Contact: Ejner Knudsen, ext 7403, email [email protected]

1 Introduction

1.1 This report summarises:

· Progress against the Hampshire County Council's internal audit plan for 2005/06.

· An update on action taken by management to address the issues raised in the Hampshire County Council annual internal audit opinion for 2004/05.

· Significant matters arising from 2005/06 internal audit work.

· Priorities for the remainder of 2005/06.

1 Progress against the internal audit plan for 2005/06

1.1 The 2005/06 internal audit plan was prepared in line with the updated internal audit strategy that was approved by the Governance Committee in March 2005. The original plan totalled 3250 days and, in addition, 344 days of work in progress was carried forward from last year. Just under half the year's plan has been delivered to date as shown in table 1 below.

Table 1 - summary of audit days delivered 1 April 2005 to 30 September 2005

1.2 We have found it increasingly difficult to deliver the necessary level of assurance within the established resources. 2005/06 has, to date, been particularly difficult due to an exceptional level of sickness and we have had to review our plans continually. We have made some contingency arrangements for the rest of the year that will enable us to deliver the plan, but there are underlying resourcing pressures relating to staff mix due to the need to deliver higher level corporate governance and controls assurance work. We will need to address this when preparing forward plans for 2006/07.

1.3 A summary of the audit opinions given to date for each department is included in Appendix A.

2 Action taken by management to address the issues raised in the Hampshire County Council annual internal audit opinion for 2004/05

2.1 The 2004/05 annual internal audit opinion reported to members of the Governance Committee in July 2005, raised new or ongoing concerns in the following areas:

· Children's Services

· central approved supplier list for children's services

· Regulation 38 foster carers

· Human Resources

· operational difficulties arising from process changes due to the restructuring

· Criminal Records Bureau pre-employment checks

· evidence of proof of eligibility to work in the UK

· IT security issues

· computer suite

· information security management

· SAP access.

2.2 The 2005/06 internal audit plan includes time to follow-up these issues and work is in progress in some areas. However, an update on progress is summarised below and the full results of follow-up work will be included in the annual internal audit opinion which will be presented to members in July 2006.

Children's services

Children and Families Purchasing

2.3 In 2003/04 we reported that there was no evidence that service providers and their staff had been subject to police checks. Follow up work in 2004/05 found that providers will be checked in a two tier format. Form A checks that include Ofsted, CSCI registration and insurance had been carried out at the time of our 2004/05 annual report and Form B checks, comprising a pre-placement check including police checks, were under way. We plan to test the controls over Form B checks during the period October to December 2005, to allow sufficient time for action to be taken.

Regulation 38 foster carers

2.4 Our 2004 audit work found that the Regulation 38 carers were not being approved by the Foster Carers Panel within the target period of six weeks. The original average time for approval was seven months, however as at September 2005 it stood at 9 weeks. Additional controls have been implemented and at the time of our follow up work there were seven overdue approvals.

Human resources

Operational issues (Resourcing Centre)

2.5 During 2004/05 the Human Resources department experienced difficulties resulting from the restructuring and development of new and consistent processes. Our follow work in this area has so far confirmed the following progress:

· our follow up work indicates that consultation with managers has improved, with a recently formed customer forum, and feedback being invited via the website. Customer surveys have also been carried out, targeting senior and middle managers and the results have been presented to HR staff and reviewed by HR DMT. However, there is still a need to develop this further with a formal communication plan

· Treasurer's consultancy team are currently carrying out a review of business processes

· standard forms have been reviewed and guidance notes have been written where appropriate and are ready for review prior to use

· a corporate project has been set up to address the issues relating to the safe storage of personnel files.

However, limited progress has been made relating to issues raised with regard to the clear tracking of information sent out or received by the Resourcing Centre, partly due to the information provided in SAP. An investigation into alternative solutions is currently underway and, in the meantime, the internal tracking spreadsheet has been reviewed.

Pre-employment checks

2.6 In 2004/05 we raised concerns that pre-employment checks were not being completed for all categories of staff. In particular, we found that the guidance available for CRB checks was inadequate, leading to inconsistencies in checking between categories of staff. A working group has been set up to produce a corporate policy and procedures for CRB checks and will meet for the first time in October 2005. In the meantime, CRB awareness workshops were held for Resourcing Centre staff in April 2005 and guidance has since been written to ensure that a consistent process is followed for processing, dealing with and storing CRB checks. Training on the new processes is due to commence in mid October 2005. In addition, the Employment Guide for managers on the Human Resources web site has been updated to reflect the current guidance.

2.7 We also raised concerns over the retention of evidence as proof of eligibility to work in the UK. We understand that work is ongoing in this areas and we plan to test this further during the second half of the year.

Governance issues

2.8 The 2004/05 interim review of governance arrangements raised a number of issues. We understand that progress has been made to implement the recommendations, in particular our follow up work to date has confirmed that a scheme of delegation has been produced and published, monthly performance indicators are produced and the process for collecting customer feedback has been established. We are planning to review progress with other issues when we undertake a full scope review of governance arrangements during October to December 2005.

IT security issues

Computer suite

2.9 There is still no backup power supply to the computer suite, however a new UPS has been installed which will make a controlled shutdown possible in the event of problems with the power supply. After consultation with the Property, Business & Regulatory Department, it has been determined that a full backup power supply is not feasible in the current accommodation. Consideration is being given to relocating the computer suite, however the earliest timescale for this is likely to be two years. Relocation would also potentially provide an opportunity to enter into a reciprocal arrangement with another local authority for the provision of IT services in an emergency.

IT security management

2.10 Concerns were raised in the annual internal audit report about the lack of a formal plan for implementing the IT Security Framework. Although some additional resource has been made available, progress in implementing the Framework has been slow, and is likely to be further affected by changes in personnel and roles, and the reorganisation of the security function as part of the larger departmental reorganisation.

2.11 We also reported that access to personal data was not being restricted adequately, in contravention of the Data Protection Act. IT Services have provided departments with the means of identifying folders and files stored in shared folders with broad access which belong to them. Departments have also been reminded via the Security Managers Group of the requirement to restrict access to personal and sensitive data because comprehensive and regular checks of shared directories are unlikely to happen because of the resources this would require.

SAP access

2.12 Concerns were raised in the 2004/05 annual internal audit report about weaknesses in the process of requesting access to SAP, resulting in inconsistent practices between departments. To address these concerns, Audit Services are working with the Enterprise team on a project to improve the process. This may involve some potentially significant changes which will take some time to complete, however shorter term improvements will include defining the roles of staff involved in the process, providing briefings and developing documentation and reports to enable user access to be periodically reviewed.

2.13 We also reported that powerful SAP access rights were not being adequately monitoring and controlled. This issue had been raised in previous annual reports. We were told that an action plan to address this issue would be in place by the end of September 2005 and we will review progress during the second half of the year.

3 Significant matters arising from 2005/06 internal audit work

3.1 Details of the main issues identified between April and September 2005 are given in appendix B which is not for publication by virtue of paragraph 14 of Part I of Schedule 12A of the Local Government Act 1972. Appropriate action has been agreed by relevant managers to address these issues and progress is being monitored.

Irregularities

3.2 A number of irregularities have been investigated during the year, some of which have resulted in material loss and are being pursued via criminal investigations. Some common themes have also emerged, particularly relating to the misuse of school funds and the governing body's critical monitoring role.

4 Priorities for the remainder of 2005/06

4.1 During the first half of the financial year internal audit work mainly focused on completing work in progress from 2004/05, irregularity investigations, establishment visits and some departmental systems. During the second half of the year internal audit attention will turn to key financial systems reviews. This is to allow audit samples to be drawn from a greater number of transactions. This work will include the central payroll, creditors, debtors and pensions payroll systems.

4.2 In line with the internal audit strategy and other reports to members on monitoring compliance with the Code of Corporate Governance, internal audit work will be carried out during the period October 2005 to March 2006 in order to provide an opinion on the effectiveness of corporate governance and the extent of compliance in departments and the County Council as a whole. The results of this work will be included in the annual internal audit opinion for 2005/06 which will be presented to members in July 2006.

5 Recommendation

5.1 That the Governance Committee notes the progress of internal audit work during 2005/06 and notes the key issues arising from that work.

Section 100 D - Local Government Act 1972 - background papers

The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.

NB the list excludes:

Published works.

Documents which disclose exempt or confidential information as defined in the Act.

TITLE FILE

None

Appendix A

Internal audit opinions for work delivered between April 2005 and October 2005

Audit opinion definitions