Internal audit strategy

Report: 6
Date: 28 September 2000
By: Treasurer

Summary

The Appendix to this report is the draft Strategy for Internal Audit prepared by the Director of Internal Audit. It covers the role and responsibilities of Internal Audit and sets out the overall framework within which Internal Audit staff are expected to perform their duties. The Strategy also outlines the scope of Internal Audit work and standards and performance targets for Internal Audit staff. The Audit Panel is invited to endorse the Strategy, subject to review, as the framework for Internal Audit work.

A. Supporting information

Introduction

1. The Strategy for Internal Audit in the MPA has evolved over the last five years since the current Director of Internal Audit has held office. The attached Appendix 1, "The Strategy for Internal Audit in the MPS" also clarifies the statutory position for internal audit and sets out the overall responsibility of the Audit Panel and the Treasurer.

2. The Panel may be particularly interested in parts 3 and 4 of Appendix 1, which cover the Role and Purpose and the Strategic Aims of Internal Audit. Part 5 gives specific targets for achieving the strategy and also sets out the process for reporting the results of audit work.

3. Part 6 of Appendix 1 sets out the Director of Internal Audit’s Strategic Approach, highlighting the use of a risk-based methodology to determine priorities in the audit programme. The approach is based around a four-pronged service. About two-thirds of the work is a rolling programme of reviews of systems over a five year cycle (including BOCUs) coupled with providing audit advice on developing systems. About a third of the work is investigations into civil staff and contractors (the "Forensic Audit" service).

B. Recommendations

1. The Audit Panel endorses the Strategy for Internal Audit set out in Appendix 1.
2. The Strategy is approved for publication to all key stakeholders.

C. Financial implications

There are no financial implications.

D. Review arrangements

None.

E. Background papers

The following is a statutory list of background papers (under the Local Government Act 1972 S.100 D) which disclose facts or matters on which the report is based and which have been relied on to a material extent in preparing this report. They are available on request either to the contact officer listed below or to the Clerk to the Police Authority at the address indicated on the agenda.

F. Contact details

The author of this report is the Treasurer. The author of the Internal Audit Strategy paper is the Director of Internal Audit.

For information contact:

MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18

Appendix 1: The strategy for internal audit in the MPS

1. Introduction

1.1 This paper sets out the future strategy for Internal Audit over the next three to five years ahead. The strategy is intended to demonstrate how Internal Audit supports the overall aims and objectives of the Metropolitan Police Service (MPS).

2. The Metropolitan Police Authority role

2.1 The Metropolitan Police Authority is the relevant statutory authority under the Greater London Authority Act 1999 for the Metropolitan Police Service. In secondary legislation the Accounts and Audit Regulations 1996 (Statutory Instrument 590) charge the relevant statutory authority with responsibility for the provision of a system of internal audit. The Home Office Financial Code of Practice (1994) requires a police authority to form an audit committee chaired by a member of the authority (other than the chair) and operated as recommended by the 1992 Cadbury report.

Audit Panel
2.2 The Metropolitan Police Authority (MPA) has set up an Audit Panel consisting of four members of the MPA to discharge its responsibilities under the legislation and associated Code of Practice. The Treasurer has delegated authority from the MPA to ensure that there are adequate arrangements for the provision of internal audit and is the line manager of the Director of Internal Audit. The Treasurer, Deputy Commissioner, Director of Resources, Director of Finance and Director of Internal Audit attend the formal Audit Panel meetings.

3. The role and purpose of internal audit

3.1 Internal Audit is defined as "an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes." (The Institute of Internal Auditors, 1999).

3.2 Internal Audit assists both the Metropolitan Police Authority and the Commissioner in the discharge of their responsibilities for the policing of London.

3.3 Internal Audit is an agent for change for the better. As such Internal Audit advises on best practice and recommends improvements in control to help management reduce the risk of loss, error, fraud or abuse.

4. Strategic aims

4.1 Internal Audit will contribute to the Metropolitan Police Service objective of working for a safer London through professional audit reviews with effective recommendations for improving systems that support the policing of London.

4.2 Internal Audit will contribute to the Commissioner's objective of ensuring that systems are secure and safe against corruption through: evaluation of the adequacy and effectiveness of the corporate control framework; risk based reviews of all internal systems; advice on the adequacy and effectiveness of planned controls in new and developing systems; promulgation of best practice across the MPS; advice on the prevention and detection of fraud affecting the MPS and, investigation of waste or abuse within the systems that support the policing of London.

4.3 Internal Audit will support the Metropolitan Police Authority by providing the Treasurer and the Audit Panel with reports and analyses of the adequacy and effectiveness of internal control within the MPS.

4.4 Internal Audit will support the Treasurer and the Metropolitan Police Authority in the discharge of statutory functions in relation to audit and control. To this end the Director of Internal Audit will provide, at least annually, an assurance on the adequacy and effectiveness of internal control within the MPS.

4.5 Internal Audit staff and contractors will support the Metropolitan Police Service by ensuring that they conduct themselves professionally at all times in their role as representatives of the Metropolitan Police Authority.

4.6 Internal Audit will support the Best Value process both through application of published Audit Commission guidance for internal auditors and by ensuring that the Best Value principles are also applied to the work of the Internal Audit Directorate.

4.7 Internal Audit will help ensure the Metropolitan Police Service discharges its national responsibilities prudently and effectively through audit reviews of all systems and resources used by the MPS to support national Home Office policing objectives.

5. Targets to achieve strategic aims

5.1 (4.1) Reviews carried out will meet the standards set out in the Government Internal Audit Manual and the MPS Internal Audit Manual. The annual programme of work agreed by the Audit Panel will be carried out to these standards. Each team leader will ensure that their agreed programme of work meets these required standards. Assistant Directors will carry out post audit evaluations to ensure that standards have been met.

5.2 (4.1 continued) Unless the scope of work for the audit changes, work will be completed within the agreed time-scales. Where matters arise during the audit that require urgent or immediate action, an Emerging Findings Note will be prepared and issued in advance of the normal reporting process. The Emerging Findings Note must be cleared with the Director of Internal Audit. Except where agreed otherwise, discussion drafts will be issued within three weeks of completion of fieldwork and formal draft reports within one week of the discussion wash up meeting. Final reports will be issued within one week of receipt of an acceptable written reply to the formal draft report.

5.3 (4.1 continued) The Director of Internal Audit will issue post audit questionnaires to the senior line manager responsible for the audited system to establish, inter alia, their view of the effectiveness of recommendations made as a result of the audit. All audits will be followed up six months after the issue of the final report to ensure that accepted recommendations have been implemented and are working effectively.

5.4 (4.1 continued) The risk assessment used to update the Audit Needs Assessment will clearly show the link between the overall objectives of the MPS, the operational, business and financial risks associated with achieving the objectives and the associated need for internal audit work. Top MPS management and other relevant stakeholders will be consulted at regular intervals to ensure that the Audit Needs Assessment appropriately reflects the perceived operational, financial and business risks of the MPS.

5.5 (4.2) There will be an annual process to update the risk assessment and establish the priority systems for review in the following financial year. Where, during the course of audit, advisory or investigative work the need to promulgate examples of good practice occurs, Best Practice notes should be prepared and issued as soon as practicably possible. Best Practice notes and advice on the prevention and detection of fraud will pass through a quality assurance process firstly with senior audit management and secondly with appropriate senior management before issue. Planned control advice on new and developing systems must be risk assessed against other planned advice to determine priorities before any significant resources are committed.

5.6 (4.2 continued) Internal auditors, audit team leaders and senior audit management (including the Director of Internal Audit) must be appropriately professionally qualified and experienced as auditors. All qualified auditors and more senior audit grades must have at least three years internal audit experience. Appropriate professional qualifications for internal auditors are the PIIA or better of the Institute of Internal Auditors, the AAT, a professional accountancy qualification3 or a Masters degree that includes a substantial element of internal audit work. More senior audit grades must have the MIIA or professional accountancy qualification or Masters degree with a substantial element of internal audit work.

5.7 (4.2 continued) Investigations will be supervised or conducted by staff with either appropriate detective training/experience or other relevant fraud investigation experience of not less than three years. Investigators must have an up to date working knowledge of PACE and other relevant criminal law. They must also keep up to date with relevant Personnel policy and rules in relation to behaviour likely to constitute gross misconduct. Analytical work to support specific investigations must be carried out or supervised by a member of staff who has been trained as an Analyst. Proactive analytical research in to areas of potential fraud or abuse will be risk based in order to determine priorities. Any analytical work involving personal data must meet the requirements of the Data Protection Act except where separate arrangements have been agreed with the Data Protection Registrar.

5.8 (4.2 continued) The results of investigations will be recorded and for each investigation there will be a report signed by the investigator recommending the appropriate course of action to either the police or those responsible for discipline. The outcomes of investigations will be recorded and an assessment both of the quality of our investigation and the appropriateness of action taken on our reports will be made once each inquiry has concluded by an officer senior to the individuals who conducted the investigation or wrote the report.

5.9 (4.2 continued) Advisory work, including Internal Audit help-line responses and control advice on new and developing systems must be properly recorded and meet the standards set out in the Government Internal Audit Manual and our own Internal Audit Manual. Help-line requests must receive an initial response within 24 hours (even if this is to confirm that a full response will follow in due course). Any help-line response or request for advice requiring an audit opinion or recommendation must be authorised by an Assistant Director or above. Care must be taken to ensure that any opinion or recommendation is consistent with or updates any previous advice or audit reports covering the area or subject concerned.

5.10 (4.3) Any such reports or analyses requested must be provided promptly and accurately within the specified time-scales. All reports to the Metropolitan Police Authority and/or the Commissioner must be reviewed and authorised or issued by the Director of Internal Audit.

5.11 (4.4) The targets set out at 5.1 and 5.2 also apply here. Auditors will aim to complete all tasks within the specified time-scales. All staff have a responsibility to ensure that any statutory deadlines are met for work to be provided to either the Treasurer, external auditors, or, the Metropolitan Police Authority.

5.12 (4.5) All staff will conduct themselves in accordance with laid down guidance produced by the Metropolitan Police Service, the Metropolitan Police Authority, the Greater London Authority, professional standards or, internally by the Director of Internal Audit. Staff will familiarise themselves and ensure that they apply the leadership principles, the diversity strategy, MPS ethical guidance and the Code of Ethics of the Institute of Internal Auditors.

5.13 (4.6) Internal Audit draft annual plans will be prepared in liaison with those preparing the Best Value review programme so to minimise the risk of duplication of effort and where necessary to ensure that audit work supports the Best Value programme.

5.14 (4.6 continued) Appropriate benchmarking and performance information within Internal Audit will be promptly and accurately recorded, compared regularly with other appropriate audit departments and reported to the Audit Panel.

5.15 (4.7) The priority of work in this area will be determined in discussion with the relevant external stakeholders (e.g. Home Office Internal Audit and the NAO) and by risk comparison with the programme identified for systems supporting the MP A. All such work will be conducted in accordance with the Government Internal Audit Manual and only by staff with appropriate national security clearances.

6. Strategic approach

6.1 All internal audit work should be risk based (i.e. priorities determined on the basis of the risk to the Metropolitan Police Service if the work is not carried out). This is achieved by using a risk analysis to prepare an Audit Needs Assessment (ANA). The ANA will identify all systems within the service, determining their relative importance, the frequency with which each should be audited, the inherent and current risk of each system and the anticipated resources to audit that system. The ANA will also identify other review activity that might impact upon the required level of internal audit coverage.

6.2 The approach to achieve the strategy is based around the provision of four distinct types of internal audit service. These are: a core programme of systems audit reviews; reviews of specific operational units; advice on new and developing systems; and, a forensic internal audit service to advise on and investigate potential fraud and abuse.

Systems audit reviews
6.3 These reviews, based on the standards laid down in the Government Internal Audit Manual and the CIPFA Code of Practice, provide much of the evidence to support the Director of Internal Audit's opinion on the adequacy and effectiveness of internal control. This work is planned to ensure that every auditable system should be audited at least once every five years. Systems deemed to be at higher risk are audited more frequently over the five-year cycle.

Control advice for new and developing systems
6.4 This is a preventative activity designed to add value to the Metropolitan Police Service. Internal Audit expertise on control and best practice in systems is used to assist those responsible for developing systems and creating new systems. Advice given on specific projects is supplemented by general guidance either across the whole of MPS or to specific target audiences through the issue of internal audit Advice Notes.

Operational unit reviews
6.5 These reviews supplement the systems audit programme by evaluating the basic financial and computer controls at local command unit level. Such reviews are designed to cover all boroughs and specialist areas over a five-year cycle. This work is intended to achieve a number of specific objectives. Particularly: to provide local advice and support on control issues; to ensure that the deterrent effect of internal audit in preventing fraud or abuse is used to its full; to provide information to support systems audit reviews and; to provide a visible internal audit presence at the sharp end of the business.

Forensic internal audit service
6.6 Forensic internal auditing goes beyond the systems audit approach to investigate specific concerns. The role is mainly to detect fraud and abuse although those engaged in the work also provide their expertise to help prevent future fraud and abuse. Forensic internal auditing proactively reviews data and information about the business of the Metropolitan Police Service to detect potential fraud and abuse and reactively investigates matters drawn to our attention either through the Right Line, management or staff contact direct or, routine systems audit work. Investigations are designed to establish whether there is any criminality. If criminality is established, the case is handed to the appropriate police officer. If gross misconduct is discovered, the matter is referred to the appropriate personnel officer or line manager. If the allegation under investigation is not substantiated then the individual concerned is cleared by our report.

6.7 Forensic internal auditing not only helps to enforce the effectiveness of internal controls but also establishes whether there is evidence to substantiate the existence of a crime. This process frees up operational police resources from being involved in investigations within the MPS instead of policing the streets of London.

Other review activity (including Best Value reviews)
6.8 To operate effectively internal audit must take into account other review activity in the organisation. Some activity, such as data quality audits and security checks can supplement the overall audit opinion. The quality of local inspection and review activity can also help decide whether there is adequate and effective management supervision and control in an area under examination. Ethical audits and reviews of operational practice inform the audit opinion and can lead to an appropriate adjustment of internal audit priorities and amount of audit coverage.

6.9 Internal Audit operates in liaison with but independently of the inspection and review process at local and central units. Where appropriate, joint working or exchange of information or staff may take place. Internal Audit is neither a substitute for nor a duplication of inspection, review and other activity by local management to enable them to have adequate and effective control over the use of staff and other resources assigned to them. Internal Audit will however assist and advise local management and those engaged in local inspection and review activity where appropriate.

6.10 Central inspection and review functions, such as the Inspectorate and the Best Value review team, both help supplement the internal audit opinion and also represent areas where is important to ensure that there is mutual co-operation and agreement on priorities in programmes and reviews. This is not only to ensure that programmes of work do not overlap either in subject matter or timing, but also to ensure that the MPS as a whole has the optimal level of audit and review activity consistent with the needs of the organisation. It is the responsibility of the Director of Internal Audit to ensure that the Audit Needs Assessment is comprehensive and to determine where other review activity has reduced risk or reduced the current need for coverage by Internal Audit.

6.11 The Director of Internal Audit will take into account planned Best Value review work in determining Internal Audit priorities in the annual planning and medium term planning process. Work will be planned either to inform future Best Value reviews, to supplement Best Value reviews or to evaluate the adequacy and effectiveness of the Best Value review process. Internal Audit will not, however, carry out Best Value reviews, as this will compromise the independence of Internal Audit.

6.12 Wherever Internal Audit takes into account other review activity, whether internal or external, there is a need to assess the relevance, quality and adequacy of the other review activity before determining any change to planned internal audit coverage or programmed work. Any such changes must be put through the Treasurer to the Audit Panel for approval at the earliest opportunity.

Peter Tickner
Director of Internal Audit

Send an e-mail linking to this page

Feedback