Warning: This is archived material and may be out of date. The Metropolitan Police Authority has been replaced by the Mayor's Office for Policing and Crime (MOPC).

See the MOPC website for further information.

Internal audit progress report

Report: 4
Date: 8 February 2001
By: Director of Internal Audit

Summary

This report sets out progress with the agreed programme of work, staffing and budget of Internal Audit from 3 July 2000 to 31 January 2001.

A. Recommendation

The Audit Panel notes and endorses the progress to date with the programme of Internal Audit work for 2000/2001.

B. Supporting information

Audit programme

1. The current internal audit programme of work commenced on 1 April 2000. At the time of the last Audit Panel meeting, I reported that owing to staff shortages we needed to increase the use of contractors if we were to achieve the programme. Additional work has now gone to our contractors and arrangements are also well in hand to fill some key vacancies in Internal Audit. On the year to date this leaves me short of the planned number of available audit days. However, through improved performance we are likely to achieve 75 per cent of the current programme by the end of the financial year, 10 per cent better than the last financial year. Work carried forward from the previous year is generally complete and of the sixty-one planned new systems audits forty-seven will be undertaken and fourteen postponed, four at management request, four to avoid other review clashes and six through lack of available resources.

2. Appendix 1 to this report summarises brief details about those audits in the 2000/2001 programme where we have issued an agreed final report to line management. All our high-risk recommendations have been accepted.

3. Appendix 1 includes details of three follow-up audits where we have now issued a final report. Only 26 per cent of the high-risk recommendations accepted at the time of the original report for these audits have been fully implemented, although about 18 months has passed since their issue to line management. However, line management in these areas have given assurances that they are making progress with our recommendations.

Stakeholder assessments of internal audit

4. In the last few months we have made good inroads into the audit programme and produced a number of audits that have been particularly valued by the auditees. (One line manager rated our audit of the security of MPS buildings 10 out of 10 on overall value and the other line manager concerned gave it 9 out of 10. Other audits have also been receiving good assessments on their value to MPS managers.) One audit, that of premises licensing, received the following comment from Superintendent Jauch in his memo to Assistant Commissioner Johnston:

"The object of the attached audit report is to ensure that the financial and other arrangements involved in the licensing process are beyond reproach, and I should say at the outset that I have found their work to be both thorough and very useful."

5. District Audit carried out a preliminary review of the way we work and examined some of our recent reports. I am pleased to note that their initial assessment is clearly favourable (while rightly pointing to a few areas where we can further improve). On the quality of our work District Audit's lead Audit Manager has noted:

"It is clear that internal audit work is of the type of quality we would be able to rely on and I intend to work with internal audit to implement a strategy that will allow us to move to a managed audit approach over a period of time."

6. District Audit have also said:

"It is pleasing to note that internal audit are prepared to outsource work where specific expertise is needed and to test the market from time to time by using alternative suppliers."

Strategic approach – key achievements by activity

Systems audits and audits of command units

7. We have identified a number of areas where controls can be significantly strengthened and in the process have as a by-product identified potential savings and instances of failure to recover monies or costs that have been drawn to the attention of appropriate line managers.

8. As a result of our report recommendations on Translators and Interpreters an MPS working group was set up that has now put forward options that will result in savings of at least £400,000 per annum to the MPA.

9. Our review of arrangements for Police and Civil staff outside the UK has identified at least £460,000 that had not been recovered from outside organisations.

10. Assistance to staff at BOCUs has featured in our activities, particularly dealing with problems in property stores and difficulties in reconciling and accounting for imprests.

11. To help improve controls over Police Overtime at local units we issued an Advice Note to the MPS during our audit setting out the key issues BOCU/OCU Commanders and Finance Managers needed to address.

Audit advice on new and developing systems

12. A brief summary of each area where we are offering advice is set out in Appendix 2. Currently we are involved in supporting the Best Value team and the Combating Bureaucracy project. During the year, we have also actively assisted the [Police Officers] Incidental Expenses Working Group and the Covert Accounts group to draw up new and stronger procedures. We have also helped the revitalised Crime Property working group and have representatives providing audit advice on a number of major IS and IT projects.

13. Our expertise in supporting the Combating Bureaucracy team has led to my staff being inundated with requests for help and advice. We have actively helped in streamlining processes.

14. Reviews of IS and IT related activities have led to our support to a number of major projects, including Capita's planned introduction of a new payroll system, the HR Project and the PRISM project. In addition, we have been reviewing the controls over access and related matters for the OTIS network in conjunction with DoI and SEMA in the light of a number of system administration irregularities.

Forensic audit investigations and related work

15. Fifty-two investigations have been started since 1 April 2000, in addition to ongoing cases. This is consistent with our level of work over the previous two years. Twenty-three of this year's cases are now complete and twenty-seven are actively under investigation.

16. As a direct result of these investigations four staff have been suspended, three arrested on our evidence (one charged) and one has resigned. We also cleared one individual. Changes have also been made to contracts with two suppliers resulting in on-going savings of £175,000 per annum. We have further identified a potential recovery from one contract of £300,000 for past overpayments.

17. Significant work includes more cases related to assistance at property stores, several cases involving access and administration of computer systems, a catering contract and arrangements for police dog care.

18. Work on the award of the Transport Repair and Maintenance contract is ongoing. Our remaining Transport related work is now being completed following the recent publication of Venson's delayed 1999 accounts.

Current staffing

Recruitment

19. Although we are having difficulties at the auditor and forensic auditor basic grades, we have made good progress elsewhere. Current staff numbers (31 out of 43 posts) match the highest in year (following recent recruitment exercises) although we have not been able to reduce the overall level of vacancies. Our current position on recruitment is set out below.

Assistant Director (Systems Audits) - I am pleased to report that Surinder Purewal has accepted our offer to fill this post that became vacant after an internal promotion. Surinder is a qualified accountant and experienced internal auditor and manager, as well as until recently a magistrate and prison visitor. He was rewarded with the MBE last July for services to his community.

Assistant Director (Forensic Audits) - Following retirement of the previous post holder, we have received a number of good applications for the post. At the time of writing this paper, five candidates had been shortlisted for interview in the first week of February.

Audit Team Leader - With the recruitment of a team leader from the Home Office, we now have a full complement at this level.

Auditor - One new member of staff has been recruited, although we still have five vacancies out of twelve posts. We are addressing this through an expanded trainee scheme and seeking temporary staff from agencies.

Internal audit budget

20. The majority of our controllable budget is for staff and contractor costs. Together with other non-pay costs our budget for the first 9 months of the financial year was £992,414, actual spend (including invoiced commitments) £868,687 – an underspend of £123,727. *Allowing for the heavier last quarter use of contractors to support the audit effort and the recharging of advertising costs previously met by the MPS I expect the final outturn to show a spend of £1,291,000, a net underspend of £4,000.

[*figures reported by the MPS to the Finance Planning and Best Value Committee on 22 January showing an underspend of £326,000 do not include our known commitments to December, nor do they include £94,000 of goods and services already received and paid for but not yet recharged to Internal Audit.]

Future developments within internal audit

21. As part of our ongoing Business Excellence programme, we are developing a communication strategy to develop and improve our relationships with key internal and external stakeholders.

22. We will be working closely with MPS Inspectorate in a series of joint reviews of Borough Command Units. MPS Inspectorate will address performance related issues and Internal Audit will review financial and computer systems.

23. We are introducing a more robust performance management framework following a review carried out by PwC for us. We have also developed in-house a system on a database to track the progress of ongoing audit and investigative work that will be tested during the next two months before going live in April.

24. Our pilot internal training scheme saw the first two candidates pass all their audit examinations at the first attempt. We plan to start a second scheme for 2001 and the future.

C. Financial implications

There is likely to be an underspend of around £50,000 on the Internal Audit budget.

D. Review arrangements

Progress will be reviewed at the next Audit Panel.

E. Background papers

None.

F. Contact details

The author of this report is Peter Tickner, Director of Internal Audit.

For information contact:

MPA general: 020 7202 0202
Media enquiries: 020 7202 0217/18

Appendix 1: Report on internal audit activities as at end of January 2000/01

Glossary of terms

Audit reports are issued to management at various stages of the audit; these are summarised as follows:

Draft issued for discussion - at the end of our fieldwork, we issue a draft report to management for discussion. We then hold a meeting to clarify any points that are raised before issuing the formal draft.

Formal draft report - once the report has been discussed with the auditee the formal draft is issued together with a request for a formal response within three weeks.

Final report - when a response is received from the auditee it is incorporated in the report and the final report is issued.

Each audit also has a summary of the main findings and an analysis of the recommendations made. Recommendations are classified as 'high', 'medium' or 'low' risk. Any high risk recommendations rejected by line management are raised with the policy board member responsible and if necessary the Audit Panel.

Systems audits

Final reports

Ethics and accountability

  • Draft Report issued June 1999
  • Final Report issued August 2000

Summary of findings

The review found many examples of good practice and new initiatives; however, the framework of control needs strengthening. Currently there is no specific strategy to guide the MPS's overall approach to the issue of ethics and associated accountability. Work on various aspects of ethical behaviour and accountability is being done in different parts of the Service leading to the lack of a corporate approach. The monitoring and review processes need to be developed to enable the service to evaluate the policies being introduced.

Analysis of recommendations

Management accepted all 10 of the recommendations made:

  • 3 high risk
  • 4 medium risk
  • 3 low risk

Write-offs, losses and special payments

  • Draft Report issued April 2000
  • Final Report issued August 2000

Summary of findings

Overall, control is generally adequate in this area. We identified some minor weaknesses in the systems for dealing with write-offs, losses and special payments. These relate to the procedures for identification and prevention of recurrence of a loss.

Analysis of recommendations

Management accepted 6 of the 8 recommendations made:

  • 7 medium risk (5 accepted, 2 not accepted)
  • 1 low risk (1 accepted)

Police and civil staff support outside the UK

  • Draft Report issued April 2000
  • Final Report issued August 2000

Summary of findings

Controls in place for evaluating and approving police and civil staff support to forces and organisations outside the UK and for recovering all monies due to the MPS are not effective. In particular, inadequate controls are in place to ensure that the MPS recovers all the income that is due for services that are provided. There are discrepancies between the information held by the Personnel and Finance Directorates and as a result we estimate that £460,000 of income has not been reclaimed. In addition, the criteria for evaluating and approving requests for support are unclear and there are no laid down guidelines for agreeing and authorising terms and conditions of support arranged locally.

Analysis of recommendations

Management accepted 33 of the 35 recommendations made:

  • 11 high risk (11 accepted)
  • 24 medium risk (22 accepted)

Business continuity and recovery procedures

  • Draft report issued February 2000
  • Final report issued August 2000

Summary of findings

There is a lack of assurance that the MPS possesses adequate arrangements for business continuity and disaster recovery for all critical processes and functions. There was a well structured and controlled approach to preparing the MPS business processes for potential disruption during the Millennium celebrations, especially with respect to Command & Control and the 999 Call Centre functions. However, there is no MPS-wide recovery strategy in place to address the needs of the organisation as a whole. Several major MPS applications do not currently have formal recovery plans. A number of key operational processes which are classified as being either "Essential" or "High Priority" have dependencies on computer systems which are not protected by viable Business Continuity or Disaster Recovery plans.

Outsourcing technology service provision to a number of external suppliers has led to responsibility for contingency arrangements resting with third parties but there is uncertainty about the role and responsibilities the suppliers of outsourced services are expected to fulfil.

Analysis of recommendations

Management accepted all 5 recommendations made:

  • 3 high risk
  • 2 medium risk

Security of computer operating systems

  • Draft report issued March 2000
  • Final report issued August 2000

Summary of findings

Adequate systems have been established for securing and controlling operating systems. Operating systems are for the most part organised and managed in accordance with an overall framework of documented procedures and controls. However, there are significant weaknesses, both across the board and specific to each system. Effective monitoring of systems activity and accesses, use of audit trails, security of back-up and recovery procedures and business continuity planning are required to ensure security of key MPS systems.

Analysis of recommendations

Management accepted all 18 recommendations made:

  • 10 high risk
  • 7 medium risk
  • 1 low risk

IT security, access and usage

  • Draft report issued April 2000
  • Final report issued August 2000

Summary of findings

Management are in the process of establishing effective systems for the purposes of controlling access to, and usage of, MPS IT applications and are currently considering the service-wide implications of the commitment to comply with the ACPO Information Systems Community Security Policy. However, there are weaknesses that may be common to many existing MPS systems and must be addressed to improve MPS systems security. MPS must ensure that security policies and procedures are consistently followed at user/OCU levels, prescribed Security Operating Procedures (SOPs) are in place and applied consistently, passwords are properly used and controlled, audit trails exist and are monitored and that any security incidents or exceptions are properly reported and followed up.

There is a need to measure the impact of recent developments, such as the outsourcing of IT services, the move towards borough-based policing and the introduction of the Protective Marking System. This process will ensure that there is appropriate risk assessment, management and mitigation in place. MPS is considering the introduction of an information strategy to facilitate the achievement of security objectives.

Analysis of recommendations

Management accepted all 13 recommendations made:

  • 6 high risk
  • 7 medium risk

Security and controls over voice & radio communications

  • Draft report issued June 2000
  • Final report issued August 2000

Summary of findings

Overall, we found the control processes supporting Radio and Voice communications to be adequate. However, there are a number of key management processes that are not formally documented and are not subject to a satisfactory level of control. We are also concerned that there should be significant improvements in the effectiveness of security monitoring to ensure that weaknesses and possible breaches of security are identified quickly.

Analysis of recommendations

Management accepted all 23 recommendations made:

  • 6 high risk
  • 16 medium risk
  • 1 low risk

External & internal data communications

  • Draft report issued March 2000
  • Final report issued September 2000

Summary of findings

Overall, we found the security and control processes supporting Internal and External communications to be weak. There is a lack of definitive knowledge of the infrastructure and weaknesses in management of change and configuration management processes. There is a high risk that security incidents in the MPS networks will not be detected and there are insufficient preventative measures in place.

Analysis of recommendations

Management accepted all 12 recommendations made:

  • 9 high risk
  • 3 medium risk

CRIS

  • Draft report issued August 2000
  • Final report issued September 2000

Summary of findings

The current CRIS system meets the business needs of the MPS for recording all crimes notified to the MPS. However, the technology used to deliver the CRIS computer system is obsolete and the planned 'refresh system' represents a high-risk strategy as it is based on a new and emerging technology and constrained by a timetable of less than two years. With regard to the existing system, the principal concerns noted in the audit report are weaknesses in system and data security.

Analysis of recommendations

Management accepted all 16 recommendations made:

  • 8 high risk
  • 8 medium risk

Audit of IS strategy

  • Draft report issued April 2000
  • Final report issued December 2000

Summary of findings

The processes for formulating the MPS IS strategy and for ensuring that the IS Strategy reflects MPS corporate objectives and priorities require improvement. There are also no formal procedures to measure and monitor progress or to report to top management on delivery of the IS strategy. The appointment of the Director of Information and the setting up of the Information Programme Board to co-ordinate implementation of the strategic approach are indicative of progress being made.

Analysis of recommendations

Management accepted all 13 recommendations made:

  • 11 high risk
  • 1 medium risk
  • 1 low risk

Building security

  • Draft report issued August 2000
  • Final report issued November 2000

Summary of findings

The control framework in place for building security is not fully effective. Considerable effort has been put into documenting security procedures, yet key building security inspections are not taking place. We found a number of lapses in security during our review. Risk assessments also need to be carried out more effectively and the role of security officers clearly defined and assigned.

Analysis of recommendations

Management accepted 40 of the 42 recommendations made:

  • 10 high risk (10 accepted)
  • 32 medium risk (30 accepted)

Civil staff allowances and expenses

  • Draft report issued September 2000
  • Final report issued December 2000

Summary of findings

The control framework over civil staff allowances and expenses is not adequate. Checks on counter-signatories are not carried out, evidence to support claims is generally not being held and ineffective controls are operating for the monitoring and reconciliation of expenditure.

Analysis of recommendations

Management accepted 18 of the 21 recommendations made:

  • 16 medium risk (15 accepted)
  • 5 low risk (3 accepted)

Imprest account control

  • Draft report issued July 2000
  • Final report issued December 2000

Summary of findings

Our overall opinion is that the control framework in place for the administration and management of permanent imprest accounts is not fully effective. Effective controls are not in place for the approval and allocation of funds and the returns for reimbursement are not always properly completed.

Analysis of recommendations

Management accepted 14 of the 17 recommendations made:

  • 17 medium risk

Premises licensing

  • Draft report issued August 2000
  • Final report issued December 2000

Summary of findings

The control framework for the receipting, processing, and recording of applications for premises licensing, and for communicating the decisions made, is not fully effective. We cannot give an assurance that all applications for premises licences received are processed promptly, accurately and securely. A significant number of applications are not being recorded. At a number of BOCUs visited, fees received in relation to Special Order of Exemptions did not always go directly to the Finance Unit and Special Order of Exemption certificates are not treated as controlled stationery.

Analysis of recommendations

Management accepted 27 of the 29 recommendations made:

  • 4 high risk (4 accepted)
  • 18 medium risk (18 accepted)
  • 7 low risk (5 accepted)

Police payroll - allowances and expenses

  • Draft report issued July 2000
  • Final report issued January 2001

Summary of findings

The control framework in place for the authorisation and payment of police allowances and expenses is not fully effective. There are inadequate controls over the authorisation and legitimacy of claims, and over the accuracy of payments made. There is also a lack of supporting documentation to substantiate claims.

Analysis of recommendations

Management accepted 19 of the 21 recommendations made:

  • 3 high risk (3 accepted)
  • 10 medium risk (9 accepted)
  • 8 low risk (7 accepted)

Resourcing and management of specials

  • Draft report issued October 2000
  • Final report issued January 2001

Summary of findings

Our main issues are around setting objectives, planning and monitoring performance of Specials. There is a lack of a co-ordinated approach and maximum use is not being made of the resources available.

Analysis of recommendations

Management accepted 25 of the 26 recommendations made:

  • 22 medium risk (21 accepted)
  • 4 low risk (4 accepted)

Follow-up audits

Control of debtors follow-up

  • Draft report issued October 2000
  • Final report issued December 2000

Analysis of recommendations

26 recommendations were accepted in the original report issued in July 1999.

  • 5 high risk (1 implemented, 2 partly implemented, 1 not implemented and 1 no longer applicable)
  • 21 medium risk (7 implemented, 2 partly implemented, 12 not implemented)

Progress is now being made to implement those recommendations that were outstanding at the time of our follow-up.

ID suites follow-up

  • Draft report issued October 2000
  • Final report issued January 2001

Analysis of recommendations

49 recommendations were accepted in the original report issued in June 1999.

  • 36 high risk (9 implemented, 9 partly implemented, 18 not implemented)
  • 13 medium risk (3 implemented, 10 not implemented)

The new management of this function is now making an impact in implementing our recommendations made as a result of the follow-up.

Uniform services follow-up

  • Draft report issued September 2000
  • Final report issued January 2001

Analysis of recommendations

28 recommendations were accepted in the original report issued in January 1999.

  • 21 high risk (6 implemented, 2 partly implemented, 2 no longer applicable, 11 not implemented)
  • 5 medium risk (3 implemented, 1 partly implemented, 1 not implemented)
  • 2 low risk (2 implemented)

Uniform Services senior management are addressing the issues raised as a result of our follow-up report and progress is being made in implementing our recommendations.

Appendix 2: Systems development & control advice

Best value

We attended the Best Value Programming Board for the earlier part of the year. Following a restructure of the approach to managing Best Value in the MPA and MPS we are now a member of the Best Value Co-ordination Group, set up to support the Best Value reviews. This year to date we have reviewed the Project Initiation Documents for the Crime and Consultation Best Value reviews and have contributed to the risk register drawn up for the Best Value process. We have also advised the Best Value Core Team and Project Teams on audit trails.

Combating bureaucracy

We have been providing on-going support to the Combating Bureaucracy Team, which has been set up by the Commissioner. The Team are looking at ways to streamline processes and increase efficiency. We aim to ensure that the control framework is not compromised when changes to systems are made. Our work has been much appreciated in this area by members of the MPS Management Board.

National fraud initiative

We have the MPS lead for participation in this nation-wide fraud prevention and detection strategy and we have also been designated the liaison point between MPS colleagues, the Audit Commission and other participants. MPS payroll and pensions data was provided to the NFI for the first time in October for data matching. We expect to receive and begin analysis of the output by the end of January.

Incidental expenses working group

We attend the working group, which is chaired by a Commander. The group was set up to discuss the recommendations made by Internal Audit and to decide the way forward. The terms of reference for the group are to devise a transparent, adequately controlled, corporate system that meets both organisational and individual needs.

Covert accounts working group

This group has been set up to progress the implementation of the recommendations made as a result of our review of Covert Accounts. The work of this group is near completion. A new Covert Finance Unit has been established to improve the financial systems that are now in place.

Crime related property

A working group has been set up to progress the implementation of recommendations made in our final report issued in March 1999. Another working group has now been set up to discuss proposals for a new crime property computer system. We attend both groups and provide advice on the control issues that arise.

MPS IT security and security policy

The Director of Information has inaugurated and will chair the Audit and Benefits Management Sub Group (reporting to the Information Management Steering Group) tasked with considering implementation of the recommendations made in recent IS internal audit reports. The board meets for the first time in February and will include a representative from Internal Audit. We also provide advice and support to PRS2(2) on security issues, particularly in relation to information systems and new technology. We comment on drafts of MetSEC policies and proposed MetSEC Standards at the request of PRS2(2) and attend the Infrastructure Security Project Steering Group meetings chaired by DAC Clark.

MPS corporate personnel system – the PRISM (formerly HRIS) project

We are attending the PRISM Project Board as designated advisors. We have provided a team of experts to comment on control aspects of PRISM modules for the Personnel core product, Duties Management, Overtime and the PRISM to Payroll interface. We have also been consulted on the project management methodology and processes and system testing. There is a significant commitment by internal audit to this project.

MPS corporate payroll system - Cyborg

We attend the Cyborg Implementation meetings and also discuss issues and developments with the Payroll Client Unit. We have commented on aspects of the project at each stage including the detailed test plans, the test results, the Capita implementation plans and MPS control of the project.

MPS disposal of assets project

We attend the Project Board and advised the project team on the procedures for disposal of assets and on security of information. We are also advising the IS Client on controls in the permanent arrangements for disposal.

MPS e-commerce project

We attended the MetFIN e-commerce Project Steering Group and advised senior management both on project controls issues and on the testing and implementation of the B2B product.

MPS banking project team

We attended the project team meetings and provided control advice for the implementation of the new banking contract.

MPS scientific support strategy implementation project

The planned systems audit of Identification and Scenes of Crime Support has now been transferred to a systems development audit as a major project is being carried out in this area. It has been agreed with the Acting Director of Identification that we will now provide control advice during the course of the project.

Language services contracts project board

Following the issue of our audit report on Interpreters and Translators Services in August 1999, Linguistic Services have launched a project to examine the payment structure. We have attended project team meetings and provided control advice when required. It is anticipated that savings in excess of £400,000 per annum will be made as a result of this review.
