Watching the watchmen

An Garda Síochána is more than a national police force. The rank and file of the organisation are charged with not only upholding Ireland’s laws and protecting its communities, but have the small matter of state security to contend with. It’s a huge responsibility and one that can’t be taken lightly. 

Similarly, leading the internal audit function of such a far-reaching and critical organisation is one of the most challenging appointments an HIA can take on. Niall Kelly, head of internal audit at An Garda Síochána, knew this only too well when he stepped into his current role from the Department of Communications, Energy and Natural Resources eight years ago. 

Kelly did not have to create the function from scratch. In 2002, a working group reviewed the complexities and sensitivities of the relationship between secretaries general (heads of the civil service) and government ministers, and the responsibilities of the secretaries in stewarding public funds. Following publication of the Mullarkey Report, Ireland set about formalising internal audit structures across all public bodies. 

By the time Kelly joined in 2007, the Garda’s IA function had already been up and running for five years. However, there was much work still to be done. “At the time I joined the organisation had a less developed structure than other public bodies in that it was all staffed by police rather than specialists,” recalls Kelly. “Some of them had done some training but they weren’t specialist auditors and they didn’t have the government experience. What I did when I came in with my team was introduce many of the processes and procedures that were already in place across central government.”

One of the first steps was to restaff the team and professionalise the unit. This involved hiring two senior accountants – one from the Office of the Comptroller and Auditor General, Ireland’s equivalent to the National Audit Office, and another from the Department of Finance, the country’s treasury. Additionally, a senior civil servant who had worked on the Garda side of the Department of Justice was drafted in. This not only helped to build crucial expertise into the team to bring the financial accounts into sharper focus, but also created a valuable link into the Departments of Justice and Finance to cross-check and validate information. 

“We also reduced the number of uniformed police within the unit. We still need input because it’s very difficult to audit a Garda division if you haven’t actually worked in one yourself. So the input of the uniformed police members is vital, but when I came in the entire staff were uniformed officers,” says Kelly. 

A standardised approach

This professionalisation of the national police force’s internal audit function is part of a broader story in Ireland. Following publication of the Mullarkey Report, IA units and audit committees were established – some staffed by accountants and others overseen by civil servants who were landed into the job. By 2012, it was recognised that standardisation was required. As such, the Irish Department of Public Expenditure and Reform adopted a set of policies predicated on the Chartered IIA’s International Standards, adding interpretive notes on how best to implement them into the Irish public service. Kelly says the Chartered IIA’s guidance “was the obvious choice”.

“Because of my background in the audit field, from 2009 to 2010 we had most of the standards in place. We were already adopting best practice, even though it wasn’t compulsory at that stage,” he says.  

These government-wide improvements came at a particularly challenging time. Ireland was one of the countries in Europe hit hardest by the financial crisis, forcing it to take a bailout from the EU/ECB/IMF troika and commit to deep public cuts. A moratorium on hiring and promotion in the public service was lifted as recently as December 2014 and departments across the board saw their budgets shrink. The Garda’s IA function was not immune to austerity – its headcount was reduced from ten to six. 

While some have turned to co-sourcing parts of their internal audit to meet their needs, there’s no such luxury with the Gardaí. Due to the highly sensitive nature of the police force’s work, any third parties working for the organisation have to go through demanding vetting processes that can be more trouble than they are worth. Instead, Kelly and his team have had to hunker down, employing the same risk-based internal audit (RBIA) approach advocated by the Chartered IIA in its International Standards.

“We’ve been applying our resources more cleverly and focusing on the higher-risk areas. When we had a full complement of staff, we used to have a policy of trying to get around the whole organisation – every Garda division and every national unit – once every three years. We now can’t do that. We’re on a four to four-and-a-half year cycle. But we’re more clever in that we’re doing fewer divisional, geographic audits and looking at functions like procurement or payroll across the whole organisation. So we’ve moved towards cross-cutting audits so that we can optimise our resources.”

Identifying risks

When it comes to assurance, Kelly and his team groups risks into four quadrants.  The first of these is ‘fraud, irregularities and errors’, encompassing internal and external fraud against the organisation, irregularities such as incorrect procurement, and mistakes that might lead to losses of money and resources or weaken control systems. 

Another is ‘service delivery risk’. The public have a level of expectation of a police service. With cutbacks as budgets have been squeezed, there is a risk that the Gardaí may not always be able to deliver, so there’s a potential gap between what’s expected and what’s delivered. 

Given the rise in cyber attacks and the growing emphasis on security, another of the four quadrants is ‘data asset risk’. This is of particular importance for a national police force that holds sensitive information on its country’s citizens. It is vital that data protection rules and procedures are followed to the letter, and that there’s no possibility of hacks. 

Finally, there is ‘property and management risk’. In October the Garda Internal Audit Committee published its most recent annual report. It found that of 46 recommendations outstanding  at the end of 2014, 21 related to the control, management, and recording of drugs exhibits, property and evidence, including cash held at police stations. According to the report, the Garda Internal Audit Section could provide only “limited assurance” on this risk and that practical solutions to address the issue needed to be implemented “as a matter of urgency”.

“Certain property comes into the possession of the police, be it money handed in at a station or there’s a big drugs find and evidence has to be secured and stored. We have found that there aren’t properly resourced stores to hold all of these items, or procedures to fully link every item that we have in our possession with an incident in our computer system,” says Kelly. “We’ve expressed concerns around that as being a potential risk and that has fed into a priority issue.”

Now that this concern has been highlighted, it is up to the Garda’s Strategic  Transformation Office to drive changes within the organisation to redress this – along with any other weaknesses. The Property and Evidence Management solution will be one of the first initiatives to be introduced by the Strategic Transformation Office, which is still in its infancy, having been launched in the wake of Garda Commissioner Martin Callinan’s departure. 

Callinan, who held the organisation’s most senior ranking position, stepped down in March 2014 amid criticism of the handling of a whistleblowing case that centred on the alleged erasure of penalty points from well-connected offenders’ driving licences. Nóirín O’Sullivan took on the top role in November 2014 and assembled the Strategic Transformation Office.

Previously, the Garda’s IA function mainly had a financial remit. Police conduct and processes were solely audited and examined by the Garda Professional Standards Unit. Today, Kelly and his team work closely with the new Strategic Transformation Office to identify operational risks which have the potential to undermine the organisation. 

“When the Strategic Transformation Office was established at the start of 2015, one of their first ports of call was the IA unit to get our view on things. So we’re working collaboratively at their request and we’re pushing it as well,” says Kelly. “We’re working alongside the people that are driving the strategic change and transformation, to give them a heads up about what are the real and emerging risks within the organisation.”

This collaboration is now at the heart of auditing An Garda Síochána. Kelly believes it is crucial that he and his team are involved in continuously improving the organisation. This will only happen if they continue to work hand-in-hand with this new office to identify problem areas and contribute to the Garda’s ongoing reform programme.  

“The Strategic Transformation Office was set up to address a lot of the issues that existed pre-2014 and to put initiatives in place to transform the organisation. My aspiration is to really integrate internal audit to feed into that change,” says Kelly. “We’re not going to start auditing professional policing because we’re not qualified to do that. But we will be more involved in highlighting cultural issues and other potential problems that could impinge on the Commissioner as the Accounting Officer.”

This article was first published in Audit & Risk January/February 2016.