MAIDSTONE BOROUGH COUNCIL

Audit Committee

30 MARCH 2015

REPORT OF Head of Audit Partnership

Report prepared by Russell Heppleston – Audit Manager 

1.           internal audit operational plan

1.1        Issue for Decision

1.1.1   The report is provided in order to allow the Committee to consider and approve the Internal Audit Operational Plan 2015/16.

1.2        Recommendation of the Head of Audit Partnership

1.2.1   The Audit Committee approves the Internal Audit Operational Plan for 2015/16.

1.2.2   The Audit Committee approves in principle the longer term plan up to 2018/19 but notes this will be subject to annual review and refresh.

1.3        Reasons for Recommendation

1.3.1   The role of the Audit Committee is required to obtain assurance on the control environment of the organisation; therefore, the Committee needs to have an awareness of the work conducted by Internal Audit, in order to adequately fulfil its duties.

1.3.2   The internal control environment comprises the whole network of systems and controls established to manage the Council, to ensure that its objectives are met. It includes financial and other controls, and arrangements for ensuring the Council is achieving value for money from its activities

1.3.3   The report attached in appendix A sets out the one-year operational plan for 2015/16 together with the longer-term plan up to 2018/19.  We ask the Committee to review and approve the 2015/16 operational plan in approve in principle the longer-term plan.

1.4        Alternative Action and why not Recommended

1.4.1   The Audit Committee as part of its terms of reference must maintain oversight of the internal audit function and its activities.  The plan proposed aims to complete internal audit’s responsibilities in an efficient and effective manner. We recommend no alternative course of action.

1.5        Impact on Corporate Objectives

1.5.1 The role of Internal Audit is to help the Council accomplish its objectives. All audit work considers the adequacy of controls and risks associated with the delivery of the Council’s strategic and operational objectives.

1.6        Risk Management

1.6.1   The audit plan is produced as a result of risk assessment examining where audit activity is best focussed.  The risk of not approving the plan is that the Council will be at greater risk of incurring or failing to detect fraud, error or service failure or weakness.

1.7        Other Implications

1.7.1   None directly

1.8        Relevant Documents

1.8.1.1              The following documents are to be published with this report and form part of the report:

Appendix A: Internal Audit Operational Plan 2015/16 – 2018/19

1.8.1.2              Background Documents

There are no background papers to further support this report.

IS THIS A KEY DECISION REPORT?                  THIS BOX MUST BE COMPLETED   NO     Yes                                               No     If yes, this is a Key Decision because: ……………………………………………………………..   …………………………………………………………………………………………………………………………….                                                         Wards/Parishes affected: …………………………………………………………………………………..   ……………………………………………………………………………………………………………………………..

Mid Kent Audit

Internal Audit Plan

2015/16 – 2018/19

Maidstone Borough

Council

Introduction

1.        Internal audit is an independent and objective assurance and consulting activity designed to add value and improve the Council’s operations. It helps the Council accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes[1].

2.        Statutory authority for Internal Audit is within the Accounts and Audit Regulations 2015 (the Regulations), which require the Council to undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes in accordance with the ‘proper practices’. From 1 April 2013 the ‘proper practices’ are the Public Sector Internal Audit Standards (PSIAS) that replaced the Code of Practice for Internal Audit in Local Government in the UK.

3.        The Head of Audit Partnership must provide an annual opinion on the overall adequacy and effectiveness of the Council’s framework of control, governance and risk, as required by both PISAS and Regulation 5. The opinion takes into consideration:

a)    Controls: Including financial and non-financial controls.

b)    Governance:  Including effectiveness of measures to counter fraud and corruption, and

c)    Risk Management: Principally, the effectiveness of the Council’s risk management framework.

4.        This document sets out our internal audit plan for the next four years outlining the work we will undertake to both inform that opinion and provide wider support to the Council in helping to achieve its strategic objectives.  As required by PSIAS we have, for the first time, included for the Committee details of the risk assessment that underpins the plan to demonstrate the process of its compilation.  We aim by this to give the Committee assurance that our work is appropriately tailored to reflect the risks to and priorities of the Council and sufficiently resourced to deliver an effective and accurate audit opinion.

5.        Naturally, in order to effectively respond to the changing environment of local government we will need to keep our plan continually flexible and under review.  As the activities of the Council, and the consequent risks to its control, governance and risk management vary, so we will need to consider how our audit plan is best arranged to deliver appropriate assurance.  This may include substituting individual projects or changing their scope, timing or duration.

6.        Our principal route for this review will be in ongoing consultation with the Council’s s.151 Officer, although we will continue to keep the Audit Committee abreast of changes through our interim and annual reporting as well as consult directly with the Chair of this Committee with respect to significant changes to the plan (as set out in the Audit Charter elsewhere on tonight’s agenda, if the Committee accept our recommendation to adopt the Charter).

Basis of our plan: available resources

7.    In previous years our audit plans were centred on delivering a set number of projects per year.  While this gave the plans directness and simplicity it limited the ability of the service to respond to changing need; a project is a large block of work to flex and adapt.  Moreover, that approach did not recognise the time and contribution of audit management or acknowledge any of the range of additional tasks and support the service provides.  The restriction also led to inconsistent definition of what constituted an audit ‘project’, obscuring the link between plans and the risk profile of the authority.  This weakness was noted and commented on within our 2014 External Quality Assessment (EQA) undertaken by the Institute of Internal Auditors (IIA).

8.    This plan seeks to add this flexibility by taking advantage of the freedom in the 2014 revised collaboration agreement by moving from a project to days-led approach.  In moving to this approach we have allocated to each authority a total number of audit days proportionate to their financial contribution to the service.

For further details of the resources available to the Partnership, see appendix E.

9.    Therefore the total audit allocation for Maidstone BC in 2015/16 is 470 days.  Based on our risk assessment, we are satisfied that represents a sufficient level of resource to evaluate the effectiveness of the Council’s risk management, internal control and governance processes.  Our audit plan cannot address all risks across the Council and represents our best deployment of limited audit resources.  In approving the plan, the Audit Committee recognises this limitation.  We will keep the Committee abreast of any changes in our assessment of resource requirement as we monitor the risks posed to the Council.  In particular, we will revise this resource assessment afresh each year of the four year plan.

Basis of our plan: risk assessment

10.    Our assessment that this level of resource is adequate is based upon the risk assessment underlying our plan.  This assessment comprises 3 principal steps:

Step 1: Understanding the Audit Universe, Strategic Priorities and Risks

11.    Our assessment of the audit universe – essentially all of the areas and topics that are within the potential scope of audit review and contribute to the Council’s pursuit of its strategic priorities – is informed by review of the Council’s structure, ongoing meetings and discussion with officers and Members and review of Council meeting papers. 

12.    Our aim in drawing together the plan is that, over the course of its four year lifetime, all areas of the Council will have received a proportionate level of audit review.  The 2015/16 assessment of the audit universe is shown by the areas displayed in the plan at appendix A and we will update and refresh this assessment each year.

13.    Strategic priorities and risks have been determined by the Council and considered by us in drawing together the audit plan.  As the Council moves through the process of refreshing and updating its strategies and priorities for 2015/16 onwards, it is important that the audit plan is flexible to respond to the changing needs of the Council. We therefore keep our assessment of risks and priorities under review, to ensure that any changes in direction are considered within our audit plan. 

14.    The Council’s key risks are included within its strategic risk register 2013-2016.  At the time of writing, the register details 6 risks scenarios, some of which contain several individual risks:

Risk 1 (amber): Having the right resources which are used in the right way

Risk 2: (amber) Resident satisfaction with place & the way that services are provided

Risk 3: (red) Economic downturn/austerity agenda

Risk 4: (red) Creating the place we want to be

Risk 5: (amber) Delivering services in partnership with others

Risk 6: (red) Impacts arising from political change

Step 2: Evaluating the risks

15.         A key finding of the IIA’s EQA last year was the need to make our planning more clearly derived from and led by the differing objectives and risks at each authority; a point that was the root finding for 4 of the 6 recommendations needed to achieve full conformance with the PSIAS.  We have responded to those recommendations in this plan by conducting a comprehensive risk assessment across the range of Council services, building on our work in identifying the audit universe and the Council’s key priorities and risks.

16.         In conducting this assessment we considered risk across 6 discrete fields (summarised below, a full detail of our assessment process is at appendix B.

Financial Risk

The risk that failure in the service/area will undermine the Council’s financial standing.

Strategic Risk

The risk that failure in the service/area will prevent achievement of a strategic goal or mitigation of a priority risk.

Fraud Risk

The risk that the service will be a victim of fraud or corruption, from within our without.

Change Risk

The risk that the service will be subject to, or seek, change leaving it vulnerable to failure.

Oversight Risk

The risk that failure in the service will not be identified or addressed by agencies other than internal audit.

Exposure Risk

The risk that failure in the service will materially damage the Council’s standing, including its ability to deliver services for the local population.

17.         One of these risks in particular –Oversight Risk – bears further explanation.  One way of considering the control environment at any organisation is the three lines of defence model.  In this analogy, an organisation has three levels of control which might serve to prevent or detect failure or error.

First Line of Defence: Direct controls within the service itself operating day-to-day to maintain internal control and support risk management.

Second Line of Defence: Controls operating at a corporate level to provide oversight to the process, setting and monitoring a framework for internal control and risk management to operate within.

Third Line of Defence: An independent perspective, still under corporate control, to challenge and comment upon the process and its implementation.  Usually, this is the level at which Internal Audit operates.

18.         When considering oversight risk, we reviewed the extent to which any service is subject to this model.  Also, beyond those internal measures, we also sought to establish and consider what level of external regulation and oversight operates.  For instance, although the Health and Safety Executive is not part of the Council’s own control processes (as the Council cannot control or direct its actions), its reviews and findings provide useful commentary and perspective on the effectiveness of controls.  The Council’s external auditors – Grant Thornton – provide a similar perspective across the Council’s finances and value for money operations.

19.         As noted in appendix B, where a given service does not have a clear position within the three lines of defence or is not subject to detailed oversight from any external agency, we scored this risk factor more highly.

20.         We considered each of those inherent risk factors alongside a final factor:

Audit Knowledge

Whether there are findings from previous audits (or an absence of positive audit findings in recent years) which suggest an increased risk of service failure.

21.         The detailed audit plan at appendix A includes details of recent audit coverage in each area.

22.         Our risk assessment is necessarily limited to matters emerging from the processes listed above.  We will review and update this assessment and our plan at least annually, as well as keeping abreast of developments at the Council and seeking to ensure our plan remains relevant and valuable in-between those annual reviews.  In consultation with management, and with the approval of the Audit Committee, we will seek to ensure that audit resources remain appropriately focussed.

Step 3: Drawing up the plan and individual projects

23.         The higher risk a service or area, by this evaluation the greater level of audit attention and the earlier in the lifespan of our plan that attention comes.  Appendix A shows how that assessment has formed our audit plans for 2015/16 to 2018/19.

24.         Once we have selected an area for review it will be subject to our usual process of issuing draft and final briefs ahead of the work to ensure our attention is appropriately tailored. 

25.         The risk-based approach taken to forming the plan as a whole will be integrated within our approach to individual projects.  Each will now include, in addition to any specific objectives agreed by the service, the following three objectives as standard:

·         Has the service/area set out its objects and risks and are these in line with the Council’s overall aims and risk appetite?

·         Are there adequately designed controls to achieve those objectives and/or mitigate those risks?

·         Are those controls operating effectively?

26.         We will conduct each review in line with our standard audit methodology which is aligned to the Public Sector Internal Audit Standards.   The roles and responsibilities for successful delivery of audit projects are set out also in our Audit Charter.  An updated Charter for 2015/16 is also included on this agenda and will be provided to every audit sponsor.

27.         Each of these audit reviews will culminate in an assurance rated report, giving our view on whether the particular area is operating effectively.  We will keep these rating levels consistent with our revised approach adopted first in 2014/15, with details of the assurance levels included as a reminder to Members in this report at appendix C.

28.         We will also, where appropriate, make recommendations for improvement.  These recommendations are graded as set out in appendix C and followed up by our audit team when due for implementation.  Recommendations that we find have not been implemented where there is ongoing risk to the Council are reported in the first instance to the Council’s Management Team.  Also, Senior Managers responsible for services that consistently fail to address audit recommendations may be invited to provide further explanation to Members at the Audit Committee.

29.         The plan also recognises the non-project work we deliver, using our experience and expertise to assist the Council in pursuit of its strategic priorities.  We undertake this work in line with the arrangements set out in the Charter, in particular with those safeguards aimed at preserving our independence and objectivity.

30.         Typically the non-project work will not result in an assurance graded output, but rather an alternative format relevant to the engagement and agreed with the work’s sponsor.  In any event, we will inform the Audit Committee of the outcomes of non-project work through our interim and year end reports.

Monitoring delivery

31.         We undertake our audit work against our standard audit approach, which has been assessed in our EQA as consistent with the PSIAS.  In addition we adhere to the professional standards, roles and responsibilities as set out in the Charter.

32.         As part of this approach we are careful to ensure the quality and consistency of our work.  With respect to individual audit projects, each undergoes internal review from management focussing on each stage from compilation of the original brief, through completion of fieldwork and ultimately our reporting.

33.         We undertake broader quality assurance of our work as required by the PSIAS.  These require an external assessment at least every five years and annual self-assessments to ensure maintenance of standards.  Mid Kent Audit underwent an EQA in early 2014, becoming the first local authority audit service in the country to seek such a review from our professional institute, the IIA.  This concluded we were fully conforming with 50/56 PSIAS and partially conforming to the remaining 6.  We are currently in discussion with the IIA about their completing a follow up review in early April 2015 to examine our progress on implementing the recommendations and hope to report the outcome of that review to Members as part of our 2014/15 annual report.

34.         In addition our annual reports will include a full self-assessment against the PSIAS.  In the event of this review identifying matters to address we will set out a plan for Members for our response.

35.         We are also responsible to Members via the Audit Committee.  We will provide interim and annual reports on progress against our plans, as well as attend each Committee meeting to respond to queries from Members.  The Head of Audit Partnership is also the lead contact for Members for any matters arising, queries about the service or areas of concern (including Whistleblowing, under the Council’s procedures) and can be contacted at any time.

36.         Our service is also monitored each quarter by an Audit Shared Service Board; David Edwards (Director of Environment and Shared Service) is Maidstone’s representative.  The Board receives performance and financial monitoring reports on the progress of the service.  The set of performance indicators against which we report are included at appendix D, and we also report outturn on these indicators to the Audit Committee twice a year.

37.         We are also dedicated to continuing to develop and enhance the professional expertise and experience of our audit team.  For 2015/16 this includes re-starting the previously dormant ‘Trainee Auditor’ grade, taking on skilled individuals dedicated to pursuing a career in local government audit and supporting them through a professional qualification.  We include more details about the audit team and the work we will be undertaking in 2015/16 to support and enhance their development within appendix E

Appendix A: Maidstone Borough Council: 4 Year Audit Plan

Core Finance & Corporate Governance Reviews

Service Reviews

Other Work

Overall Summary

Audit projects noting more than one client (e.g. MBC/SBC/TWBC) are reviews of services delivered in partnership.  In such instances our work is co-funded between the partners’ audit plans and the audit output will be made available to all on the same basis. Precise timings of work within a given year will be subject to negotiation with individual audit sponsors.

Appendix B: Risk Assessment Criteria

Appendix C: Assurance & Recommendation Ratings

Assurance Ratings 2015/16 (unchanged from 2014/15)

Recommendation Ratings 2015/16 (unchanged from 2014/15)

Priority 1 (Critical) – To address a finding which affects (negatively) the risk rating assigned to a Council strategic risk or seriously impairs its ability to achieve a key priority.  Priority 1 recommendations are likely to require immediate remedial action.  Priority 1 recommendations also describe actions the authority must take without delay.

Priority 2 (High) – To address a finding which impacts a strategic risk or key priority, which makes achievement of the Council’s aims more challenging but not necessarily cause severe impediment.  This would also normally be the priority assigned to recommendations that address a finding that the Council is in (actual or potential) breach of a legal responsibility, unless the consequences of non-compliance are severe. Priority 2 recommendations are likely to require remedial action at the next available opportunity, or as soon as is practical.  Priority 2 recommendations also describe actions the authority must take.

Priority 3 (Medium) – To address a finding where the Council is in (actual or potential) breach of its own policy or a less prominent legal responsibility but does not impact directly on a strategic risk or key priority.  There will often be mitigating controls that, at least to some extent, limit impact.  Priority 3 recommendations are likely to require remedial action within six months to a year.  Priority 3 recommendations describe actions the authority should take.

Priority 4 (Low) – To address a finding where the Council is in (actual or potential) breach of its own policy but no legal responsibility and where there is trivial, if any, impact on strategic risks or key priorities.  There will usually be mitigating controls to limit impact.  Priority 4 recommendations are likely to require remedial action within the year.  Priority 4 recommendations generally describe actions the authority could take.

Advisory – We will include in the report notes drawn from our experience across the partner authorities where the service has opportunities to improve.  These will be included for the service to consider and not be subject to formal follow up process.

Appendix D: Performance Indicators

Appendix E: Mid Kent Audit Team

Management

Rich Clarke CPFA (Head of Audit Partnership): Rich became head of the audit partnership on 1 April 2014, succeeding Brian Parsons.  He joined the partnership from KPMG, where he had a range of internal and external audit clients across the public sector including LB Islington, Woking BC, East Kent Hospitals University NHS Trust, the Foreign and Commonwealth Office and the Civil Aviation Authority.  Previous to joining KPMG, Rich worked for the Audit Commission for 12 years, where he achieved CIPFA qualification and gained broad experience in local government and NHS audit as well as leading national training on technical accounting, data quality and audit efficiency and project management.  In 2015/16 Rich will be begin studying again aiming to achieve CIPFA Accredited Counter Fraud Specialist status.

Ian Cumberworth MAAT (Audit Manager: Ashford & Tunbridge Wells): Ian became the Audit Manager for Ashford and Tunbridge Wells in  2010 when the original partnership was extended having previously been the Audit Manager at Tunbridge Wells . He has experience of working in the private sector and a number of public sector authorities and has gained a broad knowledge and experience within Local Government. He has experience in supporting and leading on corporate projects which has included areas such as Best Value, VFM studies, Procurement & Contracting initiatives and various inspection regimes.

Russell Heppleston CMIIA (Audit Manager: Maidstone & Swale): Russell started working for the Maidstone / Ashford partnership in November 2005, and continued his role as Auditor for the Mid Kent Audit Service when it was established in 2010.  He progressed through professional qualifications with the Institute of Internal Auditors (IIA) to achieve both Practitioner and Chartered member status. As an Auditor Russell examined the majority of council services, and had particular interests in project management and governance. In September 2013 Russell was appointed as the Audit Manager for Maidstone and Swale, and is the client manager at both sites and is responsible for delivering the audit plan.  In 2015/16 Russell will be studying to achieve accreditation with the Institute of Risk Management.

Auditors & Senior Auditors

Alison Blake ACCA (Senior Auditor): Alison joined the internal audit partnership in 2012 and has worked on a variety of audits since starting.  Prior to this Alison worked for South Coast Audit for 7 years where she undertook internal audit work across a range of NHS clients in East Kent.  While at South Coast Audit she achieved ACCA qualification.  During Alison’s career she has completed a wide range of audit work including finance, information governance and risk management, system reviews and reviews of compliance with legislation with the aim of working with the client to help them achieve their objectives and the objectives of the organisation as a whole.   Alison is currently on maternity leave but will be re-joining the team in January 2016.

Mark Goodwin (Senior Auditor): Mark joined Ashford Borough Council in January 1999 having previously worked at Maidstone Borough Council in an audit role.  He was a founder member of the Ashford and Maidstone Internal Audit Partnership before this developed into the four-way Mid Kent Audit Partnership in April 2010.  He is an experienced auditor who has audited extensively the full spectrum of Council services and activities across a number of local authorities.

Frankie Smith PIIA (Senior Auditor): Frankie Smith started her career in Internal Audit at Kent County Council in 2001 as a Trainee Auditor.  In December 2001 she was appointed to the role of Auditor at Maidstone Borough Council.  In the last 13 years she has completed audits at Ashford, Maidstone, Swale and Tunbridge Wells and is currently the Senior Auditor at Swale Borough Council.   Frankie completed the CIPFA Diploma in Public Audit in 2003, the IIA Diploma in March 2013 and is now studying towards the IIA Advanced Diploma with a view to becoming a tutor for the IIA qualifications.

Claire Walker (Senior Auditor): Claire joined the audit partnership in September 2010, and has wide experience in a variety of sectors and bodies; Local and Central Government, Arts, Broadcasting, Financial Services, NGOs & Not For Profit Sector (domestic & foreign), also Lottery Fund distribution QUANGOS (New Opportunities Fund, Big Lottery Fund, Millennium, Commission, Olympic Delivery Agency, Heritage Lottery Fund, and Sport England) and the associated grant making programmes (in house and outsourced grant administered programmes).  Claire delivered some training & mentoring projects for the FCO, DFID and the World Bank in addition to work on European Social Fund projects.  Within Local Government Claire has undertaken a wide range of audits with a focus on legal compliance, contracts and governance arrangements.  Other audit experience covers outsourcing functions, due diligence, and fraud investigations. 

Jen Warrillow PIIA (Auditor): Jen joined Mid Kent Audit in September 2013 from Kent County Council where she trained as an Internal Auditor. She recently completed study for Practitioner of the Institute of Internal Auditors status and during 2015 will study to become a Chartered Member of the Institute.  At KCC Jen undertook a wide range of audits including financial, governance and grant funding internally for the Council and externally for Parish Councils.  Previous to joining KCC, Jen worked as an investigator for Swale BC and then Tonbridge & Malling BC.  Jen will be providing maternity cover for Alison Blake in the Senior Auditor role until July 2015.

Paul Goodwin AAT (Auditor): Paul has been employed by Tunbridge Wells Borough Council for over 26 years of which nearly all has been in Internal Audit. Paul is a qualified Accounting Technician.

Jo Herrington PIIA (Auditor): Jo joined the audit partnership on 30 September 2013. She joined the partnership from Gravesham BC, where she worked for nearly nine years. She gained experience of working in the Finance department and the Revenues department before settling in the Internal Audit team in September 2009, who operated a shared management arrangement with Tonbridge & Malling BC. As part of the Internal Audit team she gained broad experience conducting financial and operational audit reviews, as well as being involved in working groups across the authority. Jo recently achieved the IIA Diploma, and will be providing maternity cover for Alison Blake in the Senior Auditor role between July and December 2015.

Trainee Auditors & Others

Michael Pugh (Trainee Auditor): Michael joined the audit team in March 2015 as a trainee auditor.  He joins us from Baker Tilly where he worked as a risk analyst within their Technology Services internal audit division at clients across the private and public sectors.  Michael will be embarking on a professional qualification supported by the service during 2015/16.

Ben Davis (Trainee Auditor): Ben joined the audit team in March 2015 as a trainee auditor.  Ben holds a degree in Modern History from UEA and has previous experience in finance teams in the private and voluntary sectors.  Ben will also be embarking on a professional qualification supported by the service during 2015/16.

We also have facility within the audit service to seek and deploy additional specialist resource depending on the needs of the service and of our local authority partners.  In 2014/15 we used this facility to support delivery of specific audit projects including a significant counter fraud investigation and a major post implementation review of a shared service project.