NOT PROTECTIVELY MARKED. Item Number 5.10 Gary Devlin, Partner, Scott- Moncrieff Recommendation to Members Members are requested to note the report.


NOT PROTECTIVELY MARKED

Meeting: Audit Committee
Date: 24 July 2018
Location: Pacific Quay, Glasgow
Title of Paper: Internal Audit Annual Report
Item Number: 5.10
Presented By: Gary Devlin, Partner, Scott-Moncrieff
Recommendation to Members: Members are requested to note the report.
Appendix Attached: Internal Audit Annual Report

PURPOSE

The Annual Report summarises our conclusions and key findings from the internal audit work undertaken at the Scottish Police Authority during the year ended 31 March 2018, including our overall opinion on the Scottish Police Authority's internal control system.

The paper is presented in line with the internal audit contract with Scottish Police Authority.

The paper is submitted for noting.

Audit Committee Public Session

1. BACKGROUND

1.1 The Scottish Public Finance Manual requires internal audit to provide annual audit assurance to the Accountable Officer and Audit Committee on the adequacy and effectiveness of the internal control system and the extent to which it can be relied upon. That opinion is contained within our annual report. The annual report forms part of the assurance required by the Accountable Officer to enable them to sign the Governance Statement to be provided alongside the accounts for which they are directly responsible.

2. FURTHER DETAIL ON THE REPORT TOPIC

2.1 This Annual Report summarises our conclusions and key findings from the internal audit work undertaken at the Scottish Police Authority during the year ended 31 March 2018, including our overall opinion on the Scottish Police Authority's internal control system.

2.2 The report documents: the scope and responsibilities between management and internal audit; our planning process; the cover achieved in the year; confirmation of our independence; states our conformance with the Public Sector Internal Audit Standards; and our overall internal audit opinion for the audit year 2017/

In our opinion, the internal control environment operated by the SPA and PS continued to improve during the financial year, however areas of significant weaknesses in the framework of internal controls continued to be identified. As a result, the internal control environment operated by the SPA and PS during 2017/18 cannot yet be fully relied upon to provide an appropriate level of assurance regarding the effective and efficient achievement of objectives and the management of key risks. Arrangements to promote value for money and deliver best value are adequate, with scope for improvement.

2.4 The key contributing factor to this opinion is that we have raised 70 actions within our 2017/18 audits, including 9 at Grade 4 and 36 at Grade 3.
This represents 64% of total findings that have been categorised as very high risk exposure (major concerns requiring immediate senior management attention) and high risk exposure (absence / failure of key controls).

2.5 The 9 Grade 4 findings relate to the following reviews: Financial Ledger (1); Performance Management (4); Workforce Planning (1); GDPR Scottish Police Authority (2); and GDPR Police Scotland (1).

2.6 Our audit work confirms that the management of both SPA and PS have well developed plans in place to respond effectively to audit issues, and are committed to taking the action necessary to address improvement opportunities identified through the internal audit work programme. We have seen evidence through our follow up of previous internal audit management actions that, while still not fully complete, there has been significant management action during the course of 2017/18 to address many of the areas of control weakness previously identified, with a focus on transformation activities. While this has not resulted in a significantly improved control environment during 2017/18, the implementation of these recommendations, along with those raised in 2017/18, will strengthen the internal control framework in place at the SPA and Police Scotland going forward, and help mitigate the risks identified.

3. FINANCIAL IMPLICATIONS

3.1 There are no financial implications arising as a direct result of this report.

4. PERSONNEL IMPLICATIONS

4.1 There are no personnel implications associated with this report.

5. LEGAL IMPLICATIONS

5.1 There are no legal implications associated with this report.

6. REPUTATIONAL IMPLICATIONS

6.1 There are no reputational implications arising from this report.

7. SOCIAL IMPLICATIONS

7.1 There are no social implications directly associated with this report.

8. COMMUNITY IMPACT

8.1 There are no community impact implications directly associated with this report.

9. EQUALITIES IMPLICATIONS

9.1 There are no equalities implications directly associated with this report.

10. ENVIRONMENT IMPLICATIONS

10.1 There are no environmental implications associated with this report.

RECOMMENDATIONS

Members are requested to note the report.

Scottish Police Authority
Internal Audit Annual Report 2017/18
July 2018

Introduction
Overall internal audit opinion
Internal audit work performed
Appendix 1 Planned v actual days 2017/18
Appendix 2 Summary of Internal Quality Assurance Assessment
Appendix 3 Progress against KPIs

Introduction

The Public Sector Internal Audit Standards (PSIAS) state that:

The Chief Audit Executive must deliver an annual internal audit opinion and report that can be used by the organisation to inform its governance statement. The annual internal audit opinion must conclude on the overall adequacy and effectiveness of the organisation's framework of governance, risk management and control.

To meet the above requirements, this Annual Report summarises our conclusions and key findings from the internal audit work undertaken at Scottish Police Authority (SPA) during the year ending 31 March 2018, including our overall opinion on SPA and Police Scotland's internal control system.

Acknowledgement

We would like to take this opportunity to thank all members of management and staff for the help, courtesy and cooperation extended to us during the year.

scott-moncrieff.com Scottish Police Authority Internal Audit Annual Report 2017/18

Overall internal audit opinion

Basis of opinion

As the Internal Auditor of the Scottish Police Authority (SPA) and Police Scotland (PS), we are required by Public Sector Internal Audit Standards to provide the Audit & Risk Committee with assurance on the whole system of internal control. In giving our opinion it should be noted that assurance can never be absolute. The most that the internal audit service can provide is reasonable assurance that there are no major weaknesses in the whole system of internal control.

In assessing the level of assurance to be given, we have taken into account: all reviews undertaken as part of the 2017/18 internal audit plan; any scope limitations imposed by management; matters arising from previous reviews and the extent of follow-up action taken including in year audits; expectations of senior management, the Board and other stakeholders; the extent to which internal controls address the SPA and PS's risk management / control framework; the effect of any significant changes in SPA and PS's objectives or systems; and the internal audit coverage achieved to date.

In my professional judgement as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the basis and the accuracy of the conclusions reached and contained in this report. The conclusions were based on a comparison of the situations as they existed at the time against the audit criteria. The conclusions are only applicable for the entity examined. The evidence gathered meets professional audit standards and is sufficient to provide senior management with proof of the conclusions derived from the internal audit work.

Internal Audit Opinion

In our opinion, the internal control environment operated by the SPA and PS continued to improve during the financial year, however areas of significant weaknesses in the framework of internal controls continued to be identified.

As a result, the internal control environment operated by the SPA and PS during 2017/18 cannot yet be fully relied upon to provide an appropriate level of assurance regarding the effective and efficient achievement of objectives and the management of key risks. Arrangements to promote value for money and deliver best value are adequate, with scope for improvement.

The key contributing factor to this opinion is that we have raised 70 actions within our 2017/18 audits, including 9 at Grade 4 (high risk) and 36 at Grade 3 (moderate risk). This represents a considerable improvement on the outcomes from our audits (which raised 137 actions of which 80% were categorised as higher risk (Grade 3 and above)) and demonstrates the significant effort made by management to address audit actions during the year.

Our audit work confirms that the management of both SPA and PS have well developed plans in place to respond effectively to audit issues, and are committed to taking the action necessary to address improvement opportunities identified through the internal audit work programme.

Our follow up of previous internal audit management actions has shown that there has been significant management action during the course of 2017/18 to address many of the areas of control weakness previously identified, with a focus on transformation activities. In particular, PS has introduced new governance structures and the SPA has developed a 2018/19 Improvement Plan which, when fully implemented, should significantly improve the organisation's overall governance framework.

The implementation of these recommendations, along with those that were raised in 2017/18, will strengthen the internal control framework in place at the SPA and Police Scotland going forward, and help mitigate the risks identified.

Scott-Moncrieff
July 2018

Internal audit work performed

Scope and responsibilities

Management

It is management's responsibility to establish a sound internal control system. The internal control system comprises the whole network of systems and processes established to provide reasonable assurance that organisational objectives will be achieved, with particular reference to: risk management; the effectiveness of operations; the economic and efficient use of resources; compliance with applicable policies, procedures, laws and regulations; safeguards against losses, including those arising from fraud, irregularity or corruption; and the integrity and reliability of information and data.

Internal auditor

The Internal Auditor assists management by examining, evaluating and reporting on the controls in order to provide an independent assessment of the adequacy of the internal control system. To achieve this, the Internal Auditor should: analyse the internal control system and establish a review programme; identify and evaluate the controls which are established to achieve objectives in the most economic and efficient manner; report findings and conclusions and, where appropriate, make recommendations for improvement; provide an opinion on the reliability of the controls in the system under review; and provide an assurance based on the evaluation of the internal control system within the organisation as a whole.

Planning process

In order that we can provide an annual assurance statement supporting the Governance Statement, we include all of SPA's and Police Scotland's activities and systems within the scope of our internal audit reviews. Our strategic and annual internal audit plans are designed to provide the Audit & Risk Committee with assurance that SPA's and Police Scotland's internal control systems are effective in managing the key risks and best value is being achieved. The plans are therefore informed by each client's risk management system and linked to the Corporate Risk Register.

The Strategic Internal Audit Plan was agreed in consultation with senior management and formally approved by the Audit & Risk Committee. The Annual Internal Audit Plan is subject to revision throughout the year to reflect changes in SPA's and Police Scotland's risk profile.

We have planned our work so that we have a reasonable expectation of detecting significant control weaknesses. However, internal audit can never guarantee to detect all fraud or other irregularities and cannot be held responsible for internal control failures. Assurance on the management of risk is provided from a number of other sources, including the management team, external audit, and the risk management framework itself.

Cover achieved

Our Internal Audit Plan comprises 500 days per annum and we completed 479 days of core internal audit work. The remaining 21 days relating to the BTP Governance audit have been carried forward into the 2018/19 Internal Audit Plan. We conducted a significant amount of planning for the proposed BTP Governance audit during early However, in recognition of the BTP Integration programme being paused in February 2018, the proposed audit approach was focused on specific aspects of Police Scotland's support of the BTP Integration re-plan.

The Audit Plan was subject to regular review at the Audit & Risk Committee, which resulted in some changes to the plan approved by the SPA Board in March All changes were approved by the Audit & Risk Committee and details of the changes are set out in Appendix 1.

We confirm that there were no resource limitations that impinged on our ability to meet the full audit needs of SPA and Police Scotland as outlined in the agreed plan, and no restrictions were placed on our work by management. We did not rely on the work performed by a third party during the period.

Reports

We have prepared a report for each of the internal audit reviews completed and presented these reports to the Audit & Risk Committee. Where relevant, all reports contained action plans detailing responsible officers and implementation dates. The reports were fully discussed and agreed with management prior to submission to the Audit & Risk Committee. We made no significant recommendations that were not accepted by management.

Summary of reports by control objective and action grade

Twelve internal audit reports have been completed during 2017/18, as summarised in the table below:

Review / Control objective assessment / No. of issues per grading
A.4 Budgeting and Reporting
A.8 Financial Ledger
B.2 Performance Management
B.3 Estates Strategy
B.5 Governance
C.2 Workforce Management
C.3 Workforce Planning
C.6 HR Management System
C.13 Organisational Change Management
D.6 GDPR Review (PS)
D.6 GDPR Review (SPA)
E.2 National Fraud Initiative

In addition to the reports set out above, we have also completed the following reviews:

Risk Management Framework - a desktop review of the Police Scotland draft risk management framework. We identified three improvement actions for management consideration.

BTP Integration Governance and Assurance - we completed a high-level review which focused on PS engagement in the BTP Integration re-planning exercise. We produced a management letter for the SPA Chief Officer, indicating that we found no significant weaknesses. We did identify three areas which PS should continue to closely monitor during the re-planning exercise.

Annual Accounts Review - we completed a comparison of the draft 2017/18 accounts against the efrem disclosure checklist and the progress made by Police Scotland in preparing the financial statements in line with the Annual Accounts preparedness timetable.

Bribery and Corruption Review - we reviewed the SPA draft Bribery and Corruption Policy against best practice and highlighted a number of areas in which the policy guidance could be expanded and strengthened.

EY Pricing Methodology Review - at the request of Procurement, we completed a review of the pricing methodology used by EY to quote for the continuation of work relating to development of the Digital, Data and IT Strategy.

An investigation into whistleblowing allegations which identified a number of areas for improvement in policies and procedures.

Control objective assessment definitions

R Critical: fundamental absence or failure of key controls
A High: control objective not achieved - controls are inadequate or ineffective
Y Moderate: Control objective achieved - no major weaknesses but scope for improvement
G Low: Control objective achieved - controls are adequate, effective and efficient

Management action prioritisation definitions

4 Very high risk exposure - major concerns requiring immediate senior management attention.
3 High risk exposure - absence / failure of key controls
2 Moderate risk exposure - controls not working effectively and efficiently.
1 Limited risk exposure - controls are working effectively, but could be strengthened.

Progress in implementing internal audit actions

In addition to the reviews shown above, we completed quarterly follow up reviews during 2017/18, to validate management's progress in implementing agreed audit actions. The table below sets out the movement in actions included on the Audit Recommendation Tracker throughout the financial year.

Number of Actions
Open actions brought forward from April
New actions added to tracker in period April 17 to March
Total actions to follow-up 194
Actions closed in period April 17 to March
Open actions carried forward at April

In March 2018, we reviewed management's progress in implementing the 116 outstanding actions on the Audit Recommendation Tracker at that time. The chart below summarises the status of the actions.

[Chart: Status of Actions as at 26 March 2018; categories: Complete, In progress, Incomplete, Not yet due]

The SPA is making good progress on outstanding actions, with a total number of 81 open actions at March Of these 81 open actions, 40 are not yet due. There are only 2 actions that are past due date that are not currently in progress. During the same period in 2016/17, there were 18 incomplete actions that were past due date

Age and grade of open actions

The chart below shows the number and grade of open actions categorised by the year in which the actions were raised:

[Chart: open actions by year raised and grade; series: Grade 1, Grade 2, Grade 3, Grade 4, Grade 5]

Key Themes

There are a number of key themes running through the findings of our internal audit work in 2017/18. Overall, we have observed an improvement in management's capacity and commitment to address internal control issues raised through our internal audit reviews. There remains a significant challenge to address key underlying issues, particularly around the implementation of transformational change programmes and governance, to achieve longer term sustainable improvement in the internal control environment within Police Scotland and the SPA.

Our internal audit reviews resulted in 9 Grade 4 findings across four internal audit review areas as follows:

Financial Ledger

We noted one Grade 4 finding within this review area which related to the segregation of duties in relation to preparation and authorisation / review of manual journal entries. The Finance Department has made a number of improvements since 2016/17 and this has resulted in a substantial decrease in the number of financial control weaknesses identified throughout our internal audit reviews. While we noted one Grade 4 finding in relation to financial controls, management have quickly addressed this through the creation of compensating controls and have asserted that the financial ledger will be upgraded to embed automated journal authorisation by the end of June This will be tested as part of the 2018/19 Q1 Follow up Review.

Performance Management

We noted four Grade 4 findings within this review area that related to the lack of effective project management arrangements in place to develop and implement a new Performance Management Framework. The four Grade 4 findings were as follows:

In the absence of an effective performance management framework, there is an increased risk that Police Scotland is unable to achieve its strategic objectives, which also increases the risk of reputational damage.
In the absence of a project plan for performance management within Police Scotland, there is a risk that the new performance management framework will not be delivered in the required timescale. This will lead to a further delay in Police Scotland being able to fully report on its performance, potentially resulting in failure to achieve its strategic objectives and further reputational damage.

There is a risk that KPIs are not sufficiently defined to enable Police Scotland to effectively report on performance, resulting in failure to achieve the strategic objectives and resulting in further reputational damage for Police Scotland.

There is a risk that the Demand, Productivity and Performance Board's work to understand the gaps in the data required for the new performance management framework will not be progressed and completed in line with the timelines for production of a single source data warehouse within the Digital, Data and IT Strategy. This could result in a failure to define system requirements that will allow efficient and effective future reporting against the Performance Management Framework.

Workforce Planning

We noted one Grade 4 finding within this review area in relation to the need to develop more strategic workforce planning to help Police Scotland meet future demands and achieve the financial and strategic objectives set out within

GDPR Readiness Review

We reviewed both Police Scotland and the Scottish Police Authority's preparations to comply with GDPR in December 2017, in advance of the 25 May 2018 implementation deadline. Our review noted three Grade 4 findings as follows:

SPA - There is a significant risk that SPA will not be able to or will experience delays in recruiting appropriately skilled data protection specialists due to the high market demand. This will result in SPA not being compliant with GDPR in May 2018 and increases the risks of severe financial penalties and reputational damage.

SPA - Without managing GDPR and LED compliance as a project, SPA management may not be able to fully assess progress as well as risks and issues that could impact on the ability of the organisation to achieve compliance by May

PS - Police Scotland intends to rely on a derogation detailed in Article 63, Paragraph 2 of the Directive, as follows:

By way of derogation from paragraph 1, a Member State may provide, exceptionally, where it involves disproportionate effort, for automated processing systems set up before 6 May 2016 to be brought into conformity with Article 25(1) by 6 May

There is a risk that, without formal opinion being sought on the applicability of the derogation, Police Scotland's interpretation of the derogation may be incorrect. If this is the case, this will have significant negative impact on the overall GDPR/LED project.

We followed up management's progress in addressing our audit findings in March and April 2018 and confirmed that action had been taken to address all high risk recommendations with a range of management actions ongoing. We concluded that, whilst much work remained in progress, the risks of non-compliance with GDPR by the 25 May 2018 implementation date were significantly reduced as a result.

Recurring Themes

In addition to the Grade 4 findings that have been detailed above, there are a number of recurring themes that have been identified throughout the 2017/18 internal audit reviews:

There are inconsistent processes and controls across Police Scotland and SPA which have contributed to the poor quality of management information. These were impacted by resource challenges affecting Police Scotland's capacity to effectively consolidate information from multiple sources;

A need to continue with the ongoing work to develop standard processes to be rolled out across the organisation particularly within Corporate Services;

A lack of availability of accurate, reliable data in which to inform and support decision making;

A need to continue to invest in the continuing development of financial skills, resources, systems, policies and processes; and

A number of prior year agreed actions to improve internal control, some of which relate to 2014 and 2015 internal audit reviews, have yet to be implemented.

Independence

Public Sector Internal Audit Standards (PSIAS) require us to communicate on a timely basis all facts and matters that may have a bearing on our independence. We can confirm that the staff members involved in each 2017/18 internal audit review were independent of SPA and Police Scotland and their objectivity was not compromised in any way.

Conformance with Public Sector Internal Audit Standards

We confirm that our internal audit service conforms to the Public Sector Internal Audit Standards, which are based on the International Standards for the Professional Practice of Internal Auditing. This is confirmed through our quality assurance and improvement programme, which includes cyclical internal and external assessments of our methodology and practice, against the standards. A summary of the results of our most recent internal assessment is provided at Appendix 2.

Key performance indicators

We use a suite of Key Performance Indicators (KPIs) to monitor the quality of the internal audit service. These are presented to each meeting of the Audit & Risk Committee. Appendix 3 includes a summary of performance against the KPIs. We would welcome any comments on the KPIs currently used.

Appendix 1 Planned v actual days 2017/18

Ref and Name of report / Planned Days / Actual Days

A. Key Financial systems reviews
A4. Budgeting and Reporting
A8. Financial Ledger

B. Key Strategic reviews
B2. Performance Management
B3. Estates Strategy
B4. Risk Management 5 5
B5. Governance

C. Key Operational reviews
C2. Workforce Management
C3. Workforce Planning
C5. Staff Performance Management 1 1
C5. BTP Integration Governance and Assurance 50 29*
C6. HR Management System
C8. Training (including income generation) 1 1
C11. Call Handling
C13. Organisational Change Management

D. Key Information Systems reviews
D6. GDPR Review (PS)
D6. GDPR Review (SPA)

E. Key Compliance and Regulatory reviews
E1. Follow up Reviews
E2. National Fraud Initiative
E3. Annual Accounts Preparedness

F. Management
Audit & Risk Committee Planning and Attendance
Audit Needs Analysis strategic and operational IA planning
Police Scotland Governance Board Attendance 5 5
Liaison with External Audit 3 3
Monthly Liaison Meetings
Annual Internal Audit Report 2 2
Contingency
TOTAL

29 days planned allocation were moved from Training (including income generation) Review to Contingency as approved by the Audit & Risk Committee Chair. This has been used to cover the following: Additional Follow up work; Attendance at GDPR sessions; Attendance at April Audit & Risk Committee; Attendance at PS Executive Planning Strategy Meeting; Contract Management including meetings with PS staff and review of Bribery and Corruption Policy, Financial Regulations and ad hoc queries; Completion of review of EY Pricing Methodology as requested by Procurement; Additional work on Governance, Workforce Planning and Performance Management Reviews.

* The remaining 21 days of time for BTP Governance will be carried forward into the 2018/19 plan.

Appendix 2 Summary of Internal Quality Assurance Assessment

We are required by Public Sector Internal Audit Standards to disclose the outcome of our regular internal and external quality assessments. The table below summarises the outcome of our most recent internal quality assessment, in which we have assessed the extent to which our internal audit methodology conforms to the standards. This reflects our most recent quality assessment and we are currently undertaking a further quality review, including independent external assessment as defined under PSIAS. We will share any significant issues and observations with the Audit and Finance Committee on completion of this exercise.

Standard / Does not conform / Conforms / Improvements we have identified
Purpose & positioning
Remit
Reporting lines
Independence
Other assurance providers
Risk based plan
Structure & resources
Competencies
Technical training & development
Resourcing
Performance management
Knowledge management
Audit execution
Management of the IA function
Engagement planning
Engagement delivery
Reporting
Impact
Standing and reputation of internal audit
Impact on organisational delivery
Impact on Governance, Risk and Control

Comment

Overall, our service conforms to the requirements of the PSIAS. A range of actions have been identified which will improve the overall effectiveness and consistency with which our methodology is applied. For example, ensuring that all relevant staff are involved in the audit planning and reporting process, and further improving the linkage of our internal audit plans to the key risks facing our clients. Our assessment is based on the overall service that is delivered to each client. Compliance with the methodology will be monitored through an enhanced system of internal quality assurance to supplement existing arrangements.

We are happy to provide Audit & Risk Committee members with further details of the information set out above and the assessment process, if required.

Appendix 3 Progress against KPIs

The following table sets out performance against the core internal audit plan using the KPIs we have agreed with management and the Audit & Risk Committee

KPI description / Status / Comments

1. The annual internal audit plan is presented to and approved by the Audit & Risk Committee prior to the start of the audit year.
Status: GREEN
Comments: Delivered in line with management expectation for the 2017/18 annual year

% of audit input is provided by the core team and continuity of staff is maintained year on year.
Status: GREEN
Comments: Our core team has been defined and planned for the full 2017/18 audit year.

3. Draft reports are issued within 15 working days of completing fieldwork.
Status: AMBER
Comments: All reports have been issued within 15 working days with the exception of Performance Management.

4. Management responses are received within 15 working days and final report issued within 10 working days.
Status: RED
Comments: We do not collate management responses for follow up reports and responses have been received within 15 days for all draft reports for 2017/18, with the exception of Workforce Planning, Workforce Management, HR Management System, Performance Management and Organisational Change.

5. At least 90% of the audit recommendations we make are agreed with and accepted by management.
Status: GREEN
Comments: Over 90% of audit recommendations agreed and accepted by management.

6. At least 75% of Audit & Risk Committee meetings are attended by an Internal Audit Partner.
Status: GREEN
Comments: All but one (Jan 2018) 2017/18 Audit & Risk Committee meetings have been attended by Gary Devlin, the Internal Audit Partner.

7. The annual internal audit plan is fully delivered within agreed cost and time parameters.
Status: GREEN
Comments: All audit work was completed in line with the 2017/18 Internal Audit Plan. A revised approach was agreed with management regarding the BTP Governance audit to reflect the programme being paused. The remaining days have been carried forward into the 2018/19 plan.

8. The annual internal audit report and opinion is presented to and approved by the A&RC at the first meeting after the year-end each year.
Status: GREEN
Comments: Subject to agreeing timings with management, we anticipate that all work will be delivered by year end.

9. All internal audit outputs are finalised and submitted to the SPA at least 10 working days before the A&RC meeting.
Status: AMBER
Comments: Internal audit papers submitted in line with A&RC deadline for plan meetings, but not within 10 working days.

10. Members of senior management and the Audit & Risk Committee are invited to participate in the firm's client satisfaction survey arrangements.
Status: N/A
Comments: The client satisfaction survey will be issued in November

Key
RED: More than 15% away from target
AMBER: Within 15% of target
GREEN: Achieved

Scott-Moncrieff Chartered Accountants All rights reserved. Scott-Moncrieff refers to Scott-Moncrieff Chartered Accountants, a member of Moore Stephens International Limited, a worldwide network of independent firms. Scott-Moncrieff Chartered Accountants is registered to carry on audit work and regulated for a range of investment business activities by the Institute of Chartered Accountants of Scotland.