The Annual Audit Letter for West Mercia Police and Crime Commissioner and Chief Constable
Year ended 31 March 2015
October 2015

John Gregory, Director and Engagement Lead
T +44 (0)121 232 5333
E john.gregory@uk.gt.com

Sarah Good
T 0121 232 5334
E sarah.l.good@uk.gt.com

Laurelin Griffiths, In charge auditor
T 0121 232 5409
E laurelin.h.griffiths@uk.gt.com

© 2015 Grant Thornton UK LLP. Annual Audit Letter 2014/15
Contents

Section                                                   Page
1. Key messages                                            3
Appendices
A. How we have worked with you during the year             6
B. Key issues and recommendations                          7
C. Summary of reports and audit fees                      11
Key messages

Our Annual Audit Letter summarises the key findings arising from the work that we have carried out at the Police and Crime Commissioner for West Mercia ("PCC") and the Chief Constable for West Mercia ("Chief Constable") for the year ended 31 March 2015. The Letter is intended to communicate key messages to the PCC, the Chief Constable and external stakeholders, including members of the public.

Our annual work programme, which includes nationally prescribed and locally determined work, has been undertaken in accordance with the Audit Plan that we issued on 1 July 2015 and was conducted in accordance with the Audit Commission's Code of Audit Practice, International Standards on Auditing (UK and Ireland) and other guidance issued by the Audit Commission and Public Sector Audit Appointments Limited.

Financial statements audit (including audit opinion)

We reported our findings arising from the audit of the financial statements to the PCC and Chief Constable in our Audit Findings Report, which was also considered by the Joint Audit Committee on 21 September 2015. The key messages reported were:

- We received draft financial statements and accompanying working papers in accordance with the timetable set by the PCC and Chief Constable and ahead of the statutory deadline of 30 June 2015.
- The financial statements submitted for audit were of good quality, delivered by an effective closedown process and supported by excellent working papers. Of particular note was the speed and efficiency with which staff across all departments responded to our queries.
- We did identify a relatively small number of disclosure errors, and requested some adjustments to improve the presentation of the financial statements. The presentation of intra-group funding from the PCC to the Chief Constable was updated in the Comprehensive Income and Expenditure Statements (CIES) for both organisations: the funding cost previously shown within 'other comprehensive income and expenditure' is now included within the net cost of services. This amendment results from clarified national guidance intended to promote consistency of presentation across police bodies.

We issued an unqualified opinion on the PCC's and Chief Constable's 2014/15 financial statements on 21 September 2015, meeting the deadline set by the Department for Communities and Local Government. Our opinion confirms that the financial statements give a true and fair view of the PCC's and Chief Constable's financial position and of the income and expenditure recorded by the PCC and Chief Constable.
Value for Money (VfM) conclusion

We issued an unqualified VfM conclusion for 2014/15 on 21 September 2015. On the basis of our work, and having regard to the guidance on the specified criteria published by the Audit Commission, we are satisfied that in all significant respects both organisations put in place proper arrangements to secure economy, efficiency and effectiveness in their use of resources for the year ending 31 March 2015.

The PCC and Chief Constable have demonstrated a drive and commitment to making changes in response to the recent reductions in Government funding. There is an understanding of the current financial position, and finance is a continuing thread evidenced through all elements of the corporate planning processes. Within the 2014/15 budget the Chief Constable and PCC identified savings of £6.3m, which enabled a balanced budget to be achieved in 2014/15. These substantial savings have again been achieved and the budget was underspent by £10.8m; the additional savings have mainly arisen from staff vacancies in year.

The updated medium term financial strategy (MTFS) highlights the on-going significant financial challenges faced. The medium term financial plan (MTFP) shows that the budget deficit for 2015/16 of £4m has been balanced by a contribution from reserves, with an additional planned spend of a further £2m for in-year developments funded from reserves. The PCC has significant usable reserves (£71.7m) and a track record of delivering financial performance in line with budgets. The level of reserves and planned use of reserves allows the PCC to invest in changes to improve productivity going forward. One of the most significant challenges going forward is the uncertainty over the impact of changes being made nationally to the funding formula for PCCs.

The findings from HMIC's PEEL assessment (Police Effectiveness, Efficiency and Legitimacy) highlighted that West Mercia Police provided 'value for money' and was rated as good for its efficiency and for its ability to prevent offending and deal with anti-social behaviour.

Our work found that both bodies have good arrangements in place to secure financial resilience. In particular:

- a robust corporate strategy, medium term financial strategy and savings plan are in place
- the PCC delivered its overall savings target
- arrangements for governance processes, including risk management and the production of the Annual Governance Statement, are satisfactory
- financial management is sound, with effective reporting of variances from plans
Audit fee

Our fee for 2014/15 was £70,680 excluding VAT, which was in line with our planned fee for the year and is unchanged from the previous year. Further detail is included within appendix C.
Appendix A: How we have worked with you during the year

1. Audit Committee Members

We:
- Provided assurance on financial reporting and financial resilience by giving a timely audit opinion and value for money conclusion
- Shared our thinking on key issues, including offering members copies of our first national report, which evaluated how the sector is responding to the Police Reform and Social Responsibility Act 2011 (PRSRA), 'The future of policing accountability: Learning the lessons'
- Met regularly with the Audit Committee to ensure you were kept up to date with the audit progress, as well as emerging issues affecting the wider Police Sector
- Provided independent external audit commentary and insight on your key issues through senior attendance at every audit committee
- Invited you to attend our seminars for police audit committee members
- Provided you with copies of our national report on audit committee effectiveness in the police sector

2. PCC, CC and Senior Management Teams

We:
- Ensured a smooth external audit process through regular dialogue and meetings to promptly discuss the financial accounts opinion audit
- Met with the Senior Officers, including periodic meetings with the PCC and the Chief Constable, to discuss your major challenges, share our insight into national sector issues and provide support where possible
- Provided assurance around the data transfer to the new ledger
- Liaised with Internal Audit to minimise duplication
- Hosted the Third National Conference for Police and Crime Panels, which members of the PCP attended. The focus of the conference was on the future of policing accountability ahead of the general election in May 2015
- Worked with the finance department to further improve the accounts production process and to strengthen controls and systems
- Provided regular, timely and transparent reports from our work and briefing notes on key sector developments
Appendix B: Key issues and recommendations

This appendix summarises the recommendations made during the 2014/15 audit.

1. Lack of movers' access administration for Active Directory (Priority: Medium)

Issue: There is no formal process to ensure that access rights and folder permissions are removed, rather than accumulated, as staff move roles internally. During a period of change it is likely that users will move departments, shifts and functions, and without a process to manage user amendments there is a risk that users will accumulate inappropriate or unsegregated duties.

Recommendation: Management should introduce a formal user change management process, applied consistently, to manage user access rights and folder permissions. This should include consideration of segregation of duties and role based access control across the organisation.

Management response: The appointment of business Information Asset Owners has been identified as part of the Network Accreditation Remediation Action Plan; responsibilities will include the management of access rights to folders.
Responsible office: Head of Financial Management and Business Change.
Due date: 2015/16.

2. Weak logical access controls (Priority: High)

Issue: There is no limit to the number of failed access attempts permitted on the systems under review in the Forces' shared services. We acknowledge the Forces' reluctance to impose restrictions on serving officers when they may require access urgently, and the limitations of the ICT service desk coverage to support them 24/7. However, we consider that this is a control weakness that should be addressed urgently because of the combination of deficiencies identified in this report that undermine the controls in place. There is a risk that systems can be accessed internally by those without authorisation or authority, since easy-to-guess passwords can be attacked with an unlimited number of attempts. This may lead to the loss of critical and sensitive data.

Recommendation: Management should consider enabling account lockout controls within Active Directory to address the risk of password cracking. The best practice recommended number of attempts permitted is between 3 and 10.

Management response: We have previously accepted the risk relating to Active Directory lock out settings. This will be discussed further with the Head of ICT, with the risk potentially being added to the ICT risk register. Specifically in relation to the finance systems: since the upgrade in April 2014, all eFinancials applications lock users out after 3 attempts and require unlocking on the server before access can be granted again. Passwords are a minimum of 8 characters long, including a number, and have to be changed every 30 days. There is a log of the previous 13 passwords for each user and passwords cannot be re-used until they are no longer in the log.
Responsible office: Head of Financial Management and Business Change.
Due date: 2015/16.
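The following script is an added illustration of how the Active Directory settings discussed in recommendation 2 could be checked; it is not part of the audit letter or the Forces' own tooling. It reads the default domain password policy and compares it against the figures quoted above (a lockout threshold of 3 to 10 attempts, and the 8-character, 30-day, 13-password-history settings management reports for eFinancials). It assumes the ActiveDirectory RSAT module on a domain-joined host; the function name and the commented-out remediation values are illustrative.

```powershell
# Added example: compare the default domain password and lockout policy with the
# figures quoted in recommendation 2 and the management response.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

function Test-DomainLockoutPolicy {
    param(
        [int]$MinLockoutThreshold = 3,    # letter: best practice 3-10 attempts
        [int]$MaxLockoutThreshold = 10,
        [int]$MinPasswordLength   = 8,    # management response: 8 characters
        [int]$MaxPasswordAgeDays  = 30,   # management response: changed every 30 days
        [int]$MinPasswordHistory  = 13    # management response: last 13 remembered
    )

    $p = Get-ADDefaultDomainPasswordPolicy
    $findings = New-Object System.Collections.Generic.List[string]

    # LockoutThreshold = 0 means "never lock out": unlimited guesses are
    # permitted, which is the weakness the recommendation describes.
    if ($p.LockoutThreshold -eq 0) {
        $findings.Add("Account lockout is disabled (LockoutThreshold = 0); unlimited failed attempts permitted")
    }
    elseif ($p.LockoutThreshold -lt $MinLockoutThreshold -or $p.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings.Add("LockoutThreshold is $($p.LockoutThreshold); recommended range is $MinLockoutThreshold-$MaxLockoutThreshold")
    }

    if ($p.MinPasswordLength -lt $MinPasswordLength) {
        $findings.Add("MinPasswordLength is $($p.MinPasswordLength); expected at least $MinPasswordLength")
    }

    # "Password never expires" is reported as a very large TimeSpan, so a plain
    # greater-than comparison catches it as well as an over-long maximum age.
    if ($p.MaxPasswordAge.TotalDays -gt $MaxPasswordAgeDays) {
        $findings.Add("MaxPasswordAge is $([int]$p.MaxPasswordAge.TotalDays) days; expected at most $MaxPasswordAgeDays")
    }

    if ($p.PasswordHistoryCount -lt $MinPasswordHistory) {
        $findings.Add("PasswordHistoryCount is $($p.PasswordHistoryCount); expected at least $MinPasswordHistory")
    }

    if (-not $p.ComplexityEnabled) {
        $findings.Add("Password complexity is not enforced")
    }

    [pscustomobject]@{
        Domain            = $p.DistinguishedName
        LockoutThreshold  = $p.LockoutThreshold
        LockoutDuration   = $p.LockoutDuration
        ObservationWindow = $p.LockoutObservationWindow
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings.ToArray()
    }
}

# Fine-grained password policies (PSOs) override the default for the users and
# groups they apply to, so a compliant default can still be undone by a PSO
# with LockoutThreshold 0. List them alongside the default policy.
function Get-LockoutPolicyOverrides {
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, AppliesTo
}

Test-DomainLockoutPolicy | Format-List
Get-LockoutPolicyOverrides | Format-Table -AutoSize

# Illustrative remediation (values are assumptions within the 3-10 range), to be
# applied through change control once the concern about urgent officer access
# has been addressed; a 30-minute auto-unlock avoids depending on out-of-hours
# service desk cover:
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
#     -LockoutThreshold 5 -LockoutDuration 00:30:00 -LockoutObservationWindow 00:30:00
```

The lockout duration and observation window matter as much as the threshold: a lockout that releases itself after a short window limits online guessing to a few attempts per window without creating the permanent lock-outs that management is concerned about.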
3. Absence of logical access review for Active Directory and eFinancials (Priority: Medium)

Issue: Our review of user accounts and associated permissions for Active Directory and ABS eFinancials identified that they are not being formally and proactively reviewed for appropriateness. If periodic reviews of user accounts are not conducted on a regular basis, there is an increased risk that segregation of duties may be circumvented as individuals change roles without their access rights being reviewed and amended accordingly, affecting the integrity of financial data. This control weakness was also raised in 2013/14.

Recommendation: Regular reviews of ABS eFinancials user accounts should take place at least annually, with sufficient evidence to enable a third party to confirm when the reviews were performed, who was involved, and what access changed as a result.

Management response: Information Asset Owners will have responsibility for reviewing access rights relevant to their area of business. Specifically in relation to the finance systems: the system has only been operational since April 2014. Procedures are being implemented to send user access lists out to managers quarterly to check for leavers and internal moves.
Responsible office: Head of Financial Management and Business Change.
Due date: 2015/16.
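As an added illustration of the quarterly manager review described in the response to recommendation 3, and of the "movers" accumulation risk in recommendation 1, the script below builds one access review list per line manager from Active Directory. It is not from the audit letter or the Forces; it assumes the ActiveDirectory RSAT module and that the `manager` attribute is populated (users without one are listed under UNASSIGNED), and the 90-day inactivity flag and output folder are illustrative choices.

```powershell
# Added example: produce per-manager user access review lists (one CSV each) so
# managers can attest to leavers, movers and accumulated group memberships.
# Assumes the ActiveDirectory module (RSAT) and a populated 'manager' attribute.
Import-Module ActiveDirectory

function Export-AccessReviewLists {
    param(
        [string]$SearchBase   = (Get-ADDomain).DistinguishedName,
        [string]$OutputDir    = '.\AccessReview',   # assumption: local output folder
        [int]   $InactiveDays = 90                  # assumption: idle-account flag
    )

    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $cutoff   = (Get-Date).AddDays(-$InactiveDays)
    $managers = @{}   # cache manager DN -> sAMAccountName; one lookup per manager

    $props = 'Department', 'Title', 'Manager', 'MemberOf', 'LastLogonDate', 'PasswordLastSet'
    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props

    $rows = foreach ($u in $users) {
        $mgr = 'UNASSIGNED'
        if ($u.Manager) {
            if (-not $managers.ContainsKey($u.Manager)) {
                $managers[$u.Manager] = (Get-ADUser -Identity $u.Manager).SamAccountName
            }
            $mgr = $managers[$u.Manager]
        }

        # MemberOf holds direct group DNs only (no nesting, no primary group).
        # Take the CN, splitting on the first comma that is not escaped.
        $groups = @($u.MemberOf |
            ForEach-Object { ($_ -split '(?<!\\),', 2)[0] -replace '^CN=' } |
            Sort-Object)

        [pscustomobject]@{
            Manager          = $mgr
            SamAccountName   = $u.SamAccountName
            Name             = $u.Name
            Department       = $u.Department
            Title            = $u.Title
            GroupCount       = $groups.Count
            Groups           = ($groups -join ';')
            LastLogonDate    = $u.LastLogonDate   # replicated attribute; may lag up to 14 days
            PasswordLastSet  = $u.PasswordLastSet
            # Never logged on, or idle past the cutoff, is a candidate leaver;
            # a long group list on a moved member of staff is the accumulation
            # risk described in recommendation 1.
            Inactive         = ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff)
            ReviewerDecision = ''   # manager completes: Keep / Remove groups / Disable
        }
    }

    foreach ($set in ($rows | Group-Object -Property Manager)) {
        $file = Join-Path $OutputDir ('{0}_{1}.csv' -f $set.Name, (Get-Date -Format 'yyyy-MM-dd'))
        $set.Group | Sort-Object SamAccountName |
            Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
    }

    # Return the complete list so a central record of what was sent, to whom
    # and when can be retained as evidence for the auditor.
    $rows
}

$review = Export-AccessReviewLists
$review | Where-Object Inactive |
    Select-Object Manager, SamAccountName, LastLogonDate | Format-Table -AutoSize
```

The returned CSVs, together with the completed `ReviewerDecision` column and the resulting change tickets, are the evidence the recommendation asks for: when the review ran, who reviewed, and what access changed. The same approach applies to the eFinancials user list once it is exported from the application.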
4. Lack of security log reviews (Priority: Medium)

Issue: There is no documented process to review audit logs from the network or eFinancials systems on a periodic basis. While this is mitigated to some extent by monitoring inactive accounts and disabling them, that does not provide data on access attempts against inactive accounts or on the activities of accounts with elevated permissions. Further, because there is no lockout policy, abuse of system privileges or persistent attempts to access an unused account would not be identified. There is a risk that unusual activity or security events taking place within the network or eFinancials systems might not be detected in a timely manner in the absence of such a control. Given the criticality of the data in these systems, it is advisable that there are processes to identify any unauthorised access, thereby reducing the risk of fraud, manipulation or error.

Recommendation: Management should identify the more critical audit logs and review them on a periodic basis for any anomalies.

Management response: The development of audit provision for IT Security has been identified as part of the Network Accreditation Remediation Action Plan. Specifically in relation to the finance systems: as mentioned in point 2, users are locked out of eFinancials applications after 3 failed log in attempts. Intervention is required by the Systems team at this point to re-enable the account. A user log exists, but can only be run for individual users. A security log covering all users would require a bespoke piece of work from ABS and is not being considered at this time.
Responsible office: Head of Financial Management and Business Change.
Due date: During 2015/16.
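The script below is an added illustration of the periodic review recommendation 4 calls for, covering the two gaps the issue names: repeated failed logons against an account (including unused ones, which no lockout policy would otherwise surface) and changes to privileged group membership. It is not from the audit letter or the Forces. It assumes the Windows Security log is being written with the relevant audit policy enabled and that it is run against the domain controllers, where domain authentication failures are recorded (4771 for Kerberos, 4776 for NTLM; 4625 covers failures on the host itself). The ten-failures-in-24-hours threshold and the function names are illustrative.

```powershell
# Added example: periodic Security log review for failed logons per account and
# privileged group membership changes. Assumes audit policy is enabled and that
# the ActiveDirectory module is available to enumerate domain controllers.

function ConvertFrom-EventData {
    # Flatten <EventData><Data Name="..."> into a hashtable, which is uniform
    # across event IDs whose positional property order differs.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-FailedLogonSummary {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Hours     = 24,
        [int]$Threshold = 10    # assumption: review trigger for one account
    )
    $filter = @{ LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = foreach ($c in $ComputerName) {
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue
    }

    $events | ForEach-Object {
        $d = ConvertFrom-EventData $_
        # The failing account is TargetUserName in all three event types; the
        # source field is IpAddress for 4625/4771 and Workstation for 4776.
        $source = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['Workstation'] }
        [pscustomobject]@{
            Account  = $d['TargetUserName']
            Source   = $source
            EventId  = $_.Id
            Time     = $_.TimeCreated
            Computer = $_.MachineName
        }
    } |
    Where-Object { $_.Account -and $_.Account -notlike '*$' } |   # drop machine accounts
    Group-Object -Property Account |
    ForEach-Object {
        [pscustomobject]@{
            Account       = $_.Name
            Failures      = $_.Count
            Sources       = (@($_.Group.Source | Sort-Object -Unique) -join ';')
            First         = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last          = ($_.Group.Time | Measure-Object -Maximum).Maximum
            OverThreshold = ($_.Count -ge $Threshold)
        }
    } | Sort-Object Failures -Descending
}

function Get-PrivilegedGroupChanges {
    # 4728/4732/4756: member added to a security-enabled global/local/universal
    # group; 4729/4733/4757 are the matching removals.
    param([string[]]$ComputerName = @($env:COMPUTERNAME), [int]$Hours = 24)
    $added  = @(4728, 4732, 4756)
    $filter = @{ LogName = 'Security'; Id = 4728, 4729, 4732, 4733, 4756, 4757; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($c in $ComputerName) {
        Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $d = ConvertFrom-EventData $_
            $action = if ($_.Id -in $added) { 'Added' } else { 'Removed' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Action   = $action
                Member   = $d['MemberName']        # DN of the account added/removed
                Group    = $d['TargetUserName']    # the group that changed
                ByWhom   = $d['SubjectUserName']   # the administrator who made the change
                Computer = $_.MachineName
            }
        }
    }
}

Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName
Get-FailedLogonSummary -ComputerName $dcs | Where-Object OverThreshold | Format-Table -AutoSize
Get-PrivilegedGroupChanges -ComputerName $dcs | Format-Table -AutoSize
```

Two points a reviewer of this output should keep in mind. A burst of failures against an account that has been disabled for inactivity is exactly the "persistent attempt to access an unused account" the issue describes, and is only visible through the log, never through the account's own state. And a group change made by an administrator to their own account, or outside change control hours, is the kind of elevated-permission activity that the recommendation wants flagged for follow-up rather than left in the log unread.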
5. Assets not valued (Priority: High)

Issue: A review is needed of the assets not valued by the valuer to ensure that their valuation is not materially incorrect.

Recommendation: In 2016/17, undertake a review of the assets not valued by the external valuer to demonstrate that they are not materially misstated.

Management response: A documented management review will take place in consultation with the valuers during the closedown process for the 2015/16 Accounts.
Responsible office: Head of Accountancy and Financial Services.
Due date: April/May 2016.

6. Split of land and buildings (Priority: High)

Issue: Our review of valuations performed by Lambert Smith Hampton identified that they do not provide a valuation split between land and buildings where the value is below £2m. There is a risk that the value of buildings may be materially misstated going forward, as incorrect depreciation rates may be applied.

Recommendation: In 2015/16, obtain valuation splits for land and buildings from the valuer.

Management response: The valuer will be instructed to split the valuations for the 2015/16 Accounts between land and buildings.
Responsible office: Head of Accountancy and Financial Services.
Due date: April/May 2016.

7. External review of Internal Audit self assessment (Priority: Medium)

Recommendation: The PCC and Chief Constable request Internal Audit to undertake an external review of their self assessment to demonstrate compliance with the Public Sector Internal Audit Standards.

Management response: An external review needs to be undertaken within 5 years of the implementation of the standards and the 5 years have not yet elapsed. As the Internal Audit service was restructured during 2015, Warwickshire County Council will be carrying out an external assessment during 2016/17 when the service has settled into its new combined service structure.
Responsible office: Head of Internal Audit.
Due date: 2016/17.
Appendix C: Reports issued and fees

We confirm below the fees charged for the audit and non-audit services.

Fees for audit services

Service                                  Per Audit plan    Actual fees
Police and Crime Commissioner audit      £45,680           £45,680
Chief Constable audit                    £25,000           £25,000
Total audit fees                         £70,680           £70,680

Fees for other services

Service                       Fees
Audit related services        Nil
Non-audit related services    Nil

Reports issued

Report                   Date issued
Audit Plan               1 July 2015
Audit Findings Report    21 September 2015
Annual Audit Letter      October 2015
© 2015 Grant Thornton UK LLP. All rights reserved.

'Grant Thornton' means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton is a member firm of Grant Thornton International Ltd (Grant Thornton International). References to 'Grant Thornton' are to the brand under which the Grant Thornton member firms operate and refer to one or more member firms, as the context requires. Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered independently by member firms, which are not responsible for the services or activities of one another. Grant Thornton International does not provide services to clients.

grant-thornton.co.uk