Contact: Ejner Knudsen, ext 7403

1 Introduction

1.1 In our opinion Hampshire County Council has an effective framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the department's objectives. Audit testing has shown controls to be generally working in practice. Where improvements to controls are required, we are satisfied that appropriate action has been agreed by relevant managers and that they will be resolved in an appropriate manner.

1.2 The following paragraphs explain how we arrived at this opinion.

1 Background

1.1 From 2002/03 the Code of Practice on Local Authority Accounting in the UK has required the County Treasurer to sign a statement on the system of internal financial control as a note to the published accounts. From 2003/04, the Leader and Chief Executive will also be required to sign a more general statement of internal control. To enable them to do this, the Chief Internal Auditor is required to provide an independent opinion on the adequacy and effectiveness of the system of internal control operating in each department and in the County Council as a whole.

1.2 This assurance has been appended to the annual accounts for each department for presentation to Executive Members. An overall assurance statement for the County Council as a whole is attached at Appendix A for consideration by the Standards Committee and Cabinet.

1.3 It is a management responsibility to develop and maintain the internal control framework, and to ensure that an organisation's resources are properly applied. Internal audit is an assurance function that primarily provides an independent and objective opinion to the organisation on the control environment comprising risk management, control and governance by evaluating its effectiveness in achieving the organisation's objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources. (source: CIPFA Code of Practice for Internal Audit in the United Kingdom 2003)

2 Objectives

2.1 This report will outline the level of assurance that we are able to provide, based on the internal audit work completed during the year. It will:

· give an opinion on the overall adequacy and effectiveness of the department's internal control environment

· disclose any qualification to that opinion, together with the reasons for the qualification

· present a summary of the audit work undertaken to formulate the opinion, including reliance placed on work by other assurance bodies

· draw attention to any issues the Chief Internal Auditor judges particularly relevant to the preparation of the statement on internal control

· compare the work actually undertaken with the work that was planned and summarise the performance of the internal audit function against performance measures and criteria

· comment on compliance with these standards and communicate the results of the internal audit quality assurance programme.

3 Audit approach

3.1 A summary outlining the audit approach and audit delivery during 2003/04 is provided in appendix B.

3.2 Detailed reports, giving our conclusion on each of the systems examined have been issued to individual managers who have considered each report and provided a management response. This report provides an opinion on the overall control framework using the following terms which are defined in Appendix C:

· good

· effective

· basic

· inadequate

4 Overall assurance

4.1 In our opinion Hampshire County Council has an effective framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the department's objectives. Audit testing has shown controls to be generally working in practice. Where improvements to controls are required, we are satisfied that appropriate action has been agreed by relevant managers and that they will be resolved in an appropriate manner.

4.2 There has been no change in the overall level of assurance provided compared to that given in our 2002/03 annual internal audit opinion.

5 Issues raised during 2003/04

Main Findings

5.1 Details of the level of control and the main issues identified across all departments in 2003/04 is given in Appendix D which is not for publication by virtue of paragraph 14 pf Part I of Schedule 12A of the Local Government Act 1972. Concerns regarding the system of internal control were raised in respect of the areas outlined below. Appropriate action has been agreed by relevant managers to address these issues and progress is being monitored.

Significant findings

SAP Development

5.2 Last year's annual internal audit report identified significant risks relating to the input controls for areas of the payroll and creditors systems. SAP development has been ongoing throughout 2003/04 and the significant risks identified in the creditors system have been addressed

5.3 Progress has also been made in addressing the risks within the payroll system, particularly in respect of the reconciliation of payroll holding accounts. New reports for checking the validity of data have also been developed during the year, but were not fully operational by 31 March 2004. A Business Process Innovation (BPI) review team has been established to support and complement the further development of SAP, to ensure that payroll input is controlled at the point of entry. One significant issue for all SAP modules is the need to have regular reviews of user roles and access.

Social Services

5.4 In previous years we have been concerned that controls within the department were not working in practice and that management actions agreed as a result of internal audit review have not been carried out, meaning that risks have not been addressed in a timely manner. Our work during 2003/04 has identified some improvement in compliance with controls following a programme of training for staff and visits to establishment by Finance staff. Our follow-up work during the year has also identified general improvement in the departmental approach to implementing internal audit recommendations.

5.5 However, our reviews within the department once again raised significant concerns about the failure to implement an audit recommendation made in 2000/01 to develop and use a central approved supplier list for children's services. In addition to some of the financial issues for the County Council, our greatest concerns are that children could be at risk of being placed with unsuitable providers of care. Since our reviews were carried out, a Contract Support Manager (Children and Families) has been appointed and we understand that she is in the process of compiling an approved list of suppliers for children's services. We will review the implementation of this control as part of our follow-up work in 2004/05.

5.6 In addition, work during the year raised significant concerns regarding the procedures for placing children with Regulation 38 foster carers, in particular the time taken to approve the placement by the Foster Carers Panel. In year follow-up work confirmed that action had not been taken to address this significant risk by the end of March.

Computer Suite

5.7 As the reliance on IT systems and electronic information increases so does the reliance on environment services which support central computing equipment. Currently there is no secondary power supply to the main computer centre and this is a risk which will need to be considered against the cost. Discussions are still underway with PBRS to resolve this issue.

Viruses

5.8 Virus attacks cost organisations a great deal of money in the loss of core systems and data if they are successful. IT Services has put in considerably more controls and protection over the last year but there is a concern about a number of departmental PCs and equipment outside central control which pose a risk to the IT2000 network. Departments need to consider reducing the number of unmanaged PC devices and their connection to the corporate network must be strictly controlled. This will also make security updates easier to distribute.

Corporate information security

5.9 Last year's annual report raised concerns affecting corporate information security. Further issues were identified during 2003/04 including virus protection, file management and compliance with the Data Protection Act. Whilst IT Services has undertaken necessary work at the centre (eg virus protection) more needs to be done by departments. IT Services has provided general guidance (though more is needed) but this is not being used by all departments.

5.10 It was expected that these issues would be addressed through Security Managers Group but this group has not met over the year. This has increased the risk to the confidentiality and integrity of data and will continue to be monitored by audit. It has now been reinstated with a new Chair from July 2004.

Business continuity

5.11 Business continuity has been considered by the Corporate Risk Management Board. It is clear that this is much wider than a pure IT matter (non-IT solutions can often be more effective). With the single computer centre at The Castle site, vulnerability has increased in the event that a disaster destroyed a large part of the site.

5.12 IT Disaster Recovery plans are in place which would set up alternative arrangements if such an event occurred but not without significant cost in time and money. It is understood that longer term plans are being considered by PBRS and IT Services, including considering the possibility of a future second computer site.

Common findings

5.13 Limited compliance testing of corporate governance arrangements across the County Council highlighted a number of common findings, the most significant of which are:

· not all departments have a documented scheme of delegation in place to formalise decision making arrangements

· partnership arrangements are not always sufficiently documented.

Follow-up work

5.14 Our follow-up of other significant audit findings raised in 2002/03 confirmed that progress had been made during 2003/04 and appropriate action had generally been taken in respect of the recommendations made.

5.15 We will review the implementation of audit recommendations made in 2003/04 as part of our 2004/05 audit plan.

6 Recommendations

6.1 That the Standards Committee accept the internal audit assurance statement for 2003/04 detailed in Appendix A.

6.2 That progress of management actions to resolve the issues in paragraphs 6.1 to 6.13 be reported mid-year to the new Governance Committee.

Section 100 D - Local Government Act 1972 - background papers

The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.

NB the list excludes:

Published works.

Documents which disclose exempt or confidential information as defined in the Act.

TITLE FILE

Nil.

Hampshire County Council Appendix A

Assurance statement for the year ended 31 March 2004

Introduction

The Accounts and Audit Regulation 2003 require the County Treasurer to maintain an adequate and effective system of internal audit.

From 2002/03 the Code of Practice on Local Authority Accounting in the UK has required the County Treasurer to sign a statement on the system of internal financial control as a note to the published accounts. From 2003/04, the Leader and Chief Executive will also be required to sign a more general statement of internal control. To enable them to do this, the Chief Internal Auditor is required to provide an independent opinion on the adequacy and effectiveness of the control environment, comprising risk management, control and governance for each department and the County Council as a whole.

Responsibilities

It is a management responsibility to develop and maintain the internal control framework, and to ensure that resources are properly applied in the manner and on the activities intended. It is the responsibility of Internal Audit to form an independent opinion, based on reviews during the year, on the adequacy and effectiveness of the system of internal control.

Basis of opinion

The strategic and annual internal audit plans were prepared by the Chief Internal Auditor to take account of the characteristics and relative risks of the activities involved and were approved by the County Treasurer. The internal audit plan has been delivered in accordance with the Code of practice for internal audit in local government in the United Kingdom, issued by CIPFA.

Work has been planned and performed so as to obtain all the information and explanations which were considered necessary in order to provide sufficient evidence to give reasonable assurance that the internal control system is operating effectively. However, this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control.

Opinion

In my opinion Hampshire County Council has an effective framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the department's objectives. Audit testing has shown that the controls are generally working in practice.

Ejner Knudsen

Chief Internal Auditor

County Treasurer's Department

Hampshire County Council

16 July 2004

Appendix B

Audit Background

1 Scope of internal audit

1.1 The Chief Internal Auditor is required to provide the County Council with an assurance on the system of internal control of the County Council. The opinions provided for each department will contribute to this overall assurance. It should be noted, however, that this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control. In assessing the level of assurance to be given the following have been taken into account:

· all audits completed during 2003/04, including those audits carried forward from 2002/03

· any follow up action taken in respect of audits from previous periods

· any significant recommendations not accepted by management and the consequent risks

· the effects of any significant changes to the organisation's objectives or systems

· the quality of internal audit's performance

· the proportion of the department's / County Council's audit need that has been covered to date

· the extent to which resource constraints may limit the ability to meet the full audit needs of the department

· any limitations that may have been placed on the scope of internal audit.

2 Audit service quality

2.1 The service we provide is designed to ensure compliance with the standards for internal audit promulgated by the CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2003. The standards cover the following areas:

Organisational standards

· scope of internal audit

· independence

· audit committees or equivalent

· relationships with management, other auditors and other review bodies

· staffing, training and development

Operational standards

· audit strategy

· management of audit assignments

· due professional care

· reporting

· quality assurance.

2.2 Hampshire Audit Services is registered under ISO9001, the international quality management standard and we have developed comprehensive procedures to ensure that all audits are conducted to the required standard. In particular, the audit planning memorandum is approved, before site work commences, by the Audit Manager, who also reviews each draft and final report before it is issued to ensure that all key controls have been properly evaluated and that adequate audit evidence has been obtained to support the findings.

2.3 We also have Investors in People accreditation which ensures that the training and development needs of all our staff are reviewed on an annual basis as part of our performance development scheme and a detailed training and development programme is planned, delivered and evaluated each year.

2.4 Our quality assurance programme includes:

· annual service improvement planning, using appropriate management tools to challenge our approach;

· annual benchmarking with other local authority internal audit providers to compare the efficiency, effectiveness and economy of our services;

· quarterly reviews of a sample of completed files and reports by another Audit Manager not involved in the audit to ensure consistency in approach and compliance with professional standards;

· internal quality audits of our audit and management processes each year, with issues raised and followed up;

· quarterly review of performance indicators reported to the County Treasurer's management team.

2.5 Whilst identifying some opportunities for continuous development, the results of the quality assurance programme confirm that we substantially comply with the requirements of the Code of Practice.

2.6 In addition, our work is subject to annual review by Hampshire County Council external auditors who continue to rely on our work to support their audit opinion.

3 Audit Needs

3.1 A risk assessment was undertaken for the 2003/04 audit plan, which involved an analytical review of data relating to the department including: size of budgets, content of committee reports or committee decisions, previous audit findings and consultation with departmental management to ensure the audit plan addressed the key risks facing the department.

A summary of audit days delivered during 2003/04 is provided in Table 1.

Table 1 - Summary of audit days delivered (2003/04)

Detail	2003/04 and days	days
Days carried forward from 2002/03		308
Audit plan agreed by County Treasurer	3108.5
Variations to the plan	-182.5	2926
Revised plan at the year end		3234
Total days delivered including delivery of carry forward audits		3407
Days carried forward to 2004/05		173

3.2 The audit plan was revised during the year to 3234 days. The original and revised audit plans are shown at Appendix E.

3.3 Changes made to the plan reflect the following:

· changes to the scope of individual assignments following the results of initial risk assessment and review

· new areas requiring review being highlighted during the year

· an increase in time required to follow up significant issues raised

· time saving achieved on individual reviews

· the postponement of audits following a reassessment of risk across the County Council audit plan.

3.4 The carry forward days relate to audits where a draft was issued and awaiting management response or where testing was still in progress as at 31 March. For all audits carried forward from 2002/03 and completed during 2003/04, an audit opinion is provided as part of the 2003/04 annual audit opinion.

3.5 There were 271 audits started in 2003/04, of which 32 audits were in progress at 31 March 2004 (2 only requiring a management response). These will be reported in the 2004/05 annual internal audit opinion.

3.6 No limitations were placed on the scope of our work during the year

4 Audit approach

4.1 We examined systems operating to achieve objectives set by management in each of the areas detailed in appendix E. We are not aware of any significant changes to any of the systems reviewed since our work was conducted.

4.2 Our work has been carried out using a systems based audit approach. This covers the internal control systems of the department and during the conduct of our work, particular attention was given to arrangements established to ensure:

· financial control

· safeguarding of assets to reduce exposure to theft or fraud

· compliance with the County Council's policies, procedures, laws and regulations the integrity and reliability of information and data

· value for money.

4.3 An implicit part of our systems based audit approach is an evaluation of the controls in place to prevent and detect fraud and we perform sufficient audit testing to confirm that controls are working in practice.

5 Audit liaison

5.1 Staff within the departments have been co-operative and helpful during audits, and have worked with us to ensure that audits have been timed to suit both parties.

5.2 In most departments, management responses have been timely and have addressed the issues raised. In particular, we noted a significant improvement in the timeliness of responses received from the Social Services department. However, concerns have been raised about the timeliness of responses from both the Recreation and Heritage department (outstanding audits as at 31 March show an average delay of 71 days) and the Property, Business and Regulatory Services department (outstanding audits as at 31 March show an average delay of 37 days) as it could indicate that recommendations to address control weaknesses have not received management's attention and are not implemented in a controlled manner.

5.3 Audit Appraisal Questionnaires (AAQ) have been received from 109 of the audits completed before 31 March 2004, with an average satisfaction score of 94.1%. This demonstrates continuous improvement against the equivalent scores for the last two years (2001/02 90.3% and 2002/03 91.8%) and confirms that there is a good working relationship between Internal Audit and County Council staff.

5.4 2003/04 has seen the further development of liaison between Internal Audit and County Council staff, for example:

· we have developed our liaison with the Education department through regular meetings with and reports to Governor Services, meetings with Education Financial Services and attendance at Administrative Officer meetings

· we have also established monthly liaison with the Recreation and Heritage department to help to monitor and improve audit progress

· the continuation of monthly liaison meetings with the Social Services department has been complemented by the establishment of quarterly update reports to Social Services departmental management team

· presentations to departmental managers and attendance at departmental workshops.

This liaison is of real value to both Internal Audit and departmental staff and helps to promote good and consistent practice.

Appendix C

Audit opinion definitions:

Appendix D - Confidential

Appendix E

Hampshire County Council - original and revised 2003/04 plans

Note 1 - the significant reduction in days between 2002/03 and 2003/04 was due to the fact that activities previously shown as corporate activities were shown in the departmental plans in 2003/04.