Internal Audit & Assurance Plan 2019/20
Maidstone Borough Council
Introduction
1. We provide an independent and objective assurance and consulting service designed to add value to and improve the Council’s work. We help the Council achieve its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance.
2. We work within statutory rules drawn from the Accounts and Audit Regulations 2015 and the Public Sector Internal Audit Standards (the “Standards”). In 2015 the Institute of Internal Audit (IIA) assessed us as working in full conformance with the Standards. We have kept full conformance since then, including through the major update to the Standards in 2017.
3. Over the next year we must commission an External Quality Review as five years have passed since our last assessment. We discuss the assessment need further later in this report.
4. We also work to an Audit Charter agreed at each partner authority. The Charter sets out the local context for audit, including independence safeguards. At this Council, the Audit, Governance & Standards Committee approved the Charter in January 2019.
5. The Standards set out demands on the Head of Audit Partnership for compiling and presenting a document to describe planned work for the year ahead. The plan, presented for Member approval, must set out:
· Internal audit’s evaluation of and response to the risks facing the organisation.
· How we consult with senior management and others.
· How we have considered whether we have suitable resources to address the risks we identify.
· How we will effectively use those resources to complete the plan.
6. The Plan can include assurance and non-assurance rated engagements. This means we can accept consultancy work where this is the best way to support the Council. We set out considerations for accepting such engagements in the Audit Charter.
7. We must also clarify that our audit plan cannot address all risks across the Council and represents our best use of invariably limited resources. In approving the plan, the Committee recognises this limit. We will keep the Committee abreast of any changes in our assessment of need as we oversee the risks posed to the Council. In particular we will undertake a full evaluation of need during each annual planning round.
Risk Assessments
8. The Standards direct us to begin our planning with a risk assessment. This assessment must consider risks both from global changes and within the Council. We must also keep our risk assessment current. This plan represents our conclusions now, but we will continue to reflect and consider our response as risks and priorities change across the year. We will report a specific update to Members midway through the year. We may also consult the Committee (or its Chairman) on other significant changes if the need arises.
Global and Sector Risks
9. In considering global and sector risks we draw on various sources. This includes updates provided by relevant professional bodies, such as the Institute of Internal Audit (IIA) and CIPFA. We also consult with colleagues, both directly through groups such as the London and Kent Audit Groups and through review of all other published audit plans in the South East.
10. These sources give us insight into both the key issues facing local government and how audit teams respond. To show our thinking on these global risks we’ve highlighted below some of the issues discussed by the IIA in Risk In Focus 2019.
The Risk: Cybersecurity has been a high-priority risk for many years and this shows no signs of subsiding. Companies are pushing to move away from legacy systems. As approaches to managing cyber risk mature, attention is turning to third-party defensibility.
Maidstone Context: Mid Kent’s ICT strategy makes great use of the ‘cloud’, for example in the current rollout of Microsoft Office 365 across the authority. Increasingly, individual services are also relying on software hosted by suppliers outside the Council’s direct control; Internal Audit with Pentana being just one example.
Mid Kent Audit Response – Cybersecurity & Third Parties: We are now in the second year as members of the Apex Framework, a large professional services contract managed by LB Croydon. This gives us immediate access to specialist and general support at set rates. In 2019/20 we plan to use that specialist support to help look specifically at how our IT service can draw assurance where third parties hold and manage our data and services via our networks.

The Risk: Anti-bribery and corruption risk is longstanding. However, national legislative reforms, coordinated global enforcement by regulators and record-breaking fines are raising the stakes and pushing this issue to the top of the corporate agenda.
Maidstone Context: The IIA report reflects updated legislation across the world, notably in China, Brazil, France and Spain. While this subject is settled in UK law with the Bribery Act 2010, in Maidstone in 2019 we may see several new Members. They will need an understanding of how the rules work within the Public Sector.
Mid Kent Audit Response: In our plan for 2019/20 we aim to develop and deliver anti-bribery training materials, aimed first at Members and key officer subjects. This training will explain the law, the Council’s policy and how we expect people to respond to any concerns on corrupt practices.

The Risk: The IIA’s description of this risk highlights protectionist trade tariffs between the USA and China as well as increasing trade sanctions. However, in the UK, this risk touches on Brexit and how UK trade might look in 2019/20 and beyond.
Maidstone Context: The Council’s risk register recognises the threats to the Council’s income and Maidstone’s economy through broader economic changes. Maidstone is, like all Kent Councils, also vulnerable to issues arising from any significant traffic issues caused by delays at ports and the channel tunnel.
Mid Kent Audit Response: The daily changing outlook on Brexit makes including any specific work on that topic in our annual plan a difficult task. However, in 2019/20, as in previous years, we have set aside a consultancy budget to deal with emerging issues. Also, audit standards demand we keep our wider plan flexible in the face of developing risks.

The Risk: There is a notable inconsistency in the IIA’s surveys between organisations’ priority risks and where internal audit focuses its time. Chief Audit Executives should therefore re-evaluate with their audit committees whether internal audit works effectively to deliver sound risk-based assurance.
Maidstone Context: The Council sets out its corporate risks clearly in regular reporting to Senior Officers and Members.
Mid Kent Audit Response (Auditing the Right Risks): We seek to draw on the Council’s risk information to help us compile and check our planning. Without neglecting more ‘routine’ matters, we aim to give due weight to corporate risks and add assurance where we can.
Local Risks
11. The Council compiles and surveys a set of Corporate Level Risks. These cover matters that threaten the Council’s overall objectives, either because of their severity or the breadth of impact across several services.
12. The Council is currently compiling a new set of Corporate Level risks following a risk workshop earlier in the year. We have included within our planning the risks discussed at that workshop.
Audit Risk Review and Consultation
13. We also conduct our own risk assessment looking across all relevant parts of the Council (the “audit universe”). This risk assessment differs from the Council’s own risk approach in that we consider one specific risk:
What is the risk we offer a mistaken opinion because we don’t understand the service?
14. There are two main parts to considering this risk. The first is how important the service is to the Council’s overall objectives and controls. Here we consider:
· Finance Risk: The value of funds flowing through the service. High value and high volume services (such as Council Tax) represent a higher risk than low value services with regular and predictable costs and income.
· Priority Risk: The strategic importance of the service in delivering Council priorities. For example waste services will be higher risk owing to the direct link with the Council’s objectives.
· Support Service Risk: The extent to which other services rely on effective function of this part of the Council. For example, many services have a strong reliance on continuing effective IT services.
15. The second part is the likelihood we might hold (or gain) a mistaken view of the service. Here we consider:
· Oversight Risk: Considering where other agencies have an interest in regulating and inspecting the service. For example, Mid Kent Legal Services receive regular inspections from the Law Society to keep Lexcel accreditation and so have relatively low risk.
· Change Risk: Considering the extent of change the service faces, or has recently experienced. This might be voluntary (a restructure, for example) or imposed (like new legislation).
· Audit Knowledge: What do we know about the service? This considers not just our last formal review, but any other information we have gathered from, for example, following up agreed actions. We also consider the currency of our knowledge, with an aim to conduct a full review in each service at least every five years if possible.
· Fraud Risk: The susceptibility of the service to fraud loss. High volume services that deal direct with the public and handle cash, such as licensing for example, are higher risk.
16. The results of these various risk assessments provide a provisional audit plan. We then take this provisional plan out to consultation. We meet every Head of Service, Director and the Chief Executive to get their perspective on our assessment and updates on their sections.
17. Having gained a perspective on the key issues for audit attention in the coming year we then consider the quantity and quality of our resources.
18. We set out the full results of the risk assessment on the audit universe in Appendix I.
Resources
19. The audit team is in the consultation phase of a planned restructure. We aim to have the new structure in place by 1 April 2019. Currently, though, there is a degree of doubt on the precise extent and arrangement of the team. Please see Appendix II for more information on our restructure.
20. However, our planning estimate for 2019/20 says we will likely have available 1,865 days across the partnership. This is a modest (2.5%) increase on the 2018/19 total. The most significant variance is that we are now using our new audit software, Pentana. We have been using Pentana since July 2018 and ended the implementation phase in January 2019. We look now to its benefits in adding greater efficiency and quality to our work.
21. The total number of days divides between authorities in the proportions set out in our collaboration agreement:
22. Audit Standards demand we assess whether the resources available – in both quantity and capability – can fulfil our responsibilities. In that assessment we must consider:
· Whether we had enough resource to complete our prior year plan.
· How the size and complexity of the organisation has changed.
· How the organisation’s risk appetite and profile have changed.
· How the organisation’s control environment has changed, including how it has responded to our audit findings.
· Whether there have been significant changes to professional standards.
23. Based solely on those internal reasons, we believe we have enough resource to deliver the 2019/20 plan. There is no precise guidance on overall adequacy of internal audit resource. However, as in previous years, we have reviewed provision at other authorities. In Kent, we show that comparison in the map above. We also compare resources through contacts in London Audit Group and beyond. Through the Internal Audit Standards Board, we also consider comparative resourcing in central government, health and the private sector. For example, the table below sets out research conducted by KPMG on the typical size of internal audit services in listed companies across the world:
| Type | IA FTE | IA Costs | IA as % Revenue |
| --- | --- | --- | --- |
| Company (<$500m turnover) | 4.5 to 7.2 | $613k to $819k | 0.30% to 0.37% |
| Company ($500m-$1b turnover) | 5.0 to 7.4 | $737k to $908k | 0.10% to 0.13% |
| MBC (£91.6m gross cost of services)[1] | 3.3 | £206k | 0.22% |
24. We must also consider ability of the audit team. The team as a whole now has more formal qualifications than ever before. Ben Davis, previously a Trainee Auditor in the Partnership, qualified with CIPFA in summer 2018 and three others have progressed to the final stage in IIA qualifications. Appendix II sets out how our restructure aims to continue developing the skills of the team.
25. Beyond direct employees, we have also sought access to sources of specialist expertise. In particular, we have used this to supplement our IT audit work. We will continue in 2019/20 to access this support through memberships of Framework agreements with audit firms managed by LB Croydon and Kent CC.
Proposed Audit & Assurance Work 2019/20
26. Our audit project work comes in two distinct approaches; those that lead to assurance ratings and those that do not. We usually provide a rating as shorthand to describe our findings and the assurance that we can offer. See Appendix IV for the definitions and different levels. However, we recognise circumstances where our work aims principally at supporting work in progress, or providing advice where an assurance rating is not right. We complete full reports for each type and will provide summaries in our reporting to Members.
27. We also undertake various other review and advice tasks over the year. However, we usually do not separately report work that takes under 5 days to complete or does not result in a single distinct report. For example, our work supporting the Council’s risk management.
28. In the tables below we set out our planned work for 2019/20. We also provide our planning objectives for each project, setting out in more detail the intended scope for each review. However, we will agree a precise scope with the officer Audit Sponsor when we come to undertake the work. See the next section of this report for information on how we complete detailed planning on audit projects and work towards their completion.
Proposed Audit & Assurance Project Work 2019/20: 331 days

DIRECTOR OF FINANCE & BUSINESS IMPROVEMENT

High Priority Projects (aim to complete 100% during 2019/20)

Information Management
· To follow up from cross-authority advisory work on GDPR in spring 2019.
· To also consider other aspects of information management, such as responding to Freedom of Information requests.

Medium Priority Projects (aim to complete 50% during 2019/20)

Budget Setting
· To review controls in place around setting the annual budget.
· To consider specifically controls for ensuring achievability of savings projections.

Business Continuity
· To consider arrangements for ensuring business continuity.
· To consider, as areas for possible specific focus, Brexit planning or IT support.

Creditors (Corporate Credit Cards)
· To review controls for compliance with corporate credit card policy.

Customer Services
· To consider the service following transformation review in early 2019.

General Ledger
· To consider controls around GL journals and data quality from feeder systems.

Health & Safety
· To consider corporate conformance with second level HSE requirements.

Members’ Allowances
· To review controls for accurate payment of Member allowances and expenses.
· To consider 2019 policy changes proposed by Independent Remuneration Panel.

Social Media
· To consider policy update due during 2019.
· To review protocols for dealing with public enquiries received by social media.

Subsidiary Company Governance
· To consider the Council’s controls for overseeing Maidstone Property Holdings, in the light of separate independent advice to be received by the Council.

Treasury Management
· To review controls governing treasury activities (including borrowing).

DIRECTOR OF REGENERATION & PLACE

High Priority Projects (aim to complete 100% during 2019/20)

Civil Parking Enforcement
· To review operation of new contract beginning during 2019.
· To consider income reconciliation.

Developer Contributions
· To review controls around monitoring collection and use of developer income from sources such as s106 agreements.
· To review conformance with October 2018 Community Infrastructure Levy policy.

Planning Conditions
· To consider how the Council ensures discharge of planning conditions.

Waste Crime Team
· To consider outcomes of team trial period ending late 2019/20.

Medium Priority Projects (aim to complete 50% during 2019/20)

Community Protection Team
· To consider controls for recording and responding to complaints from the public across the team’s work (except stray dogs and pest control, which were examined separately in 2018/19).

Economic Development
· To review controls for effective spend of economic development income.
· To potentially review specific capital projects, to be scoped with officers.

Parks
· To consider controls for ensuring success of management plan for parks across the Borough, focussing away from Mote Park.

Residents’ Parking
· To review controls around residents’ parking schemes.

MID KENT SERVICES DIRECTOR

High Priority Projects (aim to complete 100% during 2019/20)

IT Network Security
· To consider arrangements for securing the Council’s IT networks, with possible particular emphasis on cloud computing and other third party arrangements.

IT Technical Support
· To consider processes for supporting IT use in the Council.
· To also consider rollout of specific developments, such as Windows 365.

Recruitment
· To consider controls around recruitment, including appropriate safeguarding checks and legal compliance.
· To possibly consider apprentice recruitment and use of the apprenticeship levy.

Universal Credit
· To review controls managing the Council’s work in supporting Universal Credit rollout in the borough.

Medium Priority Projects (aim to complete 50% during 2019/20)

Council Tax
· To consider arrangements for Council Tax billing.
· To consider particularly controls around increasing digitalisation of applications.

Discretionary Housing Payments
· To review processing DHP claims, including consistency in decision making.

IT Asset Management
· To review controls on asset management, especially tracking and security for portable devices.

IT Backup & Recovery
· To review controls for periodic IT backups and test arrangements for recovery.

IT Project Management
· To review how IT supports services in delivering projects, including managing its workload.

Planning Administration
· To examine controls for income collection and reconciliation.

Workforce Planning
· To consider how the HR service supports the Council in identifying and planning its strategic workforce requirements.

Proposed Assurance Non-Project Work 2019/20: 159 days

Risk
· Updating and reviewing Risk Framework
· Regular monitoring and reporting to Senior Officers and Members
· Review of risk identification and reporting within project management
· Member briefings, especially for new Members in 2019

Counter Fraud
· General Policy and Advice, including Whistleblowing and Anti-Corruption
· Fraud Risk Assessment, focusing on payroll and expenses
· Incident specific advice, support and reactive investigation
· Training and development, including for new Members in 2019. Potential subject of focus being on Bribery Act 2010 duties.

Member Support
· Attendance and preparation for Audit, Governance & Standards Committee and other Members’ meetings (including Chairman’s briefings).
· Developing and presenting Member briefings on governance issues.

Agreed Actions Follow Up
· Ensuring officers carry out actions as agreed.
· Reporting progress towards implementation to Senior Officers and Members.

Audit Planning
· Keeping the 2019/20 plan and attendant risk assessments under review.
· Developing audit planning for 2020/21 and beyond.

Proposed Unallocated Contingency 2019/20: 50 days

Consultancy
· We aim to keep around 10% of audit days as a consultancy fund to provide general and extra advice to the Council.
· This will include attendance and contribution to officer groups and expansions to audit scopes to cover particular concerns or interests.
· It also covers any investigative work we undertake. We are named in the Council’s whistleblowing, data protection and computer use policies as a potential investigator of matters referred to us.

Delivering the Audit & Assurance Plan
29. We work in full conformance with the Public Sector Internal Audit Standards. This includes having an internal quality assessment approach comprising both specific review of individual projects and periodic ‘cold review’, looking back at completed work and taking forward learning to help us improve.
Overseeing Delivery
30. We will report progress on delivering the plan to this Committee part-way through the year. We are also part of the Mid Kent Services Directorate and overseen by a Shared Services Board, with Mark Green (Director of Finance & Business Improvement) as Maidstone’s representative.
31. We also report each month on various performance indicators detailing our progress and provide quarterly updates to the Strategic Management Team. We include a listing of those indicators, with descriptions, at appendix III to this plan.
Quality & Improvement Plan
32. Although in 2015 the IIA assessed us as fully conforming to the Standards, we have continued to challenge and update how we work. Through these types of review we have kept our full conformance with the Standards and increased productive days by nearly 20% since 2015 without any more than inflationary budget increase.
33. We successfully set up our new Audit Management Software – Pentana – during 2018/19. The whole team now use Pentana to deliver our work and we can see the benefits already in quality and efficiency. There is also a significant improvement in how we can manage and organise our planning. For example, Pentana supports comprehensive risk assessments set out in Appendix I. We also have a greater capacity to ‘prioritise’ subjects to allow more flexibility as plans change through the year.
34. For 2019/20 our focus for quality and improvement will be on:
· Continuing to support and strengthen the team’s use and understanding of Pentana’s audit approach, especially its consistent focus on an Objective -> Risk -> Control -> Test method. Over time, following this approach will deliver a comprehensive understanding of the control environment across the whole authority and lead to significant efficiencies in planning future work.
· Exploring how best to open Pentana to officers outside audit. The software has a web module that allows officers outside audit to pass information to us direct, for instance updates on progress towards carrying out agreed actions. We hope to pilot some methods for rolling out this feature during 2019/20, mindful of the need to be efficient in our call on officers’ time as well as effective management of audit resources.
· Considering how to continue improving our reporting. Pentana allows for many different variants of our reporting tailored suitably to different audiences. In 2019/20 we will explore how we can efficiently use this flexibility to make our reporting have maximum impact in supporting services to improve.
External Quality Assessment
35. Public Sector Internal Audit Standard 1312 demands we undergo an external assessment at least every five years. The IIA undertook our last assessment in spring 2015 and reported Mid Kent Audit as fully conforming to the Standards. This means our next review must take place by spring 2020. The full text of the Standard is below:
36. The Standard, and our Charter, both highlight the role of the “Board” (this Committee) in oversight of the assessment. Specific responsibility for its arrangement rests with the Head of Audit.
37. We will set out specific proposals for the assessment later in the year. Currently, our plan considers the following principles.
· We will seek a properly qualified external assessor for the review with experience of reviewing similar audit services.
· We will buy the assessment for payment rather than seeking to enter any reciprocal or peer arrangement. We feel this is important to safeguard the independence and professionalism of the review.
· We will ask the assessor to consider best practice rather than simple conformance. This will give us a sense of where we stand on quality compared to the best of our peers. It will also point to improvements we can look into to develop the service.
· We will seek one assessment across the whole partnership rather than individual assessments for each authority.
· We will publish a terms of reference for the assessment to Members before fieldwork.
· We will publish the final report of the assessment in full to Members. We will include in that publication any action plan proposed by the assessors and our response.
38. We welcome comments from Members on these principles and any specific matters of focus we might consider.
Appendix I: Audit Universe
The “Audit Universe” is our running record of all services at the Council we might examine. The list below shows its current arrangement including details of previous reviews.
| Area | Risk Score | Last Audit | Due | Corp Risk Link |
| --- | --- | --- | --- | --- |
| Top Priority: We aim to complete all of these during 2019/20 | | | | |
| Car Parks & Enforcement | High | 2016/17 | Due | |
| Developer Contributions | High | 2016/17 | Overdue | ✓ |
| Information Management | Moderate | 2016/17 | Due | |
| IT Network Security | High | 2018/19 | | |
| IT Tech Support | High | 2014/15 | Overdue | |
| Recruitment | Moderate | 2013/14 | Overdue | ✓ |
| Universal Credit | High | | | ✓ |
| Waste Crime Team | High | | | ✓ |
| Medium Priority: We aim to complete around half of these during 2019/20 | | | | |
| Budget Setting | Moderate | 2015/16 | Overdue | ✓ |
| Business Continuity | Moderate | 2015/16 | Overdue | |
| Business Rates | Moderate | 2017/18 | Not Due | ✓ |
| Community Protection Team | Low | 2017/18 | Not Due | ✓ |
| Contract Management | High | 2017/18 | Due | ✓ |
| Council Tax | Moderate | 2016/17 | Due | |
| Creditors | Moderate | 2018/19 | Not Due | |
| Customer Services | High | | | |
| Discretionary Housing Payments | Moderate | 2016/17 | Due | |
| Economic Development | High | 2017/18 | Due | ✓ |
| General Ledger | Moderate | 2017/18 | Due | |
| Health & Safety | Moderate | 2016/17 | Due | |
| IT Backup & Recovery | High | 2017/18 | Due | |
| IT Project Management | High | | | |
| Members’ Allowances | Low | 2015/16 | Due | |
| Parks | Moderate | 2015/16 | Due | |
| Planning Administration | High | | | |
| Residents’ Parking | High | 2016/17 | Not Due | |
| Social Media | Moderate | 2014/15 | Overdue | |
| Subsidiary Co. Governance | Moderate | 2017/18 | Due | |
| Treasury Management | Moderate | 2016/17 | Due | |
| Workforce Planning | Moderate | | | ✓ |
| Low Priority: Keep under review but not likely to undertake further work in 2019/20 | | | | |
| Building Control | Moderate | 2018/19 | Not Due | |
| CCTV | Moderate | | | |
| Conservation & Heritage | High | | | |
| Corporate Governance | Moderate | 2017/18 | Due | |
| Council Tax Reduction Scheme | Moderate | 2018/19 | Not Due | |
| Debt Recovery Service | High | 2018/19 | Not Due | |
| Declarations of Interest | Moderate | 2018/19 | Not Due | |
| Elections Management | Moderate | 2016/17 | Due | |
| Electoral Registration | Moderate | | | |
| Housing Benefit | Moderate | 2016/17 | Due | |
| Internal Communications | Moderate | | | |
| IT Asset Management | High | | | |
| Leisure Services | Moderate | 2014/15 | Overdue | |
| Parking Income | High | 2017/18 | Not Due | |
| Performance Management | Moderate | 2016/17 | Due | |
| Planning Enforcement | High | 2018/19 | Not Due | |
| Pre-Application Planning | High | | | |
| Procurement | High | 2017/18 | Due | ✓ |
| Property Management | Moderate | 2016/17 | Not Due | |
| Public Consultations | Moderate | 2018/19 | Not Due | |
| Public Health | Moderate | 2016/17 | Not Due | |
| Spatial Planning | High | 2017/18 | Due | ✓ |
| Training & Development | Moderate | 2016/17 | Due | |
| Waste Collection | High | 2018/19 | Not Due | ✓ |
| Website | Moderate | | | |
| Very Low Priority: Recent assurance gained and no fresh risk indicated | | | | |
| Absence Management | Moderate | 2018/19 | Not Due | |
| Budgetary Control | Moderate | 2018/19 | Not Due | |
| Complaints Handling | Moderate | 2018/19 | Not Due | |
| Crematorium | Low | 2017/18 | Not Due | |
| Debtors | Moderate | 2017/18 | Not Due | |
| Emergency Planning | Moderate | 2017/18 | Not Due | |
| Facilities Management | Low | 2016/17 | Not Due | |
| Food Safety | Low | 2017/18 | Not Due | |
| Grounds Maintenance | Moderate | 2018/19 | Not Due | |
| Home Improvement Grants | Low | 2017/18 | Not Due | |
| Homelessness | Moderate | 2018/19 | Not Due | |
| HR Policy Compliance | Moderate | 2018/19 | Not Due | |
| Insurance | Moderate | 2018/19 | Not Due | |
| Land Charges | Moderate | 2017/18 | Not Due | |
| Licensing | Moderate | 2018/19 | Not Due | |
| Marketing | Low | 2018/19 | Not Due | |
| Museum | Low | 2018/19 | Not Due | |
| Payroll & Expenses | Moderate | 2017/18 | Not Due | |
| Project Management | Moderate | 2018/19 | Not Due | |
| Safeguarding | Moderate | 2018/19 | Not Due | |
| Staff Performance Management | Moderate | 2018/19 | Not Due | |
| Theatre | Low | 2016/17 | Not Due | |
| Tourism | Low | | | |
Appendix II: Audit Team and Restructure
We are proud in the Audit team of having a strong record in supporting development and achievement within our team. With that in mind we periodically revisit arrangements to ensure we, for now and the future, are set up to continue delivering an efficient and effective service. We are therefore currently consulting on a restructure proposal that aims to:
· Give more supervising and mentoring opportunities to our Senior Auditors. This will both support junior staff and make the role a better development step towards management for those with that ambition.
· Create Audit Apprentice roles, linked to the Level 7 Internal Audit Professional Scheme recently approved by the Department for Education. This scheme, which lasts up to four years, eventually provides apprentices with all the professional qualifications they would need to rise to Head of Audit level as well as a Master’s degree in Audit & Consultancy.
· Create an annual pool of funds we can use flexibly to support different needs at partner authorities. This could be used, for instance, in securing specialist audit support on key projects. It could also support authorities in delivering savings targets, or get specific training to help existing members of the audit team.
The consultation period ends mid-March with new arrangements in place from the start of 2019/20. We will report to Members on results, and details of our new structure, in our annual reporting this coming June.
Appendix III: Performance Indicators
We are consulting on new performance indicators for 2019/20. Our proposed indicators for reporting are:
Training Take-Up
We recognise the success of our service is down to the quality of our people. The Council’s working environment, its risks and the practice of professional audit keep changing and we support and encourage our team to continue developing new skills.
We expect each person to devote a minimum 5% of their time to training and development, along a plan agreed with their line manager. This indicator measures how well people can take up and complete that training plan.
Overall Plan Progress
Each audit plan promises a certain number of days of productive audit work to each authority. This indicator measures how many productive days we have delivered against that plan target.
Audit Feedback (Quantitative)
Feedback from audit sponsors and others is a key indicator in letting us know how well our service meets the needs of each Council. This quantitative measure records a simple ‘satisfied/dissatisfied’ from key stakeholders for each audit report. It sits alongside a broader range of qualitative measures giving us more detailed feedback.
Prompt Reporting
Effective findings describe the world as it is now. Undue delay limits how much our findings can help the Council improve, or adds risk by leaving issues unaddressed.
This indicator measures the time between completion of our fieldwork and issue of the final report. So it includes both the time spent on the audit side creating a draft report and the service side in framing its response. We typically aim to get from fieldwork to final report in 30 days.
Appendix IV: Assurance Ratings
Assurance Ratings 2019/20 (unchanged since 2014/15)
Full Definition | Short Description
Strong – Controls within the service are well designed and operating as intended, exposing the service to no uncontrolled risk. There will also often be elements of good practice or value for money efficiencies which may be instructive to other authorities. Reports with this rating will have few, if any, recommendations and those will generally be priority 4. | Service/system is performing well
Sound – Controls within the service are generally well designed and operated but there are some opportunities for improvement, particularly with regard to efficiency or to address less significant uncontrolled operational risks. Reports with this rating will have some priority 3 and 4 recommendations, and occasionally priority 2 recommendations where they do not speak to core elements of the service. | Service/system is operating effectively
Weak – Controls within the service have deficiencies in their design and/or operation that leave it exposed to uncontrolled operational risk and/or failure to achieve key service aims. Reports with this rating will have mainly priority 2 and 3 recommendations which will often describe weaknesses with core elements of the service. | Service/system requires support to consistently operate effectively
Poor – Controls within the service are deficient to the extent that the service is exposed to actual failure or significant risk and these failures and risks are likely to affect the Council as a whole. Reports with this rating will have priority 1 and/or a range of priority 2 recommendations which, taken together, will or are preventing from achieving its core objectives. | Service/system is not operating effectively
Recommendation Ratings 2019/20 (unchanged since 2014/15)
Priority 1 (Critical) – To address a finding which affects (negatively) the risk rating assigned to a Council strategic risk or seriously impairs its ability to achieve a key priority. Priority 1 recommendations are likely to require immediate remedial action. Priority 1 recommendations also describe actions the authority must take without delay.
Priority 2 (High) – To address a finding which impacts a strategic risk or key priority, which makes achievement of the Council’s aims more challenging but does not necessarily cause severe impediment. This would also normally be the priority assigned to recommendations that address a finding that the Council is in (actual or potential) breach of a legal responsibility, unless the consequences of non-compliance are severe. Priority 2 recommendations are likely to require remedial action at the next available opportunity, or as soon as is practical. Priority 2 recommendations also describe actions the authority must take.
Priority 3 (Medium) – To address a finding where the Council is in (actual or potential) breach of its own policy or a less prominent legal responsibility but does not impact directly on a strategic risk or key priority. There will often be mitigating controls that, at least to some extent, limit impact. Priority 3 recommendations are likely to require remedial action within six months to a year. Priority 3 recommendations describe actions the authority should take.
Priority 4 (Low) – To address a finding where the Council is in (actual or potential) breach of its own policy but no legal responsibility and where there is trivial, if any, impact on strategic risks or key priorities. There will usually be mitigating controls to limit impact. Priority 4 recommendations are likely to require remedial action within the year. Priority 4 recommendations generally describe actions the authority could take.
Advisory – We will include in the report notes drawn from our experience across the partner authorities where the service has opportunities to improve. These will be included for the service to consider and will not be subject to a formal follow-up process.