Contact: Karen Shaw, tel 01962 846194 or email [email protected]

1 Summary

1.1 The internal audit opinion is that Hampshire Fire and Rescue Authority has an appropriate framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the Authority's objectives. Audit testing has shown controls to be working in practice. Where improvements to controls are required, we are satisfied that appropriate action has been, or, will be agreed by relevant managers and that they will be resolved in an appropriate manner.

1.2 The following paragraphs explain how we arrived at this opinion.

2 Background

2.1 From 2003/04, the Code of Practice on Local Authority Accounting in the United Kingdom has required the Chairman of Hampshire Fire And Rescue Authority and the Chief Officer to sign a general statement on internal control as a note to the published accounts. During 2007/08, however, the Chartered Institute of Public Finance and Accountancy (CIPFA) and the Society of Local Authority Chief Executives (SOLACE) published revised guidance regarding corporate governance in order to satisfy the requirements of Regulation 4(2) of the Accounts and Audit (Amendment) (England) Regulations 2006. As a result of this, an annual governance statement replaces the statement of internal control with effect from 1^st April 2007.

2.2 To support the process of producing the annual governance statement, the Chief Internal Auditor is required to provide an independent opinion on the adequacy and effectiveness of the system of internal control operating across the Authority.

2.3 This opinion is contained in the assurance statement attached at Appendix A.

2.4 It is a management responsibility to develop and maintain the internal control framework, and to ensure that the Authority's resources are properly applied. Internal audit is an assurance function that provides an independent and objective opinion to the Authority on the control environment by evaluating its effectiveness in achieving the Authority's objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources. (source: CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2006).

3 Objectives

3.1 This report will outline the level of assurance that we are able to provide, based on the internal audit work completed during the year. It will:

· give an opinion on the overall adequacy and effectiveness of the Authority's internal control environment

· disclose any qualification to that opinion, together with the reasons for the qualification

· present a summary of the audit work undertaken to formulate the opinion, including reliance placed on work by other assurance bodies

· draw attention to any issues the Chief Internal Auditor judges particularly relevant to the preparation of the statement on internal control

· compare the work actually undertaken with the work that was planned and summarise the performance of the internal audit function against performance measures and criteria

· comment on compliance with these standards and communicate the results of the internal audit quality assurance programme.

4 Audit approach

4.1 A summary outlining the audit approach and audit delivery during 2007/08 is provided in appendix B.

4.2 Detailed reports, giving the internal audit opinion on each of the systems examined have been issued to individual managers who have considered each report and provided a management response. This report provides an opinion on the overall control framework using the following terms which are defined in Appendix C:

· comprehensive

· appropriate

· incomplete

· inadequate.

5 Overall assurance

5.1 The internal audit opinion is that Hampshire Fire and Rescue Authority has an appropriate framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the Authority's objectives. Audit testing has shown controls to be working in practice. Where improvements to controls are required, we are satisfied that appropriate action has been, or, will be agreed by relevant managers and that they will be resolved in an appropriate manner.

5.2 There has been no change in the overall level of assurance provided compared to that given in our 2006/07 annual internal audit opinion.

6 Issues raised during 2007/08

Main Findings

6.1 20 reviews were completed in 2007/08 and based on the audit evidence obtained, 14 systems /establishments had an appropriate framework of control and two had an incomplete framework of control to ensure that the activities and procedures achieve the Authority's objectives. Four reviews were follow up audits and in each case evidence of progress against recommendations was found. Overall, audit testing has shown that the controls are operating in practice.

6.2 A summary of the opinions on the reviews carried out in 2007/08 is shown at Appendix D.

Payroll

6.3 Payroll reviews in both 2005/06 and 2006/07 highlighted risks concerning a lack of segregation of duties between Workforce Planning and Workforce Support functions, and a lack of independent checking of data.

6.4 Our review of payroll in 2007/08 concluded that these issues had not been addressed. In addition, we found that read-only access to the payroll system is not adequately restricted to appropriate staff leading to a risk of breach of the Data Protection Act. Recommendations have been made to address risks identified and actions to address risks will be assessed during 2008/09.

Workshops

6.5 Our previous two annual reports have highlighted risks relating to stock management arrangements at Workshops. Our review during 2007/08 once again raised similar concerns, as controls in place within the current stores stock control system are not sufficient to ensure all stock is correctly accounted for. We also raised specific concerns over the control of fuel stocks due to inadequate accounting and security arrangements and the lack of formal contractual arrangements with contractors for the removal of metal waste and supply of fuel. Since our review several changes have taken place including the relocation of Workshops to the headquarters site and alterations to line management responsibilities. In addition, the procurement of a new stock control system is being considered to address the ongoing concerns in this area.

6.6 We have agreed with management that a limited amount of follow up work will be undertaken during 2008/09 to give the new arrangements time to take effect, with a full review being undertaken early in 2009/10.

6.7 Last year's annual report highlighted concerns about security of back-up tapes held at workshops. The relocation to HQ has resolved this issue.

6.8 Whilst a number of other significant recommendations were made during the year, these were significant to the systems concerned and were not material in the context of the Authority as a whole.

Common findings

6.9 No significant common findings have been identified during the year.

Follow-up work

6.10 Where an assignment concludes that the overall framework of control in an establishment or system is `inadequate', a follow-up review is carried out within one year. There were no inadequate opinions in 2006/07 requiring follow-up, however follow up work was undertaken to assess progress made in implementing recommendations relating to Copnor Fire Station, Databases, and Security and Password Controls. In addition, the scope of planned full reviews of Estates and Property Management were reduced to only follow up previous recommendations. We found that appropriate measures had been taken to address the recommendations made in all the above reviews.

6.11 We will continue to review the implementation of audit recommendations made in 2007/08 as part of our 2008/09 audit plan. In addition, HFRA has a robust process for monitoring the implementation of agreed actions and progress has been reported to the Performance Review Committee during the year. Responsibility has now been transferred to the Governance Committee.

Pro-active fraud work

6.12 During 2007/08 we met with the Employee Relations Department to develop our approach to delivering pro-active fraud detection work in accordance with our agreed plan. Detail of this work can be found in appendix D.

6.13 Data matches reported by the Audit commission in January 2007 as a result of the 2006 National Fraud Initiative (NFI) were risk assessed and investigated, and our findings can be found in appendix D.

Irregularities

6.14 Two potential irregularities were reported during 2007/08, detail of which can be found in appendix D. one relating to a breach of Data Protection legislation, and one with regard to unsuitable material being found on the laptop of a recently left staff member. Audit reviewed controls with regard to the Data Protection issues. The laptop issue has been referred to the police for further investigation.

Value for money

6.15 During the year, any value for money issues highlighted during the course of our controls assurance work have been reported to management. A summary of issues raised is attached at Appendix D, however these were not significant.

7 Recommendations

7.1 That the Governance Committee accept the internal audit assurance statement for 2007/08 detailed in Appendix A.

7.2 The main risks identified during the year are noted.

Section 100 D - Local Government Act 1972 - background papers

The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.

NB the list excludes:

Published works.

Documents which disclose exempt or confidential information as defined in the Act.

TITLE FILE

None

Appendix A

Annual assurance statement for the year ended 31 March 2008

Introduction

The Accounts and Audit Regulation 2003, amended in 2006, require the Treasurer to maintain an adequate and effective system of internal audit.

From 2003/04 the Code of Practice on Local Authority Accounting in the United Kingdom has required the Chairman of Hampshire Fire And Rescue Authority and the Chief Officer to sign a general statement of internal control as a note to the published accounts. During 2007/08, however, the Chartered Institute of Public Finance and Accountancy (CIPFA) and the Society of Local Authority Chief Executives (SOLACE) published revised guidance regarding corporate governance in order to satisfy the requirements of Regulation 4(2) of the Accounts and Audit (Amendment) (England) Regulations 2006. As a result of this, an annual governance statement replaces the statement of internal control with effect from 1^st April 2007.

To support the process of producing the annual governance statement, the Chief Internal Auditor is required to provide an independent opinion on the adequacy and effectiveness of the control environment, comprising risk management, control and governance for the Authority.

Responsibilities

It is a management responsibility to develop and maintain the internal control framework, and to ensure that resources are properly applied in the manner and on the activities intended. It is the responsibility of Internal Audit to form an independent opinion, based on reviews during the year, on the adequacy and effectiveness of the system of internal control.

Basis of opinion

The strategic and annual internal audit plans were prepared by the Chief Internal Auditor to take account of the characteristics and relative risks of the activities involved and were approved by the Treasurer. The internal audit plan has been delivered in accordance with the Code of Practice for Internal Audit in Local Government in the United Kingdom, issued by CIPFA.

Work has been planned and performed so as to obtain all the information and explanations which were considered necessary in order to provide sufficient evidence to give reasonable assurance that the internal control system is operating effectively. However, this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control.

Opinion

In my opinion Hampshire Fire and Rescue Authority has an appropriate framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the Authority's objectives. Audit testing has shown controls to be working in practice.

Karen Shaw

Chief Internal Auditor

Hampshire Fire and Rescue Authority

26 June 2008

Appendix B

Audit Background

1 Scope of internal audit

1.1 The Chief Internal Auditor is required to provide the Authority with an assurance on the system of internal control. It should be noted, however, that this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control. In assessing the level of assurance to be given the following have been taken into account:

· all audits completed during 2007/08, including those audits carried forward from 2006/07

· any follow up action taken in respect of audits from previous periods

· any significant recommendations not accepted by management and the consequent risks

· the effects of any significant changes to the organisation's objectives or systems

· the quality of internal audit's performance

· the proportion of audit need that has been covered to date

· the extent to which resource constraints may limit the ability to meet the full audit needs of the Authority

· any limitations that may have been placed on the scope of internal audit.

2 Audit service quality

2.1 The service we provide is designed to ensure compliance with the standards for internal audit promulgated by the CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2006. The standards cover the following areas:

· scope of internal audit

· independence

· ethics for internal auditors

· audit committees

· relationships

· staffing, training and continuing professional development

· audit strategy and planning

· undertaking audit work

· due professional care

· reporting

· performance, quality and effectiveness.

2.2 We have a number of mechanisms in place to ensure that our services are of a consistently high standard. In particular:

· we are registered under British Standard BS EN ISO 9001:2000, the international quality management standard and have developed a comprehensive set of audit and management procedures to underpin this

· we have Investors in People accreditation which ensures that the training and development needs of all our staff are reviewed on an annual basis as part of our individual planning process, with essential needs delivered within the year

· we have a quality assurance programme which includes an annual service improvement planning process; annual benchmarking with other local authority internal audit providers to compare the efficiency, effectiveness and economy of our services; a rolling programme of reviews of a sample of completed audit reviews and management processes to ensure consistency in approach and compliance with professional standards and quality procedures; and a quarterly review by the County Treasurer's management team of our performance indicators.

2.3 Whilst identifying some opportunities for continuous development, the results of the quality assurance programme confirm that we substantially comply with the requirements of the Code of Practice.

2.4 In addition, our work is subject to annual review by the Authority's external auditors who continue to rely on our work to support their audit opinion.

3 Audit Needs

3.1 A risk assessment was undertaken for the 2007/08 audit plan, which involved an analytical review of data relating to the Authority including: size of budgets, content of committee reports or committee decisions, previous audit findings and consultation with the Director of Corporate Services and other finance managers to ensure the audit plan addressed the key risks facing the Authority.

A summary of audit days delivered during 2007/08 is provided in Table 1.

Table 1 - Summary of audit days delivered (2007/08)

Detail	2007/08 Days	Days
Days carried forward from 2006/07		37
Audit plan agreed by Treasurer	206
Variations to the plan	-39.5
Revised plan at the year end		166.5
Total days		203.5
Total days delivered including delivery of carry forward audits		200
Days carried forward to 2008/09		3.5

3.2 The 2006/07 carry forward days relate to audits which were in progress at the end of the year. Of these, our reviews of Pension Arrangements and Treasury Management were not included in the 2006/07 opinion. These were completed during 2007/08 and are included in this report.

3.3 The audit plan was revised during the year to 166.5 days. The original and revised audit plans are shown at Appendix E and the agreed changes made to the plan reflect the following:

· a reduction of 10 days from the plan as HFRA requested that the audit of business continuity be deferred until 2008/09 as work is on-going in this area

· a reduction of 10 days with respect to the audit of community safety as the department is currently undergoing a restructure

· a reduction of 10 days due to the deferral of the business education audit due to organisational changes

· an additional three days to enable audit to oversee stock checks during the move of Workshops from the Winnall site to HQ

· the reduction in scope of the capital contracts and estates management reviews from two full audits to one follow up audit (-14 days)

· an additional 1.5 days needed for the networks audit in order to complete the work satisfactorily.

3.4 The carry forward days relate to audits where a draft was issued and awaiting management response or where testing was in progress as at 31 March 2008. Of those audits, only SAP Access is not included in this report, but will be reported in the 2008/09 audit opinion.

3.5 No limitations were placed on the scope of our work during the year.

4 Audit approach

4.1 We examined systems operating to achieve objectives set by management in each of the areas detailed in Appendix E. We are not aware of any significant changes to any of the systems reviewed since our work was conducted, apart from the changes at workshops as detailed in paragraph 6.5.

4.2 Our work has been carried out using a systems based audit approach. This covers the control environment of HFRA which comprises the systems of governance, risk management and internal control. Key elements of the control environment include:

· establishing and monitoring the achievement of HFRA's objectives

· the facilitation of policy and decision-making ensuring compliance with established policies, procedures, laws and regulation - including how risk management is embedded in the activity of HFRA, how leadership is given to the risk management process, and how staff are trained or equipped to manage risk in a way appropriate to their authority and duties

· ensuring the economical, effective and efficient use of resources, and for securing continuous improvement in the way in which functions are exercise, having regard to a combination of economy, efficiency and effectiveness

· the financial management of HFRA and the reporting of financial management

· the performance management of HFRA and the reporting of performance management.

4.3 An implicit part of our systems based audit approach is an evaluation of the controls in place to prevent and detect fraud and we perform sufficient audit testing to confirm that controls are working in practice.

5 Audit Liaison

5.1 Staff within Hampshire Fire and Rescue Service have been co-operative and helpful during audits, and have worked with us to ensure that audits have been timed to suit both parties.

5.2 Management responses to audit reports have been prompt helping to ensure that recommendations to address control weaknesses receive management's early attention. This has been aided by the pro-active role undertaken by the Deputy Performance Review Manager in tracking and following up audit responses and action plans.

5.3 Audit Appraisal Questionnaires (AAQ) have been received from eight of the reviews completed in the year with an average satisfaction score of 88.8% (87.9% 2006/07), which demonstrates a good working relationship. We are grateful for these responses, as feedback enables us to improve our service to the Authority.

5.4 Quarterly meetings have taken place between the Director of Corporate Services, Head of Financial and Office Services, Deputy Performance Review Manager and Internal Audit to discuss progress on the delivery of the internal audit plan and provide an opportunity to share information on audit and operational developments within the service.

Appendix C

Audit opinion definitions:

Appendix D

Hampshire Fire and Rescue Authority

Annual internal audit opinion 2007/08 - Summary of main issues reported during 2007/08.

Note 1 - the definitions for opinions are given in Appendix C.

Appendix E

Hampshire Fire and Rescue Authority

Annual internal audit plan 2007/08