Contact: Karen Shaw, 01962 846072, email: [email protected]

1 Introduction

1.1 The purpose of this report is to present the proposed internal audit strategy for 2008 to 2013 for approval by members of the Governance Committee prior to preparation of the detailed internal audit plans for 2008/09 and beyond.

1.2 A formal audit strategy has existed since 1999 and was last reviewed in detail in 2003/04. Since that time annual reviews have been presented to the Governance Committee to report on the ongoing relevance of the strategy and to make recommendations for change in line with sector developments.

1.3 The overall objective of the strategy is to ensure that internal audit resources are efficiently and effectively deployed to meet the requirements for internal audit outlined in:

· CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2006 (the Code)

· The Accounts and Audit Regulations 2003, including 2006 amendments.

To date, the current strategy has been largely successful in achieving these aims.

1.4 It is a management responsibility to develop and maintain the internal control framework, and to ensure that the Hampshire Fire and Rescue Authority (HFRA) resources are properly applied. Internal audit is an assurance function that primarily provides an independent and objective opinion to the HFRA on the control environment by evaluating its effectiveness in achieving the HFRA's objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources (source - the Code).

2 Recommendation

2.1 That the Governance Committee approve the internal audit strategy for 2008 to 2013.

3 Context

3.1 There are a number of external and internal factors that have been taken into account in preparing this strategy, the key factors being:

· revisions made to the Accounts and Audit Regulations 2003 in 2006

· revisions to the CIPFA Code of Practice for internal audit in 2006

· revised guidance from CIPFA and SOLACE `Delivering Good Governance in Local Government'

· the proposed Integrated Risk Management Plan / corporate plan for 2008 to 2011 which is currently at consultation stage, which will need to be reflected in the internal audit risk assessments

· the developing CPA / CAA requirements

· increased focus on partnership working, including the Local Area Agreement

· the need to ensure that the Audit Commission can continue to rely on our work

· changing customer expectations

· the impact of ongoing implementation and development of new audit management software

· the results of annual benchmarking information for internal audit.

3.2 Whilst the impact of some of these changes is not yet clear, the proposed strategy is based on the latest information available and will be updated annually during the life of the strategy to reflect emerging guidance.

3.3 The proposed audit strategy has been considered by the Treasurer and senior management within HFRA.

3.4 The terms of reference for the internal audit service provided to HFRA were approved by the Governance Committee in March 2006. No changes are required as a result of revisions to the audit strategy.

4 Proposed audit strategy

4.1 The proposed audit strategy covers all HFRA activities, funded from whatever source, including risk management, control and governance processes. The proposed audit strategy is presented under the following headings:

· Corporate governance

· Partnerships

· Key financial systems

· Departmental systems

· Procurement and contracts

· Establishment visits

· Systems development and computer audit

· Fraud and irregularity

· Value for money

· Sustainability.

Corporate governance

4.2 The HFRA Corporate Governance Policy document was approved in March 2005 and a high level audit review was carried out in 2005/06 to provide a broadly based assurance.

4.3 Since that time, developments in corporate governance have expanded the scope of the review and to accommodate this, a revised strategy was agreed by the Governance Committee in 2006/07. This provides for agreed elements of corporate governance to be covered each year over a five year cycle to ensure that the full programme is covered over the cycle. This provides more robust assurance in each area.

4.4 Our consultation with other internal audit providers during our strategy review, indicates that our approach to this area of work is well developed compared to other local authorities and that the current strategy provides a comprehensive scope of coverage. However, there are a number of drivers for change. In particular CIPFA /SOLACE has issued new guidance on `Delivering Good Governance in Local Government - Framework' which will require HFRA to review and revise the Corporate Governance Policy. The Chief Officer and Chairman of the HFRA will also be required to sign a Governance Statement from 2007/08 to replace the statement on internal control. We therefore need to ensure that the scope of our work is in line with the new requirements.

4.5 The amendments to the Accounts and Audit Regulations in 2006 also introduced a new mandatory requirement for an annual review of internal audit and this will need to be built into the new Corporate Governance Policy and processes.

4.6 Whist this potentially affects the scope of our work, no significant changes are proposed to the current strategy for reviewing the system of corporate governance.

Partnerships

4.7 The current strategy recognises the importance of partnerships and as part of our corporate governance work we have reviewed arrangements for managing significant partnerships.

4.8 A list of all significant partnerships has been produced and reported to the Senior Management Team in September 2007. These have been reviewed by management against a partnerships governance toolkit.

4.9 The biggest development is that of the Local Area Agreement (LAA) in 2006/07 which is a three year agreement between partners in Hampshire and the Government to improve lives and conditions in Hampshire communities. The LAA is an opportunity to strengthen partnership working to deliver on priority outcomes drawn from the community strategies, with funding channelled via the County Council as the lead partner.

4.10 Although the audit arrangements for the LAA are not clear as the governance framework is not yet established, it is likely that HFRA will be required to provide assurance to the LAA Board on the use of grant funds allocated to it. When the requirements are clear, a decision will need to be made on who should provide this assurance, whether internal audit or management.

4.11 As part of our governance work, we propose to carry out a full systems review of the arrangements for partnerships to ensure that partnerships are recorded and managed in line with corporate guidance.

4.12 In addition, we propose to ensure that our audit planning process includes the identification of significant partnerships so that these can be included in the internal audit plan to ensure that they are managed and administered effectively.

Key financial systems

4.13 Our current strategy provides for system based internal audit reviews of key financial systems to be carried out at central and function / operational group levels on a risk based cycle. Historically, this has included central reviews of payroll, creditors, debtors, budgetary control, treasury management and pension arrangements.

4.14 Regular review of the key financial systems needs to continue due to the high value and volume of transaction involved, however, the following factors impact on the frequency, scope and approach to future reviews:

· the stabilisation of SAP

· the changes to audit standards, requiring the Audit Commission, as the HFRA's external auditors, to review controls in key systems on a three year cycle.

4.15 If future, we propose to review key financial systems using a risk based approach over a three year cycle (previously a two to three year cycle), co-ordinating our plans with those of the Audit Commission to ensure that they can continue to place reliance on our work.

4.16 Key financial systems will also continue to be included in the scope of our work at function / operational group level on a risk basis to ensure that sufficient assurance is gained across HFRA. This work will be co-ordinated to ensure that a rolling assurance is gained across all systems over a three year period.

Departmental systems

4.17 In addition to the key financial systems, each function / operational group also operates a range of systems, dependent on their specific management and operational requirements. The risks attached to these systems will also be reviewed during the internal audit planning process and will be included in the audit plan on a risk based approach.

4.18 As part of the internal audit planning process we will also aim to identify developing systems or systems subject to significant change so that our involvement can be planned at an early stage to advise on control issues.

Procurement and contracts

4.19 Our current strategy does not separately identify procurements and contracts and these areas have historically been included as departmental systems.

4.20 We have identified opportunities to re-focus our work in this area and propose the following strategy:

· central reviews of corporate contract procedures and the corporate procurement strategy

· periodic risk based review of arrangements for managing capital, revenue and consultants contracts in line with Financial Regulations and Contract Standing Orders

· through our audit planning process, we will identify significant revenue and capital contracts and include specific contract audit review of these in our plans. This will include arrangements for actively managing performance and efficiency targets and penalties written into contracts. This will require investment in specialist training and development for audit staff to provide the necessary skills for this work.

Establishment visits

4.21 Over the last few years we have been piloting a move away from a strict cyclical review of establishments towards a risk based approach. As a result the sample of establishments selected for review each year has included those assessed to be higher risk, with others continuing to be reviewed over an extended period of time, in line with revised risk assessments. At the same time we have extended the use of themed systems based audits, with the aim of covering all systems operating at establishment level over time. Most policies and procedures are prescribed centrally, and this approach has therefore enabled the adequacy of the control framework to be assessed in more detail. The reviews are supported by compliance testing carried out at a sample of establishments across HFRA, through short site visits, with findings shared with the relevant officer-in-charge / manager.

4.22 This approach has achieved the same overall level of assurance but enables internal audit to demonstrate risks more clearly to management. The outcome of this change of approach also indicates that the level of assurance provided at establishment level generally has been maintained.

4.23 The introduction of control risk self assessment questionnaires for completion by the officer in charge / manager at a random sample of establishments each year has also been piloted, to inform the risk assessment process. This has not proved to be of significant benefit to the planning process, compared to the time required for completion and we do not therefore propose building this approach into our future strategy.

4.24 As part of this strategy review we have identified further opportunities to develop our approach to ensure that audit resources are focussed on higher risk areas. In terms of financial risk, retained fire stations have very little locally controlled income or expenditure and the findings tend to be similar across all stations and change little from year to year. Due to the low risk in this area, we therefore propose to discontinue the traditional full scope reviews but to continue to include retained stations in the sample of stations tested within themed audits to maintain our audit presence.

4.25 We propose that wholetime stations continue to be subject to full review over a five year period, and also feature in testing plans for our themed reviews.

4.26 Whilst the number of establishments subject to a full review each year will reduce from 2008/09, audit presence at establishment level will continue to be maintained through the compliance testing required by systems based reviews (which will also include key financial systems).

Systems development and computer audit

4.27 Due to the pace of development in the field of information technology, computer audit work has always been subject to more frequent risk assessment and change of audit emphasis than other audit areas. This ensures that audit coverage keeps pace with developments and reviews are included in the internal audit plan on a risk assessed basis.

4.28 Currently, the audit plan does not include time to allow for internal audit involvement at the development stage of a project to ensure that control issues are considered at an early stage. We therefore propose that significant developments are identified at the audit planning stage in future and that internal audit involvement is planned as appropriate.

Fraud and irregularity

4.29 One of the objectives of internal audit is to identify fraud as a consequence of its reviews and to deter crime. This is a developing area of work and as a consequence progress has been reported to the Governance Committee as appropriate to agree ongoing changes to the strategy.

4.30 We have also established a dedicated investigation team which works closely with legal services and the police and we continue to invest in training and development to ensure work is delivered in accordance with best practice and legislation.

4.31 We are also developing the proactive counter fraud programme to test the HFRA's anti fraud culture, and intend to work closely with the Professional Standards departments on this. This will provide evidence in support of the HFRA Use of Resources assessment.

4.32 In support of this ongoing development, we propose the following strategy, reflecting changes agreed over the last few years:

· record reported cases of potential fraud or irregularity (including those reported under the `Reporting Concerns at Work Policy') and agree with management action to be taken with regard to investigation. Where appropriate, investigations will be conducted by internal audit and referred to the police for investigation and prosecution where criminal activities are suspected

· raise awareness of members and senior officers with regard to promoting the HFRA anti fraud and corruption culture

· continue to deliver a programme of proactive counter fraud work to test the strength of the anti fraud culture, using intelligence from management gained as part of the audit planning and reporting process. This will include the introduction of internal data matching where possible This may require short notice or unannounced visits to be carried out to establishments

· actively participate in the National Fraud Initiative programme which helps to deter crime nationally.

Value for money

4.33 Management's arrangements for securing value for money has always been an implicit part of internal audit reviews.

4.34 Since 2006/07 we have included a specific statement in all audit reports, detailing whether or not any value for money opportunities have been identified during our review. In addition, the scope of our corporate governance work includes a high level review of management's arrangements for securing value for money.

4.35 The implementation of new audit management software in 2007/08 provides the potential for developing reporting mechanisms further. Within this five year strategy we therefore intend to assess the possibility of reporting more explicitly on the controls reviewed which impact on the achievement of value for money to provide additional assurance in this area.

4.36 To date the internal audit strategy has not included specific value for money reviews as these tend to require a lot of time and input from a range of interested parties to produce successful outcomes. There is a risk that this could divert resources away from assurance work and compromise our independence. Completion of the assurance work will always be our priority within the plan. However, changes to the agreed strategy, in particular the reduction in establishment visits, may provide opportunities for our involvement in added value work in topical areas in future, without significantly increasing the overall size of the plan. It is proposed that these opportunities are identified at the planning stage in future and included in the plan as resources permit.

Sustainability

4.37 Our current audit strategy does not provide for reviews of sustainability.

4.38 A major best value review is currently in progress with the aim of reducing the carbon footprint and environmental impact of the HFRA. The report is due to be published in 2008/09 and the recommended actions will be monitored by the Performance Review Committee.

4.39 We will keep this area under review and develop our audit approach once the outcomes of the best value review are known. One potential area for review will be the implementation of sustainability impact assessments for all major decisions and projects.

Follow up work

4.40 Audit standards require internal audit to follow up assignments to review the effectiveness of management action arising from audit recommendations. No change is proposed to the current strategy :

· where an assignment concludes that the overall framework of control in an establishment or system is 'inadequate', a follow up review will be completed within one year. Follow up work may also be carried out where the overall framework is 'incomplete' at the discretion of the Audit Manager, depending on the risks involved

· significant risks reported in the annual audit opinion will be followed up in the following year.

5 Resource implications

Liaison with the Audit Commission

5.1 We have regular liaison meetings with the Audit Commission to discuss national and local audit issues. We have also consulted them on our proposed audit strategy to ensure that they can continue to rely on our work and minimise the duplication of work.

Staff input

5.2 The overall objective of the audit strategy is to distribute internal audit resources to provide an appropriate level of assurance for HFRA.

5.3 The internal audit plan for HFRA in 2007/08, totalled 206 days. Although it is not possible at this stage to estimate the detailed resource implications of the revised strategy, it is possible to identify the areas of change both in terms of staff mix and days required. We anticipate that the overall effect on resources will be minimal and managed within existing resource levels. This is summarised below:

5.4 Over the last four years, there has been a great deal of pressure on resourcing the internal audit delivery. This has been due to the impact of ongoing long term sickness as well as the effects of implementing agreed changes to the audit strategy which have typically required a richer staff mix. As a result of this resources have been distributed to ensure coverage of the higher risk areas, ensuring that appropriate levels of assurance have been delivered on an annual basis.

5.5 The section continues to experience ongoing sickness issues, and additional resources have recently been secured to cover the impact in the short to medium term. In addition, the pressure on staff mix is expected to continue as we move towards higher level strategic reviews.

5.6 Our implementation of new audit management software during 2007/08 is expected to achieve some efficiencies in the audit process over time, enabling us to deliver either a higher level of audit assurance or a reduction in audit days in some areas, which will provide flexibility in the implementation of the audit strategy.

5.7 The revised strategy also highlights a number of training needs that will need to be addressed to equip our staff with appropriate skills, in particular in the areas of contract audit and sustainability. These needs will be addressed in our training plan for 2008/09.

Section 100 D - Local Government Act 1972 - background papers

The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.

NB the list excludes:

Published works.

Documents which disclose exempt or confidential information as defined in the Act.

TITLE FILE

NONE