HERTFORDSHIRE COUNTY COUNCIL

INTERNAL AUDIT

ANNUAL REPORT

2004/05

Chris Kay

Internal Audit

June 2005

Contents

Introduction
Key messages
Glossary
Work in departments
Adult Care Services
Children, Schools and Families
Community Information
Corporate Services
Corporate Finance
County Secretary’s
Hertfordshire Business Services
People and Property
Environment
External clients
Fire and Rescue

INTRODUCTION

This Annual Report brings together, service by service and corporately, the main issues we have raised in the course of our 2004/05 audit work. This programme of work was as set out in the Internal Audit Plan 2004/05, presented to the then Audit Committee on 4 March 2004, supplemented by a number of unplanned investigations, consultancy projects and other types of audit input. All our audit work, whether planned or not, is subject to a risk assessment process, through which we try to ensure that we prioritise our workload appropriately. Despite the significant level of unplanned work, we have delivered around 90% of our planned programme, and have agreed any deferred or (rarely) cancelled audits with the managers concerned.

Where relevant, this report outlines management’s responses and actions taken to address our recommendations. We now follow up all audits to check on the implementation of agreed actions.

The report is intended particularly for senior management and the Audit Panel, and to provide the Audit Commission with summaries of the work on which they may wish to place reliance.

All of the audits summarised here have been formally reported to the relevant managers, and I would like to thank all of them for being receptive to our comments and recommendations.

The following paragraphs set out the key messages emerging from our 2004/05 work.

Chris Kay

Chief Internal Auditor

June 2005

Tel. (01992) 555320

KEY MESSAGES

Corporate governance

Under the Accounts and Audit Regulations 2003, the Council is required to undertake an annual review of its system of internal control. The authority must also include a statement on internal control with its financial statements at the year-end. The system of internal control is the combination of management arrangements which, according to the Regulations, “facilitates the effective exercise of [the Council’s] functions and which includes arrangements for the management of risk”.

For the second year, we led this review, but also followed the more detailed guidance provided by CIPFA in Spring 2005. In particular, we ensured greater input from senior managers within services: each Department provided a “service assurance statement”, in which management set out their assessment of the service’s control environment. We also involved the Chief Executive, Monitoring Officer, Finance Director, Head of Risk Management and other key staff in the review. Based on this work, we drafted the Council’s Statement on Internal Control, on which we are reporting separately to the July 2005 Audit Panel. We found that, in all key respects, the Council’s system of internal control was sound, with no major issues requiring formal identification for corrective action.

This Internal Audit Annual Report also provides an independent opinion on the adequacy and effectiveness of the Council’s system of financial control, including in particular:

·  the key controls operating within and around the core financial systems

·  financial management in each Department and corporately

·  arrangements for the letting and monitoring of contracts

·  controls over information management and security.

In the Chief Internal Auditor’s opinion, the above arrangements were adequate and effective in 2004/05, with sound controls in all key areas.

This opinion is based on a programme of audit work which was delivered:

·  in accordance with the approved Audit Plan (of which over 90% was delivered), which in turn resulted from the systematic risk assessment of all auditable areas

·  by suitably experienced and qualified auditors

·  in accordance with the CIPFA Code of Practice for Internal Audit in Local Government

·  to standards that have been reviewed and approved by the Audit Commission acting as external auditors.

Through 2004/05, Internal Audit worked closely with the Head of Risk Management on the continued refinement of risk management arrangements. This included:

·  operation of a process, approved by the Cabinet, for the involvement of members in the annual identification and ongoing management of risk

·  identification and assessment, through the Finance Board, of the key risks currently faced by services and the measures being taken to mitigate them

·  sharing of Internal Audit’s own assessment of key risks

·  commissioning an independent review of the Council’s risk management arrangements by Aon Ltd, risk consultants, for delivery in 2005/06.

Our ongoing input to business continuity arrangements allowed us to assess the County Council’s preparedness for an incident that would prevent its services from being provided from their current location. We found that much good work had been done to strengthen resilience in the event of an emergency, with further progress being made on overall co-ordination and on the completion of individual service plans.

SAP

We devoted significant resources to the post-implementation phases of the SAP project. This major new system encompassed all the core financial processes, as well as other key resources, including in particular personnel. The system went live as planned on 5 April 2004, and the large majority of transactions continued to be made correctly and in a timely manner. There were difficulties in the early months of the system’s operation, particularly with the adequacy of management information and other reports, the effectiveness of training, some issues with the management of the then ITnet (now SERCO) contract, and a range of technical challenges. These issues were tackled, and largely resolved, by an impressive dedicated team, together with a larger number of service-based, corporate and contractor staff.

Our work in these and other areas, and the ways in which the issues we raised were addressed, are summarised under Corporate Finance (in Corporate Services) below.

Financial management in Departments

For each Department, we once again undertook an audit of the overall financial management arrangements. These were sound in all key respects. We found:

·  work in progress, for example in Adult Care Services, to further improve the efficiency of business processes

·  some difficulties attributable to SAP in its early months, such as a narrowed focus for budget monitoring on known volatile budgets, although this broadened as the year progressed

·  a general need to complete the updating of schemes of sub-delegation and financial procedures, particularly in the wake of the significant changes in ways of working brought about by SAP

·  the need to better align the budget setting process with some areas of service demand, particularly in Environment, which management took steps to address.

Our opinion was also informed by the findings of our many other service-based audits, which showed financial management to be generally of high quality, with no major weaknesses.

Contracts and partnerships

We sought to help the Council achieve successful contracting outcomes, by contributing to the contract tendering and monitoring process. Our aim was to ensure that lessons learned from our audit work were incorporated into current practice and contract arrangements. We also aimed to identify and log learning points for future use in controlling risk. The need for good, independently verifiable performance measures for contracts is being pursued for several contracts.

The contracting expertise within the Council is generally strong, as evidenced in particular by the SHARP project. There are still areas of patchy understanding, and we worked to encourage a more formalised and expert approach. In turn, improved expertise should facilitate the savings from contracting sought by the Gershon review. Lessons learned are already being applied in many instances, such as in the re-letting of the Customer Service Centre contract, where there was a very strong process incorporating past learning.

We emphasised the need for the clear, transparent and full documentation of contracting processes and procedures, and the importance of clear and easily retrievable management information.

We noted improvements in the various partnering and pooled budget arrangements made by ACS with Hertfordshire Partnership Trust. Reporting and communication arrangements with the Hertfordshire Highways partnership needed improving, particularly when ensuring that changes in service demand could be accommodated within budgetary constraints.

Information & Communications Technology

The majority of our work in this area naturally focussed on SAP, with reviews looking at many of the fundamental issues associated with the implementation of a major new system.

Our audits of the internet and of electronic mail allowed us to review the performance of two areas upon which the Authority is very dependent, and found generally strong controls.

We continued our work on IRIS, the CSF/ACS client database, concentrating on the components of the system which have been implemented, and monitoring its further development. There was good project management, building in lessons learned from the project’s previous stages. We also audited a number of key corporate and service-based computer systems for security and robustness, and found these to be generally sound.

Probity work

As in previous years, we undertook a wide range of work designed to detect or minimise the risk of fraud, corruption, or other misdemeanour. In many cases, this work was integrated into our systems audits, and involved a range of computer-aided and other audit techniques. Such work included:

·  development of arrangements to counter suspected money laundering

·  testing systems aimed at preventing internet misuse

·  input to, and analysis of results from, the Audit Commission’s National Fraud Initiative 2004

·  work to detect improper payments relating to deceased pensioners

·  in-depth checking of transactions in the core financial processes of SAP

·  testing the processes for validating evidence of ACS clients’ income, when assessing them for contributions to residential care costs

·  checks at CSF establishments on the handling of vulnerable clients’ cash and property.

The principal cases requiring detailed investigations were:

·  a suspected irregularity in the Passenger Transport Unit of Environment Department involving bus contracts

·  an alleged bogus lease for telecommunications equipment at a school

·  a possible false benefit claim by an asylum seeker

·  attempts to fraudulently obtain money by telegraphic transfer from two schools’ accounts, which the bank reported and stopped

·  a small number of cheque frauds, of maximum value below £5,000.

In each case, we referred our findings to the police. We ensured that any losses were reimbursed to the Council.

The broader Internal Audit role

In addition to the work outlined above, we contributed to a range of corporate activities, including:

·  co-ordination and validation of performance indicators

·  contributing to the third national Comprehensive Performance Assessment, which again resulted in the Council being evaluated as “excellent”, with Internal Audit achieving the maximum score

·  acting as lead officer for, and reporting to, the Audit Panel

·  chairing the Finance Board

·  regular liaison with the Audit Commission’s local external audit team.

We delivered audit work for a number of external clients, including in particular Hertfordshire Police Authority, the Board of the Chilterns Area of Outstanding Natural Beauty, and Connexions.


GLOSSARY

The following definitions cover some of the audit terms and abbreviations used most frequently in this Annual Report.

BCP / Business Continuity Plan: a plan for the continuation of a service following a disaster or other major interruption
Best Value / A Government initiative aiming to secure continuous improvement through an annual BV Performance Plan
BVPI / Best Value performance indicator
CPA / Comprehensive Performance Assessment: an in-depth assessment by government of Councils’ performance and governance arrangements
Core financial system / A computerised or other process fundamental to the operation of the authority’s financial affairs
Corporate governance / The arrangements by which organisations direct and control their functions, and (in local government) relate to their communities
Corruption / The offering, giving, soliciting or acceptance of an inducement or reward which may influence the actions of the Council, its members or its officers
Data matching / Comparison using computer techniques of different sets of information, from within the Council or from other bodies, designed to detect possible fraud or error
Fraud / The intentional distortion of financial records, carried out to conceal the misappropriation of assets or otherwise for gain
ICT / Information and Communications Technology
Internal control / A procedure which ensures that an organisation’s objectives are properly and efficiently carried out
Irregularity / An improper or erroneous use of the Council’s resources
Key controls / Those processes most likely to prevent or detect material errors or other irregularities
Legacy system / A system which has been superseded, but which holds data which continues to need to be accessible
Performance Indicator (PI) / A statistic enabling the Council’s service or other output to be measured against that of other authorities, previous achievement, or targets
Public Finance Initiative (PFI) / A Government scheme under which the public sector buys the asset-based services it requires from the private sector
Pre-implementation review / An audit of a computerised or other system shortly before its live operation
Risk assessment / A systematic process for assessing the likelihood of major error, loss or irregularity in an activity
SHARP / A project aimed at Simplifying Hertfordshire’s Accounting and Resource Processes
SAP / A comprehensive computer system, known as an enterprise resource planning package, for managing finance and other key resources
Substantive test / An audit check of sufficient numbers of transactions or records to give a good level of confidence in their completeness, accuracy and validity
Systems audit / An audit approach involving the documentation, evaluation and testing of controls within a financial process


WORK IN DEPARTMENTS