Crown Prosecution Service Resource Accounts 2009 - 2010

Statement on internal control 2009-10

Scope of responsibility

As Accounting Officer, I have responsibility for maintaining a sound system of internal control that supports the achievement of CPS policies, aims and objectives, whilst safeguarding the public funds and departmental assets for which I am personally responsible, in accordance with the responsibilities assigned to me in Managing Public Money. I am supported in managing the CPS and its key risks by the Chief Executive Officer who, as an additional Accounting Officer, is responsible for running the business on a day-to-day basis, for human resources, finance, business information systems, and business development, allowing me to concentrate on prosecution, legal issues and criminal justice policy.

This year has been one of considerable change for the CPS, particularly regarding the devolution of responsibilities to Groups, and also the merger with the RCPO. The CPS is a national Service that is delivered at a local level by 42 Areas across England and Wales. Each Area is headed by a Chief Crown Prosecutor (CCP). A 'virtual' 43rd Area, CPS Direct, is also headed by a CCP and provides charging decisions to the police electronically. The 42 Areas are arranged into 13 Groups. Each Group is overseen by a Group Chair, who is also a CCP, and who is supported by a Senior Area Business Manager. A number of specialist Casework Divisions deal with the prosecution of serious organised crime, terrorism, fraud and other sensitive prosecution cases.

I have put in place clear governance arrangements to make sure that the CEO and I, with the support of the CPS Board, are able to lead and direct the Service and manage risk effectively. All the CPS' senior leaders have a role to play in these arrangements. In light of the performance issues in London and Gwent, governance arrangements have been improved, so the CPS Board will take a much greater role in reviewing the performance of operational groups. The CEO and I regularly review the governance arrangements so that they fully contribute to making sure that the CPS achieves its Strategic Objectives.

In 2009-10 the CPS incorporated the Revenue and Customs Prosecutions Office (RCPO). I additionally took on the role of Director of Revenue and Customs Prosecutions Office on 1 January 2010 and a single management and governance structure has operated since then. For the period 1 April 2009 to 31 December 2009 the RCPO system of internal control was in place. The RCPO Accounting Officer [David Green QC] for that period has provided me with full assurance on the effectiveness of the internal control systems for which he was responsible.

CPS, incorporating RCPO, is an independent part of the criminal justice system under the ministerial superintendence of the Attorney General. I regularly meet the Attorney General to assess progress and performance and to discuss the issues and the risks associated with key criminal justice policies.

The purpose of the system of internal control

The system of internal control is designed to manage risk to a reasonable level rather than to eliminate all risk of failure to achieve policies, aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness.

It is designed to identify and prioritise the risks to the achievement of departmental policies, aims and objectives, to evaluate the likelihood of those risks being realised and the impact should they be realised, and to manage them efficiently, effectively and economically.

The system of internal control has been in place in CPS for the year ended 31 March 2010 and up to the date of approval of the annual report and accounts, and accords with Treasury guidance.

Capacity to handle risk

The CPS Board is responsible for ensuring that there are appropriate risk management arrangements and that corporate risks are properly managed and includes a risk management champion.

The Directors Group (formally the Corporate Delivery & Management Group) undertake regular and detailed oversight of the risk management capability and the management of key corporate risks. All corporate risk owners are Board or Directors Group Members.

Headquarters' Directors and Group Chairs are personally responsible for maintaining effective risk management arrangements and ensuring an effective system of internal control.

Managers and staff at all levels have a responsibility to identify, evaluate, manage or report risks. Risk training was delivered to a wide range of managers and will continue during 2010-11. Support and best practice guidance was provided by a dedicated corporate risk management advisor, and a full range of risk guidance and support is available on the CPS internal 'Infonet'.

The CPS is committed to further embedding risk management and development of awareness through maintaining and updating the level of support and guidance provided; prescribing a programme of risk training integrated into our broader management training and continuing risk management capability assurance.

The risk and control framework

All risk management is aligned to the corporate aims, objectives, priorities and commitments. Formal Risk Management is applied to strategic corporate risks, Group and Area operational and business risks and key business change programmes.

The key elements of the risk and control framework for 2009-10 are listed below and work to embed these will continue in 2010-11.

• Corporate and operational business risk owners are responsible for ensuring proper identification, review, and re-assessment of the level of risk.
• The Directors Group identifies the corporate risks and updates the corporate risk register at formal quarterly reviews.
• The Board agrees and reviews the corporate risk register and receives quarterly performance, business change and risk highlight reports, and separate reports of any escalated risks. No corporate risks were escalated to the Board in 2009-10.
• The Board regularly reviews in-year expenditure against forecasts to ensure effective allocation and control of CPS' financial resources.
• Regular Board scrutiny of performance against Key Performance Indicators and targets.
• Change proposals are examined by the Change Portfolio Review Panel, key business change programmes are subject to an OGC Gateway review and all strategic business change projects are overseen by the Board.
• A Senior Information Risk Officer, Chief Information Officer and Departmental Security Officer support to the Board in respect of information handling and assurance risks.
• A Security & Information Management Group was set up in 2009-10 to assist the Senior Information Risk Officer meet his responsibilities. Our approach to information risk management is to integrate it into our existing business and change risk arrangements.
• An Information Management Strategy and Policy and a revised Security Strategy and Policy were promulgated. An Information Assurance Maturity Model Assessment was completed which showed that there is now a framework of processes and procedures against which we can adequately deliver and monitor our performance.
• 'Protecting Information' training was provided for all staff and introduced specific roles for information assurance and information management advice.
• The Board has set a risk tolerance range, and the acceptable parameters for risk taking are outlined in the CPS risk policy and guidance documents.
• The CPS policy statement, risk management guide and statement of best practice criteria were updated and re-issued in 2009-10.
• All RCPO risks were cleared by their Board prior to incorporation, except for one relating to taxpayer confidentiality which was subsumed into the CPS information handling risk on their incorporation.

CPS approach to risk management is to encourage a culture in which all staff are aware of the need to identify and manage a broad range of risks. All operational units, projects and programmes are required to maintain risk registers that list and evaluate the risks identified, and provide a framework for monitoring mitigation actions.

RCPO/CPS Merger Arrangements

Following the announcement of the merger of RCPO and CPS a Transition Programme Board was established to oversee the work necessary to combine the two entities and ensure good governance throughout all stages of the transition.

The Programme Board set up work streams to handle different aspects of the transition (legal, human, financial, estates) and each of these has maintained a register of relevant risks. Accordingly, the management of risk throughout the project has been transparent and effective and the merger programme was completed on time and within budget.

The transfer of case management information from RCPO to CPS and the associated technological issues were identified as a discrete risk under the transition programme and were subject to close management and oversight.

Independent assurance of the transition programme has been provided by OGC Gateway Reviews. In its first review of the programme the Gateway team found that the likelihood of the programme delivering successfully was 'very high'.

On completion of phase one of the merger the RCPO Accounting Officer wrote to me to formally hand over responsibility for the future delivery of RCPO's request for resources: "the effective and efficient prosecution of cases in accordance with the Code for Crown Prosecutors".

Review of effectiveness

As Accounting Officer, I have responsibility for reviewing the effectiveness of the system of internal control. My review of the effectiveness of the system of internal control is informed by the work of the internal auditors and the executive managers within the department who have responsibility for the development and maintenance of the internal control framework, and comments made by the external auditors in their management letter and other reports. I have been advised on the implications of the result of my review of the effectiveness of the system of internal control by the Board, the Audit Committee and the Directors Group, and a plan to address weaknesses and ensure continuous improvement of the system is in place.

Assurance regarding the adequacy of the internal controls is provided by:

• The internal audit function operates to the 'Government Internal Audit Standards' guidance and reports on the framework of internal control to the Audit Committee.
• The Head of Internal Audit that provides an independent opinion on the adequacy and effectiveness of the department's system of internal control, and an opinion on significant control issues.
• The Audit Committee, which now includes four non-executive members, one of whom is a Non-executive Director who sits on the CPS Board and now serves as the Chair. The Audit Committee is authorised to review, and where necessary advise on CPS' Resource Accounts, internal and external audit, risk management, corporate governance and financial discipline and internal control.
• The Audit Committee also reviews and endorses the annual report from the Head of Internal Audit and reports to the Board.
• The Chief Crown Prosecutors and HQ Directors complete a certificate of assurance that includes statements on the level of assurance achieved throughout the year against key aspects of their business. They specifically provide an assurance on the effectiveness of local systems to identify and manage the principal risks to the delivery of CPS policies, aims and objectives.
• The Area quarterly performance reviews monitor the effectiveness of the system of internal control and provide action plans for performance improvement, which are agreed with the Chief Executive and the Chief Operating Officer.
• The HM Crown Prosecution Service Inspectorate provides an independent review of business efficiency and effectiveness. In 2009-10 their programme of review included Performance Assessments of 9 London Boroughs; full inspections of 2 Areas and 2 Casework Divisions; and 4 thematic reviews: Advocacy; Victims & Witness Care and the handling of Persistent & Prolific Offenders; and Mentally Disordered Offender cases.

Significant internal control issues

Two CPS Areas were identified as performing below the minimum standard required and confirmed in inspections by HM Crown Prosecution Service Inspectorate. These were:

• Gwent was rated 'Poor' where there performance issues in a number of critical aspects including decision making and management, including management of resources and the prosecution process. London was also rated 'Poor' overall, and a number of Boroughs experienced performance issues on a range of operational activities with magistrates' courts and lower tier Crown Court casework including decision making and case preparation and progression.

The performance management regime in place had indicated that there were performance issues for the two Areas but a further review of the system has identified that performance reporting needs to be sharper and more predictive as well as providing effective diagnostics measures. We are developing the performance management system for 2010-11 to ensure that it enables timely identification of business delivery and the CEO and I, supported by the Board, are taking appropriate remedial action at the earliest opportunity to prevent poor performance recurring. For the Areas mentioned above we have strengthened management capability and have supported the Areas in developing action plans to deliver improved performance. Achievement of those plans will be monitored by the CEO and I.

Keir Starmer QC

Accounting Officer

22 July 2010