papers
None.
F. Contact details
Report author: Nick Chown, Director of Risk Management, MPS.
For information contact:
MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18
Appendix 1
Statement on internal control deployment options main benefits and disadvantages
Option 1 – Proceed on basis of key controls in 2003/04 Statement
| Benefits | Disadvantages |
|---|---|
| Involves a minimum of administration | Presupposes that the controls listed in the interim Statement are the only key controls |
| And thus keeps the cost in terms of management time to a minimum | Provides a minimum of assurance that the MPS has a sound system of internal control and risk management |
Option 2a – Proceed on basis of key controls from risk registers
| Benefits | Disadvantages |
|---|---|
| Whilst more labour intensive than Option 1, leverages risk registers already being deployed and thus involves less extra work than 2b or 2c | It would be inappropriate to rely too much on the first set of risk registers to be developed by the Service |
| Although providing improved assurance than Option 1, still fails to take advantage of the benefits of using specialist risk/control mapping |
Option 2b – Identify key controls using risk and control mapping
| Benefits | Disadvantages |
|---|---|
| Potential benefits of being able to concentrate on deploying controls that maximise reduction in risk exposure | Requires a half day workshop involving relevant ‘key players’ for each principal objective |
| Potential benefits of identifying redundant or ineffective controls | |
| Leverages risk registers |
Option 2c - Hybrid approach utilising risk registers and deploying a three year risk and control mapping programme
| Benefits | Disadvantages |
|---|---|
| Potential benefits of focusing on deploying controls that maximise reduction in risk exposure | Requires a half day workshop involving relevant ‘key players’ for each principal objective |
| Potential benefits of identifying redundant or ineffective controls | |
| Can be undertaken over a period of time of our choosing | |
| Leverages risk registers |
Appendix 2
Statement on internal control - key control areas
Key Control Area
- Embedding effective Corporate Governance arrangements
- Performance - establishing and monitoring the achievement of objectives to ensure that high quality services are delivered efficiently and effectively
- Facilitating effective strategy, policy and decision-making
- Ensuring compliance with statutory obligations, laws, regulations, guidance and established policies and procedures
- Identifying, assessing and managing the key risks to the Service’s objectives
- The economical, effective, efficient and safe use of resources (financial, human, other) to ensure delivery of quality services
- Securing continuous improvement in the way in which functions are exercised
- Ensuring effective corporate financial management and the reporting of financial management
- Ensuring availability, integrity and security of information – information to be relevant, accurate, up to date, timely, reliable and secure
- Working for and with the community to promote the well being of the community exercising leadership as necessary
- Defining, communicating and monitoring professional standards expected of all personnel
- Defining, communicating and monitoring standards of performance expected of all personnel
Footnotes
1. Developed by the Independent Commission on Good Governance in Public Services chaired by Sir Alan Langlands and of which Sir Ian Blair was a member. [Back]
Supporting material
- Figure 1 [PDF]
Internal Audit plan for April 2005 to March 2006 - Appendix 3 [PDF]
Review of statement on internal control assurance gathering process
Send an e-mail linking to this page
Feedback