Report 7 of the 26 Oct 2000 meeting of the Audit Panel, discussing the MPA's internal audit risk assessment.
Warning: This is archived material and may be out of date. The Metropolitan Police Authority has been replaced by the Mayor's Office for Policing and Crime (MOPC).
See the MOPC website for further information.
Internal audit strategy
Report: 7
Date: 28 September 2000
By: Director of Internal Audit
Summary
The annual Internal Audit programme of work is determined by a risk-based Audit Needs Assessment (ANA) that identifies the priorities for audit over the next five years. The ANA is updated annually and would normally be presented, along with the Annual Programme, to the Audit Panel prior to the beginning of the year. The Appendices to this report explain the risk analysis process and set out the summary Audit Needs Assessment and Annual Programme approved by the MPS Audit Committee in February 2000. The Audit Panel is invited to note the approach and raise any questions about the process. The Audit Panel is asked to endorse the Annual Plan for the remainder of 2000/2001 that was approved by the previous Audit Committee of the MPS.
A. Supporting information
Introduction
1. The Internal Audit Directorate has a well-developed methodology of risk assessment for determining its programme of systems audits. The appendices to this report have been prepared to describe the risk assessment process and the resulting audit programme that is being carried out in 2000/2001.
2. The Audit Needs Assessment (ANA) identifies all systems within the service, determining their relative importance, the frequency with which each should be audited, the inherent and current risk of each system and the anticipated resources to audit that system. Appendix 1 explains the risk analysis methodology used by the Internal Audit Directorate in detail. The latest version of the ANA summarising all the MPS systems to be reviewed over a five-year cycle is shown at Appendix 2.
3. The ANA is used to help determine the Internal Audit Annual Plan. A breakdown of planned audit activity for 2000/2001 (approved by the previous Audit Committee of the MPS) is at Appendix 3. This plan was based on the predicted resources available at April 2000. For the detailed programme of new systems for 2000/2001, see Appendix 4. Similar information will be provided to the Audit Panel at an appropriate future meeting to determine the internal audit programme for 2001/2002.
B. Recommendations
- The Audit Panel endorses the risk-based approach and Audit Needs Assessment.
- The Audit Panel endorses the 2000/2001 Annual Plan that was approved by the previous Audit Committee of the MPS.
C. Financial implications
There are no financial implications.
D. Review arrangements
The Audit Needs Assessment will be updated annually and presented to the Audit Panel for approval.
Progress against the Annual Plan will be reported at each Audit Panel Meeting.
E. Background papers
The following is a statutory list of background papers (under the Local Government Act 1972 S.100 D) which disclose facts or matters on which the report is based and which have been relied on to a material extent in preparing this report. They are available on request either to the contact officer listed below or to the Clerk to the Police Authority at the address indicated on the agenda.
F. Contact details
The author of this report is Peter Martin.
For information contact:
MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18
Introduction
The risk elements chosen are designed to give a balance between the influence of financial, operational and business risks. There are seven elements, some of which are physical measures and others judgmental opinions, each with a minimum score of 1 and a maximum score of 5 (where in practical terms 1 represents the lowest risk and 5 the highest risk). The results for each element on each system are added together and the total is expressed as a percentage of the maximum of 35. The result of this calculation determines the risk ranking score of each system relative to all other systems. Three of the elements relate to pure financial risk (the physical measures of expenditure, income and other funds affected); together with a fourth, expected quality of control, they make up the Financial Risk calculation. These elements, added to the sensitivity of the system/data and time since last audit, give the Business Risk calculation. The final element, a judgement of the impact on operational police objectives, combined with the sensitivity element, gives the Operational Risk. The sum of all seven elements is used to measure the current total risk of the system.
Inherent risk and current risk of systems
One of the seven elements is the time since the last audit. To establish the inherent risk of the system (as opposed to the current risk) this is ignored and each system is ranked against the other six elements. Where a system has been audited under the current systems audit approach, the follow-up audit will establish that there has been an improvement in control and will measure the degree of improvement. That result reduces the current system risk in two ways. First, the implementation of recommendations improves the quality of control, so the system reduces in risk. Second, the recent presence of Internal Audit focuses minds on control and improves the control environment. It is this element that moves a system down the risk ranking on current risk, although over time, as the system deteriorates or develops, the impact will lessen.
Thus we measure both the inherent risk and the current risk. The current risk is used to determine the annual plan of work, and the inherent risk determines the level of coverage of systems audit work over the next five years.
For current risk, high risk systems are determined as those that score between 25 and 35 out of 35 (70 per cent and above), medium risk 15 to 24 (42 per cent to 69 per cent) and low risk from 9 to 14 (30 to 41 per cent).
For inherent risk, high risk systems are determined as those that score between 20 and 30 out of 30 (60 per cent or more), medium risk 9 to 18 (40 to 59 per cent) and low risk from 3 to 8 (30 to 39 per cent).
Item (a) - Expenditure per annum
(scored on a scale of 1 to 5 where 1 = £0 to £1 million and 5 = above £45 million)
The calculation is banded to reflect the relative importance of the expenditure on the system in relation to other systems in the MPS. Actual figures are used where possible for the previous financial year. Figures are checked annually.
Item (b) - Income per annum
(scored on a scale of 1 to 5 where 1 = £0 to £0.2 million and 5 = above £9 million)
The calculation is banded to reflect the relative importance of income from the system in relation to other systems in the MPS. Income is weighted by a factor of 5 compared to expenditure because (1) it is at more risk pound for pound and (2) we always know what has been spent, but we only know what has been declared with income. Actual figures are used where possible for the previous financial year. Figures are checked annually.
Item (c) - Other funds affected
(scored on a scale of 1 to 5 where 1 = £0 to £10 million and 5 = above £450 million).
The calculation is banded to reflect the relative importance of the impact of the system on other systems in or managed by the MPS. This allows for systems that in themselves cost or earn little but which are critical to activities elsewhere to have that reflected in their financial risk element. Examples would be Treasury Management and parts of Command and Control. Actual figures are used where possible for the previous financial year. Figures are checked annually.
Item (d) - Sensitivity of system and/or data
(scored on a scale of 1 to 5 where 1 = no sensitivity and 5 = extreme sensitivity).
This is a judgement based on top management/senior management views coupled with the knowledge and experience of Internal Audit and other review bodies. It is designed to ensure that the greater risk to the MPS from more sensitive systems is reflected in the priority ranking of systems to be audited.
Item (e) - Time since last audit
(scored from 1 year = 1 to 5 years = 5).
The maximum time allowed is 5 years - on the grounds that any system that has not been audited within at least 5 years will be at its maximum risk of control decay. Conversely, if it has been audited since the new approach on my appointment, and the audit has been followed up effectively then we expect control to be at its relative best. No account is taken of interim audit health checks - the result of these is reflected in the next category - Item (f).
Item (f) - Expected quality of control
(scored on a scale of 1 to 5 where 1 = excellent control and 5 = non-existent).
This measures aspects of control that are inherent in the system or known from evidence since the last systems audit or from an interim health check. It also takes into account the known or suspected history of fraud or abuse of the system since the last audit.
Item (g) - Impact on operational objectives
(scored on a scale of 1 to 5 where 1 = no impact and 5 = critical impact).
This item adds an element into the calculation to allow for the nature of the activities of the MPS. Operational activities have varying degrees of relationship with the current objectives of the MPS. The Risk Analysis and Audit Needs Assessment needs to reflect the relative significance of operations in relation to MPS objectives, which are affected by the system being audited. It also needs to reflect the relative impact of the system on the operational activity concerned.
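The scoring arithmetic described in the Introduction and in the inherent/current risk paragraphs above, as an added Python example that is not part of the original report. The function names, dictionary keys and sample systems are assumptions constructed for illustration; totals that fall outside every range the report states are returned as "unbanded" rather than guessed.

```python
"""Added example: seven-element audit risk score (all names are assumptions)."""

ELEMENTS = ("expenditure", "income", "other_funds", "sensitivity",
            "time_since_audit", "control_quality", "operational_impact")

# Band edges as stated in the report; totals outside every range stay unbanded.
CURRENT_BANDS = {"high": (25, 35), "medium": (15, 24), "low": (9, 14)}
INHERENT_BANDS = {"high": (20, 30), "medium": (9, 18), "low": (3, 8)}


def band(total, bands):
    for name, (low, high) in bands.items():
        if low <= total <= high:
            return name
    return "unbanded"  # the report's ranges do not cover this total


def assess(scores):
    """Return composite risk figures for one system scored on items (a)-(g)."""
    if set(scores) != set(ELEMENTS):
        raise ValueError("exactly the seven elements (a)-(g) are required")
    for name, value in scores.items():
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5")
    # Financial Risk: items (a), (b), (c) plus expected quality of control (f).
    financial = sum(scores[k] for k in
                    ("expenditure", "income", "other_funds", "control_quality"))
    business = financial + scores["sensitivity"] + scores["time_since_audit"]
    operational = scores["operational_impact"] + scores["sensitivity"]
    current = sum(scores.values())                   # all seven, maximum 35
    inherent = current - scores["time_since_audit"]  # six elements, maximum 30
    return {
        "financial": financial, "business": business, "operational": operational,
        "current": current, "current_pct": round(100 * current / 35, 1),
        "current_band": band(current, CURRENT_BANDS),
        "inherent": inherent, "inherent_pct": round(100 * inherent / 30, 1),
        "inherent_band": band(inherent, INHERENT_BANDS),
    }


# Constructed sample systems, not taken from the report's Audit Needs Assessment.
SAMPLE_A = dict(zip(ELEMENTS, (5, 3, 4, 4, 5, 3, 4)))
SAMPLE_B = dict(zip(ELEMENTS, (2, 1, 1, 1, 1, 1, 1)))

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, assess(sample))
```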