The Annual Audit Letter for West Mercia Police and Crime Commissioner and Chief Constable



Transcription:

The Annual Audit Letter for West Mercia Police and Crime Commissioner and Chief Constable

Year ended 31 March 2015

October 2015

John Gregory
Director and Engagement Lead
T +44 (0)121 232 5333
E john.gregory@uk.gt.com

Sarah Good
T 0121 232 5334
E sarah.l.good@uk.gt.com

Laurelin Griffiths
In charge auditor
T 0121 232 5409
E laurelin.h.griffiths@uk.gt.com

© 2015 Grant Thornton UK LLP | Annual Audit Letter 2014/15

Contents

Section
1. Key messages

Appendices
A How we have worked with you during the year
B Key issues and recommendations
C Summary of reports and audit fees

Key messages

Our Annual Audit Letter summarises the key findings arising from the work that we have carried out at the Police and Crime Commissioner ("PCC") for West Mercia and the Chief Constable for West Mercia ("Chief Constable") for the year ended 31 March 2015.

The Letter is intended to communicate key messages to the PCC, Chief Constable and external stakeholders, including members of the public. Our annual work programme, which includes nationally prescribed and locally determined work, has been undertaken in accordance with the Audit Plan that we issued on 1st July 2015 and was conducted in accordance with the Audit Commission's Code of Audit Practice, International Standards on Auditing (UK and Ireland) and other guidance issued by the Audit Commission and Public Sector Audit Appointments Limited.

Financial statements audit (including audit opinion)

We reported our findings arising from the audit of the financial statements to the PCC and Chief Constable in our Audit Findings Report, which was also considered by the Joint Audit Committee on 21 September 2015. The key messages reported were:

- We received draft financial statements and accompanying working papers in accordance with the timetable set by the PCC and Chief Constable and ahead of the statutory deadline of 30 June 2015.
- The financial statements submitted for audit were of good quality, delivered by an effective closedown process and supported by excellent working papers. Of particular note was the speed and efficiency with which queries were responded to by staff across all departments.
- We did identify a relatively small number of disclosure errors, and requested some adjustments to improve the presentation of the financial statements.
- The presentation of intra-group funding from the PCC to the Chief Constable was updated in the Comprehensive Income and Expenditure Statements (CIES) for both organisations. The funding cost previously shown within 'other comprehensive income and expenditure' is now included within the net cost of services. This amendment is a result of clarified national guidance to promote consistency of presentation across police bodies.

We issued an unqualified opinion on the PCC's and Chief Constable's 2014/15 financial statements on 21st September 2015, meeting the deadline set by the Department for Communities and Local Government. Our opinion confirms that the financial statements give a true and fair view of the PCC's and Chief Constable's financial position and of the income and expenditure recorded by the PCC and Chief Constable.

Value for Money (VfM) conclusion

We issued an unqualified VfM conclusion for 2014/15 on 21st September 2015.

On the basis of our work, and having regard to the guidance on the specified criteria published by the Audit Commission, we are satisfied that in all significant respects both organisations put in place proper arrangements to secure economy, efficiency and effectiveness in their use of resources for the year ending 31 March 2015.

The PCC and CC have demonstrated a drive and commitment to making changes in response to the recent reductions in Government funding. There is an understanding of the current financial position, and finance is a continuing thread evidenced through all elements of the corporate planning processes.

Within the 2014/15 budget the Chief Constable and PCC identified savings of £6.3m which enabled a balanced budget to be achieved in 2014/15. These substantial savings have again been achieved and the budget was underspent by £10.8m. The additional savings have mainly arisen from staff vacancies in year.

The updated MTFS highlights the ongoing significant financial challenges faced. The MTFP shows that the budget deficit for 2015/16 of £4m has been balanced by a contribution from reserves, with an additional planned spend of a further £2m for in-year developments funded from reserves. The PCC has significant useable reserves (£71.7m) and a track record of delivering financial performance in line with budgets. The level of reserves and planned use of reserves allows the PCC to invest in changes to improve productivity going forward. One of the most significant challenges going forwards is the uncertainty over the impact of changes being made nationally to the funding formula for PCCs.

The findings from HMIC's PEEL assessment (Police Effectiveness Efficiency Legitimacy) highlighted that the West Mercia Police force provided 'value for money' and was rated as good over its efficiency and its ability to prevent offending and deal with anti-social behaviour.

Our work found that both bodies have good arrangements in place to secure financial resilience. In particular:

- a robust corporate strategy, medium term financial strategy and savings plan are in place
- the PCC delivered its overall savings target
- arrangements for governance processes, including risk management and the production of the Annual Governance Statement, are satisfactory
- financial management is sound, with effective reporting of variances from plans

Audit fee

Our fee for 2014/15 was £70,680 excluding VAT, which was in line with our planned fee for the year and is unchanged from the previous year. Further detail is included within appendix B.

Appendix A: How we have worked with you during the year

Audit Committee Members; PCC, CC and Senior Management Teams

We:

- Provided assurance on financial reporting and financial resilience by giving a timely audit opinion and value for money conclusion
- Shared our thinking on key issues, including offering members copies of our first national report, which evaluated how the sector is responding to the Police Reform and Social Responsibility Act 2011 (PRSRA), 'The future of policing accountability: Learning the lessons'
- Met regularly with the Audit Committee to ensure you were kept up to date with the audit progress, as well as emerging issues affecting the wider Police Sector
- Provided independent external audit commentary and insight into your key issues through senior attendance at every audit committee
- Ensured a smooth external audit process through regular dialogue and meetings to promptly discuss financial accounts opinion audit
- Met with the Senior Officers, including periodic meetings with the PCC and the Chief Constable, to discuss your major challenges, share our insight into national sector issues and provide support where possible
- Provided assurance around the data transfer to the new ledger
- Liaised with Internal Audit to minimise duplication
- Hosted the Third National Conference for Police and Crime Panels, which members of the PCP came to. The focus of the conference was on the future of policing accountability ahead of the general election in May 2015
- Worked with the finance department to further improve the accounts production process and to strengthen controls and systems
- Provided regular, timely and transparent reports from our work and briefing notes on key sector developments
- Invited you to attend our seminars for police audit committee members
- Provided you with copies of our national report on audit committee effectiveness in the police sector

Appendix B: Key issues and recommendations

This appendix summarises the recommendations made during the 2014/15 audit.

1. Lack of movers' access administration for Active Directory

Priority: Medium

Issue: There is no formal process to ensure that access rights and folder permissions are removed and not accumulated by staff as they move roles internally. During a period of change it is likely that users will move departments, shifts and functions, and if there isn't a process to manage user amendments there is a risk that users will accumulate inappropriate or unsegregated duties.

Recommendation: Management should introduce a formal user change management process which should be used consistently to manage user access rights and folder permissions. This should include consideration of segregation of duties and role based access control across the organisation.

Management response: The appointment of business Information Asset Owners has been identified as part of the Network Accreditation Remediation Action Plan; responsibilities will include the management of access rights to folders.

Responsible office: Head of Financial Management and Business Change.

Due date: 2015/16

2. Weak logical access controls

Priority: High

Issue: There is no limit to the number of failed access attempts permitted on the systems under review in the Forces' shared services. We acknowledge the Forces' reluctance to impose restrictions on serving officers when they may require access urgently and the limitations of the ICT service desk coverage to support them 24/7. However, we consider that this is a control weakness that should be addressed urgently due to a combination of deficiencies identified in this report that undermine the controls in place. There is a risk that systems can be accessed internally by those without authorisation or authority, given easy-to-guess passwords and unlimited attempts. This may lead to the loss of critical and sensitive data.

Recommendation: Management should consider enabling account lockout controls within Active Directory to address the risk of password cracking. The best practice recommended number of attempts permitted is between 3 and 10.

Management response: We have previously accepted the risk relating to Active Directory lock out settings. This will be discussed further with the Head of ICT, with potentially adding the risk to the ICT risk register. Specifically in relation to the finance systems: since the upgrade in April 2014, all efinancials applications lock users out after 3 attempts and require unlocking on the server before access can be granted again. Passwords are a minimum of 8 characters long, including a number, and have to be changed every 30 days. There is a log of the previous 13 passwords for each user and passwords cannot be re-used until they are no longer in the log.

Responsible office: Head of Financial Management and Business Change

Due date: 2015/16

3. Absence of logical access review for Active Directory and EFinancials

Priority: Medium

Issue: Our review of user accounts and associated permissions for Active Directory and ABS EFinancials identified that they are not being formally and proactively reviewed for appropriateness. If periodic reviews of user accounts are not conducted on a regular basis, there is an increased risk that segregation of duties may be circumvented resulting from individuals changing roles without their access rights being reviewed and amended accordingly, affecting the integrity of financial data. This control weakness was also raised in 2013/14.

Recommendation: Regular reviews of ABS EFinancials user accounts should take place at least annually with sufficient evidence to enable a third-party to confirm when the reviews were performed, who was involved, and what access changed as a result.

Management response: Information Asset Owners will have responsibility for reviewing of access rights relevant to their area of business. Specifically in relation to the finance systems: the system has only been operational since April 2014. Procedures are being implemented to send user access lists out to managers quarterly to check for leavers and internal moves.

Responsible office: Head of Financial Management and Business Change.

Due date: 2015/16.

4. Lack of security log reviews

Priority: Medium

Issue: There is no documented process to review audit logs from the network or efinancials systems on a periodic basis. While this is mitigated to some extent by monitoring inactive accounts and disabling them, this does not provide data relating to access attempts to inactive accounts or activities of accounts with elevated permissions. However, there is no lockout policy and therefore abuse of system privileges or persistent attempts to access an unused account would not be identified. There is a risk that unusual activity or security events taking place within the network or efinancials systems might not be detected in a timely manner in the absence of such a control. Given the criticality of the data in these systems, it is advisable that there are processes to identify any unauthorised access, thereby reducing the risk of fraud, manipulation or error.

Recommendation: Management should identify the more critical audit logs and review them on a periodic basis for any anomalies.

Management response: The development of audit provision for IT Security has been identified as part of the Network Accreditation Remediation Action Plan. Specifically in relation to the finance systems: as mentioned in point 2, users are locked out of efin applications after 3 failed log in attempts. Intervention is required by the Systems team at this point to re-enable the account. A user log exists, but can only be run for individual users. A security log covering all users would require a bespoke piece of work from ABS and is not being considered at this time.

Responsible office: Head of Financial Management and Business Change.

Due date: During 2015/16.
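The following is an added illustration of findings 2 and 4 and is not part of the audit letter: a sketch of the periodic log review the recommendation describes, surfacing runs of failed logons that a lockout threshold would have stopped, attempts against inactive accounts, and logons by accounts with elevated permissions. The log format, account names, addresses and the inactive and privileged account lists are all constructed assumptions.

```python
# Added example, not part of the audit letter. The log format, account names
# and addresses are constructed for illustration.
from collections import defaultdict

SAMPLE_LOG = """\
2015-03-02T08:14:05 LOGON_FAIL jsmith 10.1.4.22
2015-03-02T08:14:19 LOGON_OK jsmith 10.1.4.22
2015-03-02T22:40:01 LOGON_FAIL old.temp01 10.1.7.90
2015-03-02T22:40:03 LOGON_FAIL old.temp01 10.1.7.90
2015-03-02T22:40:06 LOGON_FAIL old.temp01 10.1.7.90
2015-03-02T22:40:08 LOGON_FAIL old.temp01 10.1.7.90
2015-03-03T01:12:30 LOGON_FAIL fin.clerk7 10.1.7.90
2015-03-03T01:12:33 LOGON_FAIL fin.clerk7 10.1.7.90
2015-03-03T01:12:35 LOGON_FAIL fin.clerk7 10.1.7.90
2015-03-03T01:12:38 LOGON_FAIL fin.clerk7 10.1.7.90
2015-03-03T01:12:40 LOGON_FAIL fin.clerk7 10.1.7.90
2015-03-03T01:12:44 LOGON_OK fin.clerk7 10.1.7.90
2015-03-03T02:30:41 LOGON_OK svc.admin 10.1.9.5
"""


def parse(log_text):
    """Yield (timestamp, result, account, source) from the constructed format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("LOGON_OK", "LOGON_FAIL"):
            continue  # skip blank or malformed lines instead of aborting the review
        yield tuple(parts)


def review(log_text, threshold=3, inactive=(), privileged=()):
    """Summarise the events a periodic log review should surface.

    threshold: consecutive failures a lockout policy would act on
               (the letter cites 3 to 10 as the recommended range).
    inactive, privileged: account names supplied by the reviewer (assumed inputs).
    """
    streak = defaultdict(int)         # current run of consecutive failures
    longest = defaultdict(int)        # longest run seen per account
    success_after_streak = set()      # a success right after a run >= threshold
    inactive_attempts = defaultdict(int)
    privileged_logons = []

    for ts, result, account, source in parse(log_text):
        if account in inactive:
            inactive_attempts[account] += 1   # any attempt on a dormant account
        if result == "LOGON_FAIL":
            streak[account] += 1
            longest[account] = max(longest[account], streak[account])
            continue
        if streak[account] >= threshold:
            success_after_streak.add(account)  # lockout would have prevented this
        streak[account] = 0
        if account in privileged:
            privileged_logons.append((ts, account, source))

    return {
        "would_lock": {a: n for a, n in longest.items() if n >= threshold},
        "success_after_streak": sorted(success_after_streak),
        "inactive_attempts": dict(inactive_attempts),
        "privileged_logons": privileged_logons,
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG, 3, {"old.temp01"}, {"svc.admin"})
    for key, value in report.items():
        print(key, value)
```

Raising the threshold towards 10 shows how many of these runs a looser lockout setting would let through before any control acts.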

5. Assets not valued

Priority: High

Issue: To undertake a review of the assets not valued by the valuer to ensure that their valuation is not materially incorrect.

Recommendation: In 2016/17 to undertake a review of the assets not valued by the external valuer to demonstrate that they are not materially misstated.

Management response: A documented management review will take place in consultation with the valuers during the closedown process for the 2015/16 Accounts.

Responsible office: Head of Accountancy and Financial Services

Due date: April/May 2016

6. Split of land and buildings

Priority: High

Issue: Our review of valuations performed by Lambert Smith Hampton identified that they do not provide a valuation split between land and buildings where the value is below £2m. There is a risk that the value of buildings may be materially misstated going forward as incorrect depreciation rates may be applied.

Recommendation: In 2015/16 obtain valuation splits for land and building from the valuer.

Management response: The valuer will be instructed to split the valuations for the 2015/16 Accounts between land and buildings.

Responsible office: Head of Accountancy and Financial Services

Due date: April/May 2016

7.

Priority: Medium

Recommendation: The PCC and Chief Constable request Internal Audit to undertake an external review of their self assessment to demonstrate compliance with the Public Sector Internal Audit Standards.

Management response: An external review needs to be undertaken within 5 years of the implementation of the standards and the 5 years have not yet elapsed. As the Internal Audit service was restructured during 2015, Warwickshire County Council will be carrying out an external assessment during 2016/17 when the service has settled into its new combined service structure.

Responsible office: Head of Internal Audit

Due date: 2016/17

Appendix C: Reports issued and fees

We confirm below the fees charged for the audit and non-audit services.

Fees for audit services

Police and Crime Commissioner audit: per Audit Plan £45,680; actual fees £45,680
Chief Constable audit: per Audit Plan £25,000; actual fees £25,000
Total audit fees: per Audit Plan £70,680; actual fees £70,680

Fees for other services

Audit related services: Nil
Non-audit related services: Nil

Reports issued

Audit Plan: issued 1st July 2015
Audit Findings Report: issued 21st September 2015
Annual Audit Letter: issued October 2015

© 2015 Grant Thornton UK LLP. All rights reserved. 'Grant Thornton' means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton is a member firm of Grant Thornton International Ltd (Grant Thornton International). References to 'Grant Thornton' are to the brand under which the Grant Thornton member firms operate and refer to one or more member firms, as the context requires. Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered independently by member firms, which are not responsible for the services or activities of one another. Grant Thornton International does not provide services to clients.

grant-thornton.co.uk