Contact: Karen Shaw, tel 01962 846072 or email [email protected]

1 Summary

1.1 The internal audit opinion is that Hampshire Fire and Rescue Authority has an appropriate framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the Authority's objectives. Audit testing has shown controls to be working in practice. Where improvements to controls are required, we are satisfied that appropriate action has been, or, will be agreed by relevant managers and that they will be resolved in an appropriate manner.

1.2 The following paragraphs explain how we arrived at this opinion.

2 Background

2.1 From 2003/04 the Code of Practice on Local Authority Accounting in the United Kingdom has required the Chairman of Hampshire Fire and Rescue Authority and the Chief Officer to sign a general statement on internal control as a note to the published accounts. To support this process, the Chief Internal Auditor is required to provide an independent opinion on the adequacy and effectiveness of the system of internal control operating across the Authority.

2.2 This opinion is contained in the assurance statement attached at Appendix A.

2.3 It is a management responsibility to develop and maintain the internal control framework, and to ensure that the Authority's resources are properly applied. Internal audit is an assurance function that provides an independent and objective opinion to the Authority on the control environment by evaluating its effectiveness in achieving the Authority's objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources. (source: CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2006).

3 Objectives

3.1 This report will outline the level of assurance that we are able to provide, based on the internal audit work completed during the year. It will:

· give an opinion on the overall adequacy and effectiveness of the Authority's internal control environment

· disclose any qualification to that opinion, together with the reasons for the qualification

· present a summary of the audit work undertaken to formulate the opinion, including reliance placed on work by other assurance bodies

· draw attention to any issues the Chief Internal Auditor judges particularly relevant to the preparation of the statement on internal control

· compare the work actually undertaken with the work that was planned and summarise the performance of the internal audit function against performance measures and criteria

· comment on compliance with these standards and communicate the results of the internal audit quality assurance programme.

4 Audit approach

4.1 A summary outlining the audit approach and audit delivery during 2006/07 is provided in appendix B.

4.2 Detailed reports, giving the internal audit opinion on each of the systems examined have been issued to individual managers who have considered each report and provided a management response. This report provides an opinion on the overall control framework using the following terms which are defined in Appendix C:

· comprehensive

· appropriate

· incomplete

· inadequate.

5 Overall assurance

5.1 The internal audit opinion is that Hampshire Fire and Rescue Authority has an appropriate framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the Authority's objectives. Audit testing has shown controls to be working in practice. Where improvements to controls are required, we are satisfied that appropriate action has been, or, will be agreed by relevant managers and that they will be resolved in an appropriate manner.

5.2 There has been no change in the overall level of assurance provided compared to that given in our 2005/06 annual internal audit opinion.

6 Issues raised during 2006/07

Main Findings

6.1 Twenty two reviews were completed in 2006/07 and based on the audit evidence obtained, one system had a comprehensive framework of control, nineteen systems /establishments had an appropriate framework of control and two had an incomplete framework of control to ensure that the activities and procedures achieve the Authority's objectives. Overall, audit testing has shown that the controls in place are operating in practice.

6.2 A summary of the opinions on the reviews carried out in 2006/07 is shown at Appendix D.

Significant findings

Payroll

6.3 Our review of payroll in 2005/06 highlighted that control could be improved further if, in the absence of a separation of duties between personnel and payroll functions, evidence was available of the independent checking undertaken of payroll data, particularly for new starters. Since our review was carried out, the functions have been separated into two sections, however our review in 2006/07 found that both Workforce Planning and Workforce Support staff are able to amend payroll data and independent checking of input to the SAP payroll system is not carried out.

6.4 The 2005/06 annual report also reported an error that had been brought to our attention concerning the interpretation and payment of back-pay, arising from the Fire Service Pay and Conditions Agreement, which led to overpayments to a group of 97 staff. Management requested assurance that the processes and methods used to confirm the extent of, and recovery of the resulting overpayments were robust. We concluded that sufficient and effective procedures were in place to achieve this, however our review identified a number of lessons to be learned to enable management to manage the risk of errors in future projects more effectively.

Workshops

6.5 During 2005/06 we were unable to give assurance on the framework of control in respect of the workshops as the scope of our work was limited because transaction data had been lost on the Fleet Management System. A new system (TRACE) was implemented on 1 March 2005 and although our testing was limited to recent transactions, the audit highlighted several areas for improvement. Our review of the workshops in the current year concluded that an incomplete framework of control is in place and a number of issues were identified. The ICT Section were not involved in the implementation of the Trace system and concerns were raised regarding the protocols for access to the system and system resilience. These issues need to be addressed as part of the post implementation review to ensure that the system meets the business needs of the workshop stores. We also raised concerns over:

· arrangements in place to ensure that stock and accounting systems record all authorised stock transactions

· the utilisation of workshop facilities by private individuals as this has not been formalised or documented.

Security and password controls

6.6 Our review of security and password controls during 2006/07 once again raised concerns over the arrangements for monitoring and controlling access to personal data in Revelation as well as concerns over the storage of back-up tapes for the Novell server. Previous reviews of Revelation have led to recommendations to replace the system due to the security concerns raised, however our review of databases in 2006/07 found that the system is still in use and that there is no action plan in place to implement a replacement system. This increases the risk of personal data being accessed by unauthorised people and contravention of the Data Protection Act. Back up tapes for Novell are also at risk of damage or theft and could affect the recovery of data in the event of a disaster event.

6.7 Whilst a number of other significant recommendations were made during the year, these were significant to the systems concerned and were not material in the context of the Authority as a whole.

Common findings

6.8 No significant common findings have been identified during the year. However a summary of common issues raised during our establishment reviews is outlined in Appendix D.

Follow-up work

6.9 Where an assignment concludes that the overall framework of control in an establishment or system is `inadequate', a follow-up review is carried out within one year. There were no inadequate opinions in 2005/06 requiring follow-up, however follow up work was undertaken to assess progress made in implementing recommendations relating to corporate governance, payroll and unofficial funds. Apart from the issues raised in paragraph 6.3 relating to payroll, we found that appropriate measures had been taken to address the recommendations made.

6.10 We will continue to review the implementation of audit recommendations made in 2006/07 as part of our 2007/08 audit plan. In addition, HFRA has a robust process for monitoring the implementation of agreed actions and progress is reported to the Performance Review Committee.

Irregularities

6.11 There have been no reported financial irregularities during 2006/07.

Value for money

6.12 During the year, any value for money issues highlighted during the course of our controls assurance work have been reported to management. A summary of issues raised is attached at Appendix D, however these were not significant.

7 Recommendations

7.1 That the Governance Committee accept the internal audit assurance statement for 2006/07 detailed in Appendix A.

7.2 The main risks identified during the year are noted.

Section 100 D - Local Government Act 1972 - background papers

The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.

NB the list excludes:

Published works.

Documents which disclose exempt or confidential information as defined in the Act.

TITLE FILE

None

Appendix A

Annual assurance statement for the year ended 31 March 2007

Introduction

The Accounts and Audit Regulations 2003 require the Treasurer to maintain an adequate and effective system of internal audit.

From 2003/04 the Code of Practice on Local Authority Accounting in the United Kingdom has required the Chairman of Hampshire Fire and Rescue Authority and the Chief Officer to sign a general statement on internal control as a note to the published accounts. To support this process, the Chief Internal Auditor is required to provide an independent opinion on the adequacy and effectiveness of the control environment, comprising risk management, control and governance.

Responsibilities

It is a management responsibility to develop and maintain the internal control framework, and to ensure that resources are properly applied in the manner and on the activities intended. It is the responsibility of Internal Audit to form an independent opinion, based on reviews during the year, on the adequacy and effectiveness of the system of internal control.

Basis of opinion

The strategic and annual internal audit plans were prepared by the Chief Internal Auditor to take account of the characteristics and relative risks of the activities involved and were approved by the Treasurer. The internal audit plan has been delivered in accordance with the Code of Practice for Internal Audit in Local Government in the United Kingdom, issued by CIPFA.

Work has been planned and performed so as to obtain all the information and explanations, which were considered necessary in order to provide sufficient evidence to give reasonable assurance that the internal control system is operating effectively. However, this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control.

Opinion

In my opinion Hampshire Fire and Rescue Authority has an appropriate framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the Authority's objectives. Audit testing has shown controls to be working in practice.

Karen Shaw

Chief Internal Auditor

Hampshire Fire and Rescue Authority

21 June 2007

Appendix B

Audit Background

1 Scope of internal audit

1.1 The Chief Internal Auditor is required to provide the Authority with an assurance on the system of internal control. It should be noted, however, that this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control. In assessing the level of assurance to be given the following have been taken into account:

· all audits completed during 2006/07, including those audits carried forward from 2005/06

· any follow up action taken in respect of audits from previous periods

· any significant recommendations not accepted by management and the consequent risks

· the effects of any significant changes to the organisations objectives or systems

· the quality of internal audit's performance

· the proportion of audit need that has been covered to date

· the extent to which resource constraints may limit the ability to meet the full audit needs of the Authority

· any limitations that may have been placed on the scope of internal audit.

2 Audit service quality

2.1 The service we provide is designed to ensure compliance with the standards for internal audit promulgated by the CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2006. The standards cover the following areas:

· scope of internal audit

· independence

· ethics for internal auditors

· audit committees

· relationships

· staffing, training and continuing professional development

· audit strategy and planning

· undertaking audit work

· due professional care

· reporting

· performance, quality and effectiveness.

2.2 Hampshire Audit Services is registered under ISO9001, the international quality management standard and we have developed comprehensive procedures to ensure that all audits are conducted to the required standard. In particular, the audit outline is approved, before site work commences, by the Audit Manager, who also reviews each draft and final report before it is issued to ensure that all key controls have been properly evaluated and that adequate audit evidence has been obtained to support the findings.

2.3 We also have Investors in People accreditation, which ensures that the training and development needs of all our staff are reviewed on an annual basis as part of our performance development scheme and a detailed training and development programme is planned, delivered and evaluated each year.

2.4 Our quality assurance programme includes:

· annual service improvement planning, using appropriate management tools to challenge our approach

· annual benchmarking with other local authority internal audit providers to compare the efficiency, effectiveness and economy of our services

· a three year rolling programme of quarterly reviews of a sample of completed files and reports and management processes to ensure consistency in approach and compliance with professional standards and quality procedures. Issues raised are discussed by the Section's management team and follow up action is monitored by the Quality Manager

· quarterly review of performance indicators reported to the Treasurer's management team.

2.5 Whilst identifying some opportunities for continuous development, the results of the quality assurance programme confirm that we substantially comply with the requirements of the Code of Practice.

2.6 In addition, our work is subject to annual review by the Authority's external auditors who continue to rely on our work to support their audit opinion.

3 Audit Needs

3.1 A risk assessment was undertaken for the 2006/07 audit plan, which involved an analytical review of data relating to the Authority including: size of budgets, content of committee reports or committee decisions, previous audit findings and consultation with the Director of Corporate Services and other finance managers to ensure the audit plan addressed the key risks facing the Authority.

A summary of audit days delivered during 2006/07 is provided in Table 1.

Table 1 - Summary of audit days delivered (2006/07)

Detail	2006/07 Days	Days
Days carried forward from 2005/06		30
Audit plan agreed by Treasurer	209
Variations to the plan	27
Revised plan at the year end		236
Total days		266
Total days delivered including delivery of carry forward audits		229
Days carried forward to 2007/08		37

3.2 The 2005/06 carry forward relates to audits which were in progress at the end of the year. Of these, only our review of human resources was not included in the 2005/06 opinion. This was completed during 2006/07 and is included in this report.

3.3 The audit plan was revised during the year to 236 days. The original and revised audit plans are shown at Appendix E and the agreed changes made to the plan reflect the following:

· two days transferred from special investigations to enable a follow-up review of unofficial funds (no impact on total days)

· addition of SAP creditors (+7 days) and debtors and cash income (+5 days) reviews to the plan to ensure adequate coverage of key financial controls in line with the requirements of the International Audit Standards governing the external audit work carried out by the Audit Commission

· addition of 5 days to enable a follow-up review of IT Management

· addition of a 10 day review of back pay overpayments. This was at the request of management following an error made in the calculation and payment of back pay to a group of 97 staff due to the misinterpretation of the Fire Service Pay and Conditions Agreement.

3.4 The carry forward days relate to audits where a draft was issued and awaiting management response or where testing was still in progress as at 31 March 2007.

3.5 The following audits were in progress at 31 March 2007 and will be reported in the 2007/08 annual internal audit opinion:

· Pension arrangements

· Treasury management.

3.6 No limitations were placed on the scope of our work during the year.

4 Audit approach

4.1 We examined systems operating to achieve objectives set by management in each of the areas detailed in Appendix E. During 2006/07 there have been resourcing issues in the Human Resources section which have had an impact on the control framework. We will continue to monitor progress in this area and follow up the specific recommendations made. We are not aware of any other significant changes to any of the systems reviewed since our work was conducted.

4.2 The work has been carried out using a systems based audit approach. This covers the internal control systems of the service and during the conduct of our work, particular attention was given to arrangements established to ensure:

· financial control

· safeguarding of assets to reduce exposure to theft or fraud

· compliance with the Services' policies, procedures, laws and regulations

· the integrity and reliability of information and data

· value for money.

4.3 An implicit part of our systems based audit approach is an evaluation of the controls in place to prevent and detect fraud and we perform sufficient audit testing to confirm that controls are working in practice.

5 Audit Liaison

5.1 Staff within Hampshire Fire and Rescue Service have been co-operative and helpful during audits, and have worked with us to ensure that audits have been timed to suit both parties.

5.2 Last year we reported that management responses to audit reports had been late in some instances. This has improved during 2006/07 due to the proactive role of the Deputy Performance Review Manager in monitoring and chasing management responses. This has resulted in the majority of responses being received within the agreed timescales and should result in management addressing control weaknesses in a timely manner to reduce the risk of loss or embarrassment to the Authority.

5.3 Audit Appraisal Questionnaires (AAQ) have been received from eight of the reviews completed in the year with an average satisfaction score of 87.9% (95.1% 2005/06). This is evidence of a good working relationship between Internal Audit and HFRA.

5.4 Meetings have taken place between the Director of Corporate Services, Head of Financial and Office Services, Deputy Performance Review Manager and Internal Audit to discuss progress on the delivery of the internal audit plan and provide an opportunity to share information on audit and operational developments within the service.

Appendix C

Audit opinion definitions:

Appendix D

Hampshire Fire and Rescue Authority

Annual internal audit opinion 2006/07 - Summary of main issues reported during 2006/07.

Note 1 - the definitions for opinions are given in Appendix C.

Appendix E

Hampshire Fire and Rescue Authority

Annual internal audit plan 2006/07