Contact your Parish Council
MAIDSTONE BOROUGH COUNCIL
Audit Committee
30 MARCH 2015
REPORT OF Head of Audit Partnership
Report prepared by Russell Heppleston Audit Manager
1. internal audit operational plan
1.1 Issue for Decision
1.1.1 The report is provided in order to allow the Committee to consider and approve the Internal Audit Operational Plan 2015/16.
1.2 Recommendation of the Head of Audit Partnership
1.2.1 The Audit Committee approves the Internal Audit Operational Plan for 2015/16.
1.2.2 The Audit Committee approves in principle the longer term plan up to 2018/19 but notes this will be subject to annual review and refresh.
1.3 Reasons for Recommendation
1.3.1 The role of the Audit Committee is required to obtain assurance on the control environment of the organisation; therefore, the Committee needs to have an awareness of the work conducted by Internal Audit, in order to adequately fulfil its duties.
1.3.2 The internal control environment comprises the whole network of systems and controls established to manage the Council, to ensure that its objectives are met. It includes financial and other controls, and arrangements for ensuring the Council is achieving value for money from its activities
1.3.3 The report attached in appendix A sets out the one-year operational plan for 2015/16 together with the longer-term plan up to 2018/19. We ask the Committee to review and approve the 2015/16 operational plan in approve in principle the longer-term plan.
1.4 Alternative Action and why not Recommended
1.4.1 The Audit Committee as part of its terms of reference must maintain oversight of the internal audit function and its activities. The plan proposed aims to complete internal audits responsibilities in an efficient and effective manner. We recommend no alternative course of action.
1.5 Impact on Corporate Objectives
1.5.1 The role of Internal Audit is to help the Council accomplish its objectives. All audit work considers the adequacy of controls and risks associated with the delivery of the Councils strategic and operational objectives.
1.6 Risk Management
1.6.1 The audit plan is produced as a result of risk assessment examining where audit activity is best focussed. The risk of not approving the plan is that the Council will be at greater risk of incurring or failing to detect fraud, error or service failure or weakness.
1.7 Other Implications
1.7.1 None directly
1. Financial
|
|
2. Staffing
|
|
3. Legal
|
|
4. Equality Impact Needs Assessment
|
|
5. Environmental/Sustainable Development
|
|
6. Community Safety
|
|
7. Human Rights Act
|
|
8. Procurement
|
|
9. Asset Management
|
|
1.8 Relevant Documents
1.8.1.1 The following documents are to be published with this report and form part of the report:
Appendix A: Internal Audit Operational Plan 2015/16 2018/19
1.8.1.2 Background Documents
There are no background papers to further support this report.
IS THIS A KEY DECISION REPORT? THIS BOX MUST BE COMPLETED
Yes No
If yes, this is a Key Decision because: ..
.
Wards/Parishes affected: ..
..
|
Mid Kent Audit
Internal Audit Plan
2015/16 2018/19
Maidstone Borough
Council
Introduction
1. Internal audit is an independent and objective assurance and consulting activity designed to add value and improve the Councils operations. It helps the Council accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes[1].
2. Statutory authority for Internal Audit is within the Accounts and Audit Regulations 2015 (the Regulations), which require the Council to undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes in accordance with the proper practices. From 1 April 2013 the proper practices are the Public Sector Internal Audit Standards (PSIAS) that replaced the Code of Practice for Internal Audit in Local Government in the UK.
3. The Head of Audit Partnership must provide an annual opinion on the overall adequacy and effectiveness of the Councils framework of control, governance and risk, as required by both PISAS and Regulation 5. The opinion takes into consideration:
a) Controls: Including financial and non-financial controls.
b) Governance: Including effectiveness of measures to counter fraud and corruption, and
c) Risk Management: Principally, the effectiveness of the Councils risk management framework.
4. This document sets out our internal audit plan for the next four years outlining the work we will undertake to both inform that opinion and provide wider support to the Council in helping to achieve its strategic objectives. As required by PSIAS we have, for the first time, included for the Committee details of the risk assessment that underpins the plan to demonstrate the process of its compilation. We aim by this to give the Committee assurance that our work is appropriately tailored to reflect the risks to and priorities of the Council and sufficiently resourced to deliver an effective and accurate audit opinion.
5. Naturally, in order to effectively respond to the changing environment of local government we will need to keep our plan continually flexible and under review. As the activities of the Council, and the consequent risks to its control, governance and risk management vary, so we will need to consider how our audit plan is best arranged to deliver appropriate assurance. This may include substituting individual projects or changing their scope, timing or duration.
6. Our principal route for this review will be in ongoing consultation with the Councils s.151 Officer, although we will continue to keep the Audit Committee abreast of changes through our interim and annual reporting as well as consult directly with the Chair of this Committee with respect to significant changes to the plan (as set out in the Audit Charter elsewhere on tonights agenda, if the Committee accept our recommendation to adopt the Charter).
Basis of our plan: available resources
7. In previous years our audit plans were centred on delivering a set number of projects per year. While this gave the plans directness and simplicity it limited the ability of the service to respond to changing need; a project is a large block of work to flex and adapt. Moreover, that approach did not recognise the time and contribution of audit management or acknowledge any of the range of additional tasks and support the service provides. The restriction also led to inconsistent definition of what constituted an audit project, obscuring the link between plans and the risk profile of the authority. This weakness was noted and commented on within our 2014 External Quality Assessment (EQA) undertaken by the Institute of Internal Auditors (IIA).
8. This plan seeks to add this flexibility by taking advantage of the freedom in the 2014 revised collaboration agreement by moving from a project to days-led approach. In moving to this approach we have allocated to each authority a total number of audit days proportionate to their financial contribution to the service.
Role |
Contractual Days |
Chargeability target |
FTE |
Available Days |
Head of Audit |
219 |
40% |
1.0 |
87 |
Audit Manager |
219 |
50% |
2.0 |
218 |
Senior Auditor |
219 |
75% |
3.95 |
648 |
Auditor |
219 |
85% |
1.5 |
277 |
Trainee Auditor |
2.0 |
250 |
||
Specialist Support |
1.0 |
120 |
||
Totals |
11.45 |
1,600 |
For further details of the resources available to the Partnership, see appendix E.
Authority |
Contribution to overall partnership budget |
Audit Days Allocated |
Ashford BC |
23.0% |
370 |
Maidstone BC |
29.5% |
470 |
Swale BC |
25.7% |
410 |
Tunbridge Wells BC |
21.9% |
350 |
Total |
100% |
1,600 |
9. Therefore the total audit allocation for Maidstone BC in 2015/16 is 470 days. Based on our risk assessment, we are satisfied that represents a sufficient level of resource to evaluate the effectiveness of the Councils risk management, internal control and governance processes. Our audit plan cannot address all risks across the Council and represents our best deployment of limited audit resources. In approving the plan, the Audit Committee recognises this limitation. We will keep the Committee abreast of any changes in our assessment of resource requirement as we monitor the risks posed to the Council. In particular, we will revise this resource assessment afresh each year of the four year plan.
Basis of our plan: risk assessment
10. Our assessment that this level of resource is adequate is based upon the risk assessment underlying our plan. This assessment comprises 3 principal steps:
Step 1: Understanding the Audit Universe, Strategic Priorities and Risks
11. Our assessment of the audit universe essentially all of the areas and topics that are within the potential scope of audit review and contribute to the Councils pursuit of its strategic priorities is informed by review of the Councils structure, ongoing meetings and discussion with officers and Members and review of Council meeting papers.
12. Our aim in drawing together the plan is that, over the course of its four year lifetime, all areas of the Council will have received a proportionate level of audit review. The 2015/16 assessment of the audit universe is shown by the areas displayed in the plan at appendix A and we will update and refresh this assessment each year.
13. Strategic priorities and risks have been determined by the Council and considered by us in drawing together the audit plan. As the Council moves through the process of refreshing and updating its strategies and priorities for 2015/16 onwards, it is important that the audit plan is flexible to respond to the changing needs of the Council. We therefore keep our assessment of risks and priorities under review, to ensure that any changes in direction are considered within our audit plan.
14. The Councils key risks are included within its strategic risk register 2013-2016. At the time of writing, the register details 6 risks scenarios, some of which contain several individual risks:
Risk 1 (amber): Having the right resources which are used in the right way
Risk 2: (amber) Resident satisfaction with place & the way that services are provided
Risk 3: (red) Economic downturn/austerity agenda
Risk 4: (red) Creating the place we want to be
Risk 5: (amber) Delivering services in partnership with others
Risk 6: (red) Impacts arising from political change
Step 2: Evaluating the risks
15. A key finding of the IIAs EQA last year was the need to make our planning more clearly derived from and led by the differing objectives and risks at each authority; a point that was the root finding for 4 of the 6 recommendations needed to achieve full conformance with the PSIAS. We have responded to those recommendations in this plan by conducting a comprehensive risk assessment across the range of Council services, building on our work in identifying the audit universe and the Councils key priorities and risks.
16. In conducting this assessment we considered risk across 6 discrete fields (summarised below, a full detail of our assessment process is at appendix B.
Financial Risk
The risk that failure in the service/area will undermine the Councils financial standing.
Strategic Risk
The risk that failure in the service/area will prevent achievement of a strategic goal or mitigation of a priority risk.
Fraud Risk
The risk that the service will be a victim of fraud or corruption, from within our without.
Change Risk
The risk that the service will be subject to, or seek, change leaving it vulnerable to failure.
Oversight Risk
The risk that failure in the service will not be identified or addressed by agencies other than internal audit.
Exposure Risk
The risk that failure in the service will materially damage the Councils standing, including its ability to deliver services for the local population.
17. One of these risks in particular Oversight Risk bears further explanation. One way of considering the control environment at any organisation is the three lines of defence model. In this analogy, an organisation has three levels of control which might serve to prevent or detect failure or error.
First Line of Defence: Direct controls within the service itself operating day-to-day to maintain internal control and support risk management.
Second Line of Defence: Controls operating at a corporate level to provide oversight to the process, setting and monitoring a framework for internal control and risk management to operate within.
Third Line of Defence: An independent perspective, still under corporate control, to challenge and comment upon the process and its implementation. Usually, this is the level at which Internal Audit operates.
18. When considering oversight risk, we reviewed the extent to which any service is subject to this model. Also, beyond those internal measures, we also sought to establish and consider what level of external regulation and oversight operates. For instance, although the Health and Safety Executive is not part of the Councils own control processes (as the Council cannot control or direct its actions), its reviews and findings provide useful commentary and perspective on the effectiveness of controls. The Councils external auditors Grant Thornton provide a similar perspective across the Councils finances and value for money operations.
19. As noted in appendix B, where a given service does not have a clear position within the three lines of defence or is not subject to detailed oversight from any external agency, we scored this risk factor more highly.
20. We considered each of those inherent risk factors alongside a final factor:
Audit Knowledge
Whether there are findings from previous audits (or an absence of positive audit findings in recent years) which suggest an increased risk of service failure.
21. The detailed audit plan at appendix A includes details of recent audit coverage in each area.
22. Our risk assessment is necessarily limited to matters emerging from the processes listed above. We will review and update this assessment and our plan at least annually, as well as keeping abreast of developments at the Council and seeking to ensure our plan remains relevant and valuable in-between those annual reviews. In consultation with management, and with the approval of the Audit Committee, we will seek to ensure that audit resources remain appropriately focussed.
Step 3: Drawing up the plan and individual projects
23. The higher risk a service or area, by this evaluation the greater level of audit attention and the earlier in the lifespan of our plan that attention comes. Appendix A shows how that assessment has formed our audit plans for 2015/16 to 2018/19.
24. Once we have selected an area for review it will be subject to our usual process of issuing draft and final briefs ahead of the work to ensure our attention is appropriately tailored.
25. The risk-based approach taken to forming the plan as a whole will be integrated within our approach to individual projects. Each will now include, in addition to any specific objectives agreed by the service, the following three objectives as standard:
· Has the service/area set out its objects and risks and are these in line with the Councils overall aims and risk appetite?
· Are there adequately designed controls to achieve those objectives and/or mitigate those risks?
· Are those controls operating effectively?
26. We will conduct each review in line with our standard audit methodology which is aligned to the Public Sector Internal Audit Standards. The roles and responsibilities for successful delivery of audit projects are set out also in our Audit Charter. An updated Charter for 2015/16 is also included on this agenda and will be provided to every audit sponsor.
27. Each of these audit reviews will culminate in an assurance rated report, giving our view on whether the particular area is operating effectively. We will keep these rating levels consistent with our revised approach adopted first in 2014/15, with details of the assurance levels included as a reminder to Members in this report at appendix C.
28. We will also, where appropriate, make recommendations for improvement. These recommendations are graded as set out in appendix C and followed up by our audit team when due for implementation. Recommendations that we find have not been implemented where there is ongoing risk to the Council are reported in the first instance to the Councils Management Team. Also, Senior Managers responsible for services that consistently fail to address audit recommendations may be invited to provide further explanation to Members at the Audit Committee.
29. The plan also recognises the non-project work we deliver, using our experience and expertise to assist the Council in pursuit of its strategic priorities. We undertake this work in line with the arrangements set out in the Charter, in particular with those safeguards aimed at preserving our independence and objectivity.
30. Typically the non-project work will not result in an assurance graded output, but rather an alternative format relevant to the engagement and agreed with the works sponsor. In any event, we will inform the Audit Committee of the outcomes of non-project work through our interim and year end reports.
Monitoring delivery
31. We undertake our audit work against our standard audit approach, which has been assessed in our EQA as consistent with the PSIAS. In addition we adhere to the professional standards, roles and responsibilities as set out in the Charter.
32. As part of this approach we are careful to ensure the quality and consistency of our work. With respect to individual audit projects, each undergoes internal review from management focussing on each stage from compilation of the original brief, through completion of fieldwork and ultimately our reporting.
33. We undertake broader quality assurance of our work as required by the PSIAS. These require an external assessment at least every five years and annual self-assessments to ensure maintenance of standards. Mid Kent Audit underwent an EQA in early 2014, becoming the first local authority audit service in the country to seek such a review from our professional institute, the IIA. This concluded we were fully conforming with 50/56 PSIAS and partially conforming to the remaining 6. We are currently in discussion with the IIA about their completing a follow up review in early April 2015 to examine our progress on implementing the recommendations and hope to report the outcome of that review to Members as part of our 2014/15 annual report.
34. In addition our annual reports will include a full self-assessment against the PSIAS. In the event of this review identifying matters to address we will set out a plan for Members for our response.
35. We are also responsible to Members via the Audit Committee. We will provide interim and annual reports on progress against our plans, as well as attend each Committee meeting to respond to queries from Members. The Head of Audit Partnership is also the lead contact for Members for any matters arising, queries about the service or areas of concern (including Whistleblowing, under the Councils procedures) and can be contacted at any time.
36. Our service is also monitored each quarter by an Audit Shared Service Board; David Edwards (Director of Environment and Shared Service) is Maidstones representative. The Board receives performance and financial monitoring reports on the progress of the service. The set of performance indicators against which we report are included at appendix D, and we also report outturn on these indicators to the Audit Committee twice a year.
37. We are also dedicated to continuing to develop and enhance the professional expertise and experience of our audit team. For 2015/16 this includes re-starting the previously dormant Trainee Auditor grade, taking on skilled individuals dedicated to pursuing a career in local government audit and supporting them through a professional qualification. We include more details about the audit team and the work we will be undertaking in 2015/16 to support and enhance their development within appendix E
Appendix A: Maidstone Borough Council: 4 Year Audit Plan
Core Finance & Corporate Governance Reviews
Service |
Audit Project |
Partnership |
2015/16 |
2016/17 |
2017/18 |
2018/19 |
|
Core Financial Systems |
69 days 6 reviews |
67 days 6 reviews |
74 days 6 reviews |
50 days 5 reviews |
|||
Finance |
Payments & Receipts |
|
10 |
10 |
10 |
10 |
|
Finance |
Budget Management |
|
15 |
|
15 |
|
|
Finance |
Procurement |
|
10 |
|
15 |
|
|
Finance |
General Ledger |
|
|
10 |
|
10 |
|
Finance |
Feeder Systems |
|
|
10 |
|
|
|
Finance |
Bank/Treasury |
|
|
15 |
|
10 |
|
Human Resources |
Payroll |
MBC/SBC |
10 |
10 |
10 |
8 |
|
Revenues & Benefits |
Council Tax |
MBC/TWBC |
12 |
|
12 |
12 |
|
Revenues & Benefits |
Business Rates |
MBC/TWBC |
12 |
|
12 |
|
|
Revenues & Benefits |
Housing Benefits |
MBC/TWBC |
|
12 |
|
|
|
Corporate Governance |
55 days 5 reviews |
58 days 6 reviews |
55 days 5 reviews |
53 days 6 reviews |
|||
Corporate Centre |
Business Continuity |
|
15 |
|
|
10 |
|
Corporate Centre |
Members Allowances |
|
10 |
|
15 |
|
|
Corporate Centre |
Corporate Governance |
|
5 |
5 |
5 |
5 |
|
Corporate Centre |
Safeguarding |
|
15 |
|
|
|
|
Corporate Centre |
Corporate Projects Review |
|
10 |
10 |
10 |
10 |
|
Corporate Centre |
Register of Interests |
|
|
10 |
|
10 |
|
Corporate Centre |
Freedom of Information |
|
|
15 |
|
|
|
Corporate Centre |
Performance Management |
|
|
10 |
|
10 |
|
Corporate Centre |
Data Protection |
|
|
|
15 |
|
|
Corporate Centre |
Risk Management[2] |
|
|
|
10 |
|
|
ICT |
ICT Controls & Access |
MBC/SBC/TWBC |
|
8 |
|
8 |
|
Service Reviews
Service |
Audit Project |
Partnership |
2015/16 |
2016/17 |
2017/18 |
2018/19 |
|
Service Reviews |
192 days 16 reviews |
178 days 14 reviews |
210 days 18 reviews |
135 days 11 reviews |
|||
Bereavement |
Crematorium & Cemetery |
|
|
15 |
|
|
|
Building Control |
Building Control Fees |
|
|
15 |
|
|
|
Building Control |
Building Control Operations |
|
|
|
|
15 |
|
Community Development |
Community Safety |
|
15 |
|
|
|
|
Community Development |
CCTV |
|
|
15 |
|
|
|
Community Development |
Community Halls |
|
|
|
15 |
|
|
Community Development |
Public Health |
|
|
|
|
15 |
|
Community Development |
Cultural Development |
|
|
|
|
15 |
|
Democratic Services |
Elections & Registration |
|
|
15 |
|
|
|
Economic Development |
Commercial Projects |
|
15 |
|
|
|
|
Economic Development |
Museum & Tourism |
|
|
15 |
|
|
|
Economic Development |
Hazlitt Centre |
|
|
15 |
|
|
|
Economic Development |
Parks & Open Spaces |
|
|
15 |
|
|
|
Economic Development |
Market |
|
|
|
15 |
|
|
Economic Development |
Leisure Centre |
|
|
|
15 |
|
|
Economic Development |
Cobtree Manor |
|
|
|
|
15 |
|
Environmental Health |
Litter Enforcement |
|
15 |
|
|
|
|
Environmental Health |
Air Quality & Pollution |
MBC/SBC/TWBC |
|
|
6 |
|
|
Environmental Health |
Animal Welfare & Control |
|
|
|
15 |
|
|
Environmental Health |
Food Safety |
MBC/SBC/TWBC |
|
|
|
6 |
|
Finance |
Insurance Management |
|
|
|
10 |
|
|
Finance |
VAT Management |
|
|
|
|
10 |
|
Housing |
Temporary Accommodation |
|
15 |
|
|
|
|
Housing |
Housing Grants |
|
|
15 |
|
|
|
Housing |
Homelessness |
|
|
|
15 |
|
|
Housing |
Housing Allocations |
|
|
|
|
15 |
|
Human Resources |
Learning & Development |
MBC/SBC |
8 |
|
|
|
|
Human Resources |
HR Policy Compliance |
MBC/SBC |
|
8 |
|
|
|
Human Resources |
Recruitment |
MBC/SBC |
|
|
8 |
|
|
Human Resources |
Health & Safety |
|
|
|
15 |
|
|
ICT |
Networks |
MBC/SBC/TWBC |
6 |
|
|
|
|
ICT |
IT Business & Application Support |
MBC/SBC/TWBC |
6 |
|
|
|
|
ICT |
ICT Procurement |
MBC/SBC/TWBC |
|
6 |
|
|
|
ICT |
Technical Support |
MBC/SBC/TWBC |
|
|
6 |
|
|
ICT |
Information Security |
MBC/SBC/TWBC |
|
|
|
6 |
|
Legal |
Legal Services |
MBC/SBC/TWBC |
|
|
6 |
|
|
Licensing |
Licensing |
MBC/TWBC |
15 |
|
15 |
|
|
Parking |
Parking Enforcement |
MBC/SBC |
8 |
|
|
8 |
|
Parking |
Park & Ride |
|
15 |
|
|
|
|
Parking |
Residents Parking |
MBC/SBC |
|
8 |
|
|
|
Parking |
Parking Income |
MBC/SBC |
|
|
8 |
|
|
Planning |
Planning Support |
MBC/SBC/TWBC |
6 |
|
|
|
|
Planning |
Section 106 Payments |
|
15 |
|
|
|
|
Planning |
Land Charges |
MBC/SBC/TWBC |
|
6 |
|
|
|
Planning |
Planning Income |
MBC/SBC/TWBC |
|
|
6 |
|
|
Planning |
Planning Enforcement |
|
|
|
|
15 |
|
Policy & Communications |
Customer Services |
|
15 |
|
|
|
|
Policy & Communications |
Online Management |
|
|
15 |
|
|
|
Policy & Communications |
Complaints |
|
|
|
15 |
|
|
Policy & Communications |
Equalities |
|
|
|
15 |
|
|
Property |
Asset Management |
|
15 |
|
|
|
|
Property |
Facilities Management |
|
|
15 |
|
|
|
Property |
Corporate Support |
|
|
|
15 |
|
|
Revenues & Benefits |
Discretionary Payments |
MBC/TWBC |
8 |
|
|
|
|
Waste & Street Scene |
Grounds Maintenance |
|
15 |
|
|
|
|
Waste & Street Scene |
Waste Collection Contract |
ABC/MBC/SBC |
|
|
10 |
|
|
Waste & Street Scene |
Commercial Waste |
|
|
|
|
15 |
|
Other Work
Service |
Audit Project |
Partnership |
2015/16 |
2016/17 |
2017/18 |
2018/19 |
Risk Management |
20 days |
20 days |
20 days |
20 days |
||
Corporate Centre |
Supporting Risk Management Process[3] |
|
15 |
15 |
15 |
15 |
Corporate Centre |
Supporting Risk Management Training |
|
5 |
5 |
5 |
5 |
Counter Fraud |
20 days |
20 days |
20 days |
20 days |
||
Corporate Centre |
NFI Co-ordination |
|
5 |
5 |
5 |
5 |
Corporate Centre |
Proactive work |
|
5 |
5 |
5 |
5 |
Corporate Centre |
Initial investigations on referral |
|
5 |
5 |
5 |
5 |
Corporate Centre |
Kent Matches Co-ordination |
|
5 |
5 |
5 |
5 |
Audit Follow Ups |
60 days |
60 days |
60 days |
60 days |
||
Various |
Quarterly follow up exercise |
|
60 |
60 |
60 |
60 |
Consultancy and other work |
60 days |
67 days |
31 days |
132 days |
||
Corporate Centre |
Supporting Audit Committee |
|
9 |
9 |
9 |
9 |
Comm. Development |
Repair & Renew Grant Sign Off |
|
5 |
|
|
|
Various |
Project Board Attendance and Support |
|
8 |
8 |
|
|
TBC |
Unallocated consultancy time |
|
38 |
50 |
22 |
123 |
Overall Summary
Work Type |
2015/16 |
2016/17 |
2017/18 |
2018/19 |
Audit Work (leading to assurance rating) |
316 days 27 reviews |
303 days 26 reviews |
339 days 29 reviews |
238 days 22 reviews |
Core Financial Systems |
69 |
67 |
74 |
50 |
Corporate Governance |
55 |
58 |
55 |
53 |
Service Reviews |
192 |
178 |
210 |
135 |
Non Audit Work (unrated reporting) |
154 days |
167 days |
131 days |
226 days |
Risk Management |
20 |
20 |
20 |
20 |
Counter Fraud |
20 |
20 |
20 |
20 |
Audit Follow Up |
60 |
60 |
60 |
60 |
Consultancy/Contingency |
54 |
67 |
31 |
132 |
Total Audit Resources Available |
470 days |
470 days |
470 days |
470 days |
Audit projects noting more than one client (e.g. MBC/SBC/TWBC) are reviews of services delivered in partnership. In such instances our work is co-funded between the partners audit plans and the audit output will be made available to all on the same basis. Precise timings of work within a given year will be subject to negotiation with individual audit sponsors.
Appendix B: Risk Assessment Criteria
Risk Type |
Financial Risk |
Strategic Risk |
Fraud Risk |
Change Risk |
Oversight Risk |
Exposure Risk |
Audit knowledge |
Full Risk Description |
Failure will undermine the Council's financial position |
Failure will prevent strategic goal or mitigation of strategic risk |
Victim to fraud or corruption (internal or external) |
Subject to change leaving it vulnerable to failure |
Failure not be identified or addressed by agencies other than internal audit |
Failure will materially damage the Council's standing |
Findings from previous audits which increase the risk of service failure |
Indications of highest risk (4) |
Fundamental levels of income or expenditure at stake (£5m+) |
Specific service goals integral to overall Council achievement |
High volume of transactions with systemic risk of loss |
Subject to major fundamental forced change. |
Not subject to significant external scrutiny. |
Significant interactions, high level of public interest. |
Recent history of adverse opinions |
Indications of raised risk (3) |
Significant levels of income or expenditure at stake (£1m+) |
Service supports Council goal but together with other services |
Moderate transaction volume with some identified weaknesses. |
Service has decided to undergo major fundamental change. |
Professional standards exist but no clear external review mechanisms. |
Wide range of public interactions but limited public interest. |
Mixed recent history, weak responses/no relevant history |
Indications of moderate risk (2) |
Material levels of income or expenditure at stake (£0.5m+) |
Service plays minor direct contribution together with other services |
Low transaction volume, few identified weaknesses |
Significant change expected in operations. |
Review body exists, but remote or risk based oversight only |
Limited or minor public interest or interactions. |
Good recent record but weak responses |
Indications of lower risk (1) |
Non material levels of income or expenditure at stake (<£0.5m) |
No direct link to strategic objectives, but overall supporting role |
No significant fraud exposure |
No significant change anticipated. |
Subject to regular or continuing external review and scrutiny. |
Mainly back office with few public interactions. |
Good recent record with prompt response |
Appendix C: Assurance & Recommendation Ratings
Assurance Ratings 2015/16 (unchanged from 2014/15)
Strong Controls within the service are well designed and operating as intended, exposing the service to no uncontrolled risk. There will also often be elements of good practice or value for money efficiencies which may be instructive to other authorities. Reports with this rating will have few, if any; recommendations and those will generally be priority 4. |
Sound Controls within the service are generally well designed and operated but there are some opportunities for improvement, particularly with regard to efficiency or to address less significant uncontrolled operational risks. Reports with this rating will have some priority 3 and 4 recommendations, and occasionally priority 2 recommendations where they do not speak to core elements of the service. |
Effective Service |
Weak Controls within the service have deficiencies in their design and/or operation that leave it exposed to uncontrolled operational risk and/or failure to achieve key service aims. Reports with this rating will have mainly priority 2 and 3 recommendations which will often describe weaknesses with core elements of the service. |
Poor Controls within the service are deficient to the extent that the service is exposed to actual failure or significant risk and these failures and risks are likely to affect the Council as a whole. Reports with this rating will have priority 1 and/or a range of priority 2 recommendations which, taken together, will or are preventing from achieving its core objectives. |
Ineffective Service |
Recommendation Ratings 2015/16 (unchanged from 2014/15)
Priority 1 (Critical) To address a finding which affects (negatively) the risk rating assigned to a Council strategic risk or seriously impairs its ability to achieve a key priority. Priority 1 recommendations are likely to require immediate remedial action. Priority 1 recommendations also describe actions the authority must take without delay.
Priority 2 (High) To address a finding which impacts a strategic risk or key priority, which makes achievement of the Councils aims more challenging but not necessarily cause severe impediment. This would also normally be the priority assigned to recommendations that address a finding that the Council is in (actual or potential) breach of a legal responsibility, unless the consequences of non-compliance are severe. Priority 2 recommendations are likely to require remedial action at the next available opportunity, or as soon as is practical. Priority 2 recommendations also describe actions the authority must take.
Priority 3 (Medium) To address a finding where the Council is in (actual or potential) breach of its own policy or a less prominent legal responsibility but does not impact directly on a strategic risk or key priority. There will often be mitigating controls that, at least to some extent, limit impact. Priority 3 recommendations are likely to require remedial action within six months to a year. Priority 3 recommendations describe actions the authority should take.
Priority 4 (Low) To address a finding where the Council is in (actual or potential) breach of its own policy but no legal responsibility and where there is trivial, if any, impact on strategic risks or key priorities. There will usually be mitigating controls to limit impact. Priority 4 recommendations are likely to require remedial action within the year. Priority 4 recommendations generally describe actions the authority could take.
Advisory We will include in the report notes drawn from our experience across the partner authorities where the service has opportunities to improve. These will be included for the service to consider and not be subject to formal follow up process.
Appendix D: Performance Indicators
Area |
Ref |
Indicator |
Definition |
|
|||
Finance |
F1 |
Cost per audit day |
Total cost of service / productive days |
F2 |
Audits completed on budget |
Percentage of audits delivered within pre-determined number of days |
|
F3 |
Chargeable days |
Percentage of staff time spent on delivering the audit plan (as distinct from training, personnel management, admin and so on). |
|
Internal Process |
I1 |
Full PSIAS conformance |
Conformance with Public Sector Internal Audit Standards, as assessed by IIA |
I2 |
Audits completed on time |
Percentage of audits completed on or before a deadline agreed with the audit sponsor within our audit brief |
|
I3 |
Draft reports on time |
Percentage of draft reports delivered within 10 days of concluding fieldwork |
|
Customer |
C1 |
Satisfaction with assurance |
Percentage of respondents very/satisfied with the assurance received based on surveys sent at end of each audit project |
C2 |
Final reports on time |
Percentage of final reports delivered within 5 days of closing meeting |
|
C3 |
Satisfaction with conduct |
Percentage of respondents very/satisfied with staff conduct shown based on surveys sent at end of each audit project |
|
Learning & Developing |
L1 |
Implemented recommendations |
Percentage of recommendations implemented as agreed with audit |
L2 |
Training plan achieved |
Percentage of assigned training days completed by staff |
|
L3 |
Satisfaction with skills |
Percentage of respondents very/satisfied with staff skills displayed based on surveys sent at end of each audit project |
Appendix E: Mid Kent Audit Team
Management
Rich Clarke CPFA (Head of Audit Partnership): Rich became head of the audit partnership on 1 April 2014, succeeding Brian Parsons. He joined the partnership from KPMG, where he had a range of internal and external audit clients across the public sector including LB Islington, Woking BC, East Kent Hospitals University NHS Trust, the Foreign and Commonwealth Office and the Civil Aviation Authority. Previous to joining KPMG, Rich worked for the Audit Commission for 12 years, where he achieved CIPFA qualification and gained broad experience in local government and NHS audit as well as leading national training on technical accounting, data quality and audit efficiency and project management. In 2015/16 Rich will be begin studying again aiming to achieve CIPFA Accredited Counter Fraud Specialist status.
Ian Cumberworth MAAT (Audit Manager: Ashford & Tunbridge Wells): Ian became the Audit Manager for Ashford and Tunbridge Wells in 2010 when the original partnership was extended having previously been the Audit Manager at Tunbridge Wells . He has experience of working in the private sector and a number of public sector authorities and has gained a broad knowledge and experience within Local Government. He has experience in supporting and leading on corporate projects which has included areas such as Best Value, VFM studies, Procurement & Contracting initiatives and various inspection regimes.
Russell Heppleston CMIIA (Audit Manager: Maidstone & Swale): Russell started working for the Maidstone / Ashford partnership in November 2005, and continued his role as Auditor for the Mid Kent Audit Service when it was established in 2010. He progressed through professional qualifications with the Institute of Internal Auditors (IIA) to achieve both Practitioner and Chartered member status. As an Auditor Russell examined the majority of council services, and had particular interests in project management and governance. In September 2013 Russell was appointed as the Audit Manager for Maidstone and Swale, and is the client manager at both sites and is responsible for delivering the audit plan. In 2015/16 Russell will be studying to achieve accreditation with the Institute of Risk Management.
Auditors & Senior Auditors
Alison Blake ACCA (Senior Auditor): Alison joined the internal audit partnership in 2012 and has worked on a variety of audits since starting. Prior to this Alison worked for South Coast Audit for 7 years where she undertook internal audit work across a range of NHS clients in East Kent. While at South Coast Audit she achieved ACCA qualification. During Alisons career she has completed a wide range of audit work including finance, information governance and risk management, system reviews and reviews of compliance with legislation with the aim of working with the client to help them achieve their objectives and the objectives of the organisation as a whole. Alison is currently on maternity leave but will be re-joining the team in January 2016.
Mark Goodwin (Senior Auditor): Mark joined Ashford Borough Council in January 1999 having previously worked at Maidstone Borough Council in an audit role. He was a founder member of the Ashford and Maidstone Internal Audit Partnership before this developed into the four-way Mid Kent Audit Partnership in April 2010. He is an experienced auditor who has audited extensively the full spectrum of Council services and activities across a number of local authorities.
Frankie Smith PIIA (Senior Auditor): Frankie Smith started her career in Internal Audit at Kent County Council in 2001 as a Trainee Auditor. In December 2001 she was appointed to the role of Auditor at Maidstone Borough Council. In the last 13 years she has completed audits at Ashford, Maidstone, Swale and Tunbridge Wells and is currently the Senior Auditor at Swale Borough Council. Frankie completed the CIPFA Diploma in Public Audit in 2003, the IIA Diploma in March 2013 and is now studying towards the IIA Advanced Diploma with a view to becoming a tutor for the IIA qualifications.
Claire Walker (Senior Auditor): Claire joined the audit partnership in September 2010, and has wide experience in a variety of sectors and bodies; Local and Central Government, Arts, Broadcasting, Financial Services, NGOs & Not For Profit Sector (domestic & foreign), also Lottery Fund distribution QUANGOS (New Opportunities Fund, Big Lottery Fund, Millennium, Commission, Olympic Delivery Agency, Heritage Lottery Fund, and Sport England) and the associated grant making programmes (in house and outsourced grant administered programmes). Claire delivered some training & mentoring projects for the FCO, DFID and the World Bank in addition to work on European Social Fund projects. Within Local Government Claire has undertaken a wide range of audits with a focus on legal compliance, contracts and governance arrangements. Other audit experience covers outsourcing functions, due diligence, and fraud investigations.
Jen Warrillow PIIA (Auditor): Jen joined Mid Kent Audit in September 2013 from Kent County Council where she trained as an Internal Auditor. She recently completed study for Practitioner of the Institute of Internal Auditors status and during 2015 will study to become a Chartered Member of the Institute. At KCC Jen undertook a wide range of audits including financial, governance and grant funding internally for the Council and externally for Parish Councils. Previous to joining KCC, Jen worked as an investigator for Swale BC and then Tonbridge & Malling BC. Jen will be providing maternity cover for Alison Blake in the Senior Auditor role until July 2015.
Paul Goodwin AAT (Auditor): Paul has been employed by Tunbridge Wells Borough Council for over 26 years of which nearly all has been in Internal Audit. Paul is a qualified Accounting Technician.
Jo Herrington PIIA (Auditor): Jo joined the audit partnership on 30 September 2013. She joined the partnership from Gravesham BC, where she worked for nearly nine years. She gained experience of working in the Finance department and the Revenues department before settling in the Internal Audit team in September 2009, who operated a shared management arrangement with Tonbridge & Malling BC. As part of the Internal Audit team she gained broad experience conducting financial and operational audit reviews, as well as being involved in working groups across the authority. Jo recently achieved the IIA Diploma, and will be providing maternity cover for Alison Blake in the Senior Auditor role between July and December 2015.
Trainee Auditors & Others
Michael Pugh (Trainee Auditor): Michael joined the audit team in March 2015 as a trainee auditor. He joins us from Baker Tilly where he worked as a risk analyst within their Technology Services internal audit division at clients across the private and public sectors. Michael will be embarking on a professional qualification supported by the service during 2015/16.
Ben Davis (Trainee Auditor): Ben joined the audit team in March 2015 as a trainee auditor. Ben holds a degree in Modern History from UEA and has previous experience in finance teams in the private and voluntary sectors. Ben will also be embarking on a professional qualification supported by the service during 2015/16.
We also have facility within the audit service to seek and deploy additional specialist resource depending on the needs of the service and of our local authority partners. In 2014/15 we used this facility to support delivery of specific audit projects including a significant counter fraud investigation and a major post implementation review of a shared service project.
[1] This is the definition of internal audit included within the Public Sector Internal Audit Standards
[2] This is our review of the Councils risk management process, which will be assurance rated work. It is distinct from our work supporting day-to-day risk management (as noted elsewhere in this plan).
[3] This is our work supporting the day-to-day risk management process, such as receiving action plans and establishing the effectiveness and accuracy of mitigating actions declared. To maintain independence, these two areas of work will be undertaken by separate teams.