Hampshire County Council
Standards Committee
Item 6
22 June 2004
Internal Audit Strategy 2004/05 to 2006/07
Report of the County Treasurer
Contact: Ejner Knudsen, ext. 7403
1 Introduction
1.1 The purpose of this report is to outline the proposed internal audit strategy for 2004/05 to 2006/07 for approval by members of the Standards Committee.
2 Background
2.1 Standards Committee approved the current internal audit strategy for Hampshire County Council on 28 January 2003. The strategy is reviewed annually to ensure that it remains up to date and there have been a number of developments over the last year that affect it. The purpose of this report, therefore, is to present a revised audit strategy for the next three years, reflecting those changes.
2.2 The revised audit strategy has already been considered / approved by the Corporate Management Team.
2.3 To date, the audit strategy, which has been formally documented since October 1999, has been largely successful in achieving the aims of internal audit identified in the Accountancy Practices Board (APB) guidelines, the CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom (the Code) and the CIPFA Local Government Audit Manual.
2.4 The definition of internal audit, as stated in the Code, is 'an assurance function that primarily provides an independent and objective opinion to the organisation on the control environment comprising risk management, control and governance by evaluating its effectiveness in achieving the organisation's objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources.'
3 Change issues
3.1 There are a number of external and internal change factors that affect the internal audit strategy. As internal audit resources are limited, the aim of this review of the strategy is to ensure that an appropriate level and balance of coverage is maintained across the County Council.
3.2 External factors affecting the audit strategy include:
· the continuing impact of constitutional changes on the decision making process
· the need for compliance with the CIPFA/SOLACE framework "Corporate Governance in Local Government - A Keystone for Community Governance"
· the DfES seeking to introduce similar governance assurances to schools
· the latest requirements and changes in the Comprehensive Performance Assessment (CPA)
· the further development of partnership working
· the need for compliance with the Regulation of Investigatory Powers Act 2000 (RIPA) and its impact on resourcing fraud investigation
· the impact of 'Every Child Matters' on operational risks and financial control.
3.3 Internal factors include:
· compliance with the County Council's Corporate Governance Framework
· additional stakeholder demands for reporting and assurance
· the development of the corporate risk management framework
· SAP roll-out and changes in the systems framework and assurance levels as a result.
3.4 Many of these issues were highlighted in the last review of the audit strategy but were in the relatively early stages of development. The more detailed impact of these factors on the audit strategy, drawing on experience over the last year, is assessed in more detail below.
4 Internal audit strategy
4.1 The proposed internal audit strategy is outlined below covering the following areas:
· corporate governance
· risk management
· partnership arrangements
· key financial systems
· departmental systems
· establishment visits
· systems development
· fraud and irregularity
· computer audit
· follow-up work
5 Corporate governance
5.1 Developments in corporate governance in local authorities over the last few years have challenged and changed traditional internal audit reporting lines. Internal audit findings have been traditionally shared with operational and senior managers to provide:
· assurance over the internal controls operating in the systems falling within their responsibility
· recommendations to improve compliance with controls or to strengthen the control framework.
5.2 Good corporate governance, however, highlights internal audit's responsibilities to other stakeholders, including chief officers and members. This requires assurance on controls operating in each department and throughout the County Council as a whole. Internal audit has provided assurance on financial controls for the last two financial years, and for 2002/03 this work was important to the development of the new Statement of Financial Control. This was a requirement of the CIPFA / LASAAC Code of Practice on Local Authority Accounting in the UK, and was signed by the County Treasurer as part of the County Council's published accounts.
5.3 Advice from CIPFA / SOLACE developed this a stage further, however, suggesting that from 2003/04 the statement of financial control should be extended to become a more general statement of internal control, covering financial and non-financial controls, including the corporate governance framework. This statement should be signed by the Leader and Chief Executive. The assurance provided by internal audit needs to be taken into account in producing these statements and, in anticipation of this change, the audit strategy approved in January 2003 extended the scope of internal audit coverage to include corporate governance arrangements.
5.4 The approach to this work has been developed during 2003/04, with the first round of reviews drawing on the results of corporate and departmental corporate governance questionnaires issued to all chief officers and heads of department in May 2003. This approach was brought to the attention of members of the Standards Committee in a report to the meeting on 28 October 2003. Internal audit are therefore well placed to provide the Standards Committee with an initial view on the effectiveness of the County Council's Code of Corporate Governance and of compliance with it for the meeting on 27 July 2004.
5.5 As the Comprehensive Performance Assessment process has assessed the County Council as an excellent authority, it is not necessary for internal audit reviews to be carried out in every department each year. A three-year programme of reviews is sufficient to provide an overall opinion for the County Council. The approach to corporate governance reviews can therefore be summarised as follows:
· a systems based review of corporate governance arrangements will be carried out corporately and in all departments over a three year cycle. Audit coverage at this strategic level in the organisation will provide assurance to management that their policies are being implemented and complied with. These will be high level reviews of corporate governance arrangements, internal audit having neither the resources nor expertise to carry out in depth examinations of governance issues. This work will encompass arrangements for carrying out best value reviews, ensuring that systems are in place to produce and monitor robust data to support performance indicators, risk management and control of partnership arrangements which were previously covered separately in the internal audit strategy
· in the intervening years, a limited amount of compliance testing will be undertaken in each department to confirm whether or not the County Council's Code of Corporate Governance is operating in practice
· results of the compliance testing will be used to assess priorities for carrying out full reviews in departments in future
· internal audit will work with the Monitoring Officer to develop the use of the corporate governance questionnaires as an annual self assessment tool for all departments. This will highlight areas of change and be used to determine the scope of compliance testing each year.
5.6 This work at departmental level will complement the work of the Audit Commission which is required under its Code of Audit Practice (March 2002) to report on the financial aspects of corporate governance in the annual audit letter.
6 Risk management
6.1 Risk management is the responsibility of the Risk Management Board and corporate guidance has been produced to ensure a consistent approach to risk management throughout the County Council. To date, however, the risk management structures, processes and reporting arrangements have not been reviewed by internal audit. The interaction of corporate governance, risk management and internal audit is being developed and reflected in this audit strategy.
6.2 The CIPFA audit manual identifies that one of the objectives of internal audit is to facilitate good practice in managing risks. Internal audit carry out a risk assessment when drawing up plans, taking account of corporate risk assessments, previous audit findings, management concerns and the results of fraud and irregularity investigations to ensure that the areas of highest risk to the County Council are audited. This enables internal audit to provide management with an opinion on whether there are effective controls working to mitigate risk in individual systems or establishments.
6.3 The revised internal audit strategy for risk management is as follows:
· to review corporate and departmental arrangements for risk management under the heading of corporate governance reviews outlined above
· to use the results of the annual corporate risk assessment process to identify areas where internal audit review is required or to identify who provides assurance on the controls to mitigate the risk. Reliance will be placed on the quality assurance programme undertaken by the Chief Executive's department to confirm the quality of the results of the risk assessment process
· to provide an assurance on the County Council's risk management processes in the annual internal audit opinion.
7 Partnerships
7.1 There are an increasing number of partnership arrangements to which a significant proportion of the County Council's resources are being committed. The nature of these partnerships is very varied, some having tight controls prescribed by external bodies providing funding whilst others are far looser arrangements. This brings a new area of risk and the need for a control framework for each individual arrangement.
7.2 Corporate Guidance was approved by the Corporate Management Team in September 2003 to provide a detailed framework for setting up partnership arrangements to ensure accountability and liabilities are well defined.
7.3 The arrangements that departments have in place for entering, controlling and documenting partnership arrangements will be reviewed by internal audit as part of the corporate governance reviews described above. Partnership arrangements will also be considered during the risk assessment process when developing internal audit plans and, where appropriate, internal audit will either include partnerships in the scope of systems based audit work or ensure that internal audit is provided by another organisation.
7.4 Partnerships with health authorities will require particular consideration with the introduction of new proposals with 'Every Child Matters', as will partnerships with district councils and the police authority.
8 Key financial systems audit
8.1 Internal audit carry out systems based audit reviews of key financial systems (budgetary control, creditor payments, payroll and income) at central, departmental and unit level as part of establishment reviews (see paragraphs 11.3-11.4 below).
8.2 Key financial systems reviews remain potentially high risk areas due to the value and volume of transactions involved and will continue to be reviewed annually to provide assurance that controls are in place and are complied with. The ongoing roll out of SAP, however, will lead to a further devolution of control, and will result in internal audit resources gradually transferring from central to departmental and unit level reviews to ensure that system controls are operating in practice. There will also be new risks to consider when the new procurement policy is implemented, eg in relation to local purchasing, serial contracts and call off monitoring.
8.3 Audit reviews of key financial systems are also carried out in each department on a three-year cycle and there are no plans to change this approach.
9 Departmental systems audit
9.1 In addition to the key financial systems, each department also operates a range of systems, dependent on their specific management and operational requirements. The risks attached to these systems will also be reviewed during the internal audit planning process and will be included in the audit plan as appropriate. These systems are generally of medium risk to the County Council as a whole and audited every three to four years.
10 Systems development
10.1 There are currently a significant number of days in the plan to provide advice to the development phase of SAP. This level of cover is likely to reduce over the next few years as the various modules are rolled out. The need for internal audit involvement in systems development will, however, continue in the following ways:
· to provide assurance to stakeholders in the change control process
· input to business process re-engineering work to ensure that controls are not compromised
· to ensure awareness of the new system opportunities for improved controls and decision making eg from better information reports
· to provide advice during the development of departmental systems.
11 Establishment audits
11.1 About one third of all audit days are currently spent on a planned cycle of reviews covering the majority of establishments. Planned frequencies range from two to five years, depending on the risks associated with each type of establishment. A systems based approach to this work has been developed over the last year and is in the process of being implemented across all establishments. This provides a more comprehensive review of controls, with targeted compliance testing to provide a more robust assurance to management.
11.2 In terms of risk, some establishments eg libraries or registrars have very little locally controlled income or expenditure and the findings tend to be similar for each type of establishment and change little from year to year.
11.3 A revision to the audit strategy will be piloted for the future as follows:
· a gradual move away from the strict cyclical review of establishments. The sample of establishments selected for review each year will include those assessed to be higher risk, with others continuing to be reviewed over an extended period of time, in line with revised risk assessments
· increase the number of departmental system reviews, potentially covering all systems operating at establishment level. Most policies and procedures are prescribed centrally, and this approach will therefore enable the adequacy of the control framework to be assessed in more detail. Compliance testing will be carried out at a sample of establishments across the County Council, through short site visits, with findings shared with the senior manager. This approach will achieve the same overall level of assurance as the current approach but will enable auditors to demonstrate risks more clearly to departmental management
· to help inform internal audit's own risk assessment of individual establishments, the potential for introducing a control risk self assessment for completion by managers at a random sample of establishments each year will also be explored during 2004/05. This would be followed up with a short notice visit to assess the evidence in place to support the questionnaire and general compliance with controls. This will not require advance preparation by the establishment and will consist mainly of testing.
11.4 Whilst the number of establishments subject to a full review each year may reduce over time, audit presence at establishment level will at least be maintained through the compliance testing required by systems based reviews (which will also include key financial systems) and the short notice visits. The present level of regularity reviews of Social Services establishments may need to continue, however, as compliance with some controls continues to be poor.
11.5 Last year's strategy reported that from 2003/04 the DfES were intending to introduce a statutory audit framework for schools (using powers provided by the Education Act 2002), most likely requiring annual internal audit reviews. It was also likely that the school would be responsible for procuring this service. As a result of a pilot study, however, the DfES are not proposing to implement an annual audit regime for schools. Instead they are considering the implementation of a financial management toolkit and are expecting a high level of financial competence. When known, the requirements will be reflected in internal audit work carried out at schools. The requirement for assurance statements at school level will also be reviewed.
12 Fraud and irregularity
12.1 The CIPFA Audit Manual says that one of the objectives of internal audit should be to identify fraud as a consequence of its reviews and to deter crime. The level of fraud and irregularities currently reported in the County Council is low and only a very small proportion of fraud is identified as a consequence of audit reviews. Nevertheless, internal auditors are trained to be able to identify the potential for fraud when carrying out their work. The County Council can demonstrate a good record of reporting suspected irregularities to internal audit in accordance with financial regulations.
12.2 In addition to carrying out fraud and irregularity investigations, internal audit are also currently involved in the following fraud detection work:
· participation in the National Fraud Initiative which helps to deter crime nationally but has not proved significant in uncovering frauds perpetrated against the County Council
· a limited number of specific fraud detection reviews which have tended to provide a limited level of assurance that controls are being complied with rather than finding anything significant. There is scope to extend this work further increasing the level of substantive testing in control areas where compliance is poor. Subscription to the National Anti Fraud Network ensures that internal audit are aware of the type and incidence of fraud and corruption in other local authorities and this information can be used to inform this programme of work.
12.3 Internal audit has maintained informal liaison with Police to ensure that appropriate cases are handed over to them at an appropriate time. Reporting frauds to the Police and Crown Prosecution Service raises their profile and can provide a deterrent against further offences being carried out. However, due to competing demands on their time, the Police are finding it increasingly difficult to commit resources to and investigate alleged frauds against the County Council which are considered low priority crimes. This means that the County Council needs to consider alternative means of pursuing these cases.
12.4 An approach will be developed to cover potential employment, civil and criminal sanctions for each irregularity investigated. Initial discussions with the Chief Executive suggest that the County Council could carry out its own civil prosecutions and could use powers to assist with debt recovery from individuals subject to prosecution. This would, of course, only be an option where the benefits outweigh the costs (which could include providing a deterrent to further criminal activity). It also requires a clear prosecution policy.
12.5 Legislation governing the conduct of fraud and irregularity investigations, however, has become increasingly complex over recent years and with it the risk that failure to follow correct procedures may not only result in failure to prosecute but also the possibility of litigation against the County Council. Investigations also tend to be very time consuming and the need to complete them as quickly as possible results in resources being diverted away from assurance work. To enable internal audit to continue to carry out investigations there is a need to invest in more training to provide specialist skills in this area and identify resources to undertake the work, without impacting on assurance work. The County Council already has a 'Reporting Concerns at Work' policy in place; however, feedback from departmental corporate governance questionnaires suggests that awareness of the policy is limited. The policy will therefore need to be re-launched to raise its profile throughout the County Council, ensuring that it is more accessible to staff.
12.6 Policies and procedures on fraud investigation, prosecution and recovery will also need to be developed during 2004/05 to support this work.
12.7 To summarise, the proposed audit strategy for the future is as follows:
· train specialist staff to provide the skills and expertise required to continue carrying out fraud and irregularity investigations, unless the agreed protocol requires that cases are handed over to the Police
· carry out a planned programme of fraud detection work across the County Council, using trend analysis and fraud bulletins produced by professional bodies to determine higher risk areas
· continue to support the National Fraud Initiative
· carry out short notice visits to establishments to assess compliance with controls and investigate anomalies identified through fraud detection work.
13 Computer audit
13.1 Because of the pace of development in the field of information technology, computer audit work has always been subject to more frequent risk assessment and change of audit emphasis than the more traditional audit of financial systems. The general approach has, however, always been grounded in the CIPFA computer audit manual.
13.2 Internal audit will continue to advise on and test the controls in SAP as it is rolled out. However, the centralisation of the IT network and the integration of the resource management systems should lead to a slowing down in the pace of change over the longer term.
13.3 The computer audit team also has a role to play in fraud investigation and detection work and internal audit are currently assessing the need for investment in resources and skills in computer forensics and the handling of electronic evidence.
14 Follow up
14.1 Audit standards require internal audit to follow up audit assignments to review the effectiveness of management action arising from audit recommendations. The strategy for follow up work is as follows:
· where an assignment concludes that the overall framework of control in an establishment or system is 'inadequate', a follow up review will be carried out within one year
· significant risks reported in the annual audit opinion for each client department will be followed up in the following year.
15 Resource implications
Staff input
15.1 Although it is not possible to estimate the exact resource implications of the individual changes in audit strategy proposed at this stage, there are compensating increases and decreases in the level of resources required in each area. The overall objective of the audit strategy is to redistribute the existing resources to provide a higher level of assurance in each department, whilst maintaining the current spread of coverage across all departments.
15.2 The proposed changes, however, are likely to affect the staff mix required to deliver the audit strategy over the next few years.
15.3 Investment in training will also be required to support the strategy for work relating to fraud and irregularity.
15.4 Subject to consultation, the internal audit plan will be prepared to ensure the resources available are organised to deliver it. In future, the format of the plan will focus on the required outputs and deliverables which will be broken down into individual audit reviews and tasks and the required resources rather than an analysis of inputs in the form of the frequency of review and days.
IT
15.5 Investment in new equipment and audit specific systems is also required to ensure that internal audit continue to deliver an efficient service to high professional standards. A business process re-engineering exercise is currently underway to identify service improvements prior to the completion of the business case for investment.
16 Internal audit approach
16.1 The approach to internal audit work for the County Council is based on professional standards and is tried and tested. It has always followed the principles of best practice and is subject to continuous review. The approach is fully documented and seeks to use risk assessment to:
· identify significant systems, locations and transactions
· decide on an appropriate audit approach (eg systems, regularity)
· carry out audits of those areas on a periodic basis.
16.2 The audit reviews are summarised in the form of a three year strategic audit plan, by department and type of audit. This is reviewed and updated to reflect changes in the risk environment. The Treasurer is responsible for approving an annual audit plan in line with the agreed strategy.
16.3 This approach has always been fully supported by the Audit Commission.
16.4 Customers are also satisfied with the work of internal audit. The high scores consistently obtained by auditors in audit appraisal questionnaires (92.3% for the first three quarters of 2003/04) and other customer surveys demonstrate this.
17 Relationship with external audit
17.1 Regular liaison meetings are held with the County Council's external auditors. The protocol outlining the working relationship is out of date and current arrangements will need to be formalised over the coming year. This will need to cover:
· information sharing
· reliance on each other's work
· joint planning to ensure that audit resources are maximised and to prevent duplication of work.
18 Reporting Strategy
18.1 Reporting arrangements for internal audit are summarised below:
· Standards Committee - the Chief Internal Auditor will report changes to the audit strategy to the Standards Committee for approval. Progress against the audit plan will be reported half way through the year, followed by an annual internal audit opinion to inform the completion of the statement of internal control
· Section 151 Officer - as Section 151 Officer, the County Treasurer is responsible for maintaining an effective and adequate internal audit function and ensuring that an effective system of internal financial control is maintained and operational for the County Council resource. Internal audit will therefore report plans to the County Treasurer for approval, together with at least half year progress reports and an annual internal audit opinion on internal financial control to inform the completion of the Statement on Internal Financial Control
· Monitoring Officer - the Chief Internal Auditor will discuss cases of reported fraud and irregularity with, and will also report formally on internal financial control to, the Monitoring Officer as lead officer for corporate governance. Internal audit will also carry out work commissioned by him to support the published statement on internal control and governance
· Chief Officers / departmental management team - internal audit will discuss plans and provide at least a half year progress report and an annual internal audit opinion outlining key findings and assurance on the control framework
· Operational managers - the findings of all reviews will be discussed with the system owner / head of establishments during and at the close of each assignment. A report summarising these findings will also be issued, providing a clear opinion on the framework of control, the operation of controls and any significant findings. A management response will be required to agree action to address recommendations for improving controls.
19 Recommendation:
19.1 That the Standards Committee approve the internal audit strategy for 2004/05 to 2006/07.
Section 100 D - Local Government Act 1972 - background papers
The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.
NB the list excludes:
Published works.
Documents which disclose exempt or confidential information as defined in the Act.
TITLE FILE
NONE