Contact: Ejner Knudsen, ext 7403

1 Introduction

1.1 It is internal audit's opinion that Hampshire County Council has an effective framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the department's objectives. Audit testing has shown controls to be generally working in practice. Where improvements to controls are required, we are satisfied that appropriate action has been agreed by relevant managers and that they will be resolved in an appropriate manner.

1.2 The following paragraphs explain how we arrived at this opinion.

1 Background

1.1 From 2002/03 the Code of Practice on Local Authority Accounting in the United Kingdom has required the County Treasurer to sign a statement on the system of internal financial control as a note to the published accounts. From 2003/04, the Leader and Chief Executive are now required to sign a more general statement of internal control replacing the previous one. To support this process, the Chief Internal Auditor is required to provide an independent opinion on the adequacy and effectiveness of the system of internal control operating in each department and in the County Council as a whole.

1.2 This assurance has been appended to the annual accounts for each department for presentation to Executive Members. An overall assurance statement for the County Council as a whole is attached at Appendix A.

1.3 It is a management responsibility to develop and maintain the internal control framework, and to ensure that the County Council's resources are properly applied. Internal audit is an assurance function that primarily provides an independent and objective opinion to the County Council on the control environment comprising risk management, control and governance by evaluating its effectiveness in achieving the County Council's objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources. (source: Chartered Institute of Public Finance and Accountancy - Code of Practice for Internal Audit in the United Kingdom 2003)

2 Objectives

2.1 This report will outline the level of assurance that we are able to provide, based on the internal audit work completed during the year. It will:

· give an opinion on the overall adequacy and effectiveness of the County Council's internal control environment

· disclose any qualification to that opinion, together with the reasons for the qualification

· present a summary of the audit work undertaken to formulate the opinion, including reliance placed on work by other assurance bodies

· draw attention to any issues the Chief Internal Auditor judges particularly relevant to the preparation of the statement on internal control

· compare the work actually undertaken with the work that was planned and summarise the performance of the internal audit function against performance measures and criteria

· comment on compliance with these standards and communicate the results of the internal audit quality assurance programme.

3 Audit approach

3.1 A summary outlining the audit approach and audit delivery during 2004/05 is provided in Appendix B.

3.2 Detailed reports, giving our conclusion on each of the systems examined have been issued to individual managers who have considered each report and provided a management response. This report provides an opinion on the overall control framework using the following terms which are defined in Appendix C:

· good

· effective

· basic

· inadequate

4 Overall assurance

4.1 It is internal audit's opinion that Hampshire County Council has an effective framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the County Council's objectives. Audit testing has shown controls to be generally working in practice. Where improvements to controls are required, we are satisfied that appropriate action has been agreed by relevant managers and that they will be resolved in an appropriate manner.

4.2 There has been no change in the overall level of assurance provided compared to that given in our 2003/04 annual internal audit opinion.

5 Issues raised during 2004/05

Main Findings

5.1 Details of the level of control and the main issues identified across all departments in 2004/05 is given in Appendix D which is not for publication by virtue of paragraph 14 of Part I of Schedule 12A of the Local Government Act 1972. Concerns regarding the system of internal control were raised in respect of the areas outlined below. Appropriate action has been agreed by relevant managers to address these issues and progress is being monitored.

Significant findings

Human Resources

5.2 The Human Resources department is a newly formed department, set up in September 2004 and has been experiencing difficulties both with the development of systems and identifying the required level of skill for staff to carry out daily tasks. This has had an impact on the audit work carried out in 2004/05.

5.3 Our review of recruitment and selection raised a number of concerns, the most significant being the adequacy of the guidance available for CRB checks. At the time of the audit, we were unable to provide assurance that the County Council was carrying out these pre-employment checks on all categories of staff required by current legislation. We also identified that evidence of proof of eligibility to work in the UK is not being retained on personal files in all cases.

SAP access

5.4 Our audit review found that the process of requesting and granting SAP access needs to be made more robust and consistent across all departments. Authorised requesters should receive appropriate training to ensure that access is only granted in line with business needs and this should be regularly reviewed.

5.5 In addition, powerful SAP access rights are still not being adequately monitored and controlled, as raised in previous annual reports, and new concerns were raised regarding compliance with the Data Protection Act due to the broad access to personal data within the Human Resources department.

Information security management

5.6 The last two years' annual reports raised concerns affecting corporate information security. A review of information security management was undertaken in 2004/05, when we found that although an IT security framework had been produced, there was no formal implementation plan. In particular, testing showed that access to personal data is still not adequately restricted. IT Services are exploring options for improving this situation, including making departments aware of what files they have stored.

Common findings

5.7 There are no other significant common findings identified by our 2004/05 audit work.

Follow-up work

5.8 Our follow-up of audit findings raised in 2003/04 audit reports confirmed that progress had been made during 2004/05 and appropriate action had generally been taken in respect of the recommendations made. An update on the issues raised in the 2003/04 annual audit report is included below.

5.9 We will review the implementation of audit recommendations made in 2004/05 as part of our 2005/06 audit plan.

SAP development

5.10 SAP roll-out has now been completed during 2004/05. It is felt that SAP is stabilising, which is reflected in the audit work undertaken with the audit scope broadening in some areas.

5.11 In Payroll, the effects of the Business Process Innovation review are ongoing, and should help clarify roles and responsibilities between Human Resources and Payroll, establish documented procedures, and assist with training. For input checking there is an improved level of control, although it is still possible for unauthorised amendments to be made and remain undetected.

5.12 Payroll holding accounts remain a concern, although a considerable amount of work has been undertaken to stabilise and reduce the differences. Salary overpayments will always occur within a payroll, but the recovery process is now much improved and either accounting adjustments or write offs have been agreed for any errors or irrecoverable aged overpayments. Further improvements could be made with automated clearing of recovery transactions on the appropriate holding account.

Social Services

5.13 Our 2003/04 annual report raised significant concerns regarding the procedures for placing children with Regulation 38 foster carers, in particular the time taken to approve the placement by the Foster Carers Panel. Our 2004/05 follow-up work has shown that a shortened assessment has been rolled out across the County and, although there have been some problems with meeting the required timescales, fewer cases are going over the six weeks timescale. Additional controls have also been put into place from May 2005 to protect children in cases where the six week timescale cannot be met.

5.14 Since 2000/01 concerns have been raised about the failure to develop and use a central approved supplier list for children's' services and that, as a result, children could be at risk of being placed with unsuitable providers of care. Our 2004/05 follow up work has shown that 19 local authorities have joined together to construct a database, which requires a two tier checking process by the authority in which the provider is located. Whilst basic checks on providers have been carried out, more detailed checks are currently underway and once completed will address the concerns previously raised. These include a pre-placement check of staffing and spot check of Police checks.

Computer suite

5.15 There is still no backup power supply to the computer suite, however a new Uninterrupted Power Supply system has been installed which will make a controlled shutdown possible in the event of problems with the power supply. After consultation with the Property, Business & Regulatory Department, it has been determined that a full backup power supply is not feasible in the current accommodation. IT Services intend to put together a business case this year to try and resolve this issue.

Security Managers Group

5.16 Having been in abeyance for over a year, the group has now started meeting regularly, and the role of Departmental Security Manager is being revised in the light of the IT Security Framework.

Viruses

5.17 There was a concern about the number of departmental personal computers and equipment outside central control which posed a risk to the IT2000 network. An Antivirus Coordinator has been appointed, who has developed standards for virus protection and security patches. These have been communicated to departments via the Security Managers Group.

6 Recommendations

6.1 That the Governance Committee accept the internal audit assurance statement for 2004/05 detailed in Appendix A.

6.2 That progress of management actions to resolve the issues in paragraphs 6.2 to 6.15 be reported mid-year to the Governance Committee.

Section 100 D - Local Government Act 1972 - background papers

The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.

NB the list excludes:

Published works.

Documents which disclose exempt or confidential information as defined in the Act.

TITLE FILE

Nil.

Hampshire County Council Appendix A

Assurance statement for the year ended 31 March 2005

Introduction

The Accounts and Audit Regulation 2003 require the County Treasurer to maintain an adequate and effective system of internal audit.

From 2002/03 the Code of Practice on Local Authority Accounting in the United Kingdom has required the County Treasurer to sign a statement on the system of internal financial control as a note to the published accounts. From 2003/04, the Leader and Chief Executive are now required to sign a more general statement of internal control, replacing the previous one. To support this process, the Chief Internal Auditor is required to provide an independent opinion on the adequacy and effectiveness of the control environment, comprising risk management, control and governance for each department and the County Council as a whole.

Responsibilities

It is a management responsibility to develop and maintain the internal control framework, and to ensure that resources are properly applied in the manner and on the activities intended. It is the responsibility of Internal Audit to form an independent opinion, based on reviews during the year, on the adequacy and effectiveness of the system of internal control.

Basis of opinion

The strategic and annual internal audit plans were prepared by the Chief Internal Auditor to take account of the characteristics and relative risks of the activities involved and were approved by the County Treasurer. The internal audit plan has been delivered in accordance with the Code of practice for internal audit in local government in the United Kingdom, issued by CIPFA.

Work has been planned and performed so as to obtain all the information and explanations which were considered necessary in order to provide sufficient evidence to give reasonable assurance that the internal control system is operating effectively. However, this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control.

Opinion

In my opinion Hampshire County Council has an effective framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the department's objectives. Audit testing has shown that the controls are generally working in practice.

Ejner Knudsen

Chief Internal Auditor

County Treasurer's Department

Hampshire County Council

13 July 2005

Appendix B

Audit background

1 Scope of internal audit

1.1 The Chief Internal Auditor is required to provide the County Council with an assurance on the system of internal control of the County Council. The opinions provided for each department will contribute to this overall assurance. It should be noted, however, that this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control. In assessing the level of assurance to be given the following have been taken into account:

· all audits completed during 2004/05, including those audits carried forward from 2003/04

· any follow up action taken in respect of audits from previous periods

· any significant recommendations not accepted by management and the consequent risks

· the effects of any significant changes to the County Council's objectives or systems

· the quality of internal audit's performance

· the proportion of the department's/County Council's audit plan that has been covered to date

· the extent to which resource constraints may limit the ability to meet the full audit plan of the County Council

· any limitations that may have been placed on the scope of internal audit.

2 Audit service quality

2.1 The service we provide is designed to ensure compliance with the standards for internal audit promulgated by the CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2003. The standards cover the following areas:

Organisational standards

· scope of internal audit

· independence

· audit committees or equivalent

· relationships with management, other auditors and other review bodies

· staffing, training and development

Operational standards

· audit strategy

· management of audit assignments

· due professional care

· reporting

· quality assurance.

2.2 Hampshire Audit Services is registered under ISO9001, the international quality management standard and we have developed comprehensive procedures to ensure that all audits are conducted to the required standard. In particular, the audit outline is approved, before site work commences, by the Audit Manager, who also reviews each draft and final report before it is issued to ensure that all key controls have been properly evaluated and that adequate audit evidence has been obtained to support the findings.

2.3 We also have Investors in People accreditation which ensures that the training and development needs of all our staff are reviewed on an annual basis as part of our performance development scheme and a detailed training and development programme is planned, delivered and evaluated each year.

2.4 Our quality assurance programme includes:

· annual service improvement planning, using appropriate management tools to challenge our approach;

· annual benchmarking with other local authority internal audit providers to compare the efficiency, effectiveness and economy of our services;

· a three year rolling programme of quarterly reviews of a sample of completed files and reports and management processes to ensure consistency in approach and compliance with professional standards and quality procedures. Issues raised are discussed by the Section's management team and follow up action is monitored by the Quality Manager;

· quarterly review of performance indicators reported to the County Treasurer's management team.

2.5 Whilst identifying some opportunities for continuous development, the results of the quality assurance programme confirm that we substantially comply with the requirements of the Code of Practice.

2.6 In addition, our work is subject to annual review by Hampshire County Council external auditors who continue to rely on our work to support their audit opinion.

3 Audit needs

3.1 A risk assessment was undertaken for the 2004/05 audit plan, which involved an analytical review of data relating to each department including: size of budgets, content of committee reports or committee decisions, previous audit findings and consultation with departmental management to ensure the audit plan addressed the key risks facing each department.

A summary of audit days delivered during 2004/05 is provided in Table 1.

Table 1 - Summary of audit days delivered (2004/05)

Detail	2004/05 days	days
Days carried forward from 2003/04		199
Audit plan agreed by County Treasurer	3209
Variations to the plan	-314
Revised plan at the year end		2895
		3094
Total days delivered including delivery of carry forward audits		2750
Days carried forward to 2005/06		344

3.2 The audit plan was revised during the year to 2895 days. The original and revised audit plans are shown at Appendix E.

3.3 Changes made to the plan reflect the following:

· changes to the scope of individual assignments following the results of initial risk assessment and review

· new areas requiring review being highlighted during the year

· an increase in time required to follow up significant issues raised

· time saving achieved on individual reviews

· the postponement of audits following a reassessment of risk across the County Council audit plan.

3.4 The carry forward days relate to audits where a draft was issued and awaiting management response or where testing was still in progress as at 31 March. For all audits carried forward from 2003/04 and completed during 2004/05, an audit opinion is provided as part of the 2004/05 annual audit opinion.

3.5 There were 219 audits started in 2004/05, of which 19 audits are not included in the 2004/05 annual internal audit opinion as they were still in progress at the end of the year. The results of these reviews will be included in our 2005/06 opinion.

3.6 No limitations were placed on the scope of our work during the year, but we have encountered problems this year in the Human Resources department with setting up new planned audits.

4 Audit approach

4.1 We examined systems operating to achieve objectives set by management in each of the areas detailed in Appendix E. SAP remains in a state of ongoing development, and changes in roles and responsibilities will be embedded with the implementation of the Payroll Business Process Innovation project and restructuring. The rollout of SAP master data to schools is also underway. The impact of these changes on the framework of control will be evaluated during 2005/06 and included in our annual opinion report for 2005/06.

4.2 Our work has been carried out using a systems based audit approach. This covers the internal control systems of the County Council and during the conduct of our work, particular attention was given to arrangements established to ensure:

· financial control

· safeguarding of assets to reduce exposure to theft or fraud

· compliance with the County Council's policies, procedures, laws and regulations the integrity and reliability of information and data

· value for money.

4.3 An implicit part of our systems based audit approach is an evaluation of the controls in place to prevent and detect fraud and we perform sufficient audit testing to confirm that controls are working in practice.

5 Audit liaison

5.1 Staff within the departments have been co-operative and helpful during audits, and have worked with us to ensure that audits have been timed to suit both parties.

5.2 In most departments, management responses have been timely and have addressed the issues raised. In particular, we noted continued improvement in the timeliness of responses received from the Social Services department. However, concerns have been raised about the timeliness of responses from schools (with over half of responses being late by an average of over five weeks), IT Services and the Property, Business and Regulatory Services department. This could indicate that recommendations to address control weaknesses have not received management's attention and are not implemented in a controlled manner.

5.3 Audit Appraisal Questionnaires (AAQs) have been received from 85 of the audits completed before 31 March 2005, with an average satisfaction score of 91.4%. This confirms that there continues to be a good working relationship between Internal Audit and County Council staff.

5.4 2004/05 has seen the further development of liaison between Internal Audit and County Council staff, for example:

· this year has seen the continuation of the liaison between Internal Audit and Education Financial Services which is of real value to both teams. Our quarterly audit plans are also shared with key clients in the Education department. Notably, we have developed our liaison with Hampshire Inspection and Advisory Service and now attend Local Leadership Team meetings at Havant, Fleet and Bartley twice a year to exchange information. These meetings have enabled us to refine our risk assessments for individual schools and in several instances influenced the scope of our onsite audit work. We have also attended a significant number of Administration Officer network meetings to discuss the role of audit and identify where we can further improve our service

· we have been advising on a number of issues within the County Treasurer's Department, including the payroll business process innovation workshops, cheque printing software, the current procedures for Social Services clients' property and co-ordinating SAP systems structure chart and control documentation

· at the request of the responsible County Manager a presentation was made to the Older Person's Unit Managers. This presentation included an update on audit as well as covering current issues within Social Services such as SAP and Care Standard 35.

This liaison is of real value to both Internal Audit and departmental staff and helps to promote good and consistent practice.

Appendix C

Audit opinion definitions:

Appendix E

Hampshire County Council - original and revised 2004/05 plans