Contact your Parish Council

Internal Audit & Assurance Plan 2018/19



Maidstone Borough Council


1.             We provide an independent and objective assurance and consulting service designed to add value to and improve the Council’s work.  We help the Council achieve its objectives by bringing a systematic and disciplined approach to evaluate and improve effectiveness of risk management, control and governance.

2.             We work within a statutory framework drawn from the Accounts and Audit Regulations 2015 and the Public Sector Internal Audit Standards (the “Standards”).  In 2015 the Institute of Internal Audit assessed us as working in full conformance with the Standards.  We have kept full conformance since then, including through the major update to the Standards in 2017.

3.             We also work to an Audit Charter agreed at each partner authority.  The Charter sets out the local context for audit, including independence safeguards.  At this Council, the Audit, Governance & Standards Committee approved the Charter in 2016 and it remains in place.

4.             The Standards set out demands on the Head of Audit Partnership for compiling and presenting a document to describe planned work for the year ahead.  The plan, presented for Member approval, must set out:

·                Internal audit’s evaluation of and response to the risks facing the organisation.

·                How we consult with senior management and others.

·                How we have considered whether we have suitable resources to address the risks we identify.

·                How we will effectively use those resources to complete the plan.

5.             The Plan can include assurance and non-assurance rated engagements.  This means we can accept consultancy work where this is the best way to support the Council.  We set out our considerations for accepting consultancy engagements in the Audit Charter.

6.             We must also clarify that our audit plan cannot address all risks across the Council and represents our best use of inevitably limited resources.  In approving the plan, the Committee recognises this limit. We will keep the Committee abreast of any changes in our assessment of need as we oversee the risks posed to the Council.  In particular we will undertake a full evaluation of need during each annual planning round.

Risk Assessments

7.             The Standards direct us to begin our planning with a risk assessment.  This assessment must consider risks to the Council from global changes as well as those recognised within its own risk management.  We must also keep that risk assessment current.  This plan represents our appraisal now, but we will continue to reflect and consider responses as risks and priorities may change across the year. We will report a specific update to Members midway through the year. We may also consult the Committee (or its Chairman) on other significant changes if the need arises.

Global and Sector Risks

8.             In considering global and sector risks we draw on various sources.  This includes updates provided by relevant professional bodies, such as the IIA and CIPFA.  We also consult with colleagues both direct through groups such as London and Kent Audit Groups and through review of all other published audit plans in the South East.

9.             These sources give us insight into both the key issues facing local government and how audit teams respond.  To show our consideration of these global risks we’ve picked the issues below from the IIA Hot Topics in Internal Audit 2018.

The Risk

May 2018 will see the largest expansion of data protection law for 20 years.  The General Data Protection Regulations (GDPR) place new limits on using and sharing personal information, including new requirements on informed consent.  The maximum penalty for breach also increases significantly, with one report estimating the £400k fine for TalkTalk in 2016 would be closer to £60m as a GDPR breach.

Maidstone Context

The Council manages significant volumes of personal data while delivering services.  It will need to make sure it has a clear understanding of where and how it holds, manages and processes data.  The Council will also need a clear method for prompt breach reporting.


Mid Kent Audit Response – GDPR

We have worked through 2017/18 as a contributor to the Council’s Information Management Group.  This Group has overseen the GDPR implementation and we’ve brought information from our findings, wider research and responses from other partners.

On our 2018/19 plan we propose a 4-way review to look across all four partner authorities around 6-9 months after implementation.  Rather than seeking to provide a rating, we will instead look at the common challenges faced by the authorities and effectiveness of responses. We will aim to include a full authority-specific assurance rated review in our 2019/20 plan.


The Risk

The Wannacry cryptoworm attack that hit more than a third of NHS Trusts in May 2017 brought into focus vulnerability from malign online actors.  Although there was no direct financial loss, the NHS estimated it cancelled nearly 7,000 appointments as a direct result.  A National Audit Office report also later highlighted various IT control failures that could have stopped or limited the attack.

Maidstone Context

The Council actively encourages residents to use electronic communications and so sees more and more of its work online.  Mid Kent ICT currently holds ISO certification, Public Sector Network Code of Connections (CoCo) compliance and successfully repels dozens of attempted attacks each day.  However, it is clear the potential disruption of a successful attack would be significant, including on the Council’s ability to maintain communications and make payments.

Mid Kent Audit Response

We are aware that increasingly the complexity of controls demands specialist audit skills to provide assurance on their efficacy.  Longer term, we will seek to grow those skills in-house. But for the 2018/19 plan we have a proposed project that will call on specific IT audit expertise through the competitive rates available to us as a partner in local and regional framework contracts.


The Risk

In themselves, Brexit and the UK Government’s re-examination of local authority funding are not necessarily risks.  But they could affect the Council’s funding, powers and responsibilities as well as the broader economy.  However, the key phrase there is “could”.  While that doubt exists, organisations will need to be as agile and flexible as possible in their planning.

Maidstone Context

The Council has already taken some opportunities arising from Government reviews, such as joining the Kent & Medway Business Rates Retention Pilot.  However, the success of such pilots and much of the Council’s other plans depends on the wider economy.

Mid Kent Audit Response

Owing to this uncertainty, we do not have specific projects on the 2018/19 plan looking at Brexit and other regulatory changes (but we do have the issue on our radar, see appendix I).  Instead, we will continue to focus efforts on supporting the Council in keeping an effective risk register that will allow it to properly identify risks and opportunities as they come into focus.


The Risk

The recent collapse into administration of Carillion and profit warnings at Capita highlights the extent to which public services have become increasingly reliant on private delivery.  These create third party risks where organisations learn they have not transferred the risk as well as the service.  Sound and continuing diligence and well-managed supplier relationships are crucial to ensuring success.


Maidstone Context: Vendor Risk

The Council runs significant parts of its service through third parties.  For example Leisure (with Serco), Waste (with Biffa) and the Theatre (with Parkwood).  We must also consider partnerships, such as Mid Kent Services, where the Council works with other organisations to deliver services.

Mid Kent Audit Response: Vendor Risk

Our audit universe (see Appendix I) includes period review of all the Council’s major contractual relationships.  Also, in 2018/19, we are embarking on a series of mid-term reviews examining conformance with collaboration agreements for shared services.


The Risk

Organisations must think more strategically about their workforce planning.  Driven by financial restraints, changing demographics and increased automation and use of technology, organisations must consider how they can effectively hold the skills and experience they need to deliver their objectives.

Maidstone Context:

The Council continues to rationalise workforce in line with Medium Term Financial Plans and its workforce strategy. It will need to manage institutional memory and keep essential skills.

Mid Kent Audit Response:

We recognise the Head of Shared Human Resources is new in post and so have put back a full assurance rated review into workforce planning into 2019/20.  Instead, in 2018/19, we will complete a Mid Term Review of the HR service.  This work is closer to consultancy and about reviewing the collaboration agreement and assessing how the service supports each partner authority.


The Risk

The new Public Sector Internal Audit Standards in April 2017 placed greater emphasis on the role of internal audit in understanding and providing assurance against a wide range of corporate risks.  The traditional view of audit as a branch of accounting is disappearing under standards that demand more familiarity with governance, analytics and effective communication of audit findings to provide valuable business insight.

Mid Kent Audit Response

Our Quality and Improvement planning considers the skills we need now and in the future, including the IT audit specialism noted above.  We are also increasingly looking at ways to efficiently expand the range, scope and effectiveness of our coverage.  To that end we are looking to get more up-to-date audit software, which will support efforts to create standard testing templates, support audit work and improve efficiency, monitoring and reporting.


Local Risk Review

10.         The Council keeps a corporate register describing the most significant risks it faces. Risks on the corporate register align direct to the Strategic Plan and have a more strategic outlook.

11.         Our audit planning considers these issues to ensure we provide risk-based assurance to the Council.  While not the sole plan driver, we aim to ensure our audit projects and wider work includes coverage of the risks featured on the corporate register.

12.         The table on the following page shows each of the risks on the corporate register, with relevant audit work either recently completed or planned over the next two years.


Risk Register Item

Residual Risk Rating

Relevant Planned Audit Work

Impact x Likelihood


ICT Systems Failure / Security

4 x 4

16 (Red)

Audit Projects

ICT Networks (17/18)

Cyber Security (18/19)

Computer Use Policies (19/20)

Other Work

Information Management Group

Incident investigation

Legal Compliance / Breaches (e.g. GDPR)

5 x 3

15 (Red)

Audit Projects

GDPR Review (18/19)

Freedom of Information (19/20)

Other Work

Information Management Group

Data Protection Audits

Major Project Failure

4 x 3

12 (Red)

Audit Projects

Subsidiary Company Governance (17/18)

Capital Purchases & Disposals (19/20)

Project Management (19/20)

Other Work

Corporate Governance Group

Housing Pressures Continue to Increase

4 x 3

12 (Red)

Audit Projects

Homelessness (17/18)

Homelessness Reduction Act (18/19)

Housing Allocations (18/19)

Delay in Local Plan Adoption

4 x 3

12 (Red)

Other Work

Planning Risk Review

Local Plan Project Evaluation Support

Financial Restriction

4 x 3

12 (Red)

Audit Projects

Financial Management (17/18)

Budget Management (18/19)

NNDR (18/19)

Poor Partner Relationships

3 x 3

9 (Amber)

Audit Projects

Mid Term Service Reviews: Audit (17/18), IT, Revenues & Benefits, HR (18/19), Legal, Planning Support (19/20)

Breakdown of Governance Controls

4 x 2

8 (Amber)

Audit Projects

Corporate Governance (17/18)

Public Consultations (18/19)

Other Work

Corporate Governance Group

Workforce Capacity & Skills

2 x 2

4 (Green)

Audit Projects

Absence Management (18/19)

Recruitment (18/19)

Workforce Planning (19/20)


13.         We co-ordinate and provide risk management support for the Council. This work includes regular liaison with risk owners to co-ordinate and report progress through Corporate Leadership Team and the Policy & Resources Committee. Therefore, for all risks, we will continue to support risk owners and regularly report progress.

Audit Risk Review and Consultation

14.         We then consider all the auditable parts of the Council (the “audit universe”) against our own risk evaluation criteria.  These consider:

Finance Risk: The value of funds flowing through the service.  High value and high volume services (such as Council Tax) represent a higher risk than low value services with regular and predictable costs and income.

Priority Risk: The strategic importance of the service in delivering Council priorities.  For example waste services will be higher risk owing to the direct link with the Council’s objective to “provide a clean and safe environment”.

Fraud Risk: The susceptibility of the service to fraud loss.  High volume services that deal direct with the public and handle cash, such as licensing for example, are higher risk.

Oversight Risk: Considering where other agencies have an interest in regulating and inspecting the service.  For example, Mid Kent Legal Services receive regular inspections from the Law Society to keep Lexcel accreditation and so have relatively low risk.

Change Risk: Consider the extent of change the service has been, or will be, undergoing.  This might be voluntary, such as a restructure or imposed such as new legislation.

Audit Knowledge: What do we know about the service?  This considers not just our last formal review, but any other information we have gathered from, for example, following up agreed actions.  We also consider the currency of our knowledge, with an aim to conduct a full review in each service at least every five years if possible.

15.         The results of these various risk assessments provide a provisional audit plan.  We then take this provision plan out to consultation. We meet every Head of Service, Director and the Chief Executive to get their perspective on our assessment and give us updates on their sections.

16.         Having gained a perspective on the key issues for audit attention in the coming year we then consider the quantity and quality of our resources.



17.         The audit team contains 11.6 FTE plus a 0.6 FTE administrator.  To calculate the total amount of resources available we take the full time available (less contractual leave and public holidays) and subtract various categories of non-audit time, such as training.  Then we add back known positive changes, which include our annual aim to make the service at least 3% more efficient each year by refining our working practice.  We set out that calculation in the chart below.

18.         The result is 1,820 chargeable days, meaning time we can put towards completion of our agreed audit plans.  This is essentially the same as in 2017/18 and divides between the authority partners in the proportions set out in our collaboration agreement:

19.         Audit Standards demand we assess whether the resources available – in both quantity and capability – can fulfil our responsibilities.  In that assessment we must consider:

·         Whether we had sufficient resource to complete our prior year plan.

·         How the size and complexity of the organisation has changed.

·         How the organisation’s risk appetite and profile have changed.

·         How the organisation’s control environment has changed, including how it has responded to our audit findings.

·         Whether there have been significant changes to professional standards.

20.         Based solely on those internal reasons, we believe we have enough resource to deliver the 2018/19 plan.  There is no precise guidance on overall adequacy of internal audit resource.  Besides the reasons above we also analyse other SE English District Councils to consider a ‘typical’ volume of audit coverage.  The graph below presents that survey and a ‘best fit’ line (noting that we have excluded some extreme outliers on the higher end).  We highlight the Mid Kent partner authorities.

21.         We must also consider ability of the audit team.  Appendix II sets out the significant range of skills, qualifications and experience we have within the audit team.

22.         As noted in the risk assessment, we are looking to increase our means on technical IT audit.  For 2018/19 we aim to supplement the team with technical support accessed at competitive market rates through new memberships of Framework agreements with audit firms managed by LB Croydon and Kent CC.

Proposed Audit & Assurance Work 2018/19

23.         Our audit project work comes in two distinct approaches; those that lead to assurance ratings and those that do not.  We usually provide a rating as shorthand to describe our findings and the assurance that we can offer.  See Appendix IV for the definitions and different levels.  However, we recognise circumstances where our work aims principally at supporting work in progress, or providing advice where an assurance rating is not right.  We complete full reports for each type and will provide summaries in our reporting to Members.

24.         We also undertake various other review and advice tasks over the year. However, we usually do not separately report work that takes under 5 days to complete or does not result in a single distinct report.  For example, our work supporting the Council’s risk management. 

25.         In the tables below we set out our planned work for 2018/19.  We also provide our planning objectives for each project, setting out in more detail the intended scope for each review.  However, we will agree a precise scope with the officer Audit Sponsor when we come to undertake the work.  See the next section of this report for information on how we complete detailed planning on audit projects and work towards their completion. 

Proposed Audit & Assurance Project Work 2018/19

380 days


Assurance Rated Projects

Public Consultations

·         To assess guidance provided to assist undertaking public consultations against suitable evaluation criteria (for example, the Sedley principles).

·         To review a sample of consultations for compliance with established criteria

Budgetary Control

·         To consider effectiveness and appropriateness of the Council’s approach to monitoring and controlling budgets.

·         To review compliance with budget control rules.

·         To review compliance with virement rules.

Accounts Payable

·         To review design and effectiveness of key controls within the accounts payable system.


·         To review the operation and effectiveness of service transformation.

·         To review project management of digital transformation work.

Property Management

·         To review controls for managing income received from property.

Non-Assurance Rated Projects

General Data Protection Regulations

·         To consider across the four partner authorities varying challenges and approaches to carrying out GDPR including areas of non-compliance.

·         The aim of our review will be to identify and share best practice and successful approaches.  We will undertake an assurance rated review at each authority in 2019/20.

·         (We will complete this review six to nine months after the go live date of GDPR in May 2018)

Procurement Fraud Risk Review

·         To undertake a detailed review of a sample of small to mid-level suppliers.  Using open source information (for instance, Companies House data) we will consider the presence of risk signals that may warrant further investigation.

·         Risk signals might include the part of the supplier’s work delivered to the Council, relationships between the supplier and Members and officers (declared and undeclared) and public reviews from other customers.

National Fraud Initiative

·         To manage the Council’s link with the Cabinet Office on NFI matters and act as a single liaison point.

·         To ensure the Council gives suitable information to residents on the collection and use of data for NFI purposes.

·         To examine matches outside the Revenues Service. The Mid Kent Revenues Compliance Team examines revenues matches.


Assurance Rated Projects

Waste Contract

·         To review contract management controls.

(We will conduct this review across Swale, Maidstone and Ashford as partners in the contract).

Cobtree Trust

·         To review how the Council manages and discharges its responsibilities as corporate trustee

·         (Note that this review will focus on Maidstone BC, the Trust is a separate entity that manages its own audit arrangements to review controls operating within the Trust).


·         To review financial controls operating at the museum for collecting income (café, shop, events and exhibitions, room hire)


·         To review operation of the market against business plans, including financial controls.

Commercial Waste

·         To review design and operation of controls around invoicing, billing and collection.

·         To review cost allocation and management, including overhead allocation.

Environmental Enforcement

·         To review operation of in-house service (timed for around 12 months into 18 month trial).

·         To review controls on issue and collection of fixed penalty notices.

Housing Allocations

·         To review controls around direct lets to homeless households.

Assurance Rated Projects (continued)

Building Control

·         To review design and operation of controls for setting and collecting income.

·         To review administration and documentation of discretionary fees.

Planning Enforcement

·         To review process for creating, documenting and executing planning control notices.

Air Quality

·         To review controls for achieving and reporting progress on the low emissions strategy.

·         To review data quality on collection and reporting of air quality data.

Licensing Administration

·         To review controls for appropriate recording and issue of licenses.

·         To review controls for collecting and banking licensing income within the licensing partnership, including allocating to partners.

Non-Assurance Rated Projects

Homelessness Reduction Act

·         To consider across the four partner authorities varying challenges and approaches to the Homelessness Reduction Act.

·         The aim of our review will be to identify and share best practice and successful approaches.

Planning Risk Review

·         To review effectiveness of mitigating actions proposed for planning risks.

Local Plan Project Support

·         To contribute to post-project evaluation of the Council’s drawing up its local plan.


Assurance Rated Projects

Cyber Security

·         Using externally gained IT audit expertise, to consider effectiveness of the Council’s measures to mitigate the risk and impact of cyber attack.

IT Technical Support

·         To review controls for overseeing and reporting performance of the IT Service Desk.

Absence Management

·         To consider compliance with the Council’s absence management policy.

·         To review controls for overseeing and reporting interventions aimed at reducing levels of sickness absence within the Council.


·         To review compliance with the Council’s recruitment policy.

·         To assess financial and buying controls for recruitment-related spending.

·         To review compliance with policies around recruitment and retention of contractors

Revenues & Benefits Compliance Team

·         To review controls for collecting and reporting performance data of the Compliance Team.

·         To consider compliance with relevant laws and procedures, including use and handling of personal data.

·         To review controls for monitoring delivery of the work programme.


Assurance Rated Projects (continued)

Council Tax Reduction Scheme

·         To review operation of controls for ensuring compliance with the Council’s scheme.

·         To review use and reporting of the Council’s power to levy fines for non-reporting of changes in circumstance.

Business Rates Liabilities & Reliefs

·         To review operation of controls for ensuring proper application of reliefs.

·         To document and review process for ensuring liabilities are recognised and recorded.

Declarations of Interest

·         To review effectiveness of controls for ensuring declarations are made, reviewed and updated as required by the Council’s policies.

·         To assess use of declarations as appropriate in procurement decisions.

·         (Will cover both officer and Member declarations).

Non-Assurance Rated Projects

Payroll Fraud Risk Review

·         To examine expenses data for risk signals that may warrant further investigation.  Risk signals might include large or unexplained claims, significant month-to-month variations or variable mileage claims between regular destinations.

Mid Kent Human Resources Service Mid Term Review

·         To complete a Mid-Term review as mandated by the collaboration agreement, considering adherence to the agreement and general satisfaction with the service.

Mid Kent ICT Service Mid Term Review

·         To complete a Mid-Term review as mandated by the collaboration agreement, considering adherence to the agreement and general satisfaction with the service.

Mid Kent Revenues & Benefits Mid Term Review

·         To complete a Mid-Term review as mandated by the collaboration agreement, considering adherence to the agreement and general satisfaction with the service.


Proposed Audit & Assurance Non-Project Work 2018/19

120 days


·         To continue supporting the Council in managing and reporting its strategic and operational risks.

·         Focus in 2018/19 towards setting in risk management in Council procedures, and streamlining and ‘automating’ updates to risk information.


Counter Fraud

·         To move forward with implementation of new Counter Fraud and Corruption and Whistleblowing Policies.

·         To examine matters arising, including through Whistleblowing complaints.

·         To create and provide e-Learning modules on key parts of supporting the Counter Fraud Culture, focusing first on Whistleblowing and Counter Bribery.

·         To create and deliver Counter Bribery workshops to at-risk groups (including Members).


Audit & Assurance Non-Project Work (continued)

Member Support

·         To report audit progress to Committee and provide further advice and support as needed.

·         To deliver, on request, Member briefings and training workshops on matters related to audit and governance.

Recommendation Follow Up

·         To follow-up all agreed recommendations on time to ensure effective action to address our findings.

·         To report on progress and provide further reporting where necessary.

·         To provide support on implementation, including drawing on best practice from other authorities in the partnership.

Audit Planning

·         To keep our audit planning under review, ensuring its continued relevance.

·         To compile and report an audit plan for 2019/20.

Proposed Unallocated Contingency 2018/19

30 days


·         We aim to keep around 10% of audit days as a consultancy fund to provide general and extra advice to the Council.

·         Note that some of this 10% we have already allocated in response to officer requests for support projects (see project list above).

·         This will include attendance and contribution to officer groups and expansions to audit scopes to cover particular concerns or interests.

·         It also covers any investigative work we undertake.  We are named in the Council’s whistleblowing, data protection and computer use policies as a potential investigator of matters referred to us.


Delivering the Audit & Assurance Plan

26.         We work in full conformance with the Public Sector Internal Standards.  This includes having an internal quality assessment approach comprising both specific review of individual projects and period ‘cold review’, looking back at completed work and taking forward learning to help us improve. 

27.         The diagram below sets out how we undertake a typical audit project.  However, with each piece of work, we discuss and agree a specific workflow with an officer contact we call the Audit Sponsor (typically, the Head of Service).

Overseeing Delivery

28.         We will report progress on delivering the plan to this Committee part-way through the year.  We are also part of the Mid Kent Services Directorate and overseen by a Shared Services Board, with Mark Green (Director of Finance & Business Improvement) as Maidstone’s representative.

29.         We also report each month on various performance indicators detailing our progress.  We include a listing of those indicators, with descriptions, at appendix III to this plan.

Quality & Improvement Plan

30.         Although in 2015 the IIA assessed us as fully conforming with the Standards, we have continued to challenge and update how we work.  Milestones included a revision to our audit manual in 2016 (and updated after refreshed standards in 2017) and a restructure to add an administrator to the team and focus our auditors on chargeable work.  Through these types of review we have kept our full conformance with the Standards and increased productive days by nearly 15% since 2015 without any more than inflationary budget increase.

31.         For 2018/19 our focus will be on successful implementation of our new Audit Management Software.  We decided in late 2017 to test the market, having used our current software in various forms since 2001.  We tested various alternatives, all of which have new and better features and a cost saving.

32.         Our evaluation continues but we will know the result before the Committee meets and working towards implementation.  The precise benefits will depend on which product we select, but some of the benefits we looking for include:

·         Greater capacity for template and re-usable audit programmes to aid efficiency.

·         Improved reporting, especially on recommendation progress.

·         Better integration with and support for the Council’s risk management work.

·         Greater ability to document and oversee the full scope of the audit universe.

·         Automation of performance information and thematic reporting.

33.         In 2018/19 we will also continue our strong support for training and development within the audit team.  During the year we will have five people furthering or completing (we hope) professional qualifications and we wish them every success.  We will also continue supporting broader development, including in IT auditing, investigation support, data analytics and risk management.

Appendix I: Audit Universe

The “Audit Universe” is our running record of all services at the Council we might examine.  The list below shows its current arrangement including details of previous and planned future reviews.  Note that future reviews past 2018/19 are provisional; we will undertake a fresh risk assessment each year.


As set out in the risk assessment, we also consider broader issues that don’t necessarily fit within the structure chart.  These include the Council’s strategic risks and subjects where the right audit response is not yet clear.  The chart below summarises some of these subject we are keeping track of, for potential future inclusion within an audit programme:


Appendix II: Audit Team CVs & Experience


Rich Clarke CPFA ACFS (Head of Audit Partnership): Rich became head of the audit partnership in April 2014 joining from KPMG, where he had a range of internal and external audit clients across the public sector.  Rich is a Chartered Accountant (CPFA) and during 2015 undertook and passed further study to become an Accredited Counter Fraud Specialist (ACFS).  Rich is also UK Local Government representative on the Internal Audit Standards Advisory Board, the body charged with updating the Public Sector Internal Audit Standards.  In 2016 Rich also began ancillary work as a CIPFA associate, delivering training on CIPFA’s behalf across the country on managing and improving internal audit teams.  In addition, Rich is currently Chairman of the Kent Audit Group and an Executive Board Member and Treasurer of the London Audit Group.

Russell Heppleston CMIIA (Deputy Head of Audit Partnership): Russell started working for the Maidstone / Ashford partnership in November 2005, and continued his role as Auditor for the Mid Kent Audit Service when it was established in 2010.  He progressed through professional qualifications with the Institute of Internal Auditors (IIA) to achieve Chartered member status and the Qualification in Internal Audit Leadership (QIAL). Having been appointed as Audit Manager for Swale and Maidstone in 2013, Russell was subsequently appointed as Deputy Head of Audit Partnership in the 2015 restructure.  Russell has recently attained the International Diploma of Enterprise Risk Management (GradIRM), and leads the risk management support work across the partnership.

Frankie Smith CMIIA (Audit Manager – Swale & Tunbridge Wells): Frankie Smith has worked in internal audit for 17 years, starting as an auditor at Maidstone Borough Council.  During this time Frankie has completed audits at Ashford, Maidstone, Swale and Tunbridge Wells.  Frankie achieved Chartered Auditor (CMIIA) status in August 2015 and was appointed that same month to the role of Audit Manager at Swale and Tunbridge Wells.

Alison Blake ACCA, CIRM (Audit Manager – Ashford & Maidstone): Alison joined the internal audit partnership in 2012 and took on the role of Audit Manager in January 2016.  Prior to this Alison worked for South Coast Audit for 7 years where she undertook internal audit work across a range of NHS clients in East Kent. During Alison’s career she has completed a wide range of audit work with the aim of supporting the in achieving their objectives and the objectives of the organisation as a whole.   In 2014 Alison achieved the Certificate qualification from the Institute of Risk Management.

Senior Auditors

Mark Goodwin ACFT (Senior Auditor): Mark joined Ashford Borough Council in January 1999 having previously worked at Maidstone Borough Council in an audit role.  He was a founder member of the Ashford and Maidstone Internal Audit Partnership before this developed into the four-way Mid Kent Audit Partnership in April 2010.  He is an experienced auditor who has audited extensively the full spectrum of Council services and activities across a number of local authorities.  Mark was awarded the Accredited Counter Fraud Technician (ACFT) designation by CIPFA in March 2016.

Claire Walker (Senior Auditor): Claire joined the audit partnership in September 2010, and has wide experience in a variety of sectors and bodies; Local and Central Government, Arts, Broadcasting, Financial Services, NGOs and Not for Profit Sector and associated grant making programmes.  Claire delivered some training and mentoring projects for the FCO, in addition to work on European Social Fund projects.  Within Local Government Claire has undertaken a wide range of audits with a focus on legal compliance, contracts and governance arrangements.  Other audit experience covers outsourcing functions, due diligence, and fraud investigations. 

Jo Herrington PIIA CIA (Senior Auditor): Jo joined the audit partnership in September 2013. Prior to this Jo worked for Gravesham BC for nearly nine years where she gained experience of working in the Finance department and the Revenues department before settling in the Internal Audit team in September 2009. As part of the Internal Audit team she gained broad experience conducting financial and operational audit reviews, as well as being involved in working groups across the authority. Jo was promoted to the position of Senior Auditor in 2015 and has since gained qualifications as a Practitioner of the Institute of Internal Auditors (PIIA) in October 2015 and as a Certified Internal Auditor (CIA) in June 2016.

Jen Warrillow PIIA CIA (Senior Auditor): Jen joined Mid Kent Audit in September 2013 from Kent County Council where she trained as an Internal Auditor.  She undertook a wide range of audits including financial, governance and grant funding internally for the Council and externally for Parish Councils. Jen was previously an investigator at Swale BC and then moved on to Tonbridge & Malling BC.  She is now studying to become a Chartered Member of the Institute of Internal Auditors. Jen was promoted to the position of Senior Auditor during the 2015 restructure. 



Paul Goodwin AAT (Auditor): Paul began working for Tunbridge Wells BC in 1990 and has spent almost all his work since in Internal Audit. Paul is a qualified Accounting Technician.

Andy Billingham (Auditor): Andy joined the Partnership in December 2015.  He had previously worked for Swale Borough Council for 10 years within the Revenues and Benefits department gaining extensive knowledge of local government while dealing with complex disputes and representing the authority at Tribunals.  Andy holds a degree in History as well as an Institute of Revenue Rating and Valuation qualification.  He is currently studying towards the Certified Internal Auditor (CIA) qualification.

Trainee Auditors

Ben Davis (Trainee Auditor): Ben joined the team in March 2015 as a trainee auditor.  He holds a degree in Modern History from UEA and has previous experience in finance teams in the private and voluntary sectors.  Ben began training towards achieving a professional qualification through the Chartered Institute of Public Finance and Accountancy (CIPFA) and has progressed successfully through the qualification.  He aims to achieve the full professional qualification in mid 2018.

Louise Taylor (Trainee Auditor): Louise joined the team in November 2015 as audit team administrator and became a trainee auditor in August 2016.  Louise had previously worked in the Planning department of Maidstone BC and has extensive experience working with local authorities.  In early 2017 Louise began training to become a Certified Internal Auditor (CIA) with the Institute of Internal Auditors (IIA).  She also holds an MA in Planning, Policy and Practice and a degree in Human Geography.

Framework Contracts

In March 2018 we signed on to be a part of the APEX Audit and Anti-Fraud framework.  Administered by London Borough Croydon, this agreement allows participating local authorities to acquire specialist and general audit support through a centrally procured contract, with no minimum or maximum commitment.  After a competitive tender, LB Croydon awarded the framework contract in December 2017 to Mazars LLP, a major accounting and audit form we have worked with previously in Mid Kent.

We also, informally, have negotiated with Kent County Council access to its call-off contract for specialist and general audit support with BDO LLP.  Therefore we now have two straightforward and competitively priced options to help support our work.

Appendix III: Performance Indicators








Cost per audit day

Total cost of service / productive days


Audits completed on budget

Percentage of audits delivered within pre-determined number of days


Chargeable days

Percentage of staff time spent on delivering the audit plan (as distinct from training, personnel management, admin and so on).

Internal Process


Full PSIAS conformance

Conformance with Public Sector Internal Audit Standards, as assessed by IIA


Audits completed on time

Percentage of audits completed on or before a deadline agreed with the audit sponsor within our audit brief


Draft reports on time

Percentage of draft reports delivered within 10 days of concluding fieldwork



Satisfaction with assurance

Percentage of respondents ‘very/satisfied’ with the assurance received based on surveys sent at end of each audit project


Final reports on time

Percentage of final reports delivered within 5 days of closing meeting


Satisfaction with conduct

Percentage of respondents ‘very/satisfied’ with staff conduct shown based on surveys sent at end of each audit project

Learning & Developing


Implemented recommendations

Percentage of recommendations implemented as agreed with audit


Qualification Success

Pass rate of exams undertaken by members of the audit team.


Satisfaction with skills

Percentage of respondents ‘very/satisfied’ with staff skills displayed based on surveys sent at end of each audit project



Appendix IV: Assurance Ratings

Assurance Ratings 2018/19 (unchanged since 2014/15)

Full Definition

Short Description

Strong – Controls within the service are well designed and operating as intended, exposing the service to no uncontrolled risk.  There will also often be elements of good practice or value for money efficiencies which may be instructive to other authorities.  Reports with this rating will have few, if any, recommendations and those will generally be priority 4.

Service/system is performing well

Sound – Controls within the service are generally well designed and operated but there are some opportunities for improvement, particularly with regard to efficiency or to address less significant uncontrolled operational risks.  Reports with this rating will have some priority 3 and 4 recommendations, and occasionally priority 2 recommendations where they do not speak to core elements of the service.

Service/system is operating effectively

WeakControls within the service have deficiencies in their design and/or operation that leave it exposed to uncontrolled operational risk and/or failure to achieve key service aims.  Reports with this rating will have mainly priority 2 and 3 recommendations which will often describe weaknesses with core elements of the service.

Service/system requires support to consistently operate effectively

Poor – Controls within the service are deficient to the extent that the service is exposed to actual failure or significant risk and these failures and risks are likely to affect the Council as a whole. Reports with this rating will have priority 1 and/or a range of priority 2 recommendations which, taken together, will or are preventing from achieving its core objectives.

Service/system is not operating effectively


Recommendation Ratings 2018/19 (unchanged since 2014/15)

Priority 1 (Critical) To address a finding which affects (negatively) the risk rating assigned to a Council strategic risk or seriously impairs its ability to achieve a key priority.  Priority 1 recommendations are likely to require immediate remedial action.  Priority 1 recommendations also describe actions the authority must take without delay.

Priority 2 (High) – To address a finding which impacts a strategic risk or key priority, which makes achievement of the Council’s aims more challenging but not necessarily cause severe impediment.  This would also normally be the priority assigned to recommendations that address a finding that the Council is in (actual or potential) breach of a legal responsibility, unless the consequences of non-compliance are severe. Priority 2 recommendations are likely to require remedial action at the next available opportunity, or as soon as is practical.  Priority 2 recommendations also describe actions the authority must take.

Priority 3 (Medium) – To address a finding where the Council is in (actual or potential) breach of its own policy or a less prominent legal responsibility but does not impact directly on a strategic risk or key priority.  There will often be mitigating controls that, at least to some extent, limit impact.  Priority 3 recommendations are likely to require remedial action within six months to a year.  Priority 3 recommendations describe actions the authority should take.

Priority 4 (Low) – To address a finding where the Council is in (actual or potential) breach of its own policy but no legal responsibility and where there is trivial, if any, impact on strategic risks or key priorities.  There will usually be mitigating controls to limit impact.  Priority 4 recommendations are likely to require remedial action within the year.  Priority 4 recommendations generally describe actions the authority could take.

Advisory – We will include in the report notes drawn from our experience across the partner authorities where the service has opportunities to improve.  These will be included for the service to consider and not be subject to formal follow up process.


[i] Vanitas Still Life by Evert Collier (1662)