Contact: Ejner Knudsen, Chief Internal Auditor, ext. 7403

1 Introduction

1.1 The purpose of this report is to outline the proposed internal audit strategy for 2004/05 to 2006/07, for approval by members of the Governance Committee.

1.2 In previous years the Hampshire Fire and Rescue Service (HFRS) internal audit strategy has been presented and approved as part of the Hampshire County Council audit strategy. An annual internal audit plan is then prepared to control the deployment of resources in accordance with the strategy's priorities and approved by the Treasurer after consultation with the Chief Fire Officer.

2 Background

2.1 The current internal audit strategy for HFRS was approved by Management in January 2003 and formed the basis of the activity reported in 2003/04. This was included in the assurance part of the Statement of Financial Control, which accompanied the Final Accounts.

2.2 The strategy is reviewed regularly to ensure that it remains up to date and there have been a number of recent developments that will need to be taken into account. The purpose of this report, therefore, is to present a revised audit strategy for the next three years to the members of the new Governance Committee, which reflect the changes considered to be necessary as discussed below in section 3 of the report.

2.3 To date, the audit strategy has been developed to achieve the aims and standards of internal audit as identified in the Accountancy Practices Board (APB) guidelines, the CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom, (the Code) and the CIPFA Local Government Audit Manual.

2.4 The definition of internal audit, as stated in the Code, is as `an assurance function that primarily provides an independent and objective opinion to the organisation on the control environment comprising risk management, control and governance by evaluating its effectiveness in achieving the organisation's objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources.'

2.5 Compliance with these professional standards is reviewed independently by the external auditor ( Audit Commission ) and included in their annual report along with the extent to which reliance is placed on it.

3 Change issues

3.1 There have been a number of external and internal change factors identified that affect the risks to be covered by the internal audit strategy. As internal audit resources are limited, the aim of this review of the strategy is also to ensure that an appropriate level of coverage can be maintained across the activities of HFRS.

3.2 External factors affecting the audit strategy include:

· additional external inspection through the Comprehensive Performance Assessment process in early 2005

· the need for compliance with the CIPFA/SOLACE framework "Corporate Governance in Local Government - A Keystone for Community Governance"

· service modernisation initiatives including regionalisation

· the need for compliance with the Regulation of Investigatory Powers Act 2000 (RIPA) and its impact on resourcing fraud and other special investigations.

3.3 Internal factors include:

· additional stakeholder demands for reporting and assurance

· the development of the corporate risk management framework

· SAP roll-out and changes in the systems framework and assurance levels as a result

· the move away from a divisional structure so that groups of stations deal directly with HQ.

3.4 Many of these issues were highlighted in the last review of the audit strategy but were in the relatively early stages of development. The more detailed impact of these factors on the audit strategy, drawing on experience over the last year, is assessed in more detail below.

4 Internal audit strategy

4.1 Since this is the first time that the strategy has been presented to members, the proposed internal audit strategy is outlined below covering the following areas:

· corporate governance

· risk management

· partnership arrangements

· key financial systems

· systems audit (operational functions)

· establishment visits

· fraud and irregularity

· computer audit

· follow-up work

5 Corporate governance

5.1 Developments in corporate governance over the last few years have challenged and changed traditional internal audit reporting lines. Internal audit findings have been traditionally shared with operational and senior managers to provide:

· assurance over the internal controls operating in the systems falling within their responsibility

· recommendations to improve compliance with controls or to strengthen the control framework.

5.2 Good corporate governance, however, highlights internal audit's wider responsibilities to other stakeholders, including senior officers and members. This requires assurance on controls operating throughout HFRS as a whole. Internal audit has provided assurance on financial controls since 2000/01 and from 2002/03 onwards, this work has been important to the development of the new Statement of Financial Control. This was a requirement of the CIPFA / LASAAC Code of Practice on Local Authority Accounting in the UK, and was signed by the Treasurer as part of the published accounts.

5.3 Advice from CIPFA / SOLACE developed this a stage further, however, suggesting that from 2003/04 the statement of financial control should be extended to become a more general statement of internal control, covering financial and non-financial controls, including the corporate governance framework. The Chairman to Hampshire Fire and Rescue Authority and the Chief Fire Officer were required to sign this statement. This audit strategy needed to take account of the assurance required from internal audit in producing these statements and in anticipation of this change, the previous audit strategy approved in January 2003 also extended the scope of internal audit coverage to include corporate governance arrangements.

5.4 The audit approach to this work has been developed during 2003/04, although it has not yet been fully applied to HFRS, as the Authority is still in the process of developing the corporate framework. Internal audit are well placed to provide the Governance Committee with an initial view on the effectiveness of HFRS's Code of Corporate Governance and of compliance with it, once it has been approved.

5.5 The approach to corporate governance reviews may be summarised as follows:

· a systems based review of corporate governance arrangements will be carried out corporately throughout HFRS over a three year cycle. Audit coverage at this strategic level in the organisation will provide assurance to management that their policies are being implemented and complied with. These will be high level reviews of corporate governance arrangements, internal audit having neither the resources nor expertise to carry out in depth examinations of all governance issues. This work will encompass arrangements for carrying out best value reviews, ensuring that systems are in place to produce and monitor robust data to support performance indicators, risk management and control of any partnership arrangements.

· internal audit will work with the Monitoring Officer to develop the use of a corporate governance questionnaire as a self assessment tool to highlight areas of change and be used to determine the scope of HFRS internal audit reviews each year.

5.6 This work will complement the work of the Audit Commission, which is required under its own Code of Audit Practice to report on the financial aspects of corporate governance in the annual audit letter.

6 Risk management

6.1 Risk management is the responsibility of the Corporate Management Team and corporate guidance has been produced to ensure a consistent approach to risk management throughout HFRS. To date, however, the risk management structures, processes and reporting arrangements have not been reviewed by internal audit. The interaction of corporate governance, risk management and internal audit is being developed and reflected in this audit strategy.

6.2 The CIPFA audit manual identifies that one of the objectives of internal audit is to facilitate good practice in managing risks. Internal audit carry out a risk assessment when drawing up plans, taking account of corporate risk assessments, previous audit findings, management concerns and the results of fraud and irregularity investigations to ensure that the areas of highest risk to HFRS are audited. This enables internal audit to provide management with an opinion on whether there are effective controls working to mitigate risk in individual systems or establishments.

6.3 The revised internal audit strategy for risk management is as follows:

· to review corporate and operational groups for risk management under the heading of corporate governance reviews outlined above

· to use the results of the annual corporate risk assessment process to identify areas where internal audit review is required or to identify who provides assurance on the controls to mitigate the risk

· to provide an assurance on HFRS's risk management processes in the annual internal audit opinion.

7 Partnerships

7.1 The nature of partnerships is very varied, some having tight controls prescribed by external bodies providing funding whilst others are far looser arrangements. This brings a new area of risk and the need for a control framework for each individual arrangement.

7.2 The arrangements in place for entering, controlling and documenting partnership arrangements will be reviewed by internal audit as part of the corporate governance reviews described above. Partnership arrangements will also be considered during the risk assessment process when developing internal audit plans and where appropriate, internal audit will either include partnerships in the scope of systems based audit work or ensure that internal audit is provided by another organisation.

8 Key financial systems audit

8.1 Internal audit carry out systems based audit reviews of key financial systems (budgetary control, payroll, creditor payments, and income) at central, and function / operational group level (see paragraphs 10.3 -10.4 below) .

8.2 Key financial systems reviews remain potentially high risk areas due to the value and volume of transactions involved and regular review is therefore essential to provide assurance that controls are in place and are complied with. The ongoing roll out of SAP, however, will lead to a further devolution of control, and will result in internal audit resources gradually transferring from central to functions / operational groups. Unit level reviews will ensure that system controls are operating in practice. There will also be new risks to consider if new procurement practices develop in relation to local purchasing, serial contracts and call off arrangements.

8.3 Audit reviews of key financial systems are carried out on a two-year cycle and there are no plans to change this approach.

9 Systems audit (operational functions)

9.1 In addition to the key financial systems, each function / operational group also operates a range of systems, dependent on their specific management and operational requirements. The risks attached to these systems will also be reviewed during the internal audit planning process and will be included in the audit plan as appropriate. These systems are generally of medium risk to HFRS and are audited every three to four years.

10 Establishment audits

10.1 About 20% of all audit days are currently spent on a planned cycle of reviews covering the majority of establishments. Planned frequencies range from two to four years, depending on the risks associated with each type of establishment. A systems based approach to this work has been developed and is in the process of being implemented across all establishments. This provides a more comprehensive review of controls, with targeted compliance testing to provide a more robust assurance to management.

10.2 In terms of financial risk, some establishments such as retained fire stations have very little locally controlled income or expenditure and the findings tend to be similar for each type of establishment and change little from year to year.

10.3 A revision to the audit strategy will be piloted for the future as follows:

· a gradual move away from the strict cyclical review of establishments. The sample of establishments selected for review each year will include those assessed to be higher risk, with others continuing to be reviewed over an extended period of time, in line with revised risk assessments

· extend systems based audits (operational functions), potentially covering all systems operating at establishment level. Most policies and procedures are prescribed centrally, and this approach will therefore enable the adequacy of the control framework to be assessed in more detail. Compliance testing will be carried out at a sample of establishments across HFRS, through short site visits, with findings shared with the relevant officer-in-charge / manager. This approach will achieve the same overall level of assurance as the current approach but will enable auditors to demonstrate risks more clearly to management

· to help inform internal audit's own risk assessment of individual establishments, the potential for introducing a control risk self assessment for completion by the officer in charge / manager at a random sample of establishments each year will also be explored during 2004/05. This would be followed up with a short notice visit to assess the evidence in place to support the questionnaire and general compliance with controls. This will not require advance preparation by the establishment and will consist mainly of testing.

10.4 Whilst the number of establishments subject to a full review each year may reduce over time, audit presence at establishment level will at least be maintained through the compliance testing required by systems based reviews (which will also include key financial systems) and the short notice visits.

11 Fraud and irregularity

11.1 The CIPFA Audit Manual says that one of the objectives of internal audit should be to identify fraud as a consequence of its reviews and to deter crime. The level of fraud and irregularities currently reported in HFRS is low and only a very small proportion of fraud is identified as a consequence of audit reviews. Nevertheless internal auditors are trained to be able to identify the potential for fraud when carrying out their work.

11.2 In addition to carrying out fraud and irregularity investigations, internal audit are also currently involved in the following fraud detection work:

· participation in the National Fraud Initiative which helps to deter crime nationally, although this has not proved significant in uncovering frauds perpetrated

· a limited number of specific fraud detection reviews which have tended to provide a limited level of assurance that controls are being complied with rather than finding anything significant. There is scope to extend this work further increasing the level of substantive testing in control areas where compliance is poor. Subscription to the National Anti Fraud Network ensures that internal audit are aware of the type and incidence of fraud and corruption in other local government bodies and this information can be used to inform this programme of work.

11.3 Internal audit has maintained informal liaison with Police to ensure that appropriate cases are handed over to them at an appropriate time. Reporting frauds to the Police and Crown Prosecution Service raises their profile and can provide a deterrent against further offences being carried out. However, due to competing demands on their time, the Police are finding it increasingly difficult to commit resources to investigate alleged frauds, which are considered low priority crimes. This means that HFRS may need to consider alternative means of pursuing such cases.

11.4 Internal audit is developing its approach to cover potential employment, civil and criminal sanctions for each irregularity investigated, which could assist HFRS when taking legal action. This would, of course, only be an option where the benefits outweigh the costs (which could include providing a deterrent to further criminal activity). It also requires a clear prosecution policy.

11.5 Policies and procedures on fraud investigation, prosecution and recovery will also need to be developed during 2004/05 to support this work.

11.6 To summarise the proposed audit strategy for the future is as follows:

· have access to trained staff to provide the skills and expertise required to continue carrying out fraud and irregularity investigations, unless the agreed protocol requires that cases are handed over to the Police

· carry out a planned programme of fraud detection work across HFRS, using trend analysis and fraud bulletins produced by professional bodies to determine higher risk areas

· continue to support the National Fraud Initiative

· carry out short notice visits to establishments to assess compliance with controls and investigate anomalies identified through fraud detection work.

12 Computer audit

12.1 Because of the pace of development in the field of information technology, computer audit work has always been subject to more frequent risk assessment and change of audit emphasis than the more traditional audit of financial systems. The general approach has, however, always been grounded in the CIPFA computer audit manual.

12.2 There are of course many IT applications specifically dedicated to the fire service but which are equally dependant on controls to provide security in terms of access and plans which provide for continuity and disaster recovery.

12.3 The computer audit team also has a role to play in fraud investigation and detection work and internal audit are currently assessing the need for investment in resources and skills in computer forensics and the handling of electronic evidence for all its customers.

13 Follow up

13.1 Audit standards require internal audit to follow up audit assignments to review the effectiveness of management action arising from audit recommendations. The strategy for follow up work is as follows:

· where an assignment concludes that the overall framework of control in an establishment or system is `inadequate', a follow up review will be carried out within one year

· significant risks reported in the annual audit opinion will be followed up in the following year.

14 Resource implications

14.1 Although it is not possible to estimate the exact resource implications of the individual changes in audit strategy proposed at this stage, there are compensating increases and decreases in the level of resources required in each area. The overall objective of the audit strategy is to redistribute the existing resources to provide a higher level of assurance, whilst maintaining the current spread of coverage across the organisation.

14.2 The proposed changes, however, are not expected to affect the staff mix required to deliver the audit strategy over the next few years.

14.3 Due to the delay in setting up arrangements for dealing with corporate governance within HFRS the 2004/05 annual plan has been prepared and approved by the Treasurer in anticipation that the strategy changes will be acceptable to the committee. Any modifications can be made if necessary to the work planned for the remainder of the year, subject to the availability of sufficient resources. The format of the plan has focused on the required outputs and deliverables and will form the basis of future progress reports and main findings.

15 Internal audit approach

15.1 The approach to internal audit work for HFRS is based on professional standards and is tried and tested. It has always followed the principles of best practice and is subject to continuous review. The approach is fully documented and seeks to use risk assessment to:

· identify significant systems, locations and transactions

· decide on an appropriate audit approach (eg systems, regularity)

· carry out audits of those areas on a periodic basis.

15.2 The audit reviews are summarised in the form of a three year strategic audit plan, by type of audit. This is reviewed and updated to reflect changes in the risk environment. The Treasurer is responsible for approving an annual audit plan in line with the agreed strategy.

15.3 This approach has always been fully supported by the Audit Commission.

15.4 Customers are also satisfied with the work of internal audit. The high scores consistently obtained by auditors in audit appraisal questionnaires (90% for 2003/04) and other customer surveys demonstrate this.

16 Relationship with external audit

16.1 Regular liaison meetings will be held with HFRS external auditors. The protocol outlining the working relationship is now out of date and current arrangements will need to be formalised over the coming year. This will need to cover:

· information sharing

· reliance on each others work

· joint planning to ensure that audit resources are maximised and to prevent duplication of work.

17 Reporting Strategy

17.1 Reporting arrangements for internal audit are summarised below:

· Governance Committee - the Chief Internal Auditor will report changes to the audit strategy to the Governance Committee for approval. Progress against the audit plan will be reported half way through the year, followed by an annual internal audit opinion to inform the completion of the statement of internal control

· Section 151 Officer - as Section 151 Officer, the Treasurer is responsible for maintaining an effective and adequate internal audit function and ensuring that an effective system of internal financial control is maintained and operational for the HFRS resource. Internal audit will therefore report plans to the Treasurer for approval, together with at least half year progress reports and an annual internal audit opinion on internal control to inform the completion of the Statement on Internal Financial Control

· Monitoring Officer - the Chief Internal Auditor will discuss cases of reported fraud and irregularity with, and will also report formally on internal financial control to the Monitoring Officer as lead officer for corporate governance. Internal audit will also carry out work commissioned by him to support the published statement on internal control and governance

· Chief Officer(s) - internal audit will discuss plans and provide at least a half year progress report and an annual internal audit opinion outlining key findings and assurance on the control framework

· Operational managers - the findings of all reviews will be discussed with the system owner/head of establishment or department during and at the close of each assignment. A report summarising these findings will also be issued, providing a clear opinion on the framework of control, the operation of controls and any significant findings. A management response will be required to agree action to address recommendations for improving controls.

Recommendation:

That the Governance Committee approve the internal audit strategy for 2004/05 to 2006/07.

Section 100 D - Local Government Act 1972 - background papers

The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.

NB the list excludes:

Published works.

Documents which disclose exempt or confidential information as defined in the Act.

TITLE FILE

NONE