Hampshire County Council

Governance Committee

Item 6

14 December 2007

Internal Audit Strategy - 2008 to 2013

Report of the County Treasurer

Contact: Ejner Knudsen, 01962 847403, email: [email protected]

1 Introduction

1.1 The purpose of this report is to present the proposed internal audit strategy for 2008 to 2013 for approval by members of the Governance Committee prior to preparation of the detailed internal audit plans for 2008/09 and beyond.

1.2 A formal audit strategy has existed since 1999 and was last reviewed in detail in 2003/04. Since that time annual reviews have been presented to the Governance Committee to report on the ongoing relevance of the strategy and to make recommendations for change in line with sector developments.

1.3 The overall objective of the strategy is to ensure that internal audit resources are efficiently and effectively deployed to meet the requirements for internal audit outlined in:

    · CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2006 (the Code)

    · The Accounts and Audit Regulations 2003, including 2006 amendments.

    To date, the current strategy has been largely successful in achieving these aims.

1.4 It is a management responsibility to develop and maintain the internal control framework, and to ensure that the County Council's resources are properly applied. Internal audit is an assurance function that primarily provides an independent and objective opinion to the County Council on the control environment by evaluating its effectiveness in achieving the County Council's objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources (source - the Code).

2 Recommendation

2.1 That the Governance Committee approve the internal audit strategy for 2008 to 2013.

3 Context

3.1 There are a number of external and internal factors that have been taken into account in preparing this strategy, the key factors being:

    · revisions made to the Accounts and Audit Regulations 2003 in 2006

    · revisions to the CIPFA Code of Practice for internal audit in 2006

    · revised guidance from CIPFA and SOLACE 'Delivering Good Governance in Local Government'

    · the developing CPA / CAA requirements

    · the roll out of the Financial Management Standard in Schools (FMSiS) to all schools by 2010

    · increased focus on partnership working, including the Local Area Agreement and Local Public Service Agreements

    · the need to ensure that the Audit Commission can continue to rely on our work

    · changing customer expectations

    · the impact of ongoing implementation and development of new audit management software

    · the results of annual benchmarking information for internal audit.

3.2 Whilst the impact of some of these changes is not yet clear, the proposed strategy is based on the latest information available and will be updated annually during the life of the strategy to reflect emerging guidance.

3.3 The proposed audit strategy has already been considered by the Treasurer's Management Team.

3.4 The terms of reference for the internal audit service provided to Hampshire County Council were approved by the Governance Committee in March 2006. No changes are required as a result of revisions to the audit strategy.

4 Proposed audit strategy

4.1 The proposed audit strategy covers all of the County Council's activities, funded from whatever source, including risk management, control and governance processes. The proposed audit strategy is presented under the following headings:

    · Corporate governance

    · Partnerships

    · Key financial systems

    · Departmental systems

    · Procurement and contracts

    · Pension fund

    · Establishment visits

    · Systems development and computer audit

    · Fraud and irregularity

    · Value for money

    · Sustainability

    · Follow-up work.

Corporate governance

4.2 The scope of corporate governance reviews has expanded each year to reflect developments in the sector, leading to the strategy being revised and agreed by the Governance Committee in 2006/07. This provides for the system of corporate governance to be reviewed across the County Council by a rolling programme of risk based reviews and the use of self assessment questionnaires issued every other year by the Monitoring Officer.

4.3 Our consultation with other internal audit providers during our strategy review indicates that our approach to this area of work is well developed compared to other local authorities and that the current strategy provides a comprehensive scope of coverage. However, there are a number of drivers for change. In particular, CIPFA/SOLACE have issued new guidance on 'Delivering Good Governance in Local Government - Framework' which will require the Chief Executive and Leader of the County Council to sign a Governance Statement from 2007/08 to replace the statement on internal control. We therefore need to ensure that the scope of our work is in line with the new requirements. Questionnaires will also require revision to reflect the guidance.

4.4 The amendments to the Accounts and Audit Regulations in 2006 also introduced a new mandatory requirement for an annual review of internal audit and this will need to be built into the new Corporate Governance Policy and processes.

4.5 Whilst this potentially affects the scope of our work, no significant changes are proposed to the current strategy for reviewing the system of corporate governance. Through our strategy review, however, we have identified opportunities to develop and streamline our approach to delivering this work which will result in a more robust and consistent assurance across the County Council.

Partnerships

4.6 The current strategy recognises the importance of partnerships and audit plans and as part of our corporate governance work we have reviewed arrangements for managing significant partnerships at both a corporate and departmental level.

4.7 Over the last couple of years, much work has been carried out corporately to set up the partnerships 'portal' and database of partnerships and we have been actively involved in advising during the development.

4.8 We propose to carry out a full systems review of the corporate and departmental arrangements for partnerships on a risk based cycle, starting in 2008/09, to ensure that partnerships are recorded and managed in line with corporate guidance.

4.9 In addition, we propose to ensure that our audit planning process includes the identification of significant partnerships relevant to each department and include a review of these arrangements in our departmental plans to ensure that they are managed and administered effectively.

4.10 The biggest development is that of the Local Area Agreement (LAA) in 2006/07 which is a three year agreement between partners in Hampshire and the Government to improve lives and conditions in Hampshire communities. The LAA is an opportunity to strengthen partnership working to deliver on priority outcomes drawn from the community strategies.

4.11 LAA arrangements are subject to ongoing development and, as such, the governance and audit arrangements have still to be finalised by the LAA Board. Changes to Government funding and the introduction of Area Based Grants which are no longer ring-fenced will probably reduce some of the range of controls necessary for validation and audit assurance work. Further guidance is expected from the government regarding the ongoing development of these arrangements; however, the risks in this area still need to be assessed as procedures for agreeing priorities between all partners, allocating and accounting for funds are determined.

4.12 The current three year LAA will end in 2008/09, after which it is expected that there will be a certificate to complete to validate the expenditure of the County Council and the partner organisations. Internal audit will continue to contribute as required to provide assurance for at least the next two financial years.

Key financial systems

4.13 Our current strategy provides for system based internal audit reviews of key financial systems to be carried out at central, departmental and establishment levels on a risk based cycle. Historically, this has included annual central reviews of payroll, creditors, debtors and main accounting. Benchmarking information indicates that time spent reviewing key financial systems is broadly in line with other comparable authorities, although slightly above average in all areas.

4.14 Regular reviews of the key financial systems need to continue; however, the following factors impact on the frequency, scope and approach to future reviews:

    · the improved stability of SAP

    · the changes to audit standards, requiring the Audit Commission, as the County Council's external auditors, to review controls in key systems on a three year cycle

    · a continued delegation of control from the centre to departments / establishments.

4.15 Our current strategy allows for all key financial systems to be reviewed on a risk based approach, whilst also taking account of the Audit Commission's requirements. In the past, this has resulted in some systems being reviewed annually due to the increased risks relating to the development phase of SAP and the Audit Commission's requirements for annual review of what they classify as fundamental systems. Due to the developments outlined above, whilst there is no change to the overall strategy, we propose to move away from the annual cycle of reviews towards a three year cycle for all systems, where risk assessment allows. We will also continue to co-ordinate our plans with those of the Audit Commission to ensure that they can continue to place reliance on our work.

4.16 Key financial systems will also continue to be included in departmental plans on a risk basis to ensure that sufficient assurance is gained across the County Council. This work will be co-ordinated to ensure that a rolling assurance is gained across all systems and departments over a three year period.

4.17 We will also continue to co-ordinate the review and updating of the high level system interface documentation to ensure that the control mechanism is understood and that the Audit Commission have the information they require to complete their work.

Departmental systems

4.18 There are some systems that are specific to individual departments and these will continue to be identified through the audit planning process and included in our plans on a risk based approach.

4.19 As part of the internal audit planning process we will also aim to identify developing systems or systems subject to significant change so that our involvement can be planned at an early stage to advise on control issues.

Procurement arrangements

4.20 Our current strategy does not separately identify procurement arrangements and these areas have historically been included as departmental systems. However, over recent years there have been significant developments in the County Council's procurement arrangements, moving away from traditional contracting arrangements towards the use of framework contracts and involvement in public finance initiatives. These and other changes have introduced new risks into the procurement process and need to be reflected in our audit approach.

4.21 The County Council spends in excess of £550 million per annum on the external provision of goods, works and services and there are over 1,000 corporate contracts currently in place across the County Council.

4.22 Although benchmarking data indicates that the number of days we spend on capital and revenue procurement is comparable with other authorities, we have identified opportunities to re-focus and extend the scope of our work to reflect the changes outlined above. Our proposed strategy is as follows:

    · central reviews of procurement arrangements. This will include the corporate procurement strategy, corporate contract procedures and arrangements for monitoring compliance with these requirements. This will include a review of the arrangements for entering into framework contracts

    · periodic risk based review of departmental arrangements for managing capital, revenue and consultants contracts in line with Financial Regulations and Contract Standing Orders. Our review of the Property, Business and Regulatory Services department will also include the controls in place to project manage capital, revenue and consultants / agency contracts on behalf of other departments

    · through our departmental audit planning process, we will identify significant revenue and capital contracts managed by the department and include specific contract audit review of these in our plans to provide ongoing assurance throughout the process. This will include arrangements for actively managing performance and efficiency targets and penalties written into contracts. This will require investment in specialist training and development for audit staff to provide the necessary skills for this work.

Pension fund

4.23 The audit of pension arrangements has not been identified as a separate category in the audit strategy to date, although pension fund management and pensions administration have always been included in our planned work. The increasing profile of corporate governance, however, has led to a number of changes to legislation and best practice guidance on the governance and administration of pension fund investment management. In particular the corporate governance guidance referred to in paragraph 4.3 requires an annual governance statement to be produced which will refer specifically to the pension fund. As a result of these changes, we now need to more explicitly reflect the pension fund in our audit strategy for the next five years.

4.24 A key change arises from good practice guidance from a joint working group of the Society of County Treasurers (SCT), the Local Authority working group for the audit of investment managers (LAWGAIM) and the County Chief Auditors Network (CCAN) which was published in July 2007. This interprets the changes made under The Local Government Pension Scheme (Amendment) (No3) Regulations 2007 and places more emphasis on the preparation of a separate statement of control/annual governance statement for pension funds. In addition, following a full tender exercise in December 2006 the Pension Fund manager portfolio has increased significantly from four to eleven and a global custodian was appointed.

4.25 In the past our assurance on the controls operated by external investment managers has been obtained through participation in the SCT's working group, whereby each member has carried out a review and shared the results. Due to the changing profile of investment managers used by the group, we have not participated for the last two years and following the issue of the good practice guidance this work has ceased. This leaves a gap in assurance that must be addressed through this revised strategy to provide assurance in line with the new guidance.

4.26 Our proposed audit strategy is as follows:

    · we will extend the scope of our work to cover all aspects of the governance arrangements of the pension fund, with the frequency of review determined by legislative changes and by risk assessment

    · consultancy work is currently being carried out to review fundamental processes in pensions payroll and the audit of pensions administration is likely to develop over the next three years in line with the findings and changes that result. We therefore propose a two phased approach. Phase one (pre/during the review of business processes) will continue with the existing approach of smaller, more detailed, reviews across all members contributing to the fund, to cover all stages of the pension lifecycle. Phase two (after the review of and implementation of changes to the business processes) will carry out a strategic review of the whole system of control, to ensure a co-ordinated approach to pensions administration. This will include a review of computer controls as well as processing controls

    · we will need to continue to obtain assurance over the internal control frameworks of external investment managers. The level of assurance that can be obtained from external reports will be assessed, and will determine our plan of work (which will include control evaluation and compliance testing), audit approach and cycle over a four year period to provide annual assurance across the whole portfolio of funds.

4.27 In anticipation of future changes to the governance report arrangements and to provide greater transparency, we propose to separate the pensions audit work. We will produce a separate internal audit annual assurance report for the pension fund from 2008/09, and issue it to the County Treasurer.

Establishment visits

4.28 Over the last few years we have been piloting a move towards a risk based approach to establishment visits, developing our approach and gathering and assessing the impact of alternative forms of assurance. The pilot has resulted in a more frequent but more focussed presence in establishments, and has enabled us to continue to provide annual assurance in all areas. However, current benchmarking data shows that the County Council still spends a higher number of days on establishment audit compared with other authorities and there may be further opportunities to develop our approach and reduce duplication of reviews.

4.29 Consultation with other authorities during our strategy review indicates an increasing move away from establishment visits to other forms of assurance. However, consultation with key stakeholders indicates their support for maintaining the current levels of presence, whilst using alternative sources of assurance. This will enable us to reduce the scope of work needing to be covered at such visits.

4.30 The following strategy is now proposed:

    · establishment audits will continue, with a mix of establishment, themed and short notice visits. For schools the frequency of the establishment visits will remain the same (maximum 6 year cycle); however, we will place reliance on the Financial Management Standard in Schools (FMSiS) reviews and Ofsted reviews for assurance on management and governance processes and the scope of our work will be reduced to focus on the operation of the financial systems. For other departments the mix of the audits will be determined through the annual planning process; however, in any one year 20% of the establishments in each department assessed as requiring review according to the risk assessment process will be visited in some form as part of our audit work

    · internal audit will continue to offer an external assessment service to schools until all schools have achieved the FMSiS Standard. This proposal will be revisited in Spring 2010 when all schools are required to meet the Standard as the assessment is valid for three years.

Systems development and computer audit

4.31 Due to the pace of development in the field of information technology, computer audit work has always been subject to more frequent risk assessment and change of audit emphasis than other audit areas. This ensures that audit coverage keeps pace with developments. The majority of work is carried out within the IT Services department as they are responsible for corporate IT provision but work is also carried out in other departments where the need is identified through the audit planning process.

4.32 The audit plan also includes time to allow for internal audit involvement at the development stage of a project to ensure that control issues are considered at an early stage. The computer audit team also has a role to play in fraud investigation and detection work, particularly as it relates to the handling of electronic evidence.

4.33 Benchmarking data and consultation with other local authorities suggest that the time and mix of work in this area is comparable and we have not identified the need for any significant changes to the existing strategy. However, we have identified opportunities for improvements at the operational level, in terms of process, approach, and training and development.

Fraud and irregularity

4.34 One of the objectives of internal audit is to identify fraud as a consequence of its reviews and to deter crime. This is a developing area of work and as a consequence progress has been reported to the Governance Committee annually to agree ongoing changes to the strategy over the last few years.

4.35 During this time, the County Council's Anti Fraud and Corruption Strategy has been approved and we have documented investigation procedures in consultation with the Monitoring Officer. We have also established a dedicated investigation team which works closely with legal services and the police and we continue to invest in training and development to ensure work is delivered in accordance with best practice and legislation.

4.36 We have also developed the proactive counter-fraud programme to test the County Council's anti-fraud culture and provide evidence in support of the County Council's Use of Resources assessment.

4.37 In support of this ongoing development, we propose to continue with the following strategy, reflecting changes agreed over the last few years:

    · record reported cases of potential fraud or irregularity (including those reported under the 'Reporting Concerns at Work Policy') and agree with management action to be taken with regard to investigation. Where appropriate, investigations will be conducted by internal audit and referred to the police for investigation and prosecution where criminal activities are suspected

    · raise awareness of members and senior officers with regard to promoting the anti fraud and corruption culture in Hampshire

    · continue to deliver a programme of proactive counter fraud work to test the strength of the anti fraud culture, using intelligence from departments gained as part of the audit planning and reporting process. This will include the introduction of internal data matching where possible. This may require short notice or unannounced visits to be carried out to establishments

    · actively participate in the National Fraud Initiative programme which helps to deter crime nationally. Whilst the financial benefits of this initiative tend to favour other authorities processing, for example, housing benefits, the process does provide the County Council with continued assurance that the incidence of fraud in the systems reviewed is low.

Value for money

4.38 Management's arrangements for securing value for money have always been an implicit part of internal audit reviews.

4.39 Since 2006/07 we have included a specific statement in all audit reports, detailing whether or not any value for money opportunities have been identified during our review. In addition, the scope of our corporate governance work includes a high level review of management's arrangements for securing value for money.

4.40 The implementation of new audit management software in 2007/08 provides the potential for developing reporting mechanisms further. Within this five year strategy we therefore intend to assess the possibility of reporting more explicitly on the controls reviewed which impact on the achievement of value for money to provide additional assurance in this area.

4.41 To date the internal audit strategy has not included specific value for money reviews as these tend to require a lot of time and input from a range of interested parties to produce successful outcomes. This work would normally be conducted by the separate Treasurer's Consultancy Team. There is also a risk that this could divert resources away from assurance work and compromise our independence. Completion of the assurance work will always be our priority within the plan. However, changes to the agreed strategy, in particular the reduction in establishment visits, may provide opportunities for our involvement in different types of added value work in topical areas in future, without significantly increasing the overall size of the plan. It is proposed that these opportunities are identified at the planning stage in future and included in the plan as resources permit.

Sustainability

4.42 Our current audit strategy does not provide for reviews of sustainability at County, departmental or establishment levels.

4.43 Since our last strategy review, however, the County Council has developed a sustainability strategy, based on the Aalborg Commitments, which has been implemented and is to be further developed over the next two years.

4.44 A self assessment baseline review was approved by Cabinet in September 2006 and the target for sustainability is now one of four headline performance indicators in the Corporate Business Plan.

4.45 A two phase approach to the audit of sustainability is proposed:

    · Phase 1 will incorporate a review of the implementation of the sustainability performance framework, including the baseline assessment and roles of the departmental sustainability action teams

    · Phase 2 will review the implementation of the sustainability impact assessments for all major decisions and projects (a requirement of the Comprehensive Area Assessment for the County Council).

4.46 The optimal timing of the phases has yet to be precisely determined but is likely to be 2008/09 for Phase 1 and 2009/10 for Phase 2. Future audit work, beyond Phases 1 and 2, will be dependent on the rollout of the sustainability performance framework.

Follow up work

4.47 Audit standards require internal audit to follow up assignments to review the effectiveness of management action arising from audit recommendations. No change is proposed to the current strategy:

    · where an assignment concludes that the overall framework of control in an establishment or system is 'inadequate', a follow up review will be completed within one year. Follow up work may also be carried out where the overall framework is 'incomplete' at the discretion of the Audit Manager, depending on the risks involved

    · significant risks reported in the annual audit opinion will be followed up in the following year.

5 Resource implications

Liaison with the Audit Commission

5.1 We have regular liaison meetings with the Audit Commission to discuss national and local audit issues. We have also consulted them on our proposed audit strategy to ensure that they can continue to rely on our work and minimise the duplication of work.

Staff input

5.2 The overall objective of the audit strategy is to distribute internal audit resources to provide an appropriate level of assurance in each department and for the County Council as a whole.

5.3 The plan for Hampshire County Council in 2007/08 totalled 3,722 days. Although it is not possible at this stage to estimate the detailed resource implications of the revised strategy, it is possible to identify the areas of change both in terms of staff mix and days required, and we anticipate that the overall effect on resources will be minimal and managed within existing resource levels. This is summarised below:

| Strategy area | Proposed changes in cover and staff mix (compared to 2007/08 update) |
|---|---|
| Corporate governance | No change in scope of corporate governance reviews but opportunities identified for more streamlined delivery of this work. |
| Partnerships | Increase in days required to review controls over Local Area Agreement to enable the statutory certificate to be signed. Possible increase in days in the longer term to review specific significant partnerships. |
| Key financial systems | Overall reduction in days required for the central review of key financial systems due to an increased audit cycle. No change for departmental reviews. |
| Departmental systems | No change |
| Procurement and contracts | Increase in days to reflect revised strategy. |
| Pension fund | Overall increase in the number of audit days to meet requirements of: the need to review internal controls operated by pension fund managers; the increasing interest in the pension fund governance arrangements and the proposed changes to legislation. |
| Establishment visits | Decrease in the number of audit days required due to reduced scope proposed for reviews where alternative assurance is available. |
| Systems development and computer audit | No change |
| Fraud and irregularity | No change |
| Value for money | Possible increase to allow for involvement in value added work. |
| Sustainability | New area requiring additional resource from 2008/09. |
| Follow up | No change. |

5.4 Over the last four years, there has been a great deal of pressure on resourcing the internal audit delivery. This has been due to the impact of ongoing long term sickness as well as the effects of implementing agreed changes to the audit strategy which have typically required a richer staff mix. As a result of this, resources have been distributed to ensure coverage of the higher risk areas, ensuring that appropriate levels of assurance have been delivered on an annual basis.

5.5 The section continues to experience ongoing sickness issues, and additional resources have recently been secured to cover the impact in the short term. In addition, the pressure on staff mix is expected to continue as we move towards higher level strategic reviews. This pressure is reflected by benchmarking data which indicates a richer staff mix in comparable counties.

5.6 Our implementation of new audit management software during 2007/08 is expected to achieve some efficiencies in the audit process over time, enabling us to deliver either a higher level of audit assurance or a reduction in audit days in some areas, which will contribute to benefit realisation savings and provide flexibility in the implementation of the audit strategy.

5.7 The revised strategy also highlights a number of training needs that will need to be addressed to equip our staff with appropriate skills, in particular in the areas of contract audit and sustainability. These needs will be addressed in the departmental training plan for 2008/09.

Section 100 D - Local Government Act 1972 - background papers

The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.

NB the list excludes:

Published works.

Documents which disclose exempt or confidential information as defined in the Act.

TITLE FILE

NONE