RESTRICTED

WEST YORKSHIRE POLICE AND CRIME

COMMISSIONER

External Quality Assurance of Internal Audit of Policing

and Crime Activity

RESTRICTED

1

Contents

1. Background

2. Executive Summary and Opinion

3. Confidentiality & Disclosure

4. Methodology and Scope

5. Observations and Recommendations

6. Limitations

7. Acknowledgements

Appendix A: Conformance with Individual Standards

Appendix B: Independent Assessor’s Statement

RESTRICTED

2

1.0 Background

1.1 In line with Public Sector Internal Audit Standards introduced in 2013 internal

audit activity is subject to external quality assessment every five years by a

qualified independent reviewer form outside the organisation.

1.2 In order to perform external quality assessments in a cost-effective manner the

internal audit units of former Greater Manchester PCC, West Yorkshire PCC and

Merseyside Police and PCC, formed a peer group. A common methodology was

agreed by the peer group together with the Chief Finance Officers of each Force

and PCC and the Joint Audit Committees of each Force/PCC.

2.0 Executive Summary and Opinion

2.1 This assessment was undertaken in July 2017 at the request of the Office of the

West Yorkshire PCC, by the Audit Lead of the Greater Manchester Police and

Crime Commissioner. It was carried out according to the methodology agreed by

the peer group, the Chief Finance Officers of each Force and PCC and the Joint

Audit Committees of each Force/PCC. It covered internal audit activity undertaken

by the WYPCC’s internal audit team during the financial year ended 31st March

2017. The principal objectives of the assessment were:

To review WYPCC’s conformance with Public Sector Internal Audit Standards;

To evaluate the effectiveness of WYPCC internal audit activity; and

To identify opportunities to enhance management and work processes

2.2 In the opinion of the assessor the internal audit activity undertaken by WYPCC’s internal audit unit generally conforms with the Definition of Internal Auditing, the Code of Ethics and the Public Sector Internal Audit Standards as revised in March 2016. A detailed list of conformance against individual standards can be found at Appendix A.

2.3 In making an opinion the peer group has adopted The Institute of Internal Auditor’s

(IIIA) Quality Assessment Manual ratings: “Generally Conforms,” “Partially Conforms,” and “Does Not Conform.” “Generally Conforms” means that an internal audit activity has a charter, policies, and processes that are judged to be in conformance with the Standards. “Partially Conforms” means deficiencies in practice are noted that are judged to deviate from the Standards, but these deficiencies did not preclude the internal audit activity from performing its responsibilities in an acceptable manner. “Does Not Conform” means deficiencies in practice are judged to be so significant as to seriously impair or preclude the internal audit activity from performing adequately in all or in significant areas of its responsibilities.

3.0 Confidentiality and Disclosure

3.1 This report is protectively marked in accordance with the National Protective Marking Scheme. Its contents are confidential and, whilst it is accepted that issues raised may well need to be discussed with other officers within the organisation, the report itself should only be copied/circulated/disclosed to anyone outside of the organisation in line with the organisation’s disclosure policies. This report is prepared for the organisation’s use. No responsibility can be taken to any third party for any reliance they might place upon it.

RESTRICTED

3

4.0 Methodology and Scope

4.1 The methodology adopted by the peer group for the external quality assessments is set out in the table below:

Stage Detail

1 Assessment Preparation

Agreement by all parties regarding:

the programme of peer reviews

the assessment methodology

an appropriate timetable

the allocation of external reviewer resources

a client sponsor.

2 Assessment Process

Assessment will adopt a 5 stage process:

the validation of the CAE’s (HIA/ AMs) PSIAS self-assessment checklist, including any accompanying evidence and the Quality Assurance Improvement Programme (QAIP);

Review of documentation in support of the standards / checklist;

Examine a sample of audit engagements according to the PSIAS and procedures;

Interview key staff/ stakeholders to confirm effectiveness of audit processes;

Undertake an exit meeting with the HIA.

3 Post Assessment Phase

The review should conclude with a detailed report providing an opinion on the Internal Audit activity’s conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards highlighting any areas of partial conformance or areas which do not conform along with recommendations for improvement, where appropriate.

4 Reporting Phase Discussion of the draft report with the HIA to confirm accuracy.

Issue of final report for agreed management responses to the HIA and Sponsor.

Issue final report to the HIA and Sponsor.

HIA / Sponsor to issue final report to their Audit Committee which includes an action plan and implementation dates.

HIA (who performed peer review) presenting report to respective Audit Committee when/ where requested.

4.2 In addition the peer group agreed that external reviewers should possess the

following attributes:

Possess a recognised professional qualification;

Have appropriate experience of internal audit - at least five years at manager

level within the public sector/local government;

Have detailed knowledge of leading practices in internal audit

Have current, in-depth knowledge of the Definition, the Code of Ethics and the

International Standards.

RESTRICTED

4

5.0 Observations and Recommendations

5.1 As part of the Quality Assurance Assessment a range of stakeholders were

contacted to gain an insight into how WYPCC IA operates and how they adhere

to the standards. These included the Chair of the Audit Committee, the PCC

Treasurer, the Force Assistant Chief Officer (Chief Finance Officer) and staff of

the internal audit team. Overall, stakeholders were appreciative of the service

provided and considered it to be ‘valued’ service. It was suggested that a more

formal/robust procedure regarding follow up would further enhance the service

provided.

5.2 The assessment concurs fully with the internal audit activity’s self-assessment

conclusions and the actions identified in their Quality Assurance Improvement

Programme.

5.3 The area’s identified for improvement are summarised below:

Audit Charter

The Audit Charter is due a review and refresh to bring it in line with the latest

changes in the IPPF.

Audit Manual

The ongoing work to revise and update the audit manual needs to be concluded

in order to reflect recent changes to approach, working arrangements and

developments in the audit service.

Audit Skills, Competency and Development and Training

Training needs are identified through the ‘quality assurance processes namely,

file reviews, post audit reviews, individual key performance indicators and

personal development reviews, however this needs to be formally documented

as a specific activity in itself.

International Standards for the Professional Practices of Internal Audit (IPPF)

Following the outcome of the EQA the use of key statement, ‘conducted in

conformance with international standards’ can now be incorporated in key audit

documents and reported accordingly.

Co-ordination and Reliance with Other Assurance Providers

The ongoing work to establish the nature of other assurance providers needs to

be completed and the assurance mapping exercise to refresh and reflect recent

changes and planned organisational changes in the OPCC and the Force should

be carried out.

A more proactive engagement with HMIC should take place.

RESTRICTED

5

5.4 Implementation of the above will improve the value of the services provided by

Internal Audit, advance the implementation of initiative already underway and

contribute to the continuous improvement of WYPCC internal audit function

6.0 Limitations 6.1 The opinions and recommendations contained within this report are based on

our examination of restricted samples of transactions and records together with discussions with the officers responsible for the processes reviewed.

7.0 Acknowledgements 7.1 The Independent Assessor would like to express their thanks and appreciation to

all those who provided support and assistance during the course of this assessment process.

Catherine Folan Risk and Assurance Auditor (Lead) GMCA 6th October 2017

RESTRICTED

6

Appendix A

CONFORMANCE WITH INDIVIDUAL STANDARDS

Quality Assessment Summary

GC

PC

DNC

OVERALL EVALUATION

Y

Quality Assessment Summary By Major Standard

GC

PC

DNC

1010 Recognition of the Definition of Internal Auditing, the Code of Ethics and the Standards in the IA Charter.

An Audit Charter is in place as a separate distinct document to underpin the audit strategy.

This was last reviewed and approved in 2013 and is now due a review and refresh to bring it in line with the latest changes in the IPPF.

Y

1110 Organisational Independence

The Internal Audit function of the Office of the Police and Crime Commissioner provides a joint Internal Audit Service for the PCC and the Force.

The HoIA is not part of the OPCC Executive Management Team. This enhances independence. Unfettered access to the OPCC Executive Team and the Chief Officer Team (COT) is in place.

Furthermore, the HoIA has access to the Audit Committee members without OPCC/ Force officers being present. HoIA can escalate issues where necessary at Audit Committee pre-meetings.

Y

1111 Direct Interaction with Board

The Audit Committee is seen as the “Board” for Public Sector Internal Audit Standards. The HoIA reports quarterly to the Audit Committee.

Y

RESTRICTED

7

1120 Individual Objectivity

All IA staff are required to complete an annual certificate of independence to provide them with the opportunity to declare any matters that might be interpreted as compromising independence/objectivity.

Y

1130

Impairment to Independence or Objectivity

The HoIA has confirmed they are unaware of any impairment.

Y

Quality Assessment Summary By Major Standard

GC

PC

DNC

1210 Proficiency

All staff have appropriate job descriptions and supporting person specifications. All the IA team are either qualified with CMIIA or CCAB status or are studying for IIA.

Qualified staff are required to follow their Institute’s CPD requirements.

Y

1220 Due Professional Care

The audit brief is agreed with the client.

The work of the IA section is underpinned by a comprehensive sets of policies, processes and protocols. These are currently being distilled into a revised/updated audit manual.

Supervisory review of all assignments helps to reinforce the need for due professional care.

The ongoing work to revise and update the audit manual needs to be concluded in order to reflect recent changes to approach and developments in the audit service.

Y

1230 Continuing Professional Development

All the IA team are either qualified with CMIIA or CCAB status or are studying for IIA.

Qualified staff are required to follow their Institute’s CPD requirements.

Training needs are identified through the ‘quality assurance’ processes, namely file review, supervision, post audit reviews, KPI’s and

Y

RESTRICTED

8

personal development reviews, however, this is not formally documented as a specific activity in itself. Individual skills audit for all audit staff needs to be formalised.

1310 Quality Assurance and Improvement Programme

The QAIP has been in place for some time and is well developed. The plan has been shared with the Audit Committee.

The QAIP is a detailed document that captures development opportunities for the Internal Audit Service and demonstrates commitment to continuous improvement.

Y

1311 Internal Assessments

A range of activities are undertaken to review and monitor performance including file review, post audit reviews and assessment against KPI’s.

A self-assessment against the PSIAS has been undertaken by the HoIA every two years.

Y

1312 External Assessments

An external assessment has been undertaken in July 2017 as part of a peer review exercise.

Y

1321 Use of Conforms with the international Standards for the Professional Practice of Internal Auditing (IPPF)

Currently neither conformance nor non-conformance to the IPPF are stated in the audit strategy, audit charter or the annual outturn report.

Y

1322 Disclosure of non-conformance

As above

Y

2010 Planning

There is a well-established process for identifying risk and discussing with stakeholders the best use of audit time.

Plans incorporate flexibility to ensure that any emergent risk can be reasonably be incorporated into plans.

Y

RESTRICTED

9

Quality Assessment Summary By Major Standard

GC

PC

DNC

2020 Communication and Approval

Plan and resourcing requirements reported to Audit Committee.

Y

2030 Resource Management

Sufficient appropriate resources have been put in place to deliver audit plans.

Audit resources are benchmarked against comparable audit functions.

Y

2040 Policies and Procedures

Policies and procedures are in place. These are currently being and brought together in a revised audit manual.

Y

2050 Co-ordination and Reliance

Work is underway to establish the nature of other assurance providers.

An assurance mapping exercise is to be undertaken to reflect recent and planned organisational changes in the OPCC and the Force.

Furthermore, the need for a more proactive engagement with HMIC has been identified.

Y

2060 Reporting to Senior Management and the Board

Audit reports are reported to Head of Department, the ACC in the Force and to the s151 officers for the Force and the OPCC

Results are reported to the Audit Committee on a quarterly basis.

Y

2110 Governance

Internal audit plans and the audit charter promote the development of governance arrangements.

Y

2120 Risk Management

Internal audit contribute to improving risk management within both organisations.

Y

RESTRICTED

10

2130 Control

Internal audit help shape the control environment.

Y

Quality Assessment Summary By Major Standard

GC

PC

DNC

2201 Planning Considerations

Clear evidence that client specific requirements are considered during planning.

Y

2210 Engagement Objectives

Engagement objectives are clearly stated in assignment terms of reference.

Y

2220 Engagement Scope

Engagement scope is clearly set out in audit brief

Y

2230 Engagement Resource Allocation

Internal audit has sound practices for ensuring the right resources are matched to assignments.

Y

2240 Engagement Work Programme

Detailed work programmes are prepared for each assignment.

Y

2310 Identifying Information

Engagement objectives are supported by the identification of sufficient, relevant, reliable evidence.

Y

2320

Analysis and Evaluation

The review confirmed that conclusions are based on sound analysis and evaluation of evidence.

Y

Quality Assessment Summary By Major Standard

GC

PC

DNC

2330 Documenting Information

A sound audit trail was found to exist linking conclusions with supporting evidence.

Y

RESTRICTED

11

2340 Engagement Supervision

Audits are supervised and reviewed by experienced and qualified supervisors.

Y

2410 Criteria for Communicating

Assessment noted that reports communicate objectives, scope, conclusions and action plans.

Y

2420 Quality of Communications

Reports were found to be accurate, objective, clear, concise, constructive, complete and in the main, timely.

Y

2421 Errors and Omissions

No errors or omissions were noted in final reports.

Y

2430 Use of ‘conducted in conformance with the International Standards for the Professional Practice of Internal Audit

Once results of self-assessment are evaluated and confirmed through the EQA exercise this statement will be incorporated in all the audit strategy and audit charter.

Y

2431 Engagement Disclosure of Non Conformance

Currently neither conformance nor non-conformance are stated in audit reports or accompanying polices/ strategy documents.

Y

2440

Disseminating Results

Audit communications are provided to an appropriate level of senior management and distributed in accordance with the audit brief.

Y

2450 Overall Opinions

There is a methodology and process in place to evaluate the cumulative results of audit assignments and audit findings to express the annual opinion.

Y

2500 Monitoring Progress

Follow up on fundamental and significant recommendations takes place.

Updates are reported on a bi annual basis to the Audit Committee.

Y

RESTRICTED

12

2600 Communicating the Acceptance of Risks

A level of engagement, co-operation and communication as part of the audit planning and reporting process helps to mitigate this risk.

This is also formally documented in the Annual Strategy and reported in the Annual Audit Opinion.

Y

RATING DEFINITIONS

“Generally Conforms” (GC) means the assessor has concluded the following:

For individual standards, that the internal audit activity conforms to the requirements of the standard (e.g., 1000, 1010, 2000, 2010, etc.) or elements of the Code of Ethics (both Principles and Rules of Conduct) in all material respects.

For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity achieves general conformity to a majority of the individual standards and/or elements of the Code of Ethics, and at least partial conformity to others, within the section/category.

For the internal audit activity overall, there may be opportunities for improvement, but these should not represent situations where the internal audit activity has not implemented the Standards or the Code of Ethics, has not applied them effectively, or has not achieved their stated objectives.

“Partially Conforms” (PC) means the assessor has concluded the following:

For individual standards, the internal audit activity is making good faith efforts to conform to the requirements of the standard (e.g., 1000, 1010, 2000, 2010, etc.) or element of the Code of Ethics (both Principles and Rules of Conduct) but falls short of achieving some major objectives.

For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity partially achieves conformance with a majority of the individual standards within the section/category and/or elements of the Code of Ethics.

For the internal audit activity overall, there will be significant opportunities for improvement in effectively applying the Standards or Code of Ethics and/or achieving their objectives. Some deficiencies may be beyond the control of the internal audit activity and may result in recommendations to senior management or the board of the organisation.

“Does Not Conform” (DNC) means the assessor has concluded the following:

For individual standards, the internal audit activity is not aware of, is not making good faith efforts to conform to, or is failing to achieve many/all of the

RESTRICTED

13

objectives of the standard (e.g., 1000, 1010, 2000, 2010, etc.) and/or elements of the Code of Ethics (both Principles and Rules of Conduct).

For the sections (Attribute and Performance) and major categories (e.g., 1000, 1100, 2000, 2100, etc.), the internal audit activity does not achieve conformance with a majority of the individual standards within the section/category and/or elements of the Code of Ethics.

For the internal audit activity overall, there will be deficiencies that will usually have a significant negative impact on the internal audit activity’s effectiveness and its potential to add value to the organisation. These may also represent significant opportunities for improvement, including actions by senior management or the board.

RESTRICTED

14

Appendix B

INDEPENDENT ASSESSOR’S STATEMENT I was engaged as Independent Assessor to conduct an independent assessment of the West Yorkshire PCC’s Internal Audit Unit in accordance with the agreed methodology set out in paragraphs 4.1-4.2 above.

In acting as Independent Assessor, I am fully independent of the organisation and have the necessary knowledge and skills to undertake this engagement. The assessment, conducted during July 2017, consisted primarily of a review and test of the procedures and results of the self-assessment, review of a sample of audit engagements and interviews with key audit staff. In addition, discussions were conducted with the PCC Treasurer, the Force Assistant Chief Officer (Chief Finance Officer), and the audit committee chair.

Based on the evidence identified during the assessment I concur fully with the internal audit activity’s self-assessment conclusions and in my opinion the internal audit activity undertaken by WYPCC’s internal audit unit generally conforms with the Definition of Internal Auditing, the Code of Ethics and the Public Sector Internal Audit Standards as revised in March 2016.

Catherine Folan, CMIIA, QIAL, CIA 6th October 2017