HERTFORDSHIRE COUNTY COUNCIL

INTERNAL AUDIT

ANNUAL REPORT

2008/9

Chris Kay

Internal Audit

June 2009

Hertfordshire County Council

INTERNAL AUDIT

ANNUAL REPORT

2008/9

Contents

Page
Introduction / 3
Key messages / 4
Internal Audit quality assurance / 9
Glossary / 11
Work in departments
Adult Care Services / 13
Children, Schools and Families / 16
Corporate Services / 23
Corporate Finance and Human Resources / 24
Corporate ICT / 30
CountySecretary’s / 30
Herts Business Services / 30
Herts Catering / 31
Procurement / 31
Property / 31
Safety Emergency and Risk Management / 33
Environment / 33
Fire & Rescue / 35
External clients / 36

1

Hertfordshire County Council

Internal Audit

Annual Report 2008/9

INTRODUCTION

This Annual Report brings together, corporately and service by service, the main issues we have raised in the course of our 2008/9 audit work. Our programme of work was as set out in the Internal Audit Plan 2008/9, endorsed by the Audit Committeeon 19 March 2008, supplemented by a number of unplanned investigations, consultancy projects and other types of audit input. All our audit work, whether planned or not, is subject to a risk assessment process, through which we try to ensure that we prioritise our workload appropriately. Despite the significant level of unplanned work, we have delivered 95% of our planned programme, and have agreed any deferred or (rarely) cancelled audits with the managers concerned.

All of the audits summarised here have been formally reported to the relevant managers, and I would like to thank all of them for being receptive to our comments and recommendations. Where relevant, this report outlines their responses and agreed actions. We follow up all high priority recommendations to check on the implementation of these.

More information on quality assurance and performance management arrangements for Internal Audit is provided in the introductory section.

This report is intended particularly for senior management and the Audit Committee, and to provide the Audit Commission with summaries of the work on which they may wish to place reliance. It will be available on Connect from July 2009.

The following paragraphs set out the main themes emerging from our work. The main body of the report then summarises our findings in individual departments.

Chris Kay

Chief Internal Auditor

June 2009

Tel.(01992) 555320

email <>

KEY MESSAGES

Corporate governance

Under the Accounts and Audit Regulations 2003 (amended 2006), the Council is required to undertake an annual review of its system of internal control, which in accordance with proper practices has been integrated within the Annual Governance Statement. Action Plans are in place for all significant governance issues and the Council is addressing the major issues requiring corrective action.

We took a lead role in the review underpinning the Statement, through a Group Auditor’s participation in the Performance and Planning Group (of senior officers chaired by the Director of ACS),which ensured that the review was conducted in accordance with CIPFA guidance. Assurances were sought and obtained in respect of the role of the following in maintaining and reviewing the effectiveness of the governance framework:

  • Monitoring Officer
  • Service Directors (including Service Assurance Statements)
  • External reviews
  • Strategic Partnerships
  • External Audit.

We also involved the Chief Executive, Monitoring Officer, Acting Director of Finance, Head of Risk Management, and other key staff in the review. The review was scrutinised and approved by the Resources Board (of Assistant Directors, chaired by the Chief Internal Auditor). The resulting Annual Governance Statement is being reported to the June 2009 Audit Committee.

The Council’s Statement of Corporate Governance was updated and published during the year, and is being included in the Member Information Pack following the June 2009 election.

The Council’s arrangements for managing risk were further strengthened in 2008/9: we found that new software and management arrangements were introduced effectively and consistently. We also audited the measures that each service was taking to mitigate its highest priority risks (the “red risks”), and found these to be robust.

Internal Audit assurance statement

This Internal Audit Annual Report provides an independent opinion on the adequacy and effectiveness of the Council’s system of financial control, including in particular:

  • the key controls operating within and around the core financial systems
  • financial management in each Department and corporately
  • arrangements for the letting and monitoring of contracts
  • controls over information management and security.

In the Chief Internal Auditor’s opinion, the above arrangements were adequate and effective in 2008/9, with sound controls in all key areas.

The Annual Governance Statement identifies the action plans that are in place to address the significant governance issues, including:

  • the need for the proper recording of assets on a single integrated asset management system
  • the implementation of the recommendations in the external consultant’s reports on the circumstances of the Council’s Icelandic investments and on Treasury Management procedures.

This opinion is based on a programme of audit work which was delivered:

  • in accordance with the approved Internal Audit Plan (of which over 95% was delivered), which in turn resulted from the systematic risk assessment of all auditable areas
  • by suitably experienced and qualified auditors
  • in accordance with the CIPFA Code of Practice for Internal Audit in Local Government
  • to standards that have been reviewed and approved by the Audit Commission acting as external auditors.

Financial management

The deterioration in global and national financial conditions through 2008/9 had impacts on the Council ranging from the failures of Icelandic banks where it held deposits, through pressure on resources caused by the decline in the property market, to an increase in attempted fraud requiring internal audit investigation. Considerable work was needed to address issues raised by the external auditor, particularly concerning the Council’s recording of its fixed assets and their impact on the year-end accounts, as well as responding to the process of the new Comprehensive Area Assessment. These pressures coincided with the Council’s own continuing implementation of a significant programme of change, including in particular the transformation and restructuring of the finance function, the introduction of the “Employee Self-Service/Manager Self-Service” module of the SAP system with electronic budget monitoring,and the wider Way We Work project. These developments have required significant effort from staff, including internal auditors, and it will be particularly important, in a year that is seeing the retirement of the Finance Director and other key officers, that management allow the time and support necessary for the new arrangements to establish, before embarking on further disruptive change.

Operation of the corporate financial systems continued to be generally sound. Where there were issues of concern, such as the level of salary overpayments, these were being actively addressed.

Our annual audits of services’ financial management arrangements found no major weaknesses. Services were addressing the need to update schemes of delegation and business continuity plans.

We once again undertook a wide range of planned audits of financial systems and arrangements, including assessments of some 180 schools’ compliance with the national Financial Management Standard in Schools (FMSiS). Most schools were making satisfactory progress towards compliance with the Standard, although some question its value relative to the work needed to achieve compliance. We also contributed to systems being developed for direct payments to clients, particularly in Adult Care Services.

Partnerships

We undertook audits of the Council’s key strategic partnerships. Our audit of the Joint Commissioning Partnership Board with Health found sound governance arrangements. We assessed the Hertfordshire Children’s Trust Partnership as posing few financial risks, since there was no significant pooling of budgets, although we recommended amendments to the agreement with Health covering the emotional and mental health wellbeing needs of young people.

In addition to our watching brief on the Local Area Agreement, and in preparation for the audit of the reward grant in 2009/10, we provided assurance that the amount of grant to be paid was the maximum allocated.

Many of the Council’s activities are of course undertaken in partnership with other bodies and companies, and our audits of these are referred to under the relevant service heading below.

Internal Audit is working with the chief auditors of the Hertfordshire Districts to develop arrangements for partnership working under the Pathfinder initiative.

Procurement

Preparations for structural and organisational change in all departments required sound transitional arrangements, and we found the work so far on these to have been effective. At the same time, the re-organisation and restructuring of procurement activity is continuing, and it is important that the interim and handover arrangements ensure that objectives are not lost sight of, and that projects are carried through to successful completion. In this way, the challenging requirements to deliver quality services, reduce the carbon footprint of the council and reduce costs can be met.

The Procurement Organisation Review resulted in a robust business case, which was agreed by the Strategic Management Board, with the new Director of Environment and Commercial Services being kept fully briefed. The changes will be implemented as part of the Strategic Procurement Group business plan. All departments of the Council will need to participate fully in the new Procurement Board in addressing the mechanisms to co-ordinate procurement and commissioning activities. Improved procurement should help the Council to gather and manage supplier market intelligence, to understand the spending of the entire organisation, to measure the supplier performance, and to deliver value.

We have recommended that HCC develop key measurements to demonstrate the value of outsourcing. The enhancements negotiated in the property contract extensions requiredrefinement of the system for measuring the performance of the contractors. A project management approach would have helped here.

In the case of the Manpower contract, there was a need for improved communication between service users, contract managers and the contractor. Management and monitoring of home care contracts, however, were effective in detecting failures in provider performance, and resulted in corrective action. All contracting departments need appropriately trained staff in order to realise the benefits of investment in procurement technology and deliver the strategy.

Project Management

Project management remains a vital activity and it is important that there is ongoing management involvement. The new Highways Management System in Herts Highways and the Smart Metering project in Herts Property were examples of projects that were well managed and implemented. The Building Schools for the Future project structure was revised appropriately, more realistic timescales were introduced, and the arrangements were strengthened in other ways. The Integrated Asset Management System (IAMS) project management arrangements were also strengthened in the course of the year. With such projects, it was importantfor senior managers to sponsor the project throughout its lifetime.

Audits of several projects pointed to the need for robust structures to be set up and adequately staffed in order to ensure effective delivery. It was important that the arrangements in place for monitoring and managing property sales, such as the major sites group, continue following the retirement of the Finance Director.

Information & Communications Technology

As in previous years, our reviews of HCC’s ICT systems and the supporting infrastructure found areas of activity undergoing continuous improvement. These changes related not only to the way the services are delivered, as in the case of mobile and remote working, but also the Authority’s move to centralise how it organises and supports such services.

A generally heightened public awareness of the issues surrounding the processing of personal data both informed our work programme, as in the dedicated review of how the Authority discharges its duties under the Data Protection Act, and supported our ability to add value in the reviews where such data was a component.

Our assurance work once again saw us covering a diverse range of computer applications designed to help deliver key operational services; these included the ongoing development of the Integrated Children’s System, the established systems in operation for controlling waste and recycled materials, and the system for payments to music teachers.

Probity work

As in previous years, we undertook a wide range of work designed to detect or minimise the risk of fraud, corruption, or other misdemeanour. Our general anti-fraud and corruption work was also integrated into our systems audits, and involved a range of computer-aided and other audit techniques. We provided the Audit Commission with sets of data as required under the National Fraud Initiative, and investigated resulting data matches, with initial focus on those of a high priority. We responded to requests for further information from other local authorities, the majority of which were investigating benefit fraud.

Other cases requiring detailed investigations included allegations or suspicions of:

  • attempted cheque frauds, which showed a significant increase and had a value of over £420k (potential losses were prevented or recovered from the bank, we worked with the police to investigate, and improved controls were implemented)
  • actual and attempted theft of over £4k by an employee through the accounting system (the employee resigned and a prosecution is pending)
  • overpayments totalling £188k to a voluntary organisation (which has repaid the Council)
  • a number of irregularities in schools, detailed under CSF below, involving such matters as money not banked, the obtaining of goods for personal benefit, and salary overpayments
  • improper management of the Council’s Section 106 agreement relating to a site in Stevenage, in an allegation by a constituent which we found to be without foundation
  • excessive expenses claims.
The broader Internal Audit role

In addition to the work outlined above, we contributed to a range of corporate activities, including:

  • acting as lead officer for, and reporting to, the Audit Committee
  • chairing the Resources Board and participating in the Performance and Planning Group
  • regular liaison with the Audit Commission’s local external audit team.

We delivered audit work under contract for a number of external clients, the most significant of which was Hertfordshire Police Authority.

INTERNAL AUDIT QUALITY ASSURANCE

A review of the system of internal audit was undertaken by the Audit Committee at their meeting of 25March 2009. The review was in compliance with the statutory requirement for such an annual review, and with guidance from CIPFA. This year, the review also incorporated the Audit Commission’s report on its triennial review of the Council’s internal audit management arrangements.

The components of the Audit Committee’s review were:

  • assessment by the Audit Commission of compliance with CIPFA’s Code of Practice for Internal Audit in Local Government in the United Kingdom 2006 (“the CIPFA Code”)
  • evidence of delivery of planned audit work
  • feedback from auditees.

Compliance with the CIPFA Code

The Audit Commission confirmed that the Council’s internal audit arrangements continued to comply with the CIPFA Code.

All internal audit work was undertaken in compliance with the processes set out in the Code, including the planning, resourcing, recording, reviewing (by a senior auditor) and reporting of audits and other reviews. All Internal Audit staff had performance development and review meetings with their managers, and had agreements as to their performance and development needs, in compliance with Corporate Services’ PMDS scheme (accredited by CIPFA for Continuing Professional Development purposes).

Delivery of planned audit work

Internal Audit completed 95.5% of 2008/9planned audits. In almost all cases, those planned audits not completed were deferred or cancelled due to circumstances beyond Internal Audit’s control (such as a delay in implementing a computer system, or a higher priority special investigation).

Feedback from auditees

Following every audit, the manager receiving the audit report was also sent a feedback survey form. The survey asked managers to rate the overall usefulness of their contact with Internal Audit, followed by a series of further questions covering the:

  • audit approach and understanding
  • audit communication
  • audit report
  • timing of the audit.

109 surveys were returned for 2008/9 audits, representing 50% of the 219 surveys issued. Rating of the overall usefulness of the audit contact was:

Score / Number of surveys / %
Excellent / 44 / 40
Good / 60 / 55
Just adequate / 5 / 5
Poor / 0 / 0
Totals / 109 / 100

Further details of the earlier survey results, and of the Audit Commission’s review, were provided in the report to the March2009 Audit Committee on the review of the system of internal audit.

GLOSSARY

The following definitions cover some of the audit terms and abbreviations used most frequently in this Annual Report.

BCP / Business Continuity Plan: a plan for the continuation of a service following a disaster or other major interruption
Commissioning / The process whereby services are designed, procured and performance managed
Core financial system / A computerised or other process fundamental to the operation of the authority’s financial affairs
Corporate governance / The arrangements by which organisations direct and control their functions, and (in local government) relate to their communities
Corruption / The offering, giving, soliciting or acceptance of an inducement or reward which may influence the actions of the Council, its members or its officers
Data matching / Comparison using computer techniques of different sets of information, from within the Council or from other bodies, designed to detect possible fraud or error
Fraud / The intentional distortion of financial records, carried out to conceal the misappropriation of assets or otherwise for gain
ICT / Information and Communications Technology
Internal control / A procedure which ensures that an organisation’s objectives are properly and efficiently carried out
Irregularity / An improper or erroneous use of the Council’s resources
Key controls / Those processes most likely to prevent or detect material errors or other irregularities
Performance Indicator (PI) / A statistic enabling the Council’s service or other output to be measured against that of other authorities, previous achievement, or targets
Performance Management and Development Scheme (PMDS) / Scheme aimed at ensuring that each employee’s performance is managed and their development needs are identified
Private Finance Initiative (PFI) / A Government scheme under which the public sector buys the asset-based services it requires from the private sector
Pre-implementation review / An audit of a computerised or other system shortly before its live operation
Procurement / All activities that involve buying, contracting, purchasing, sourcing or tendering
Risk assessment / A systematic process for assessing the likelihood of major error, loss or irregularity in an activity
SAP / A comprehensive computer system, known as an enterprise resource planning package, for managing finance and other key resources
Service Level Agreement (SLA) / Document setting out the terms of a service, as agreed by receiver and provider
Substantive test / An audit check of sufficient numbers of transactions or records to give a good level of confidence in their completeness, accuracy and validity
Systems audit / An audit approach involving the documentation, evaluation and testing of controls within a financial process
TW3 / The Way We Work - a comprehensive change programme for the whole organisation

WORK IN DEPARTMENTS