Archived decisions
Hampshire Fire and Rescue Authority | |||
Governance Committee |
Item 6 | ||
8 November 2007 |
|||
Internal audit progress report | |||
Report of the Treasurer | |||
Contact: Karen Shaw, ext 6072, email [email protected]
1 Introduction
1.1 This report summarises:
· progress against the Authority's internal audit plan for 2007/08
· an update on action taken by management to address the issues raised in the annual internal audit opinion for 2006/07
· significant matters arising from 2007/08 internal audit work
· priorities for the remainder of 2007/08.
2 Progress against the internal audit plan for 2007/08
2.1 The 2007/08 internal audit plan was prepared in line with the updated internal audit strategy that was approved by the Governance Committee in June 2007. The original plan totalled 206 days and, in addition 37 days of work in progress was carried forward from last year. The actual days delivered in the six months ending 30 September 2007 are shown in table 1 below. Due to long term sickness, the internal audit team has recently been restructured and has sufficient resources to ensure delivery of the remainder of the plan in time for the production of the annual internal audit opinion.
Table 1 - summary of audit days delivered 1 April 2007 to 30 September 2007
Days |
Days | |
Previous year carry forward |
37 | |
2007/08 agreed audit plan |
206 |
|
Variations to the plan |
-20 |
|
Revised 2007/08 plan |
186 | |
Total for 2007/08 |
223 | |
Actual days delivered to 30 September 2007 |
83 | |
Percentage of revised plan delivered |
(45%) | |
2.2 A summary of the audit opinions given to date for each completed review is included in appendix A.
2.3 Variations made to the plan up to 30 September 2007, amount to a decrease of 20 days compared to the original agreed plan. These variations comprise:
· a reduction of 10 days from the plan as HFRA have requested that the audit of business continuity be deferred until 2008/09 as work is on-going in this area.
· a reduction of 10 days with respect to the audit of Community Safety as the department is currently undergoing a restructure.
The number of completed audits and status of the remainder as at 30 September 2007 are summarised below:
2007/08 Plan |
Issued reports* |
In progress |
To start | |
Annual report |
1 |
0 |
0 |
1 |
Key financial systems |
2 |
0 |
1 |
1 |
Establishments |
7 |
7 |
0 |
0 |
Departmental systems |
8 |
1 |
3 |
4 |
Computer audit |
3 |
1 |
1 |
1 |
TOTAL |
21 |
9 |
5 |
7 |
*Includes reports currently in draft.
3 Action to be taken by management to address the issues raised in the annual internal audit opinion for 2006/07
3.1 The 2006/07 annual internal audit opinion, reported to members of the Governance Committee in June 2007, raised new or ongoing concerns in a number of areas as follows.
Payroll
3.2 Our review of payroll in 2006/07 found that both Workforce Planning and Workforce Support staff were able to amend payroll data and independent checking of input to the SAP payroll system was not carried out. We have followed this up with the Deputy Performance Review Team Manager and understand that all data entry has now transferred to the Workforce Support team. However, the HR Management Information Systems Team and three Workforce Planning team members retain some write access but do not routinely enter data into SAP. The Deputy Performance Review Team Manager has advised them of the controls and checks needed to ensure that this access is used appropriately. We also understand that the HR Management Information team are now providing an independent checking function. These new controls will be tested as part of the 2007/08 payroll audit which is due to commence shortly for completion by the end of December 2007.
Workshops
3.3 Our review of the workshops in 2006/07 concluded that an incomplete framework of control was in place and a number of issues were identified, notably with regard to the resilience of the Trace system. A further audit of workshops is currently underway to follow up these issues and is due for completion by the end of October.
Security and password controls
3.4 The 2006/07 annual report raised concerns over the arrangements for the storage of back-up tapes for the Novell server at workshops. Back up tapes are currently held at the workshops in Winnall and we identified risks due to the proximity of the tapes to prime data as well as the risk of theft and damage.
3.5 Management have reviewed the controls in place and have decided to accept the identified risks in the interim period until workshops relocate to Headquarters in December 2007, at which point data will be migrated to the Headquarters data server. Follow-up work in this area is planned to take place in early 2008.
3.6 The full results of follow-up work will be included in the annual internal audit opinion which will be presented to members in June 2008.
4 Significant matters arising from 2007/08 internal audit work
4.1 Details of the main issues identified between April and September 2007 are given in appendix A. Appropriate action has been agreed or is being considered by relevant managers to address these issues and progress is being monitored by management. There are no further significant matters arising from the 2007/08 audit work to report.
5 Irregularities
5.1 One potential irregularity was reported during the first half of the year. An initial investigation has been carried out by management and an audit review is currently underway to review the issues raised.
6 Priorities for the remainder of 2007/08
6.1 During the first half of the financial year internal audit work focused on completing work in progress from 2006/07, on commencing key financial systems work to enable the Audit Commission to place reliance on this work in forming their opinions, and on completing establishment reviews.
6.2 Our priority for the remainder of the year is to complete the internal audit plan to enable us to provide an internal audit opinion for 2007/08 in line with the internal audit strategy. This will include a review of selected areas of corporate governance.
7 Recommendation
7.1 That members of the Governance Committee note the progress of internal audit work during 2007/08 and the key issues arising.
Appendix A
Hampshire Audit Services internal audit update - summary of main issues reported during the period 1 April 2007 to 30 September 2007
System |
Assurance |
Opinion on the framework of control (note 1) |
Controls operating in practice? |
Main Issues Appropriate action has been agreed, or, is under consideration by relevant managers to address these issues and progress is being monitored by management |
Key financial systems: |
||||
Debtors and cash income |
In progress | |||
Departmental systems: |
||||
Pension Arrangements (06/07) |
In progress | |||
Treasury Management (06/07) |
Full |
Appropriate |
Yes |
None |
Workshops |
In progress | |||
Indents |
In progress | |||
Computer audits: |
||||
Networks |
Full |
Appropriate |
With exceptions |
The formal restoration of network access from a fire station or other sites has not been tested. Although Synetrix are to be responsible for the replacement of equipment there is a risk that without an adequate test the recovery could be delayed which could have been identified in a formal test. |
CFRMIS Application Review |
In progress | |||
Establishments Wholetime |
||||
Copnor (follow up) |
Good progress made |
Copnor was reviewed initially in 2006/07 where we found significant risks regarding the security of cash, keys and cheque books. Four out of eight recommendations made at that time have been actioned but further work is still needed, particularly in relation to the completion and approval of social club accounts. | ||
Gosport |
Full |
Appropriate |
Yes |
None |
Southsea |
Full |
Appropriate |
Yes |
Risks to the security of the site were identified due to insecure windows. |
Establishments Retained |
||||
Beaulieu |
Full |
Appropriate |
Yes |
None |
Hythe |
Full |
Appropriate |
Yes |
None |
Hamble |
Full |
Appropriate |
Yes |
None |
New Milton |
Full |
Appropriate |
Yes |
None |
Note 1 - the definitions for opinions are given in appendix B.
Appendix B
Audit opinion definitions:
Comprehensive |
Controls are in place to manage all the risks identified. |
Appropriate |
Sufficient controls exist to manage the key risks identified in an effective and efficient manner. |
Incomplete |
One or more key controls are missing therefore there is a need to introduce additional key controls to manage the risk to the organisation. |
Inadequate |
Controls are considered to be insufficient to manage the risks identified, with the absence of at least one critical control mechanism. Failure to improve controls could lead to increased risk of major loss or embarrassment to the organisation. |
Section 100 D - Local Government Act 1972 - background papers
The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.
NB the list excludes:
Published works.
Documents which disclose exempt or confidential information as defined in the Act.
TITLE FILE
None