Contact your Parish Council
Internal Audit & Assurance Plan 2023/24
Maidstone Borough Council
Introduction
1. This risk-based internal Audit Plan for 2023/24 provides adequate coverage to enable an annual Head of Audit Opinion to be made at the end of the financial year.
2. It is important that this Audit Plan has the flexibility to adapt and adopt to the changes and business priorities as they develop during the forthcoming financial year.
Risk Assessments
3. The Public Sector Internal Audit Standards direct that audit planning is built upon a
risk assessment. This assessment must consider internal and external risks, including
those relevant to the sector or global risk issues. This Plan for 2023/24 represents the current views now, but it will be necessary to continue to reflect and consider the audit response as risks and priorities change across the year. A specific update report will be provided to Members midway through the year.
Global and Sector Risks
4. In considering global and sector risks the risk assessment draws on various sources
such as the IIA and CIPFA.
5. This year will continue to be another challenging year for Local Government in terms
of funding, managing additional recruitment and technological advancement, which in turn may impact on the adequacy and effectiveness of the governance, risk and
control framework of the Council. A number of key areas which require consideration when planning the internal audit coverage are set out below. These areas cut across many of the activities carried out by the Council. These areas are not a full listing, nor are they in any priority order. Indeed many are not mutually exclusive of each other.
“Multi-channel” customer engagement: Partly as a result of COVID-19 but also as
process changes through improved technology, councils will need to embrace cutting
edge technology. Adopting a multi-channel approach to customer engagement will
enable council services to be more readily available, more accessible and more
transparent.
Commercialisation: Councils are being driven towards being more self-sufficient and
cost effective, with pressure to close funding gaps and rebalance budgets. Councils
will already be operating in different financial and more commercial environments
which have been tested by the business disruption associated with the COVID
Pandemic.
Cyber Security: As more services move on-line, risks and vulnerabilities are likely to
increase. Cyber security is as much about awareness and behaviours as it is about
network security. Resilience needs to be regularly and stringently stress tested
across the organisation to ensure it is operating effectively.
Financial Viability: With Council’s emerging from the pandemic and Brexit, Councils have been faced with the reality of unbalanced medium financial plans without including significant potential savings. This has been further exaggerated as the country faces a cost-of-living crisis and is on the fringes of recession. The challenge to ensure a balanced budget is becoming more difficult for all councils.
Staff Wellbeing: Since the COVID-19 pandemic and a move to more agile working, mental health has been on the decline as a result of increased work demands and feelings of loneliness due to remote working. Staff turnover is at an all-time high. Managing the wellbeing and associated risks is crucial to ensure a stable workforce.
Climate Change: Councils are taking action to reduce their own carbon emissions
and working with partners and local communities to tackle the impact of climate
change on their local area.
Inflation: The forecast rises in inflation after a long period of stability has had an
impact upon term contracts as well as budget management.
Council specific Audit Risk Review
6. This risk review incorporates two elements. The first element is the service’s relative
materiality to the Council’s overall objectives and controls. The assessment includes
consideration of:
Finance Risk: The value of funds flowing through the service. |
|
Priority Risk: The strategic importance of the service in delivering Council priorities. |
|
Support Service Risk: The extent interdependencies between Council departments. |
7. The second element considers the reputational aspects of a failure of the effective
operation of the internal control arrangements. The assessment includes
consideration of:
Oversight Risk: Considering where other agencies regulate or inspect the service. |
|
Change Risk: Considering the extent of change the service faces or has recently experienced. |
|
Audit Knowledge: What do we know about the service? This considers not just our last formal review, but any other information we have gathered from, for example, following up agreed actions. We also consider the currency of our knowledge, with an aim to conduct a full review in each service at least every five years if possible.
|
|
Fraud Risk: The susceptibility of the service to fraud loss. |
Audit Risk Prioritisation
8. The results of these various risk assessments provide a provisional Audit Plan. The
provisional Plan is consulted on with the Managers, Heads of Service and Corporate
Leadership Team to get their perspective on the audit assessment and from this the
Risk Based Audit Plan for the financial year is produced.
Resourcing the Audit Plan
9. MKA is currently going through a period of significant staffing change. There are several vacant posts within the team The Head of Mid Kent Audit is currently reviewing the structure. It is likely to be July 2023 at the earliest before all the substantive posts are filled.
10. MKA also have access to sources of specialist expertise through framework
agreements with audit firms, which includes access to subject matter experts.
11. The overall resource level is therefore based on the current audit team establishment and the chargeability for each grade. This calculation produces an available number of days across the four Councils to which MKA provides the internal audit service of 1,589 days.
12. Each Council receives a share in keeping with their contribution to the overall
partnership budget. The Collaboration Agreement is to be subject to a
comprehensive review during 2023/24. The Maidstone Audit Plan for 2023/24 is broadly based on the current Collaboration Agreement, but taking into account the level of work required to deliver an annual Audit Opinion for each authority. This approach has identified 436 days to assign for the 2023/24 audit plan.
13. We hold a variety of qualifications that help to ensure that we provide a high-quality service. These include CIPFA, Certified and Chartered Internal Auditors, a Chartered Accountant, a Certified Risk Manager and Accredited Counter Fraud Technicians. We are also supporting an apprentice through level 7 audit qualification. This breadth of skills and experience, along with any new staff we will recruit as part of the review of the team will enable delivery of the audit plan.
14. MKA has the skills and expertise to deliver the 2023/24 Audit Plan and it is confirmed
that planned audit work will enable a Head of Audit opinion for 2023/24 to be
delivered in Spring 2024.
15. The actual number of days allocated are set out below:
Audit Projects |
270 days |
Members Support |
20 days |
Consultancy |
29 days |
Risk & Governance |
53 days |
Follow-up |
22 days |
Counter Fraud |
18 days |
Audit Planning |
24 days |
|
|
Risk Based Audit: 270 Days
16. The primary part of Audit Plan is delivering risk based audit engagements. The list
below is in alphabetical and do not imply any ranking within the group or intended
delivery order. The timings for the individual reviews will be agreed with a suitable
officer sponsor once the Plan has been approved.
17. The Audit Plan has been prepared in the knowledge that there is ongoing work throughout 2023/24 on reviewing the staffing and procedural efficiencies and Collaboration Agreements for Mid Kent Audit Partnership. Any proposed
changes to the Audit Plan and the rationale for such changes, will be communicated to Senior Management Teams and Audit Committee Members.
18. Below we set out our audit engagements for the year ahead. We will agree the detailed objectives with the service as part of planning each review:
Maidstone Borough Council Audit Plan 2023/24
Project Title |
Previous Audit |
Previous Results |
Contract Management |
2017/18 |
Weak |
Social Media |
2019/20 |
Sound |
Safeguarding |
2015/16 |
Weak |
Safety Partnerships – Animal Welfare |
2017/18 |
Weak |
Elections Management |
2016/17 |
Sound |
Conservation and Heritage |
None |
|
Planning Enforcement |
2018/19 |
Weak |
General Ledger |
2016/17 |
Sound |
Insurance |
2017/18 |
Sound |
Grounds Maintenance |
2015/16 |
Sound |
Complaint Handing |
2017/18 |
Sound |
Public Health |
2016/17 |
Sound |
Economic Development - Development Capital Projects |
None |
|
Repair and Maintenance |
None |
|
Garden Waste |
None |
|
Shared MBC/SBC |
||
HR Policy Compliance |
2017/18 |
Sound |
Learning & Development |
2015/16 |
Sound |
Shared MBC/SBC/TWBC |
||
Land Charges |
2017/18 |
Weak |
Cyber Security |
2018/19 |
sound |
IT Disaster Recovery |
2017/18 |
sound |
Compliance with Computer use policy |
2014/15 |
sound |
Shared MBC/TWBC |
||
Council Tax Reduction Scheme |
2018/19 |
Sound |
Business Rates |
2017/18 |
Strong |
Follow-up of Agreed Actions: 22 days
19. Time has been allocated to following up the actions arising from internal audit
recommendations made and reporting the results to Senior Officers and Members.
Consultancy & Member Support: 49 days
20. A consultancy allocation provides general and specific extra advice or training to the
Council. This allocation also provides support to Members, through attendance at and reporting to Committees.
21. This fund also provides a contingency to avoid having to cut short engagements and
allow full exploration of significant findings.
Risk Management: 53 days
22. At Maidstone MKA’s responsibility encompasses tasks such as leading the risk management framework, keeping and updating strategic and operational risk registers. The responsibility for managing the identified risks remains with the relevant risk owners. MKA also compiles risk reporting to Senior Officers and Members, including an annual report to this Committee.
23. The plans for developing risk management in 2023/24 are set out in the Annual Risk Management Report.
Planning: 24 days
24. This time is allocated to complete the major part of the annual planning exercise, including updating risk assessments and consultation across the Council. The time is also used for identification of risks and issues across the Council, the wider public sector and the audit profession. This ensures the Audit Plan can remain dynamic and responsive to risk through the year.
Counter Fraud Support: 18 days
25. At Maidstone MKA’S responsibilities include writing and updating Counter Fraud and Whistleblowing policies, providing a channel for officers to raise concerns under the Public Interest Disclosure Act. MKA also acts as lead contact for the National Fraud Initiative, a data matching exercise co-ordinated by the Cabinet Office.
26. For 2023/24 it is intended to compile more detailed procedures for investigations, drawing on Cabinet Office Standards. We also aim to draw up training to support compliance with the Bribery Act and make clear where people should report any matters of concern.
26. The counter fraud support also includes conducting investigations on matters of concern. Additional time may be required for such work, and this will be drawn from the consultancy budget above.