Archived decisions
Hampshire Fire and Rescue Authority | |||
Governance Committee |
Item 6 | ||
14 November 2008 |
|||
Internal audit progress report | |||
Report of the Treasurer | |||
Contact: Karen Shaw, ext 6194, email [email protected]
1 Introduction
1.1 This report summarises:
· progress against the Authority's internal audit plan for 2008/09
· an update on action taken by management to address the issues raised in the annual internal audit opinion for 2007/08
· significant matters arising from 2008/09 internal audit work
· priorities for the remainder of 2008/09.
2 Progress against the internal audit plan for 2008/09
2.1 The 2008/09 internal audit plan was prepared in line with the updated internal audit strategy that was approved by the Governance Committee in November 2007. The original plan totalled 239 days and, in addition, 3.5 days of work in progress was carried forward from last year. The actual days delivered in the six months ending 30 September 2008 are shown in table 1 below.
2.2 Table 1 - summary of audit days delivered 1 April 2008 to 30 September 2008
Days |
Days | |
Previous year carry forward |
3.5 | |
2008/09 agreed audit plan |
239 |
|
Variations to the plan |
+3 |
|
Revised 2008/09 plan |
242 | |
Total for 2008/09 |
245.5 | |
Actual days delivered to 30 September 2008 |
110 | |
Percentage of revised plan delivered |
(45.5%) | |
2.3 A summary of the audit opinions given to date for each completed review is included in appendix A.
2.4 Variations made to the plan up to 30 September 2008, amount to an increase of three days compared to the original agreed plan. This variation arose from:
· an additional three days audit work to follow up on actions arising from the mobile phones controls report. This review will be carried out in quarter four and outcomes reported in the internal audit annual opinion.
2.5 In addition, the 15 day procurement audit has been divided into two parts, general procurement (10 days) and fuel cards (5 days). The time allocation has not been altered, but two separate reports will be produced.
2.6 Follow up work is due to be carried out on Community Fire Risk Management Information System (CFRMIS) during quarter three and SAP Access during quarter four.
2.7 The number of completed audits and status of the remainder as at 30 September 2008 are summarised below:
2008/09 Plan |
Issued reports* |
In progress |
To start | |
Annual report |
1 |
0 |
0 |
1 |
Key financial systems |
1 |
0 |
1 |
0 |
Establishments |
4 |
1 |
0 |
3 |
Departmental systems |
12 |
4 |
4 |
4 |
VFM reviews |
1 |
0 |
1 |
0 |
Computer audit |
2 |
1 |
0 |
1 |
Follow up reviews** |
3 |
0 |
0 |
3 |
TOTAL |
24 |
6 |
6 |
12 |
* Includes reports currently in draft.
** CFRMIS, SAP Access and Service Mobile Phones controls.
3 Action to be taken by management to address the issues raised in the annual internal audit opinion for 2007/08
3.1 The 2007/08 annual internal audit opinion, reported to members of the Governance Committee in June 2008, raised new or ongoing concerns in a number of areas as follows.
Payroll
3.2 The 2007/08 Internal Audit Annual Opinion report highlighted risks concerning a lack of segregation of duties between the Workforce Planning and Workforce Support functions, and a lack of independent checking of data. In response, we understand that management have revised arrangements to improve segregation of duties and add compensating controls such as improved checking and monitoring systems. These controls are currently being assessed as part of the 2008/09 review of human resources.
3.3 In addition we also raised concerns over possible risks arising from the number of staff who had access to the payroll. As a result, this has been reviewed and modified. Please see paragraph 4.3 for further detail arising from a subsequent SAP Access review.
Workshops
3.4 Our review of workshops in 2007/08 concluded that an incomplete framework of control was in place and a number of issues were identified, notably with regard to the ability and resilience of the stock control system in producing useful and timely management information. These issues have been on-going for a number of years. Since that audit review was completed, work has been undertaken to begin the procurement process for a new system to replace Trace. This process is at selection stage with the procurement being carried out in conjunction with Hampshire County Council's IT Services.
3.5 Our review of the project implementation documentation and initial product selection stage raised concerns that risks to the project had not been identified and documented and that site visits to view products were not being evaluated on a consistent basis. This increases the risk that the chosen product may not meet the needs of all stakeholders. A risk log has since been compiled and further assessment of potential solutions undertaken. Further audit work will be undertaken when the project reaches its testing and implementation stages.
3.6 The Fleet Maintenance Centre Manager is due to report progress on the project to the Performance Review and Scrutiny Committee in November 2008.
3.7 In addition, revised stock control management arrangements have been implemented, with the Procurement Manager taking over responsibility for stock management. Progress will be assessed for the annual internal audit opinion and a full review undertaken in 2009/10.
4 Significant matters arising from 2008/09 internal audit work
Fuel issues
4.1 A review of fuel management systems was undertaken. It revealed an incomplete framework of control was operating with inadequate management information available. There is a risk that the Service may be unable to accurately determine how much fuel is held at any one time. n the event of a large scale emergency there is therefore a risk that fuel stocks may be inadequate to carry out essential business. In addition, there are no current formal policies or procedures in this area, although local fuel stock records are maintained.
Use of Service Mobile Phones
4.2 Following pro-active fraud work on the use of service mobile phones, a controls report was issued which raised concerns over lack of a formal policy on use of mobile phones and blackberries. In addition there were concerns over the processes in place for staff reporting and reimbursing for private use. Recommendations were made to address these concerns and a follow up review will be undertaken in quarter four of 2008/09.
SAP Access
4.3 Our review highlighted that due to incomplete documentation, management are unable to precisely identify what SAP access staff have. A particular concern was raised over the number of users who have access to add positions to the organisational structure, leading to a risk of the setting up of `ghost' employees. Recommendations to improve control have been made and progress will be reviewed in quarter four.
5 Irregularities
5.1 There have been no irregularities reported during the first half of the year.
6 National fraud initiative (NFI)
6.1 Data required by the Audit Commission for the 2008 NFI data matching exercise has been uploaded and matches should be reported in January 2009.
7 Priorities for the remainder of 2008/09
7.1 Our priority for the remainder of the year is to complete the internal audit plan to enable us to provide an internal audit opinion for 2008/09 in line with the internal audit strategy, including follow up work where significant issues have already been raised.
8 Recommendation
8.1 That members of the Governance Committee note the progress of internal audit work during 2008/09 and the key issues arising.
Appendix A
Hampshire Audit Services internal audit update - summary of main issues reported during the period 1 April 2008 to 30 September 2008
System |
Assurance |
Opinion on the framework of control (note 1) |
Controls operating in practice? |
Main Issues Appropriate action has been agreed, or, is under consideration by relevant managers to address these issues and progress is being monitored by management |
Key financial systems: |
||||
SAP Creditors |
In progress | |||
Departmental systems: |
||||
Business Continuity |
Full |
Appropriate |
Yes |
None |
Health and Safety |
Full |
Appropriate |
Yes |
None |
Community Safety |
Full |
Appropriate |
Yes |
None |
General Procurement |
Full |
Appropriate |
Yes |
None |
HR |
In progress | |||
Fuel Issues |
Partial |
Incomplete |
With exceptions |
There are no formal procedures in place for the management of fuel stocks held by HFRS. There is inadequate management information available from the system, resulting in management being unable to assess how much fuel is held at any one time. |
Data Quality |
In progress | |||
Computer audits: |
||||
SAP Access (07/08) |
No |
Incomplete |
With exceptions |
Documentation on the SAP security roles is incomplete and does not enable HFRS to know what access staff have and are being granted. Six users have access to a transaction used to add positions to the organisational structure and a transaction to recruit to those positions. This presents a risk of `ghost' employees being created in SAP. These points will be followed up in the latter half of 2008/09. |
Replacement Fleet Management System |
No |
Incomplete |
With exceptions |
Key decisions and discussions are not documented and cannot be confirmed should dispute arise. Site visits to see products have not been carried out consistently leading to risks that the option chosen does not meet the requirements of all the board members. Risks to the project have not been identified and mitigated against, leading to increased risks of the project going over planned financial budgets, time or not achieving the stated needs. |
IT strategy and Management |
In progress | |||
Establishments Wholetime |
||||
Rushmoor |
Full |
Appropriate |
Yes |
None |
Value for Money Review |
||||
Travel |
In progress | |||
Pro-active fraud reviews |
||||
Mobile phones controls |
N/A |
N/A |
N/A |
As a result of the investigation work undertaken, a number of system control weaknesses were identified, relating to inadequate procedures and monitoring mechanisms, which we consider require prompt action by management. It is our intention to carry out a follow-up review of the issues raised in this report in approximately 6-9 months time to ensure that adequate controls have been put into operation. |
Note 1 - the definitions for opinions are given in Appendix B.
Appendix B
Audit opinion definitions:
Comprehensive |
Controls are in place to manage all the risks identified. |
Appropriate |
Sufficient controls exist to manage the key risks identified in an effective and efficient manner. |
Incomplete |
One or more key controls are missing therefore there is a need to introduce additional key controls to manage the risk to the organisation. |
Inadequate |
Controls are considered to be insufficient to manage the risks identified, with the absence of at least one critical control mechanism. Failure to improve controls could lead to increased risk of major loss or embarrassment to the organisation. |
Section 100 D - Local Government Act 1972 - background papers
The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.
NB the list excludes:
Published works.
Documents which disclose exempt or confidential information as defined in the Act.
TITLE FILE
None