Does the organization
manage its risks and
maintain a sound system
of internal control?
(with support from Karen
As at 7 April 2009
KLOE 2.4 – Does the organisation manage its risks and maintain
a sound system of internal control ?
During 2008/9 there has been a significant improvement in the Council‟s risk
management arrangements, including those covering partnership working, and the
Corporate Risk Manager has successfully started to embed risk management across the
Council‟s services. There is a dedicated risk management and internal control project
group which has the principle aim of further improving risk management and internal
control at Liverpool. Internal Audit continue to work towards checking and aiding the
improvement of internal controls through audits and investigations. A rolling programme
of internal control training due to start in April / May 2009 will assist with these
There are well embedded arrangements in place for managing the risk of fraud and
corruption, and these are regularly assessed against best practise in the public and
private sectors to ensure that our high standards are maintained.
The Council has a Risk Management Policy and Strategy that is signed by the leader of
the council and the Chief Executive. This document will be re-worked in 2009 to take
account of our transforming governance/control landscape. We have identified a lead
member/champion (Karen Afford) who is also a member of the Audit & Accounts
Committee. Re-defined approaches to the hierarchical understanding and dynamic
management of risk have been taken to EMT and agreed. A dedicated sub-set of EMT
(the Corporate Risk Management Group) is attended by AED‟s and the assistant Chief
There is a dedicated Risk Management and Internal Control Project with its own PID,
plans and (dynamic and well attended) Project Group.
The Corporate Risk Register itself has been significantly improved. Meanwhile, the
„across the business‟ management of risks at all levels is becoming more dynamic,
sophisticated and sensitive - initially via training and the facilitation of improved risk
registers. The “risk-based” behaviours and arrangements that business units need to
exhibit are improving and will continue to do so over time. Some areas are ahead of
As at 7 April 2009
Corporate Risk Management Group; membership/ composition of the Group, the
remit/ terms of reference, the dates that the Group met in 2008/09, meeting
Risk Management Project Control Group; Summary of composition and attendance
records. Project plan, Risk Register, minutes etc.
All papers submitted to Executive Board, Audit and Accounts, Corporate Services,
EMT and other committees/groups are available.
New Corporate Risk Register and evidence of dynamic re-working and
reconsideration on an ongoing basis.
Corporate Risk is reported to Executive Board, the Corporate Services Select
Committee and the Audit & Accounts Committee.
The strategic objectives (Corporate Aims) have been re-worked and the new hierarchy
of risk registers will include dedicated registers for each Aim. The risks on the Corporate
Risk Register are linked to the new aims.
All risks are scored on a 4 x 4 scale for impact and likelihood.
All risks and the controls that mitigate them (at all levels) are owned by individual
colleagues. Owners are named on all risk registers. The risk register template used
throughout LCC has been made more sensitive and now uses a three score mechanism
(Inherent / Today / Target). New software is being procured to improve the quality of MI
that can be derived from this data-set and thereby drive improved arrangements and
Paper outlining new 4 levels risk hierarchy as agreed at EMT 6th March
Membership of Alarm
Foundation stages in respect of Partnership Risks have been worked through including
meetings with Liverpool First (LSP) to plan a way forward for partnerships involved in
delivery of the LAA. This will lead to a risk workshop for the LSP itself in April 2009
followed by the roll-out of risk management for the Strategic Issue Partnerships. The
assessment and improvement of RM arrangements across other partnerships is in plan
and will be worked through in spring/summer 09. The picture in terms of the quality of
RM within and around service delivery partners is mixed as is the quality of risk
knowledge and management re the impact those partners have on the councils own
aims. Some good quality arrangements can already be demonstrated. The importance of
partnership risks has been built into the new 4-level hierarchical model for risk
management that has been agreed by EMT and reported to members. Partnership risk
is a key RM action area for 2009.
As at 7 April 2009
Work with Liverpool First
Work with Schools (both IA derived and Risk team).
Assurance re 20/20 and Enterprise
Evidence of fact finding trip to Croydon (March 2009) to see approach to RM in LAA.
Evidence of much improved BSF risk register (driven by Corporate Risk team)
Evidence of visits to Risk Managers at Wirral, Merseyside Police, Leeds and
A RM members briefing was delivered by the Head of the Corporate Risk Management
business unit in February 2009. Essential RM training will also be delivered to the Audit
Committee on 29th April 2009.
Detailed half day briefing/training sessions will have been rolled out to all heads of
business units and heads of finance (and some other key officers at the corporate
centre) by May 2009. An online e-learning package is being refreshed for roll out in
2009. Members of the risk and insurance unit have received formal and on-the-job
training from the Corporate Risk Manager and at least one member of that team will
commence a more formal IRM qualification in 2009. The Corporate Risk Manager has
attended a variety of training events/sessions/briefings/meetings to improve knowledge
and awareness. The Risk Management Intranet page has been totally re-written – as
has the Risk Management Toolkit which is now an instructional guide for managers in
the Business Units.
Risk Workshop papers for EMT April 2009.
Training papers re Heads of Business Units (material, attendees, dates etc).
Intranet page and all linked content available.
Evidence of training (including IRM hosted) attended by Corporate Risk Manager as
well as meetings of Merseyside Risk Managers Group (attended by Rob Gore).
Evidence of training delivered to Audit Committee, Members (briefing) and In-house
Initial designs of new e-learning to be rolled out in 09/10
Risk Management Toolkit.
Ad-hoc responses to requests from Business Units for help with drafting Risk
Evidence of Quality Assuring of Risk Registers and feeding back to Heads of
Business Units to drive improvement and embedding.
As at 7 April 2009
FRAUD AND CORRUPTION
Fraud Related Strategies and Policies
LCC have an Anti fraud and Corruption Strategy which sets out the Council‟s zero
tolerance of Fraud and Corruption and commitment in taking action against offenders
through the disciplinary procedure, prosecution and /or referral to the police.
This strategy is reviewed annually by Internal Audit, and any changes are taken to EMT
for approval, then to Audit and Accounts Committee for comment before going to full
Council as part of the overall changes to the Constitution. The strategy was significantly
updated in November 2008 and these changes were advertised across the council.
The Anti Fraud and Corruption Strategy is supported by the Whistleblowing Policy and
the Fraud Response Plan. All of these documents are accessible via the intranet and
they are regularly referred to in reminder articles to all Council staff on Message of the
Day and In the Know.
The Fraud Response Plan is split into two parts, the first of which is accessible to all
council staff and the second part (which contains investigation operational detail) is
restricted to Internal Audit. The first part gives instruction on what to do in the event of
suspicion or allegations of fraud / financial irregularity, as well as guidance on the
reporting lines to follow.
Similar to the Anti-Fraud and Corruption Strategy, the Whistleblowing Policy is reviewed
annually and regularly advertised across the council by way of posters, leaflets, and
electronic communication. A summary of the policy is available on the Council‟s internet
and sites accessible to service users also display information about the whistleblowing
Whistleblowers are offered a variety of different ways of contacting the appropriate
officer, and Internal Audit oversee the operation of the whistleblowing line. Evidence of
the success of the whistleblowing procedures is demonstrated by way of one particular
area of the council where the number and regularity of allegations made lead to Internal
Audit undertaking a detailed „health check in 08/9, following which no further
whistleblowing allegations were made. There is also an on-going criminal investigation
into a case brought to Internal Audit‟s attention through the whistleblowing line which is
unlikely to have ever been detected through business unit checks or regular audits. The
lessons learnt from this investigation have been applied to the entire range of services in
this particular area to reduce the risk of copycat frauds.
A number of investigations have been initiated by whistleblowing allegations which have
ultimately led to an improvement in internal controls. Whenever possible, successful
outcomes of investigations have been advertised across the Council to act as a
deterrence to potential fraudsters and to help raise fraud awareness.
As at 7 April 2009
Anti-Fraud & Corruption Strategy
Fraud Response Plan (Full Version)
Audit Committee minutes
Example of adverts on Message of the Day. Etc re cases and policies
Audit Investigation Reports
AF70 returns to Audit Commission
Internal Audit Intranet Page
Codes of Conduct
Registers of gifts and hospitality
Responsibilities re Fraud
The Counter Fraud Team are manage benefit fraud investigations (inc those arising
through NFI matches) whilst Internal Audit manage all other fraud related work at LCC.
Protocol between Internal Audit and CFT re NFI staff cases
Proactive Fraud Work and Partnerships
An increasing amount of time is spent by Internal Audit on pro-active fraud work, and in
08/09 Internal Audit introduced the use of CAAT‟s in the core financial audits to help
identify potential fraud.
The annual audit plan is risk based and one of the factors considered is the occurrence
or likelihood of fraud. This fraud assessment informs the pro-active fraud programme.
Comparisons with other core cities showed that Liverpool invest a greater percentage of
total audit time than other authorities on proactive fraud work.
Fraud awareness briefing sessions have been held for officers and a selection of key
partners have been asked about their awareness of the Council‟s stance on fraud as
well as the fraud related policies and procedures, which in itself raises fraud awareness
with Liverpool‟s partners. Corporate access to an e-learning course on fraud and
corruption has recently been procured and plans are currently being made to roll out this
learning programme in conjunction with internal control training.
Annual Audit and Proactive Fraud Plans
CAATs audit reports previously provided to Audit Commission
Core City benchmarking results
Material from briefing sessions
Fraud survey results from partners
National Fraud Initiative
The Council fully participates in the National Fraud Initiative (NFI) and has contributed
some of the successful cases that the Audit Commission includes in its national press
As at 7 April 2009
releases on NFI.
NFI website re LCC
Meeting notes with NFI Audit Commission staff
Criminal Investigations and Joint Agency Working
For all investigations the potential for criminal and / or civil action is considered at the
outset of the case and during the investigation. Internal Audit have an investigation
protocol with Merseyside Police and had a successful internal and criminal case during
08/09, and several ongoing cases with the Police at present. Internal Audit also work
successfully on joint cases with other public sector bodies, inc the DWP.
Confidential details of recent criminal and multi-agency cases
Police / Audit Protocol
The Head of Internal Audit is a qualified Local Counter Fraud Specialist and Certified
Fraud Examiner, and uses membership of these national and international groups as
well as networks within the Big 4 accountancy practices to ensure that counter fraud
arrangements at the Council are based around best practice from both private and public
sector. Regular benchmarking exercises and discussions around approaches with other
Core Cities assist in ensuring that best practise is followed
CFE and CFS material within Internal Audit
Benchmarking results with core cities
Attendance at fraud conferences and events
Membership of LCFS and ACFE
As at 7 April 2009
Internal Audit Dept
LCC have an experienced Internal Audit business unit of 28 staff with a management
team who are all either CIPFA or ACA qualified. 22% of audit staff are currently studying
for a professional qualification in audit / accountancy which is far greater than any other
core city. There was a significant investment in in-house and on-the-job training in 08/9
which is reflected in the annual benchmarking exercises with the other core cities.
The 08/9 self assessment against the CIPFA Code of Practice which was recently
shared with the Commission shows almost complete compliance, and an improvement
on previous years results. In addition to this Internal Audit have been ISO9001:20000
certified for a number of years.
Risk based auditing is now embedded within Internal Audit and strong links have been
built with the Risk Management business unit with the sharing and review of risk
registers, control risk matrices and risk related recommendations following from certain
audits and investigations. There is regular communication between the two business
Internal Audit have a bespoke audit manual, based around the CIPFA manual, which is
in the process of being updated following the implementation of new audit software
which will automate more of the audit processes and increase overall efficiency levels
within Internal Audit. The new software will facilitate better analysis of control issues that
are identified through audits and investigations and hence focus corrective actions, as
well as to inform the annual audit plan in future years.
As already provided to the Audit Commission as part of their current assessment of the
Internal Audit function at LCC, plus PI’s in Performance Management Database
Since March 2007 LCC have had an Audit Committee whose membership and terms of
reference largely follow the CIPFA model. An assessment (based around the CIPFA
guidance) of the Audit Committee was made by Internal Audit in April 2008 and the
results have led to a programme of training being rolled out which will be ongoing into
2009/10. Training has been delivered on the Annual Governance Statement, basic
accountancy, audit processes and risk management (due April 09).
Also during 2008/9 a series of Audit Chair core city meetings have been held in
Birmingham and Newcastle. These have helped to increase the level of knowledge and
understanding of the Committee and facilitated discussion around common issues.
Formal training sessions have recently started to be incorporated within these core city
As at 7 April 2009
Terms of reference and minutes from Committee meetings
Assessment of Audit Committee
Minutes and material from Core City Audit Chair meetings
Policies and Procedures
Contract Standing Orders and Financial Regulations are reviewed annually for
appropriateness by a number of business units (including Procurement and Internal
Audit) before being taken to full council for approval as part of the overall constitution
changes. They are available on the intranet at all staff and any changes are widely
The Council has a scheme of delegation
There is an annual audit of officers and members expenses and gifts / hospitality.
The February 2009 inspection by the Office of Surveillance Commissioners found that
the Councils powers under the Regulation of Investigatory Powers Act were used
properly and only minor recommendations were made in relation to improving our
existing good processes in relation to the legislation. There were no issues identified in
the 07/8 AGS relating to issues with compliance with laws and regulations.
Papers from annual review of CSO’s and Financial Regulations
Audit reports (as previously sent to Audit Commission)re policies and procedure
OSC report re RIPA
07/8 AGS (as previously sent to Audit Commission)
System of Internal Controls
The entire core financial systems are audited annually with key controls tested and any
weaknesses reported on. In 2008/9 CAAT testing was introduced by Internal Audit in
the core financial areas to increase the volume of testing done on key controls and it is
planned to broaden this work in 2009/10.
Where appropriate, financial investigations conducted by Internal Audit generate
recommendations to improve the control environment. There is regular communication
with other core cities and Merseyside Local Authorities to identify control weaknesses
that others have experienced which may be applicable to Liverpool to learn from. In this
way potential copycat frauds are prevented.
The time invested by Internal Audit in following up recommendations has doubled in
2008/9 and any recommendations that have not been implemented by the agreed date
As at 7 April 2009
are immediately escalated to senior management in order that the control environment is
not left exposed.
Monthly summary reports are issued to Finance Managers on listing audit assurance
opinions on completed audit work todate. They use this in conjunction with the monthly
lists of open audit recommendations to focus attention on control weakness at their local
management team meetings.
Quarterly update reports are provided to EMT and the Audit and Accounts Committee
highlighting the key work undertaken in the quarter, audit assurance opinions todate and
any issues arising with the follow up of audit and investigation recommendations.
Quarterly update reports are also provided to EMT and the Audit & Accounts Committee
on steps taken to address the key weaknesses in the 07/8 AGS. In 08/9 the monitoring
officer took the lead on the AGS process and the number of partners asked to provide
assurance statements for the 08/9 AGS has been increased. Internal Audit have
continued to liaise closely with other core cities on the processes followed in compiling
and monitoring the AGS and also comparisons of common issues contained within the
A programme of internal control training is being developed and plans have been made
to roll that out in conjunction with fraud awareness training in May 2009. The Cash
Handling Booklet, which details the procedures and controls over the processing of cash
across the entire range of council services, has been reviewed, completely revised and
reissued by Internal Audit. A Money Laundering Reporting Officer has been appointed
and a draft money laundering policy is currently being finalised prior to release in April
All Business Units have a business impact analysis and a business continuity plan, and
a corporate business continuity plan is being finalised. An exercise has been held with
key partners to test the adequacy of emergency plans.
Quarterly IA updates to EMT and A&A Committee re controls
Feb 09 AGS position table on 08/9 statement
Cash Handling Booklet
Draft Money Laundering Policy
Annual Audit Plan
Business continuity plans
Results of emergency planning exercise
As at 7 April 2009