HAMPSHIRE COUNTY COUNCIL
Decision Report
Decision Maker: Audit Committee
Date of Decision: 25 June 2009
Decision Title: Annual internal audit opinion 2008/09
Decision Reference: 795
Report From: County Treasurer
Contact name: Paul Carey-Kent
Tel: 01962 847525
Email:
1. Executive summary
1.1. In accordance with the Accounts and Audit (England) Regulations 2003, as amended in 2006, the County Council is required to include an annual governance statement within the published accounts.
1.2. To support the process of producing the annual governance statement, the Chief Internal Auditor is required to provide an independent opinion on the adequacy and effectiveness of the system of internal control operating in each department and in the County Council as a whole.
1.3. An overall assurance statement for the County Council as a whole is attached at Appendix A.
2. Contextual information
2.1. It is a management responsibility to develop and maintain the internal control framework, and to ensure that the County Council's resources are properly applied. Internal audit is an assurance function that primarily provides an independent and objective opinion to the County Council on the control environment by evaluating its effectiveness in achieving the County Council's objectives. It objectively examines, evaluates and reports on the adequacy of the control environment as a contribution to the proper, economic, efficient and effective use of resources. (source: CIPFA - Code of Practice for Internal Audit in Local Government in the United Kingdom 2006)
3. Internal audit opinion
3.1. It is internal audit's opinion that Hampshire County Council has an appropriate framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the County Council's objectives. Audit testing has shown controls to be working in practice, with some specific exceptions. Where improvements to controls or compliance are required, we are satisfied that appropriate action has been agreed by relevant managers and that they will be resolved in an appropriate manner.
3.2. The following paragraphs explain how we arrived at this opinion.
4. Objectives
4.1. This report will outline the level of assurance that we are able to provide, based on the internal audit work completed during the year. It will:
· give an opinion on the overall adequacy and effectiveness of the County Council's internal control environment
· disclose any qualification to that opinion, together with the reasons for the qualification
· present a summary of the audit work undertaken to formulate the opinion, including reliance placed on work by other assurance bodies
· draw attention to any issues the Chief Internal Auditor judges particularly relevant to the preparation of the statement on internal control
· compare the work actually undertaken with the work that was planned and summarise the performance of the internal audit function against performance measures and criteria
· comment on compliance with these standards and communicate the results of the internal audit quality assurance programme.
5. Audit approach
5.1. A summary outlining the audit approach and audit delivery during 2008/09 is provided in Appendix B.
5.2. Detailed reports, giving our conclusion on each of the systems examined, have been issued to individual managers, who have considered each report and provided a management response. This report provides an opinion on the overall control framework using the following terms, which are defined in Appendix C:
· comprehensive
· appropriate
· incomplete
· inadequate
6. Overall assurance
6.1. It is internal audit's opinion that Hampshire County Council has an appropriate framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the County Council's objectives. Audit testing has shown controls to be working in practice with some specific exceptions. Where improvements to controls or compliance are required, we are satisfied that appropriate action has been agreed by relevant managers and that they will be resolved in an appropriate manner.
6.2. There has been no change in the overall level of assurance provided compared to that given in our 2007/08 annual internal audit opinion.
7. Issues raised during 2008/09
Main findings
7.1. Details of the level of control and the main issues identified across all departments in 2008/09 are given in Appendix D (which is not for publication by virtue of paragraph 7 of Part I of Schedule 12A of the Local Government Act 1972). Concerns regarding the system of internal control were raised in respect of the areas outlined below. Appropriate action has been agreed by relevant managers to address these issues and progress is being monitored.
7.2. Our follow-up of audit findings raised in 2007/08 audit reports confirmed that progress had been made during 2008/09 and appropriate action had generally been taken in respect of the recommendations made. An update on the issues raised in the 2007/08 annual audit report is included below.
7.3. We will review the implementation of audit recommendations made in 2008/09 as part of our 2009/10 audit plan.
SAP access controls
7.4. Over the last three years, we have raised issues regarding the segregation of duties within SAP and role-based security.
7.5. A working group comprising representatives from the Chief Executive's (Human Resources), County Treasurer's and Property, Business and Regulatory Services departments was set up to look into the issues relating to separation of duties in more detail, and report back on the risks in the three main business areas of human resources, finance and procurement. The working group concluded that compensating controls are now in place to manage the risks identified.
7.6. The majority of departments currently assign SAP access on an individual security role basis. The County Treasurer's department has implemented role templates, so each role, such as Auditor, has a group of SAP security roles assigned to it in the template. Audit Services have carried out an investigation to establish whether the implementation of generic role-based security (as opposed to the current hybrid system of role-based and role specific security) would enhance data security and make it easier to manage user access. Research indicates that because of the size and complexity of the County Council, and the large variety of roles undertaken by staff, role-based security would be difficult to implement and manage across the board, and would not offer significant benefits over current arrangements. Findings, with a summary of other controls that have been developed, will be reported to the Security Managers Group for discussion on the way forward in June 2009.
Direct payments (Adult Services)
7.7. In 2006/07 we reported that, whilst procedures and guidance notes were in place, they were not embedded into the department and most care managers seemed unaware of their role in checking financial records and providing advice on financial management. The matter was subsequently discussed at the Governance Committee and a plan of action agreed including a business process review to enable the control framework to cope with a planned expansion of the service.
7.8. A report to Cabinet on 25 February 2008 outlined proposed changes to the Direct Payment Scheme, both as a result of a consultation exercise and also to address the issues raised in the 2006 Internal Audit report. This is particularly significant because direct payments are part of the extensive modernisation agenda based around personalisation of services, which Adult Services are currently implementing on a pilot basis. An audit review of direct payments was carried out during 2008/09 and found that issues previously raised had either been addressed or were included in an action plan for resolution.
7.9. The roll out of self directed support has been extended until April 2010; however, in the meantime we have provided advice and support on potential control issues and we are satisfied that adequate progress is being made against the revised self directed support roll out programme.
Pension contributions
7.10. Our 2006/07 review identified some issues relating to the administration of pension contributions, particularly in reconciling the payroll deductions to the pension fund receipts, and checks on the data supplied by other contributing bodies. There were also known issues relating to the operation of the interface between SAP and AXISe, the system used to record pension contributions.
7.11. There was progress made in 2007/08 to address the significant findings previously raised and further action was expected in 2008/09. For this reason, the follow up work of the pensions contributions review was limited only to the actions taken against the recommendations made. We found that several of the recommendations had been actioned, but that the impact of these changes would not be known until after the year end process was complete, and we were not able to fully test the control improvements.
7.12. As part of the management response to the pension contributions review in 2006/07, it was agreed that the County Treasurer's Consultancy team should undertake a business process innovation (BPI) review of the whole pension contributions process. The review commenced in October 2008 and is ongoing. However, the phasing of the review was amended during the year to reflect other work in the department, and the initial work has been more limited than a full BPI review. Outcomes to date have focussed on the transfer of roles and responsibilities within the department. Further work may be required to improve the control framework in the future.
Chief Executive's (Human Resources)
7.13. A number of issues relating to the Resourcing Centre and Service Centre have been raised in the Chief Executive's (Human Resources) departmental annual opinions in the last three years. In particular:
· the provision of training and guidance for recruiting managers to enable effective checking of eligibility to work in the UK
· consistent application of the CRB policy (failure to apply CRB checks correctly was also the most significant common finding arising from the extensive programme of school visits)
· ensuring the appropriate electronic authorisation of payroll changes
7.14. Whilst our follow up work has shown that there is now consistency in the application of the CRB policy, the remaining issues have still not been addressed and in our opinion now need prompt resolution.
Capital project budget planning
7.15. Concerns were raised in the 2007/08 annual report regarding the clarity of roles and responsibilities for the financial monitoring of capital projects and the management reporting process. We found that the responsibilities and information are spread across more than one department and we concluded that the process needs to be reviewed, streamlined and documented.
7.16. Following the findings of the report, the County Treasurer's Consultancy team have been requested to undertake some work in this area, incorporating the findings from the audit review. Initial meetings have taken place to progress the work and Internal Audit will contribute. As a result of this no further audit work was carried out in 2008/09 but a further review will be scheduled for 2009/10.
High cost placements (Adult Services)
7.17. For the second year running, our audit work has shown that there is not always evidence on Swift that annual reviews of high cost placements are being carried out (24.6% failure in a sample of 175 tested). There is a potential risk that placements may no longer be suitable for the client or alternative placements may have become available which offer better value for money.
Worker profiles for agency staff
7.18. For the second year running we have raised issues relating to the lack of worker profiles (which prove that agency workers are who they claim to be) in both Adult Services and Children's Services establishments. We found that agency staff did not always have worker profiles at the establishment as required by the Manpower agency contract conditions and where these existed they were not always complete with photographs and CRB reference numbers. There is therefore a risk that inappropriate staff may be working within the establishments. It is intended that the new Manpower system will reduce the number of staff with no worker profile as it is our understanding that the worker profiles will be available on line. At the time of our testing the new system had not been implemented.
Safeguarding (Children's Services)
7.19. Our review of a sample of child protection plans and social care records found that although there are robust procedures in place there is some non-compliance with nationally-set timescales for visiting children and for the holding of strategy discussions and child protection conferences. Risks to the safety of children would be further reduced by adherence to timescales. We have recommended that Area Directors put in place an action plan to encompass how timescales can be met in future and how recording can be improved. We understand that £1.2 million has been included in the 2009/10 budget to address a range of safeguarding issues and this will also help to reduce the risk. We will carry out follow-up audit work during 2009/10.
Irregularities
7.20. During 2008/09, 25 potential irregularities were reported, 23 of which led to investigations being undertaken by Audit Services and/or the department in which the potential irregularity was identified. Of these, most related to internal procedural issues, but two cases were referred to the police for criminal investigation. The outcomes of the internal investigations included resignations and dismissals, with losses either recovered or being pursued through the legal system.
7.21. This level of irregularities reported is consistent with that reported in 2007/08.
7.22. Details of the more significant investigations are included in appendix D (which is not for publication by virtue of paragraph 7 of Part I of Schedule 12A of the Local Government Act 1972).
7.23. The Audit Commission's National Fraud Initiative (NFI) data matching exercise for 2008/09 is under way and includes mandatory reports covering payroll and pensions, UK visas, blue badges, private residential care homes, insurance claimants and creditor payments. To date, the NFI exercise has not identified significant levels of fraud or savings in Hampshire and the outcomes have contributed to the overall positive assurances that we are able to provide.
7.24. During the year we undertook a number of pro-active fraud detection exercises and this work did not raise any significant new concerns or evidence of fraud or irregularity, indicating that the control environment continues to be strong. The incidence of fraud - necessarily judged by the volume of reporting and detection - is considered low for an organisation of this size and diversity.
Common findings
Compliance with Contract Standing Orders and European Union directives
7.25. Our 2007/08 audit work identified one significant common finding which arose from our routine audit work as well as irregularity investigations. This related to compliance with the County Council's Contract Standing Orders and European Union directives on procurement. We found a general lack of awareness about aspects of these requirements, as well as missed opportunities within the County Council's monitoring framework which would have allowed for non-compliance to be identified at an earlier stage in the process.
7.26. As a result of our findings we concluded that there was a clear need to raise general awareness of procurement rules across the County Council and to provide appropriate training to staff involved in the procurement process.
7.27. Having worked closely with Legal Services on these cases, we concluded that improvements needed to be made generally in the governance arrangements for major corporate projects and action was recommended at a corporate level, and approved by Cabinet at its meeting on 24 September 2007.
7.28. Cabinet also recommended that 'if responsibility for procurement remains with departments, and is not handled centrally, consideration must be given to extending the role of County Supplies, which currently monitors procurement practice for value for money purposes, so that they assume responsibility to monitor, promote best practice and report on areas of non-compliance'. No action had been taken on this recommendation, pending the outcomes of the review of Corporate Services, and we reported the risk that non-compliance would continue. The Corporate Services reviews, which included a review of procurement, are now complete and outcomes were reported to Cabinet on 30 March 2009. Consistent with the above, this concluded that a more corporate approach to procurement should be adopted, in particular to develop and adopt a common template for strategic resourcing for principal categories of spend; and to introduce stronger central leadership and performance management into the current model of a central advisory role supporting a departmental approach.
7.29. We are also currently undertaking a corporate procurement audit, and during 2008/09 carried out a number of procurement reviews within individual departments. The aims of this work were to assess the overall framework of control within the County Council and progress made in implementing previous recommendations, as well as further testing the level of compliance across the County Council. Our departmental reviews identified ongoing concerns with regard to compliance with Contract Standing Orders and European Union Directives on procurement. In particular, there was limited awareness of, and lack of systems in place to track, the EU rule for the four year aggregation of spending, which is the required basis for determining whether the directives apply, leading to cases of potential breach. We also identified a number of cases below the EU thresholds, where tendering arrangements had not complied with the County Council's Contract Standing Orders. Our half year progress report outlined a number of initiatives in place to raise awareness of procurement rules and over 1,000 staff have now received awareness and training sessions on procurement. However, our findings indicate that further work in this area remains a priority.
7.30. A Best Practice Procurement guide has been jointly produced, published and publicised on the County Council's internal website in October 2008 by the Corporate Procurement team and legal services. Action is also being taken to implement wider governance training across the County Council to address governance, ethical, policy and legal issues to ensure that managers are aware of their obligations. Action has been taken to ensure this is covered in training for new managers. To cover all current staff is an ambitious programme and Hampshire Learning Centre staff have agreed the strategy to deliver this over the next two years, in consultation with the Monitoring Officer and Chief Internal Auditor. Work is currently under way to identify all sources of information and training already available with a view to implementing a more structured awareness programme. This will be aimed at both new and existing staff.
7.31. Where other common findings have been identified within departments, these are detailed in appendix D.
8. Recommendation(s)
8.1. That the Audit Committee accept the internal audit assurance statement for 2008/09 detailed in Appendix A.
8.2. That progress of management actions to resolve the issues in paragraphs 7.4 to 7.19 be reported mid-year to the Audit Committee.
CORPORATE OR LEGAL INFORMATION:
Links to the Corporate Strategy
Hampshire safer and more secure for all: yes/no
Corporate Business plan link number (if appropriate):
Maximising well-being: yes/no
Corporate Business plan link number (if appropriate):
Enhancing our quality of place: yes/no
Corporate Business plan link number (if appropriate):
OR
This proposal does not link to the Corporate Strategy but, nevertheless, requires a decision because: Member approval of the Annual internal audit opinion, in accordance with the Accounts and Audit (England) Regulations 2003, as amended in 2006, is a statutory requirement.
Section 100 D - Local Government Act 1972 - background documents
The following documents discuss facts or matters on which this report, or an important part of it, is based and have been relied upon to a material extent in the preparation of this report. (NB: the list excludes published works and any documents which disclose exempt or confidential information as defined in the Act.)
Document | Location
IMPACT ASSESSMENTS:
1. Equalities Impact Assessment:
1.1. Equality objectives are not considered to be adversely affected by the proposals within this report.
2. Impact on Crime and Disorder:
2.1. The proposals in this report are not considered to have any direct impact on the prevention of crime
3. Climate Change:
a) How does what is being proposed impact on our carbon footprint / energy consumption?
No specific changes.
b) How does what is being proposed consider the need to adapt to climate change, and be resilient to its longer term impacts?
No specific proposals affecting adaptation to climate change.
Hampshire County Council
Assurance statement for the year ended 31 March 2009
Introduction
The Accounts and Audit Regulations 2003, amended in 2006, require the County Treasurer to maintain an adequate and effective system of internal audit.
The Regulations also require the County Council to include an annual governance statement within the published accounts.
To support the process of producing the annual governance statement, the Chief Internal Auditor is required to provide an independent opinion on the adequacy and effectiveness of the control environment, comprising risk management, control and governance for each department and the County Council as a whole.
Responsibilities
It is a management responsibility to develop and maintain the internal control framework, and to ensure that resources are properly applied in the manner and on the activities intended. It is the responsibility of Internal Audit to form an independent opinion, based on reviews during the year, on the adequacy and effectiveness of the system of internal control.
Basis of opinion
The strategic and annual internal audit plans were prepared by the Chief Internal Auditor to take account of the characteristics and relative risks of the activities involved and were approved by the County Treasurer. The internal audit plan has been delivered in accordance with the Code of Practice for Internal Audit in Local Government in the United Kingdom, issued by CIPFA.
Work has been planned and performed so as to obtain all the information and explanations which were considered necessary in order to provide sufficient evidence to give reasonable assurance that the internal control system is operating effectively. However, this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control.
Opinion
In my opinion Hampshire County Council has an appropriate framework of control that provides reasonable assurance regarding the effective, efficient and economic achievement of the County Council's objectives. Audit testing has shown that the controls are working in practice with some specific exceptions.
Paul Carey-Kent
Chief Internal Auditor
County Treasurer's Department
Hampshire County Council
25 June 2009
Audit background
1 Scope of internal audit
1.1 The Chief Internal Auditor is required to provide the County Council with an assurance on the system of internal control of the County Council. The opinions provided for each department have contributed to this overall assurance. It should be noted, however, that this assurance can never be absolute. The most that the internal audit service can do is to provide reasonable assurance that there are no major weaknesses in the system of control. In assessing the level of assurance to be given the following have been taken into account:
· all audits completed during 2008/09, including those audits carried forward from 2007/08
· any follow up action taken in respect of audits from previous periods
· any significant recommendations not accepted by management and the consequent risks
· the effects of any significant changes to the County Council's objectives or systems
· the quality of internal audit's performance
· the proportion of the County Council's audit plan that has been covered to date
· the extent to which resource constraints may limit the ability to meet the full audit plan of the County Council
· any limitations that may have been placed on the scope of internal audit.
2 Audit service quality
2.1 The service we provide is designed to ensure compliance with the standards for internal audit promulgated by the CIPFA Code of Practice for Internal Audit in Local Government in the United Kingdom 2006. The standards cover the following areas:
· scope of internal audit
· independence
· ethics for auditors
· audit committees
· relationships
· staffing, training and continuing professional development
· audit strategy and planning
· undertaking audit work
· due professional care
· reporting
· performance, quality and effectiveness.
2.2 We have a number of mechanisms in place to ensure that our services are of a consistently high standard. In particular:
· we are registered under British Standard BS EN ISO 9001:2000, the international quality management standard and have developed a comprehensive set of audit and management procedures to underpin this
· we have Investors in People accreditation which ensures that the training and development needs of all our staff are reviewed on an annual basis as part of our individual planning process, with essential needs delivered within the year
· we have a quality assurance programme which includes an annual service improvement planning process; annual benchmarking with other local authority internal audit providers to compare the efficiency, effectiveness and economy of our services; a rolling programme of reviews of a sample of completed audit reviews and management processes to ensure consistency in approach and compliance with professional standards and quality procedures; and a quarterly review by the County Treasurer's management team of our performance indicators.
2.3 Whilst identifying some opportunities for continuous development, the results of the quality assurance programme confirm that we substantially comply with the requirements of the Code of Practice.
2.4 In addition, our work is subject to annual review by Hampshire County Council's external auditors who continue to rely on our work to support their audit opinion.
3 Audit needs
3.1 A risk assessment was undertaken for the 2008/09 audit plan, which involved an analytical review of data relating to each department including: size of budgets, content of committee reports or committee decisions, previous audit findings and consultation with departmental management to ensure the audit plan addressed the key risks facing each department.
A summary of audit days delivered during 2008/09 is provided in Table 1.
Table 1 - Summary of audit days delivered (2008/09)
Detail | 2008/09 days
Days carried forward from 2007/08 | 337
Audit plan agreed by County Treasurer | 4114
Variations to the plan | -124
Revised plan at the year end | 3990
 | 4327
Total days delivered including delivery of carry forward audits | 4050
Days carried forward to 2008/09 | 277
Note - in 2007/08, audit delivery was 3178 days, against a revised plan (including days carried forward from 2006/07) of 3608.
3.2 The audit plan was revised during the year to 3990 days. The original and revised audit plans are shown at Appendix E.
3.3 Changes made to the plan reflect the following:
· changes to the scope of individual assignments following the results of initial risk assessment and review
· new areas requiring review being highlighted during the year
· an increase in time required to follow up significant issues raised
· time saving achieved on individual reviews
· the postponement of audits following a reassessment of risk across the County Council audit plan.
3.4 The carry forward days relate to audits where a draft was issued and awaiting management response or where testing was still in progress as at 31 March. For all audits carried forward from 2007/08 and completed during 2008/09, an audit opinion is provided as part of the 2008/09 annual audit opinion.
3.5 The results of 53 reviews started in 2008/09 are not included in the 2008/09 annual internal audit opinion as they were still in progress at the end of the year. The results of these reviews will be included in our 2009/10 opinion. The majority of these relate to internal audit or FMSiS assessment visits to schools.
3.6 No limitations were placed on the scope of our work during the year.
4 Audit approach
4.1 We examined systems operating to achieve objectives set by management in each of the areas detailed in Appendix E. We are not aware of any significant changes to any of the systems reviewed since our work was conducted. Publication of the corporate services reviews has resulted in some organisational change and review of the new roles and responsibilities will be reflected in our future plans.
4.2 Our work has been carried out using a systems based audit approach. This covers the control environment of the County Council which comprises the systems of governance, risk management and internal control. Key elements of the control environment include:
· establishing and monitoring the achievement of the County Council's objectives
· the facilitation of policy and decision-making ensuring compliance with established policies, procedures, laws and regulation - including how risk management is embedded in the activity of the County Council, how leadership is given to the risk management process, and how staff are trained or equipped to manage risk in a way appropriate to their authority and duties
· ensuring the economical, effective and efficient use of resources, and for securing continuous improvement in the way in which functions are exercised, having regard to a combination of economy, efficiency and effectiveness
· the financial management of the County Council and the reporting of financial management
· the performance management of the County Council and the reporting of performance management.
4.3 An implicit part of our systems based audit approach is an evaluation of the controls in place to prevent and detect fraud and we perform sufficient audit testing to confirm that controls are working in practice.
5 Audit liaison
5.1 Staff within the departments have been co-operative and helpful during audits, and have worked with us to ensure that audits have been timed to suit both parties.
5.2 In most departments, management responses have been timely and have addressed the issues raised but with some ongoing delays noted in schools. New escalation procedures will be implemented in 2009/10 to address this and ensure that action is timely and effective. Some significant delays have also been experienced in Property, Business and Regulatory Services and Environment.
5.3 Audit Appraisal Questionnaires (AAQs) have been received from 212 of the audits completed before 31 March 2009, with an average satisfaction score of 94.9% (93.3% in 2007/08). This confirms that there continues to be a good working relationship between Internal Audit and County Council staff.
5.4 2008/09 has seen the further development of liaison between Internal Audit and County Council staff, for example:
· 2008/09 has seen the continuation of the liaison between Internal Audit and Education Financial Services, Children's Services department and HIAS. We have also attended a significant number of Administrative Officer network meetings and delivered a series of training events for school governors and staff to introduce the Financial Management Standard in Schools
· in the County Treasurer's department we have continued to be represented at the Corporate Accounting Forum, and the Accounting Network and audit advice has been given as requested throughout the year.
This liaison is of real value to both Internal Audit and departmental staff and helps to promote good and consistent practice.
Audit opinion definitions:
Comprehensive: controls are in place to manage all the risks identified
Appropriate: sufficient controls exist to manage the key risks identified in an effective and efficient manner
Incomplete: one or more key controls are missing, therefore there is a need to introduce additional controls to manage the risk to the organisation
Inadequate: controls are considered to be insufficient to manage the risks identified, with the absence of at least one critical control mechanism. Failure to improve controls could lead to increased risk of major loss or embarrassment to the organisation