RESTRICTED
WEST YORKSHIRE POLICE AND CRIME COMMISSIONER
External Quality Assurance of Internal Audit of Policing and Crime Activity
Contents
1. Background
2. Executive Summary and Opinion
3. Confidentiality & Disclosure
4. Methodology and Scope
5. Observations and Recommendations
6. Limitations
7. Acknowledgements
Appendix A: Conformance with Individual Standards
Appendix B: Independent Assessor’s Statement
1.0 Background
1.1 In line with Public Sector Internal Audit Standards introduced in 2013, internal
audit activity is subject to external quality assessment every five years by a
qualified independent reviewer from outside the organisation.
1.2 In order to perform external quality assessments in a cost-effective manner the
internal audit units of former Greater Manchester PCC, West Yorkshire PCC and
Merseyside Police and PCC, formed a peer group. A common methodology was
agreed by the peer group together with the Chief Finance Officers of each Force
and PCC and the Joint Audit Committees of each Force/PCC.
2.0 Executive Summary and Opinion
2.1 This assessment was undertaken in July 2017 at the request of the Office of the
West Yorkshire PCC, by the Audit Lead of the Greater Manchester Police and
Crime Commissioner. It was carried out according to the methodology agreed by
the peer group, the Chief Finance Officers of each Force and PCC and the Joint
Audit Committees of each Force/PCC. It covered internal audit activity undertaken
by the WYPCC’s internal audit team during the financial year ended 31st March
2017. The principal objectives of the assessment were:
To review WYPCC’s conformance with Public Sector Internal Audit Standards;
To evaluate the effectiveness of WYPCC internal audit activity; and
To identify opportunities to enhance management and work processes.
2.2 In the opinion of the assessor the internal audit activity undertaken by WYPCC’s internal audit unit generally conforms with the Definition of Internal Auditing, the Code of Ethics and the Public Sector Internal Audit Standards as revised in March 2016. A detailed list of conformance against individual standards can be found at Appendix A.
2.3 In making an opinion the peer group has adopted The Institute of Internal Auditors’
(IIA) Quality Assessment Manual ratings: “Generally Conforms,” “Partially Conforms,” and “Does Not Conform.” “Generally Conforms” means that an internal audit activity has a charter, policies, and processes that are judged to be in conformance with the Standards. “Partially Conforms” means deficiencies in practice are noted that are judged to deviate from the Standards, but these deficiencies did not preclude the internal audit activity from performing its responsibilities in an acceptable manner. “Does Not Conform” means deficiencies in practice are judged to be so significant as to seriously impair or preclude the internal audit activity from performing adequately in all or in significant areas of its responsibilities.
3.0 Confidentiality and Disclosure
3.1 This report is protectively marked in accordance with the National Protective Marking Scheme. Its contents are confidential and, whilst it is accepted that issues raised may well need to be discussed with other officers within the organisation, the report itself should only be copied/circulated/disclosed to anyone outside of the organisation in line with the organisation’s disclosure policies. This report is prepared for the organisation’s use. No responsibility can be taken to any third party for any reliance they might place upon it.
4.0 Methodology and Scope
4.1 The methodology adopted by the peer group for the external quality assessments is set out in the table below:
Stage 1: Assessment Preparation
Agreement by all parties regarding:
    the programme of peer reviews
    the assessment methodology
    an appropriate timetable
    the allocation of external reviewer resources
    a client sponsor.

Stage 2: Assessment Process
Assessment will adopt a 5 stage process:
    the validation of the CAE’s (HIA/AMs) PSIAS self-assessment checklist, including any accompanying evidence and the Quality Assurance Improvement Programme (QAIP);
    Review of documentation in support of the standards/checklist;
    Examine a sample of audit engagements according to the PSIAS and procedures;
    Interview key staff/stakeholders to confirm effectiveness of audit processes;
    Undertake an exit meeting with the HIA.

Stage 3: Post Assessment Phase
The review should conclude with a detailed report providing an opinion on the Internal Audit activity’s conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards highlighting any areas of partial conformance or areas which do not conform along with recommendations for improvement, where appropriate.

Stage 4: Reporting Phase
    Discussion of the draft report with the HIA to confirm accuracy.
    Issue of final report for agreed management responses to the HIA and Sponsor.
    Issue final report to the HIA and Sponsor.
    HIA/Sponsor to issue final report to their Audit Committee which includes an action plan and implementation dates.
    HIA (who performed peer review) presenting report to respective Audit Committee when/where requested.
4.2 In addition the peer group agreed that external reviewers should possess the
following attributes:
Possess a recognised professional qualification;
Have appropriate experience of internal audit - at least five years at manager
level within the public sector/local government;
Have detailed knowledge of leading practices in internal audit
Have current, in-depth knowledge of the Definition, the Code of Ethics and the
International Standards.
5.0 Observations and Recommendations
5.1 As part of the Quality Assurance Assessment a range of stakeholders were
contacted to gain an insight into how WYPCC IA operates and how they adhere
to the standards. These included the Chair of the Audit Committee, the PCC
Treasurer, the Force Assistant Chief Officer (Chief Finance Officer) and staff of
the internal audit team. Overall, stakeholders were appreciative of the service
provided and considered it to be a ‘valued’ service. It was suggested that a more
formal/robust procedure regarding follow up would further enhance the service
provided.
5.2 The assessment concurs fully with the internal audit activity’s self-assessment
conclusions and the actions identified in their Quality Assurance Improvement
Programme.
5.3 The areas identified for improvement are summarised below:
Audit Charter
The Audit Charter is due a review and refresh to bring it in line with the latest
changes in the IPPF.
Audit Manual
The ongoing work to revise and update the audit manual needs to be concluded
in order to reflect recent changes to approach, working arrangements and
developments in the audit service.
Audit Skills, Competency and Development and Training
Training needs are identified through the ‘quality assurance’ processes, namely
file reviews, post audit reviews, individual key performance indicators and
personal development reviews; however, this needs to be formally documented
as a specific activity in itself.
International Standards for the Professional Practices of Internal Audit (IPPF)
Following the outcome of the EQA, the use of the key statement ‘conducted in
conformance with international standards’ can now be incorporated in key audit
documents and reported accordingly.
Co-ordination and Reliance with Other Assurance Providers
The ongoing work to establish the nature of other assurance providers needs to
be completed and the assurance mapping exercise to refresh and reflect recent
changes and planned organisational changes in the OPCC and the Force should
be carried out.
A more proactive engagement with HMIC should take place.
5.4 Implementation of the above will improve the value of the services provided by
Internal Audit, advance the implementation of initiatives already underway and
contribute to the continuous improvement of the WYPCC internal audit function.
6.0 Limitations
6.1 The opinions and recommendations contained within this report are based on our examination of restricted samples of transactions and records together with discussions with the officers responsible for the processes reviewed.
7.0 Acknowledgements
7.1 The Independent Assessor would like to express their thanks and appreciation to all those who provided support and assistance during the course of this assessment process.
Catherine Folan
Risk and Assurance Auditor (Lead)
GMCA
6th October 2017
Appendix A
CONFORMANCE WITH INDIVIDUAL STANDARDS
Quality Assessment Summary
GC
PC
DNC
OVERALL EVALUATION
Y
Quality Assessment Summary By Major Standard
GC
PC
DNC
1010 Recognition of the Definition of Internal Auditing, the Code of Ethics and the Standards in the IA Charter.
An Audit Charter is in place as a separate distinct document to underpin the audit strategy.
This was last reviewed and approved in 2013 and is now due a review and refresh to bring it in line with the latest changes in the IPPF.
Y
1110 Organisational Independence
The Internal Audit function of the Office of the Police and Crime Commissioner provides a joint Internal Audit Service for the PCC and the Force.
The HoIA is not part of the OPCC Executive Management Team. This enhances independence. Unfettered access to the OPCC Executive Team and the Chief Officer Team (COT) is in place.
Furthermore, the HoIA has access to the Audit Committee members without OPCC/ Force officers being present. HoIA can escalate issues where necessary at Audit Committee pre-meetings.
Y
1111 Direct Interaction with Board
The Audit Committee is seen as the “Board” for Public Sector Internal Audit Standards. The HoIA reports quarterly to the Audit Committee.
Y
1120 Individual Objectivity
All IA staff are required to complete an annual certificate of independence to provide them with the opportunity to declare any matters that might be interpreted as compromising independence/objectivity.
Y
1130 Impairment to Independence or Objectivity
The HoIA has confirmed they are unaware of any impairment.
Y
Quality Assessment Summary By Major Standard
GC
PC
DNC
1210 Proficiency
All staff have appropriate job descriptions and supporting person specifications. All the IA team are either qualified with CMIIA or CCAB status or are studying for IIA.
Qualified staff are required to follow their Institute’s CPD requirements.
Y
1220 Due Professional Care
The audit brief is agreed with the client.
The work of the IA section is underpinned by a comprehensive set of policies, processes and protocols. These are currently being distilled into a revised/updated audit manual.
Supervisory review of all assignments helps to reinforce the need for due professional care.
The ongoing work to revise and update the audit manual needs to be concluded in order to reflect recent changes to approach and developments in the audit service.
Y
1230 Continuing Professional Development
All the IA team are either qualified with CMIIA or CCAB status or are studying for IIA.
Qualified staff are required to follow their Institute’s CPD requirements.
Training needs are identified through the ‘quality assurance’ processes, namely file review, supervision, post audit reviews, KPI’s and personal development reviews, however, this is not formally documented as a specific activity in itself. Individual skills audit for all audit staff needs to be formalised.
Y
1310 Quality Assurance and Improvement Programme
The QAIP has been in place for some time and is well developed. The plan has been shared with the Audit Committee.
The QAIP is a detailed document that captures development opportunities for the Internal Audit Service and demonstrates commitment to continuous improvement.
Y
1311 Internal Assessments
A range of activities are undertaken to review and monitor performance including file review, post audit reviews and assessment against KPI’s.
A self-assessment against the PSIAS has been undertaken by the HoIA every two years.
Y
1312 External Assessments
An external assessment has been undertaken in July 2017 as part of a peer review exercise.
Y
1321 Use of ‘Conforms with the International Standards for the Professional Practice of Internal Auditing’ (IPPF)
Currently neither conformance nor non-conformance to the IPPF are stated in the audit strategy, audit charter or the annual outturn report.
Y
1322 Disclosure of non-conformance
As above
Y
2010 Planning
There is a well-established process for identifying risk and discussing with stakeholders the best use of audit time.
Plans incorporate flexibility to ensure that any emergent risk can reasonably be incorporated into plans.
Y
Quality Assessment Summary By Major Standard
GC
PC
DNC
2020 Communication and Approval
Plan and resourcing requirements reported to Audit Committee.
Y
2030 Resource Management
Sufficient appropriate resources have been put in place to deliver audit plans.
Audit resources are benchmarked against comparable audit functions.
Y
2040 Policies and Procedures
Policies and procedures are in place. These are currently being brought together in a revised audit manual.
Y
2050 Co-ordination and Reliance
Work is underway to establish the nature of other assurance providers.
An assurance mapping exercise is to be undertaken to reflect recent and planned organisational changes in the OPCC and the Force.
Furthermore, the need for a more proactive engagement with HMIC has been identified.
Y
2060 Reporting to Senior Management and the Board
Audit reports are reported to Head of Department, the ACC in the Force and to the s151 officers for the Force and the OPCC.
Results are reported to the Audit Committee on a quarterly basis.
Y
2110 Governance
Internal audit plans and the audit charter promote the development of governance arrangements.
Y
2120 Risk Management
Internal audit contribute to improving risk management within both organisations.
Y
2130 Control
Internal audit help shape the control environment.
Y
Quality Assessment Summary By Major Standard
GC
PC
DNC
2201 Planning Considerations
Clear evidence that client specific requirements are considered during planning.
Y
2210 Engagement Objectives
Engagement objectives are clearly stated in assignment terms of reference.
Y
2220 Engagement Scope
Engagement scope is clearly set out in the audit brief.
Y
2230 Engagement Resource Allocation
Internal audit has sound practices for ensuring the right resources are matched to assignments.
Y
2240 Engagement Work Programme
Detailed work programmes are prepared for each assignment.
Y
2310 Identifying Information
Engagement objectives are supported by the identification of sufficient, relevant, reliable evidence.
Y
2320 Analysis and Evaluation
The review confirmed that conclusions are based on sound analysis and evaluation of evidence.
Y
Quality Assessment Summary By Major Standard
GC
PC
DNC
2330 Documenting Information
A sound audit trail was found to exist linking conclusions with supporting evidence.
Y
2340 Engagement Supervision
Audits are supervised and reviewed by experienced and qualified supervisors.
Y
2410 Criteria for Communicating
Assessment noted that reports communicate objectives, scope, conclusions and action plans.
Y
2420 Quality of Communications
Reports were found to be accurate, objective, clear, concise, constructive, complete and in the main, timely.
Y
2421 Errors and Omissions
No errors or omissions were noted in final reports.
Y
2430 Use of ‘conducted in conformance with the International Standards for the Professional Practice of Internal Audit’
Once results of self-assessment are evaluated and confirmed through the EQA exercise this statement will be incorporated in all the audit strategy and audit charter.
Y
2431 Engagement Disclosure of Non Conformance
Currently neither conformance nor non-conformance are stated in audit reports or accompanying policies/strategy documents.
Y
2440 Disseminating Results
Audit communications are provided to an appropriate level of senior management and distributed in accordance with the audit brief.
Y
2450 Overall Opinions
There is a methodology and process in place to evaluate the cumulative results of audit assignments and audit findings to express the annual opinion.
Y
2500 Monitoring Progress
Follow up on fundamental and significant recommendations takes place.
Updates are reported on a bi-annual basis to the Audit Committee.
Y
2600 Communicating the Acceptance of Risks
A level of engagement, co-operation and communication as part of the audit planning and reporting process helps to mitigate this risk.
This is also formally documented in the Annual Strategy and reported in the Annual Audit Opinion.
Y
RATING DEFINITIONS
“Generally Conforms” (GC) means the assessor has concluded the following:
For individual standards, that the internal audit activity conforms to the requirements of the standard (e.g., 1000, 1010, 2000, 2010, etc.) or elements of the Code of Ethics (both Principles and Rules of Conduct) in all material respects.
For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity achieves general conformity to a majority of the individual standards and/or elements of the Code of Ethics, and at least partial conformity to others, within the section/category.
For the internal audit activity overall, there may be opportunities for improvement, but these should not represent situations where the internal audit activity has not implemented the Standards or the Code of Ethics, has not applied them effectively, or has not achieved their stated objectives.
“Partially Conforms” (PC) means the assessor has concluded the following:
For individual standards, the internal audit activity is making good faith efforts to conform to the requirements of the standard (e.g., 1000, 1010, 2000, 2010, etc.) or element of the Code of Ethics (both Principles and Rules of Conduct) but falls short of achieving some major objectives.
For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity partially achieves conformance with a majority of the individual standards within the section/category and/or elements of the Code of Ethics.
For the internal audit activity overall, there will be significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their objectives. Some deficiencies may be beyond the control of the internal audit activity and may result in recommendations to senior management or the board of the organisation.
“Does Not Conform” (DNC) means the assessor has concluded the following:
For individual standards, the internal audit activity is not aware of, is not making good faith efforts to conform to, or is failing to achieve many/all of the objectives of the standard (e.g., 1000, 1010, 2000, 2010, etc.) and/or elements of the Code of Ethics (both Principles and Rules of Conduct).
For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity does not achieve conformance with a majority of the individual standards within the section/category and/or elements of the Code of Ethics.
For the internal audit activity overall, there will be deficiencies that will usually have a significant negative impact on the internal audit activity’s effectiveness and its potential to add value to the organisation. These may also represent significant opportunities for improvement, including actions by senior management or the board.
Appendix B
INDEPENDENT ASSESSOR’S STATEMENT
I was engaged as Independent Assessor to conduct an independent assessment of the West Yorkshire PCC’s Internal Audit Unit in accordance with the agreed methodology set out in paragraphs 4.1-4.2 above.
In acting as Independent Assessor, I am fully independent of the organisation and have the necessary knowledge and skills to undertake this engagement. The assessment, conducted during July 2017, consisted primarily of a review and test of the procedures and results of the self-assessment, review of a sample of audit engagements and interviews with key audit staff. In addition, discussions were conducted with the PCC Treasurer, the Force Assistant Chief Officer (Chief Finance Officer), and the audit committee chair.
Based on the evidence identified during the assessment I concur fully with the internal audit activity’s self-assessment conclusions and in my opinion the internal audit activity undertaken by WYPCC’s internal audit unit generally conforms with the Definition of Internal Auditing, the Code of Ethics and the Public Sector Internal Audit Standards as revised in March 2016.
Catherine Folan, CMIIA, QIAL, CIA
6th October 2017