By Rachel Bowden, member of the Internal Audit Standards Advisory Board, speaker at CIPFA's Audit Conference 2013
November 2012 saw new Police and Crime Commissioners (PCCs) take over from the previous Police Authorities with an extended remit. Before November 2012 internal audit had a clear role in the policing sector, this was to provide assurance to the Police Authority through the Section 151 Officer.
Most internal auditors worked with both the Authority and the Force, they reported to and attended the Authority’s Audit Committee. Over time the role of internal audit has naturally evolved from a financial control compliance role to management assurance on the far wider aspects of governance, risk and internal control. But, since November I think things are less clear. This is perhaps unsurprising as PCCs are still new and still developing their working relationships with Chief Constables. Offices of the PCCs are still developing their own policies and procedures, some are adopting what was put in place as part of transition plans by their predecessors in 2012, others are deciding to scrap those and work to their own policies. So the first challenge for internal audit is: where do you best provide assurance when governance and policy frameworks are in a state of flux?
The Public Sector Internal Audit Standards (PSIAS) which were published in December 2012 came in to effect from 1 April 2013, replacing the previous Code of Practice published by CIPFA back in 2006. I actually think PSIAS make things easier for internal auditors because PSIAS require a relationship between internal audit and the Board (or equivalent for the organisation in which it works) – no longer is it sufficient for internal audit to report solely to the Chief Financial Officer. This concept, of course, is not new. Many internal auditors working with police forces and PCCs will be members of the Chartered Institute of Internal Auditors and therefore very familiar with the contents of PSIAS, which are based on international internal auditing standards. But, what does “Board” mean in the context of the PCC and Chief Constable?
The Financial Management Code of Practice published by the Home Office makes it clear that both the PCC and Chief Constable must have an internal audit service. Both have Chief Financial Officers (CFOs) and therefore there are two reporting lines for internal audit following the normal section 151 route. But, PCCs and Chief Constables are Corporations Sole. Therefore it can be argued that good governance requires that internal auditors should report to PCCs and Chief Constables, even if they do maintain a day to day relationship with CFOs. Alongside this, internal auditors also maintain a key relationship with the Audit Committee, which the Financial Management Code of Practice suggests should be joint Audit Committees. We are already seeing diversity in the scope and remit of these new joint Audit Committees, with some stepping up to the mark and others finding that their terms of reference mean they have no real authority over the PCC – the risk then is that Audit Committees tend to rubber stamp decisions and papers instead of challenging management.
So, in this new environment internal auditors need to find a way of working that means they have access to senior people, can challenge the PCC and Chief Constable on matters of governance, risk and control, and provide independent and objective assurance to the PCC, Chief Constable and the Audit Committee. I hope that PCCs and Chief Constables embrace the assurance that internal auditors can, and do, provide and that internal auditors use the new PSIAS to make sure they are appropriately positioned in the right place for both the Office of the PCC and the Force.