
 

Hampshire County Council

 

Standards Committee

 
 

29 July 2003

 
 

Hampshire County Council Annual Internal Audit Opinion 2002/03

 
 

Report of the County Treasurer

 

Contact Ejner Knudsen Ext 7403

1 Summary

1.1 In our opinion Hampshire County Council has an effective framework of control which provides reasonable assurance regarding the effective, efficient and economic achievement of its objectives. Audit testing has shown controls to be generally working in practice. Where improvements to controls were required, we are satisfied that appropriate action has been agreed by relevant managers and that they will be resolved in an appropriate manner.

1.2 The following paragraphs explain how we arrived at this opinion.

2 Background

2.1 For 2002/03 the Code of Practice on Local Authority Accounting in the UK requires the County Treasurer to sign a statement on the system of internal financial control as a note to the published accounts. To enable him to do this the Chief Internal Auditor is required to provide an independent opinion on the adequacy and effectiveness of the system of internal financial control operating in the County Council and this is the purpose of this report. An assurance statement for each department has been appended to the annual accounts for each department for presentation to Executive Members. An overall assurance statement for presentation to Standards Committee and the County Council is attached for comment at Appendix A.

2.2 It is a management responsibility to develop and maintain the internal control framework, and to ensure that an organisation's resources are properly applied in the manner and on the activities intended. The main objectives of internal control, financial and otherwise, are:

    · to ensure adherence to management policies and directives in order to achieve the organisation's objectives

    · to safeguard assets, including data

    · to secure the relevance, reliability and integrity of information

    · to ensure, as far as possible, the completeness and accuracy of records

    · to ensure compliance with statutory requirements.

3 Objectives

3.1 This report will outline the level of assurance that we are able to provide, based on the internal audit work completed during the year. It will give:

    · a statement on the effectiveness of the system of internal control

    · a comparison of internal audit activity during the year with that planned, placed in the context of changing requirements

    · an analysis of common or significant weaknesses arising

    · details of any major findings where action appears desirable but has not been taken and which thus needs to be brought to the attention of the departmental management team.

4 Scope

4.1 The Chief Internal Auditor is required to provide the County Council with an assurance on the system of internal control of the County Council. The opinions provided for each department will contribute to this overall assurance. It should be noted, however, that this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control. In assessing the level of assurance to be given the following have been taken into account:

    · all audits completed during 2002/03, including those audits carried forward from 2001/02

    · any follow up action taken in respect of audits from previous periods

    · any significant recommendations not accepted by management and the consequent risks

    · the effects of any significant changes to the organisation's objectives or systems

    · the quality of internal audit's performance

    · the proportion of the County Council's audit need that has been covered to date

    · the extent to which resource constraints may limit the ability to meet the full audit needs of the department

    · any limitations that may have been placed on the scope of internal audit.

5 Audit service quality

5.1 The service we provide is designed to ensure compliance with the standards for internal audit promulgated by the Code of Practice for Internal Audit in Local Government in the United Kingdom, issued by the Chartered Institute of Public Finance and Accountancy.

5.2 Hampshire Audit Services is registered under ISO9001, the international quality management standard and has developed comprehensive procedures to ensure that all audits are conducted to the required standard. In particular, the audit planning memorandum is approved, before site work commences, by the Audit Manager, who also reviews each draft and final report before it is issued to ensure that all key controls have been properly evaluated and that adequate audit evidence has been obtained to support the findings. In addition, internal audit is subject to annual review by the Audit Commission (formerly District Audit) who continue to rely on its work to support their audit opinion.

6 Audit Needs

6.1 A detailed risk assessment was undertaken for the 2002/03 audit plan, which involved an analytical review of data relating to each department including: size of budgets, content of committee reports or committee decisions, previous audit findings and consultation with departmental management to ensure the audit plan addressed the key risks facing the County Council.

    A summary of audit days delivered during 2002/03 is provided in Table 1.

Table 1 - Summary of audit days delivered (2002/03)

       

    Detail                                                        2002/03

    Previous year carry forward                         316
    Audit plan agreed by County Treasurer                            3128
    Variations to the plan                                           -122
    Revised 2002/03 plan at the year end                             3006
    Total days delivered against the 2002/03 plan                    2703
    Carry forward                                                     303

6.2 The previous year carry forward related to audits where a draft was issued and awaiting management response (7 audits) or where testing was still in progress (43 audits). For all carry forward audits completed during 2002/03 an audit opinion is provided as part of the 2002/03 annual audit opinion.

6.3 There was sufficient work carried out in each department in 2002/03 to enable us to form an opinion on the framework of control; however, changes were made to the 2002/03 audit plan during the year to reflect changes in key risks.

6.4 There were 239 audits started during 2002/03 of which there were 45 where testing was in progress at 31 March 2003. Findings from these audits will form a part of the 2003/04 annual audit opinion.

6.5 No limitations were placed on the scope of our work during the year.

7 Audit approach

7.1 We examined systems operating to achieve objectives set by management in each department of the County Council. We are aware that the ongoing implementation of the various modules of SAP as part of the Enterprise Project over the year has led to some changes to the systems reviewed and this is reflected in our audit plans for 2003/04.

7.2 Our work has been carried out using a systems based audit approach. This covers the internal control systems of the department and during the conduct of our work, particular attention was given to arrangements established to ensure:

    · financial control

    · safeguarding of assets to reduce exposure to theft or fraud

    · compliance with the County Council's policies, procedures, laws and regulations

    · the integrity and reliability of information and data

    · value for money.

7.3 An implicit part of our systems based audit approach is an evaluation of the controls in place to prevent and detect fraud and we perform sufficient audit testing to confirm that controls are working in practice. In selected areas affected by system development we have also carried out increased amounts of substantive testing in 2002/03 to provide assurance that material loss or discrepancies have not resulted where the control framework is not complete.

8 Audit Liaison

8.1 Staff have been co-operative and helpful during audits, and have worked with us to ensure that audits have been timed to suit both parties.

8.2 In most departments, management responses have been timely and have adequately addressed the issues raised, and there has been a general improvement in the timeliness of responses compared to last year. However, as reported last year, delays in receiving management responses continued to be experienced in the IT Services department and this has been discussed with the departmental management team.

8.3 Audit Appraisal Questionnaires (AAQs) have been received from 115 of the audits completed before 31 March 2003 with an average satisfaction score of 91.8%. This compares favourably with 2001/02 when the 133 AAQs received showed an average score of 90.3% and demonstrates a good working relationship between Internal Audit and County Council staff.

9 Issues raised during 2002/03

Main Findings

9.1 Details of the level of control and the main issues identified across all departments in 2002/03 are given in Appendix C, which is not for publication by virtue of paragraph 14 of Part I of Schedule 12A of the Local Government Act 1972. Concerns regarding the system of internal control were raised in respect of the areas outlined below. Appropriate action has been agreed by relevant managers to address these issues and progress is being monitored.

SAP implementation

9.2 The implementation of the SAP system has continued to have a significant impact on the development and operation of the key financial systems.

9.3 Although this has led to some areas of control weakness in the transitional arrangements for processing and recording of financial transactions, we are satisfied that there are sufficient compensating controls (in particular departmental budget management) in place to prevent these weaknesses from having material consequences.

9.4 There is a significant risk relating to the lack of input controls for areas of the payroll and creditors systems as incorrect payments could be made and not identified. However, a large amount of substantive testing was carried out during the year, which provided assurance that the weaknesses in the control framework had not resulted in any material loss or discrepancy. These risks will be addressed through further development of the systems during 2003/04.

Social Services

9.5 The Social Services department was found to have an effective framework of control which provides reasonable assurance regarding the effective, efficient and economic achievement of the department's objectives. However, audit testing showed, as it has in previous years, that controls were not working in practice in some areas. In addition, although appropriate action has been agreed by relevant managers in the Social Services department to address control and compliance issues raised during audit reviews, subsequent audit work has shown that the agreed actions are not always carried out, meaning that identified risks are not being addressed in a timely manner.

9.6 The department has started to address this issue following the appointment of a Financial Control and Compliance Manager and the department has been urged to carry out more follow-up action where significant issues have been raised.

9.7 Of particular concern is the failure to implement an audit recommendation made in 2000/01 to develop and use a central approved supplier list for children's services. In addition to some of the financial issues for the County Council, our greatest concerns are that children are at risk of being placed with unsuitable providers of care.

Business continuity

9.8 In the event of a disaster that destroyed a large part of the Castle site, recovery could take a number of weeks due to the lack of a suitable recovery site and the requirement for specialised storage devices. This would have a serious impact on the functioning of the County Council and suitable arrangements are required to ensure essential equipment would be available if needed.

Common findings

9.9 A number of common findings were highlighted during the. The most significant, which impact across the County Council are summarised below.

Information security

9.10 Departments are not always complying with the guidelines given by IT Services; for example, action is not always taken on unused network user accounts, weakening system access controls. In other instances, departments are looking for guidance which is not currently in place, for example on homeworking or the use of laptops, and corporate guidance is required.

9.11 Sensitive and personal information has been found on shared folders within IT2000, making it available to a much wider audience than it should be. This has been referred to the County Council's Data Protection Officer and needs to be addressed by all departments.

10 Overall assurance

10.1 Detailed reports, giving our conclusion on each of the systems examined have been issued to individual managers who have considered each report and provided a management response. This report provides an opinion on the overall financial control framework using the following terms which are defined in Appendix B:

    · good

    · effective

    · basic

    · inadequate.

10.2 In our opinion Hampshire County Council has an effective framework of control which provides reasonable assurance regarding the effective, efficient and economic achievement of its objectives. Audit testing has shown controls to be generally working in practice. Where improvements to controls were required, we are satisfied that appropriate action has been agreed by relevant managers and that they will be resolved in an appropriate manner.

10.3 There has been no change in the overall level of assurance provided compared to that given in our 2001/02 annual internal audit opinion.

11 Recommendation

11.1 That the Standards Committee approve the internal audit assurance statement for 2002/03 detailed in Appendix A.

Section 100D - Local Government Act 1972 - Background Papers

The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.

NB the list excludes:

1. Published works

2. Documents which disclose exempt or confidential information as defined in the Act.

    Nil

        Appendix A

Hampshire County Council

Assurance statement for the year ended 31 March 2003

Introduction

The Accounts and Audit Regulations 2003 require the County Treasurer to maintain an adequate and effective system of internal audit.

From 2002/03 The Code of Practice on Local Authority Accounting in the UK requires the Chief Internal Auditor to provide an independent opinion on the adequacy and effectiveness of the system of internal financial control operating in the County Council. To enable him to do this, an independent opinion on the adequacy and effectiveness of the system of internal control has been prepared for each department.

The much broader issue of Corporate Governance has risen in prominence in the public sector, most recently as a result of the publication of the Chartered Institute of Public Finance and Accountancy (CIPFA) / Society of Local Authority Chief Executives (SOLACE) framework document, "Corporate Governance in Local Government - Keystone for Community Governance", and the introduction of Comprehensive Performance Assessment (CPA) for local authorities. This requires local authorities to develop their own codes of corporate governance and report on how they have monitored the effectiveness of corporate governance arrangements in the year.

The Standards Committee approved Hampshire County Council's Code of Corporate Governance in January 2003 and the Chief Internal Auditor has been given the responsibility to review independently the adequacy and effectiveness of the Code and the extent of compliance with it. This is reflected in internal audit plans for 2003/04, working towards providing an independent opinion on the adequacy and effectiveness of the system of corporate governance operating in the County Council in the future.

Responsibilities

It is a management responsibility to develop and maintain the internal control framework, and to ensure that resources are properly applied in the manner and on the activities intended. It is the responsibility of Internal Audit to form an independent opinion, based on reviews during the year, on the adequacy and effectiveness of the system of internal control.

Basis of opinion

The strategic and annual internal audit plans were prepared by the Chief Internal Auditor to take account of the characteristics and relative risks of the activities involved and were approved by the County Treasurer.

The internal audit plan has been delivered in accordance with the Code of practice for internal audit in local government in the United Kingdom, issued by CIPFA.

Work has been planned and performed so as to obtain all the information and explanations which were considered necessary in order to provide sufficient evidence to give reasonable assurance that the internal control system is operating effectively. However, this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control.

Opinion

In my opinion Hampshire County Council has an effective framework of control which provides reasonable assurance regarding the effective, efficient and economic achievement of the County Council's objectives.

Ejner Knudsen

Chief Internal Auditor

County Treasurer's Department

Hampshire County Council

5 June 2003

    Appendix B

    Audit opinion definitions

    Good: a comprehensive system of controls is in place to ensure the achievement of service objectives, good financial management and to protect the County Council against loss.

    Effective: key controls exist to enable the achievement of system objectives and to protect the organisation from material loss. However, cost effective opportunities to strengthen the control system exist.

    Basic: there is a basic control framework in place but there are gaps which weaken the system and losses or failure to achieve system objectives could occur. There is a need to introduce additional controls to reduce the risk to the organisation.

    Inadequate: controls are considered to be insufficient with the absence of at least one critical control mechanism. Failure to improve controls could lead to a decline in financial integrity and lead to an increased risk of major loss or embarrassment to the organisation.