Contact: Ejner Knudsen, ext 7403

1 Introduction

1.1 It is internal audit's opinion that Hampshire County Council has an appropriate framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the County Council's objectives. Audit testing has shown controls to be working in practice, with some specific exceptions. Where improvements to controls or compliance are required, we are satisfied that appropriate action has been agreed by relevant managers and that they will be resolved in an appropriate manner.

1.2 The following paragraphs explain how we arrived at this opinion.

1 Background

1.1 From 2003/04, the Code of Practice on Local Authority Accounting in the United Kingdom has required the Leader and Chief Executive to sign a general statement on internal control as a note to the published accounts. To support this process, the Chief Internal Auditor is required to provide an independent opinion on the adequacy and effectiveness of the system of internal control operating in each department and in the County Council as a whole.

1.2 An overall assurance statement for the County Council as a whole is attached at Appendix A.

1.3 It is a management responsibility to develop and maintain the internal control framework, and to ensure that the County Council's resources are properly applied. Internal audit is an assurance function that primarily provides an independent and objective opinion to the County Council on the control environment by evaluating its effectiveness in achieving the County Council's objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources. (source: Chartered Institute of Public Finance and Accountancy - Code of Practice for Internal Audit in Local Government in the United Kingdom 2006)

2 Objectives

2.1 This report will outline the level of assurance that we are able to provide, based on the internal audit work completed during the year. It will:

· give an opinion on the overall adequacy and effectiveness of the County Council's internal control environment

· disclose any qualification to that opinion, together with the reasons for the qualification

· present a summary of the audit work undertaken to formulate the opinion, including reliance placed on work by other assurance bodies

· draw attention to any issues the Chief Internal Auditor judges particularly relevant to the preparation of the statement on internal control

· compare the work actually undertaken with the work that was planned and summarise the performance of the internal audit function against performance measures and criteria

· comment on compliance with these standards and communicate the results of the internal audit quality assurance programme.

3 Audit approach

3.1 A summary outlining the audit approach and audit delivery during 2006/07 is provided in Appendix B.

3.2 Detailed reports, giving our conclusion on each of the systems examined have been issued to individual managers who have considered each report and provided a management response. This report provides an opinion on the overall control framework using the following terms which are defined in Appendix C:

· comprehensive

· appropriate

· incomplete

· inadequate.

4 Overall assurance

4.1 It is internal audit's opinion that Hampshire County Council has an appropriate framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the County Council's objectives. Audit testing has shown controls to be working in practice with some specific exceptions. Where improvements to controls or compliance are required, we are satisfied that appropriate action has been agreed by relevant managers and that they will be resolved in an appropriate manner.

4.2 There has been no change in the overall level of assurance provided compared to that given in our 2005/06 annual internal audit opinion.

5 Issues raised during 2006/07

Main findings

5.1 Details of the level of control and the main issues identified across all departments in 2006/07 is given in Appendix D which is not for publication by virtue of paragraph 7 of Part I of Schedule 12A of the Local Government Act 1972. Concerns regarding the system of internal control were raised in respect of the areas outlined below. Appropriate action has been agreed by relevant managers to address these issues and progress is being monitored.

5.2 Our follow-up of audit findings raised in 2005/06 audit reports confirmed that progress had been made during 2006/07 and appropriate action had generally been taken in respect of the recommendations made. An update on the issues raised in the 2005/06 annual audit report is included below.

5.3 We will review the implementation of audit recommendations made in 2006/07 as part of our 2007/08 audit plan.

Adult Services budget

5.4 In February 2006 the Adult Services department forecast an overspend of approximately £11m. The overspend was expected to continue into 2006/07, and together with budgeted savings targets and further new pressures, an overspend in the region of £20m was expected in 2006/07 unless clear actions were taken. The Audit Manager responsible for delivery of audit services to the Adult Services department contributed to an independent review set up to understand why the department had found itself in this position, along with verifying any findings from the Adult Services in-house teams. This piece of work was completed and reported to Cabinet in May 2006. The department put a financial recovery plan into place to help address the overspend. Savings targets of £4.5m were set for 2006/07 and a further £8.4m, which was revised to £9.5m, for 2007/08. At the time of writing this report the overspend position is expected to be less than £8m for 2006/07. This is a significant improvement on the budget position reported at this time last year.

Pay and benefits

5.5 In our 2005/06 annual audit opinion we reported that our review of the Pay and Benefits project highlighted a lack of consistency in the approaches taken by departments to checking the information supplied by the Pay and Benefits Project Team and significant variations in the extent and evidencing of checking undertaken. Our follow up testing showed considerable improvement in the checking undertaken by departments in 2006/07, which was consistent and in line with agreed timescales.

CRB checks

5.6 In our 2005/06 annual audit opinion we reported that a draft CRB policy was in place, which complies with current legislation and covers pre-employment and re-checks. Our follow up work in 2006/07 found that the overall CRB policy was approved by CMT, Cabinet and Scrutiny Committee in March 2007. The rechecking aspects of the policy will be worked on over the next six months.

5.7 Testing in the Adult Services and Children's Services departments has shown that progress has been made and that CRB checks are now being carried out for voluntary and contract workers and residential providers.

SAP access

5.8 Over the last two years, concerns have been raised about the process for requesting access to SAP, however there has been significant progress during 2006/07. Responsibility for day-to-day problem solving has been transferred to the security team, giving technical staff more time to focus on development work, new procedures have been developed and documented, and roles for support and technical staff are being reviewed and amended. However we did find that at the time of the audit, roles enabling users to create and amend user accounts were still not adequately restricted, increasing the risk of unauthorised access to or amendment of the system and data. IT Services have advised us that control mechanisms have since been implemented to manage the allocation of superuser accounts that are only provided for emergency support activities. Monitoring of adequate separation of duties, which was highlighted in the 2005/06 audit, is still not in place, and there is a risk that users may be able to bypass financial and other controls. This issue has been under consideration for some time, and we understand that IT Services are actively pursuing a suitable solution.

Computer suite / Business continuity

5.9 We have previously reported concerns regarding the Computer Suite, however our follow up work in 2006/07 found that progress is being made in addressing the issues. In particular, a new data centre will be provided as part of the refurbishment of Ashburton Court, the project is scheduled for completion in Spring 2009. IT Services are also investigating the possibility of a partnership with a private sector organisation to provide a second data centre at low or no cost, this is a long-term plan which is still at a very early stage. A second data centre would enable service provision to continue in the event of the unavailability of the primary site.

5.10 A corporate Business Continuity Advisor has been appointed and good progress is being made in documenting corporate plans and developing procedures. Responsibility for continuity planning for IT systems has also been assigned within IT Services and we understand that good progress has been made in developing business continuity documentation. Our work in these areas is ongoing and will be reported more fully during 2007/08.

VAT

5.11 Last year we identified some VAT invoices where VAT had not been charged instead of being charged at the standard rate. Our follow up work in 2006/07 found that VAT had been correctly calculated, and that staff training had led to an amendment of procedures and greater awareness of correct procedures. These invoices related to an external contract, which is no longer in operation.

Information security management

5.12 During 2006/07 the Security Managers Group reviewed its terms of reference, and clarified reporting lines and how actions would be progressed. Enthusiasm and commitment among members has increased noticeably during the year, although departmental security managers are still unsure whether they have time to carry out their security role fully, as in most cases it forms a very small part of their overall job; we will monitor this situation in conjunction with the Chair of the group and IT Services.

Direct Payments

5.13 Whilst there are procedures and guidance notes in place these are not embedded into the Adult Services department and care managers seem unaware of their role in checking financial records and providing advice on financial management. There is a risk that the direct payments received by clients are being used to purchase inappropriate items and not the care required to meet their assessed needs and a number of potential irregularities have been reported during the year (see paragraph 6.19). The procedures and guidance notes were put into place after the previous audit and the direct payments finance team was established, however the majority of the findings are the same as they were at the previous audit.

5.14 This matter was discussed at the Governance Committee first in October 2006 and also in April 2007 and a plan of action agreed including a business process review to enable the control framework to cope with an expansion of the service.

Pension contributions

5.15 Pension fund rules and regulations have been the subject of close scrutiny by the government and there have been many proposals for change, resulting in a need for the control framework to be strengthened. The County Treasurer's department Pension Services section have sought to modernise processes and services provided, using a business process innovation approach, to meet the heightened scrutiny arrangements.

5.16 Our 2006/07 review found that controls over the calculation and deduction of pension contributions for HCC staff, payment of these deductions into the pension fund, the integrity of HCC financial statements relating to pensions, and production of annual benefits statements are in place. However, some control issues were identified relating to the administration of the pension contributions, particularly in agreeing the payroll deductions to the pension fund receipts, and checks on the data supplied by other contributing bodies. There are known issues relating to the operation of the interface between SAP and AXISe, the system used to record pension contributions, and these are included on the section's action plan.

5.17 The business process innovation work will be ongoing in 2007/08, providing an opportunity for further improvement to be made to controls.

Rebate and turnover levels

5.18 County Supplies arrange contracts on a rebates basis, where a rebate can be claimed by HCC raising an invoice, once pre-determined volumes of purchases have been made. Our 2005/06 report raised concerns regarding the collection of rebates. Our 2006/07 follow up review demonstrated that these issues are ongoing, as rebates are still not collected in accordance with the contracted timescales, and one rebate outstanding last year still remains unpaid now. In addition, sales data is not always available to support the rebate that is being claimed.

Irregularities

5.19 2006/07 saw a reduction in the number of reported cases of potential irregularities, with 24 potential irregularities reported, 17 of which were investigated, affecting six departments. In 2005/06 there were 39 potential irregularities reported, however, this was considered to be an exceptional year with levels of reporting now returning to those consistent with previous years.

5.20 Ten of the investigations undertaken in 2006/07 occurred within the Adult Services department and of these, four were concerning direct payments. We found that a lack of accountability over the use of direct payments by Service Users, had increased the risk of money for care being used inappropriately. One investigation led to an amount in excess of £11,000 being recovered and the direct payment facility being withdrawn.

5.21 We undertook a further four assignments at schools which had been brought forward from 2005/06, and the Investigations Team continues to work closely with the police in preparing for the forthcoming court case of the previous Headteacher and Deputy Headteacher of Sundridge School, who have been charged with theft and obtaining pecuniary advantage by deception. All significant investigations undertaken in 2006/07 have been summarised in Appendix D.

5.22 The reduction in reported cases of potential irregularities has allowed completion of the Fraud and Irregularity Investigation Procedures, which were approved by Governance Committee in April 2007, as well as delivery of the proactive counter fraud programme. This included presentations on identity fraud detection to appropriate Human Resources staff, a review of the use of imprest accounts in schools and the commencement of the NFI data matching exercise, which will continue into 2007. Progress is also being made in raising staff awareness on private use of the internet, through liaison with the Security Managers User Group (SMUG) and tools are being developed to allow monitoring by management.

5.23 Overall, there has been no evidence of further fraud or irregularity arising from our proactive counter-fraud work, indicating that the control environment continues to be strong. The incidence of fraud reporting and detection is considered low for an organisation of this size and diversity.

Common findings

5.24 There are no other significant common findings identified by our 2006/07 audit work, however, where common findings have been identified within departments, these are detailed in appendix D.

Value for money

5.25 During the year, any value for money issues highlighted during the course of our controls assurance work have been reported to management. No major opportunities were identified, however, issues specific to departments are reported in appendix D.

6 Recommendations

6.1 That the Governance Committee accept the internal audit assurance statement for 2006/07 detailed in Appendix A.

6.2 That progress of management actions to resolve the issues in paragraphs 6.4 to 6.18 be reported mid-year to the Governance Committee.

Section 100 D - Local Government Act 1972 - background papers

The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.

NB the list excludes:

Published works.

Documents which disclose exempt or confidential information as defined in the Act.

TITLE FILE

Nil.

Hampshire County Council Appendix A

Assurance statement for the year ended 31 March 2007

Introduction

The Accounts and Audit Regulation 2006 require the County Treasurer to maintain an adequate and effective system of internal audit.

From 2003/04 the Code of Practice on Local Authority Accounting in the United Kingdom has required the Leader and Chief Executive to sign a general statement of internal control as a note to the published accounts. To support this process, the Chief Internal Auditor is required to provide an independent opinion on the adequacy and effectiveness of the control environment, comprising risk management, control and governance for each department and the County Council as a whole.

Responsibilities

It is a management responsibility to develop and maintain the internal control framework, and to ensure that resources are properly applied in the manner and on the activities intended. It is the responsibility of Internal Audit to form an independent opinion, based on reviews during the year, on the adequacy and effectiveness of the system of internal control.

Basis of opinion

The strategic and annual internal audit plans were prepared by the Chief Internal Auditor to take account of the characteristics and relative risks of the activities involved and were approved by the County Treasurer. The internal audit plan has been delivered in accordance with the Code of Practice for Internal Audit in Local Government in the United Kingdom, issued by CIPFA.

Work has been planned and performed so as to obtain all the information and explanations which were considered necessary in order to provide sufficient evidence to give reasonable assurance that the internal control system is operating effectively. However, this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control.

Opinion

In my opinion Hampshire County Council has an appropriate framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the County Council's objectives. Audit testing has shown that the controls are working in practice with some specific exceptions.

Ejner Knudsen

Chief Internal Auditor

County Treasurer's Department

Hampshire County Council

28 June 2007

Appendix B

Audit background

1 Scope of internal audit

1.1 The Chief Internal Auditor is required to provide the County Council with an assurance on the system of internal control of the County Council. The opinions provided for each department will contribute to this overall assurance. It should be noted, however, that this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control. In assessing the level of assurance to be given the following have been taken into account:

· all audits completed during 2006/07, including those audits carried forward from 2005/06

· any follow up action taken in respect of audits from previous periods

· any significant recommendations not accepted by management and the consequent risks

· the effects of any significant changes to the County Council's objectives or systems

· the quality of internal audit's performance

· the proportion of the County Council's audit plan that has been covered to date

· the extent to which resource constraints may limit the ability to meet the full audit plan of the County Council

· any limitations that may have been placed on the scope of internal audit.

2 Audit service quality

2.1 The service we provide is designed to ensure compliance with the standards for internal audit promulgated by the CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2006. The standards cover the following areas:

· scope of internal audit

· independence

· ethics for auditors

· audit committees

· relationships

· staffing, training and continuing professional development

· audit strategy and planning

· undertaking audit work

· due professional care

· reporting

· performance, quality and effectiveness.

2.2 Hampshire Audit Services is registered under ISO9001, the international quality management standard and we have developed comprehensive procedures to ensure that all audits are conducted to the required standard. In particular, the audit outline is approved, before site work commences, by the Audit Manager, who also reviews each draft and final report before it is issued to ensure that all key controls have been properly evaluated and that adequate audit evidence has been obtained to support the findings.

2.3 We also have Investors in People accreditation which ensures that the training and development needs of all our staff are reviewed on an annual basis as part of our performance development scheme and a detailed training and development programme is planned, delivered and evaluated each year.

2.4 Our quality assurance programme includes:

· annual service improvement planning, using appropriate management tools to challenge our approach;

· annual benchmarking with other local authority internal audit providers to compare the efficiency, effectiveness and economy of our services;

· a three year rolling programme of quarterly reviews of a sample of completed files and reports and management processes to ensure consistency in approach and compliance with professional standards and quality procedures. Issues raised are discussed by the Section's management team and follow up action is monitored by the Quality Manager;

· quarterly review of performance indicators reported to the County Treasurer's management team.

2.5 Whilst identifying some opportunities for continuous development, the results of the quality assurance programme confirm that we substantially comply with the requirements of the Code of Practice.

2.6 In addition, our work is subject to annual review by Hampshire County Council's external auditors who continue to rely on our work to support their audit opinion.

3 Audit needs

3.1 A risk assessment was undertaken for the 2006/07 audit plan, which involved an analytical review of data relating to each department including: size of budgets, content of committee reports or committee decisions, previous audit findings and consultation with departmental management to ensure the audit plan addressed the key risks facing each department.

A summary of audit days delivered during 2006/07 is provided in Table 1.

Table 1 - Summary of audit days delivered (2006/07)

Detail	2006/07 days	days
Days carried forward from 2005/06		439
Audit plan agreed by County Treasurer	3704
Variations to the plan	(502)
Revised plan at the year end		3202
		3641
Total days delivered including delivery of carry forward audits		3330
Days carried forward to 2007/08		311

3.2 The audit plan was revised during the year to 3202 days. The original and revised audit plans are shown at Appendix E.

3.3 Changes made to the plan reflect the following:

· changes to the scope of individual assignments following the results of initial risk assessment and review

· new areas requiring review being highlighted during the year

· an increase in time required to follow up significant issues raised

· time saving achieved on individual reviews

· the postponement of audits following a reassessment of risk across the County Council audit plan.

3.4 The carry forward days relate to audits where a draft was issued and awaiting management response or where testing was still in progress as at 31 March. For all audits carried forward from 2005/06 and completed during 2006/07, an audit opinion is provided as part of the 2006/07 annual audit opinion.

3.5 The results of 26 reviews started in 2006/07, are not included in the 2006/07 annual internal audit opinion as they were still in progress at the end of the year. The results of these reviews will be included in our 2007/08 opinion.

3.6 No limitations were placed on the scope of our work during the year.

4 Audit approach

4.1 We examined systems operating to achieve objectives set by management in each of the areas detailed in Appendix E. We are not aware of any significant changes to any of the systems reviewed since our work was conducted. However, during 2006/07, as a result of the merger of the Chief Executive's and Human Resources departments, there has been a significant change to staff and their respective responsibilities. The reorganisation of the Children's Services department that commenced in 2005/06 also continued in 2006/07 with the filling of senior management posts. The impact of these changes will be assessed as part of our ongoing audit work during 2007/08.

4.2 Our work has been carried out using a systems based audit approach. This covers the internal control systems of the County Council and during the conduct of our work, particular attention was given to arrangements established to ensure:

· financial control

· safeguarding of assets to reduce exposure to theft or fraud

· compliance with the County Council's policies, procedures, laws and regulations

· the integrity and reliability of information and data

· value for money.

4.3 An implicit part of our systems based audit approach is an evaluation of the controls in place to prevent and detect fraud and we perform sufficient audit testing to confirm that controls are working in practice.

5 Audit liaison

5.1 Staff within the departments have been co-operative and helpful during audits, and have worked with us to ensure that audits have been timed to suit both parties.

5.2 In most departments, management responses have been timely and have addressed the issues raised but with some delays noted in schools and in the Property, Business and Regularity Services department.

5.3 Audit Appraisal Questionnaires (AAQs) have been received from 98 of the audits completed before 31 March 2007, with an average satisfaction score of 94.2% This confirms that there continues to be a good working relationship between Internal Audit and County Council staff.

5.4 2006/07 has seen the further development of liaison between Internal Audit and County Council staff, for example:

· we delivered training sessions for staff in Human Resources regarding identity fraud

· 2006/07 has seen the continuation of the liaison between Internal Audit and Education Financial Services, which is of real value to both teams. Our quarterly audit plans are also shared with key clients in the Children's Services department. We have continued to develop our liaison with HIAS and attend Local Leadership Team meetings at Havant, Fleet and Bartley termly to exchange information. These meetings have enabled us to refine our risk assessments for individual schools and in several instances have influenced the scope of our onsite audit work. We have also attended a significant number of Administration Officer network meetings to discuss the introduction of the Financial Management Standard in Schools (the Standard). A series of evening events were also provided to introduce the Standard to Hampshire school governors

· in the County Treasurer's department, we have contributed to the Employee Self Service exploitation project for Travel and Subsistence to automate claims. We have also continued to be represented at the Corporate Accounting Forum, and the Accounting Network.

This liaison is of real value to both Internal Audit and departmental staff and helps to promote good and consistent practice.

Appendix C

Audit opinion definitions:

Appendix E

Hampshire County Council - original and revised 2006/07 plans