1.       PURPOSE OF REPORT AND EXECUTIVE SUMMARY

1.1    This report is provided to enable the Committee to consider and endorse the Internal Audit Plan 2016-17.

1.2    Public Sector Internal Audit Standards requires the Internal Audit Service to establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals.

1.3    As the Committee charged with governance, the Audit, Governance & Standards Committee it is required to consider and endorse the audit plan, and maintain oversight of the internal audit service and its activities.

2.       INTRODUCTION AND BACKGROUND

2.1    The Audit, Governance and Standards Committee must obtain assurance on the control environment of the Council. Consequently, the Committee needs to have an awareness of the work conducted by Internal Audit, in order to adequately fulfil its duties.

2.2    The internal control environment comprises the whole network of systems and controls established to manage the Council, to ensure that its objectives are met. It includes financial and other controls, and arrangements for ensuring the Council is achieving value for money from its activities

2.3    The report sets out the one-year operational plan for 2016/17 together with an update to the longer-term plan up to 2018/19 originally presented to the Audit Committee in March 2015.  We ask the Committee to review and endorse the 2016/17 operational plan and note the longer-term plan.

2.4    We also ask Members to note the Audit Partnership’s view that the Partnership has sufficient resources to deliver the plan.  This final request arises from developments to Public Sector Internal Audit Standards during 2015/16 that requires the Head of Audit to explicitly draw attention of Members to his assessment of the resources as his disposal.

3.       AVAILABLE OPTIONS

3.1    The plan proposed aims to complete internal audit’s responsibilities in an efficient and effective manner, in accordance with our professional standards. We recommend no alternative course of action.

4.       PREFERRED OPTION AND REASONS FOR RECOMMENDATIONS

4.1    The Audit, Governance & Standards Committee it is required to consider and endorse the audit plan, and maintain oversight of the internal audit service and its activities.

4.2    The risk of not endorsing the plan is that the Council will be at greater risk of incurring or failing to detect fraud, error or service failure or weakness.

5.       CONSULTATION RESULTS AND PREVIOUS COMMITTEE FEEDBACK

5.1    The audit plan is developed through consultation with senior officers and Heads of Service across the Council. Previously this committee has endorsed the audit plan, and commented positively on its formation.

5.2    The plan has also been shared in full with officers at the Council’s Wider Leadership Team and at the Audit Partnership’s Shared Service Board. This report reflects comments made during consultation.

6.       NEXT STEPS: COMMUNICATION AND IMPLEMENTATION OF THE DECISION

6.1    If the plan is endorsed as outlined, then the next step will be for us to write to each Head of Service to communicate the audit projects in their service areas for the year.

7.       CROSS-CUTTING ISSUES AND IMPLICATIONS

8.       REPORT APPENDICES

The following documents are to be published with this report and form part of the report:

·         Appendix I: Internal Audit Plan 2016-17

9.       BACKGROUND PAPERS

There are no background papers to further support this report.

Mid Kent Audit

Internal Audit Plan 2016/17 Operational Plan and Strategic Plan Update

Maidstone Borough Council

Introduction

1.             Internal audit is an independent and objective assurance and consulting activity designed to add value and improve the Council’s operations. It helps the Council accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes[1].

2.             Statutory authority for Internal Audit is within the Accounts and Audit Regulations 2015, specifically Regulation 5:

A relevant authority must undertake an effective internal audit to evaluate effectiveness of its risk management, control and governance processes, taking into account Public Sector Internal Audit Standards (PSIAS).

3.             The Head of Audit Partnership is required by PSIAS standard 2450 to provide an annual opinion on the overall adequacy and effectiveness of the Council’s framework of governance, risk management and control. The opinion takes into consideration:

a)             Internal Controls: Including financial and non-financial controls.

b)             Corporate governance:  Including effectiveness of measures to counter fraud and corruption, and

c)             Risk Management: Principally, the effectiveness of the Council’s risk management framework.

4.             The opinion draws significantly on the work conducted by the audit team during the year which is principally set out in the internal audit plan. The Standards, specifically standard

·         The Head of Audit Partnership must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals 

5.             This document builds on our 4 year strategic plan presented to this Committee in March 2015, outlining the updates and adaptations we propose to ensure that the 2016/17 operational plan will support an accurate and reliable Head of Audit opinion and help the Council achieve its objectives.  While the focus is on 2016/17, we have also made some consequential adaptations to the final two years of the plan which we will revisit in full and extend into 2020/21 as part of next year’s planning.

Basis of our plan: available resources

6.             Last year we adapted the basis of our plan to move from seeking to deliver a set number of projects to a number of audit days.  This move has enabled a much greater responsiveness and flexibility in how we deliver the audit resource.  At Maidstone in 2015/16 this helped enable us to support the Council in developing its risk management approach.

7.             As noted in our interim update in December 2015, during 2015/16 the Audit Partnership was restructured following the departure of a long-standing Audit Manager.  The restructure has meant the team for 2016/17 can deliver more productive days. We achieve this through the addition of an audit team administrator role to free-up time for completing the plan, revision to the audit manager job description to enable more direct project and consulting work and continued development of the two trainee posts we created in 2015.

8.             These changes have meant an increase across the Partnership in available productive days from 1,600 to 1,710, an increase of just under 7%.  Given that the restructure occurred within the existing audit budget, this increase in productive days is at no additional cost.

9.             In accordance with the principles of the Collaboration Agreement which governs the operation of the service, we divide these days between the authorities in line with their contribution to the service’s budget, as per the table below:

10.         Therefore the total audit allocation for Maidstone BC in 2016/17 is 500 days, an increase of 30 days from the 2015/16 level. We are satisfied that the Audit Partnership has sufficient resources in both quantity and capability to fulfil responsibilities. We present a full analysis of resources on the following page to support this conclusion.

11.         However, we must clarify that our audit plan cannot address all risks across the Council and represents our best deployment of what are inevitably limited audit resources.  In approving the plan, the Audit Committee recognises this limitation.  We will keep the Committee abreast of any changes in our assessment of resource requirement as we monitor the risks posed to the Council.  In particular, we will revise this resource assessment afresh each year.

12.         Operational guidance on PSIAS 2030 (Resource Management) sets out a range of factors Heads of Audit must consider when evaluating whether the level of resource available is sufficient to fulfil responsibilities.  Our analysis of the audit partnership against this guidance is outlined below:

Basis of our plan: risk assessment

13.         In compiling the four year strategic plan in 2015 we undertook a comprehensive evaluation of all areas of potential assurance need (the ‘audit universe’) and the risks and priorities of the Council.  It is not efficient to run that evaluation in full every year and so the 2016/17 planning has concentrated on adapting and evolving our understanding of the internal control, governance and risk framework.  We will undertake a more comprehensive review ahead of the 2017/18 audit plan, including a new four-year plan which will extend out to 2020/21.

14.         What we have done for 2016/17 is an analysis of the projects and other audit work originally scheduled in the four-year plan we presented in March 2015 and considered their continuing relevance and utility to the Council based on our understanding of how its risks and priorities have developed.  To form this analysis we have:

·         Considered the results of audit work conducted in 2015/16 (including non-project work ,follow-up of recommendations and work completed at other authorities),

·         Consulted widely with officers, including meeting individually with each Head of Service and presenting an earlier draft of this plan to the Shared Service Board which includes the Council’s s.151 Officer.

·         Reviewed the Council’s strategic plan and risk documentation, including direct participation across the year at officer led risk workshops.

15.         These steps stand in addition to our day-to-day work across the year in keeping plans flexible and responsive to new information and feedback from officers, Members and the broader environment the Council operates in.

16.         The work identified for 2016/17 is set out on the following page, along with further notes of the ground we expect the review to cover (although specific audit scopes with be agreed with audit sponsors during engagement planning) and comments on any changes from the 2016/17 plan outlined in our 4 year strategic plan of Mach 2015.

2016/17 Operational Audit Plan

2 Shared service review jointly funded from audit plans of participating authorities.

17.         At Appendix II, we show this plan in place against the remainder of our strategic plan up to 2018/19.  This includes a small number of consequential amendments to 2017/18 and 2018/19, particularly when work has been re-scheduled.  We will re-consider those changes and set out further detail as part of our planning for 2017/18 and subsequent years.

Delivering audit work

18.         The risk-based approach taken to forming the plan is integrated within our approach to individual projects.  In addition to any specific objectives agreed with the audit sponsor at the time of drawing up the audit scope each project considers the strategies, risks and objectives relevant to the service area under review.

19.         We will conduct each review in line with our standard audit methodology which is aligned to the Public Sector Internal Audit Standards.   The roles and responsibilities for successful delivery of audit projects are set out also in our Audit Charter.  An updated Charter for 2016/17 is also included on today’s agenda and will be provided to every audit sponsor.

20.         Each of these audit reviews will culminate in an assurance rated report, giving our view on whether the particular area is operating effectively.  We will keep these rating levels consistent with our revised approach adopted first in 2014/15, with details of the assurance levels included as a reminder to Members in this report at appendix IIII.

21.         We will also, where appropriate, make recommendations for improvement.  These recommendations are graded as set out in appendix IIII and followed up by our audit team when due for implementation.  Recommendations that we find have not been implemented where there is ongoing risk to the Council are reported in the first instance to the Council’s Leadership Team.  Also, Senior Managers responsible for services that consistently fail to address audit recommendations may be invited to provide further explanation to Members at the Audit, Governance & Standards Committee.

22.         The plan also recognises the non-project work we deliver, using our experience and expertise to assist the Council in pursuit of its priorities.  We undertake this work in line with the arrangements set out in the Charter, in particular with those safeguards aimed at preserving our independence and objectivity.

23.         Typically the non-project work will not result in an assurance graded output, but rather an alternative format relevant to the engagement and agreed with the work’s sponsor.  In any event, we will inform the Audit Committee of the outcomes of non-audit work through our interim and year end reports.

Monitoring delivery

24.         We undertake our audit work against our standard audit approach, which has been assessed in our EQA as conforming with the PSIAS.  In addition we adhere to the professional standards, roles and responsibilities as set out in the Charter.

25.         As part of this approach we are careful to ensure the quality and consistency of our work.  With respect to individual audit projects, each undergoes internal review focussing on each stage from compilation of the original brief, through completion of fieldwork and ultimately our reporting.

26.         We undertake broader quality assurance of our work as detailed in our annual reports which include a full self-assessment against the PSIAS.

27.         Our service is also monitored each quarter by an Audit Shared Service Board; Paul Riley is Maidstone’s representative.  The Board receives performance and financial monitoring reports on the progress of the service.  The set of performance indicators against which we report are included at appendix V, and we also report outturn on these indicators to the Audit Committee twice a year, as part of our interim report in September, and the annual report in June.

28.         We are also dedicated to continuing to develop and enhance the professional expertise and experience of our audit team.  In 2016/17 we have three of the team studying for professional qualifications in addition to the five who gained qualifications in 2015/16.  We include more details about the audit team and the work we will be undertaking in 2016/17 to support and enhance their development within appendix III.

Appendix II: Maidstone Borough Council: Updated Strategic Plan

Core Finance & Corporate Governance Reviews

Operational Reviews

29.              Audit projects noting more than one client (e.g. ABC/SBC) are reviews of services delivered in partnership.  In such instances our work is co-funded between the partners’ audit plans and the audit output will be made available to all on the same basis.  Precise timings of work within a given year will be subject to negotiation with individual audit sponsors.

Other Work

Overall Summary

*In 2017/18 we will be undergoing a full risk assessment exercise for the audit plan, and so anticipate the total allocated days to be re-allocated accordingly to the assessment outcomes.

Appendix III: Mid Kent Audit Team

Management

Management

Rich Clarke CPFA ACFS (Head of Audit Partnership): Rich became head of the audit partnership on 1 April 2014 joining the partnership from KPMG, where he had a range of internal and external audit clients across the public sector including LB Islington, Woking BC, East Kent Hospitals University NHS Trust, the Foreign and Commonwealth Office and the Civil Aviation Authority.  Rich is a Chartered Accountant (CPFA) and during 2015 undertook and passed further study to become an Accredited Counter Fraud Specialist (ACFS).

Russell Heppleston CMIIA (Deputy Head of Audit Partnership): Russell started working for the Maidstone / Ashford partnership in November 2005, and continued his role as Auditor for the Mid Kent Audit Service when it was established in 2010.  He progressed through professional qualifications with the Institute of Internal Auditors (IIA) to achieve both Practitioner and Chartered member status. Having been appointed as Audit Manager for Swale and Maidstone in 2013, Russell was subsequently appointed as Deputy Head of Audit Partnership in the 2015 restructure.  During 2016/17 Russell will be studying to achieve accreditation with the Institute of Risk Management.

Frankie Smith CMIIA (Audit Manager – Swale & Tunbridge Wells): Frankie Smith started her career in Internal Audit at Kent County Council in 2001 as a Trainee Auditor.  In December 2001 she was appointed to the role of Auditor at Maidstone Borough Council.  Over the last 15 years she has completed audits at Ashford, Maidstone, Swale and Tunbridge Wells and became fully CMIIA qualified in August 2015.  Frankie was appointed to the role of Audit Manager for Swale and Tunbridge Wells in August 2015.

Alison Blake ACCA, CIRM (Audit Manager – Ashford & Maidstone): Alison joined the internal audit partnership in 2012.  Prior to this Alison worked for South Coast Audit for 7 years where she undertook internal audit work across a range of NHS clients in East Kent. During Alison’s career she has completed a wide range of audit work including finance, information governance and risk management, system reviews and reviews of compliance with legislation with the aim of working with the client to help them achieve their objectives and the objectives of the organisation as a whole.   Following Alison’s recent return from maternity leave she takes on the role of Audit Manager for Ashford and Maidstone.

Auditors & Senior Auditors

Mark Goodwin (Senior Auditor): Mark joined Ashford Borough Council in January 1999 having previously worked at Maidstone Borough Council in an audit role.  He was a founder member of the Ashford and Maidstone Internal Audit Partnership before this developed into the four-way Mid Kent Audit Partnership in April 2010.  He is an experienced auditor who has audited extensively the full spectrum of Council services and activities across a number of local authorities. During 2015 Mark also completed a qualification as a CIPFA Accredited Counter Fraud Technician.

Claire Walker (Senior Auditor): Claire joined the audit partnership in September 2010, and has wide experience in a variety of sectors and bodies; Local and Central Government, Arts, Broadcasting, Financial Services, NGOs & Not For Profit Sector (domestic & foreign), also Lottery Fund distribution QUANGOS (New Opportunities Fund, Big Lottery Fund, Millennium, Commission, Olympic Delivery Agency, Heritage Lottery Fund, and Sport England) and the associated grant making programmes (in house and outsourced grant administered programmes).  Claire delivered some training & mentoring projects for the FCO, DFID and the World Bank in addition to work on European Social Fund projects.  Within Local Government Claire has undertaken a wide range of audits with a focus on legal compliance, contracts and governance arrangements.  Other audit experience covers outsourcing functions, due diligence, and fraud investigations. 

Jo Herrington PIIA (Auditor): Jo joined the audit partnership on 30 September 2013. She joined the partnership from Gravesham BC, where she worked for nearly nine years. She gained experience of working in the Finance department and the Revenues department before settling in the Internal Audit team in September 2009, who operated a shared management arrangement with Tonbridge & Malling BC. As part of the Internal Audit team she gained broad experience conducting financial and operational audit reviews, as well as being involved in working groups across the authority. Jo was promoted to the position of Senior Auditor during the 2015 restructure.

Jen Warrillow PIIA (Auditor): Jen joined Mid Kent Audit in September 2013 from Kent County Council where she trained as an Internal Auditor. She recently completed study for Practitioner of the Institute of Internal Auditors status and during 2015 studied to become a Chartered Member of the Institute.  At KCC Jen undertook a wide range of audits including financial, governance and grant funding internally for the Council and externally for Parish Councils.  Previous to joining KCC, Jen worked as an investigator for Swale BC and then Tonbridge & Malling BC.  Jen was promoted to the position of Senior Auditor during the 2015 restructure.  Jen is currently on maternity leave, scheduled to return to the team in July 2016.

Paul Goodwin AAT (Auditor): Paul has been employed by Tunbridge Wells Borough Council for over 26 years of which nearly all has been in Internal Audit. Paul is a qualified Accounting Technician.

Andy Billingham (Auditor): Andy joined the Partnership on 7 December 2015. He had previously worked for Swale Borough Council for 10 years within the Revenues and Benefits department gaining extensive knowledge of local government processes and procedures whilst dealing with complex disputes and representing the authority at Tribunals. Andy holds a degree in History as well as an Institute of Revenue Rating and Valuation qualification

Trainee Auditors & Others

Ben Davis (Trainee Auditor): Ben joined the team in March 2015 as a trainee auditor.  He holds a degree in Modern History from UEA and has previous experience in finance teams in the private and voluntary sectors.  Ben began training towards achieving a professional qualification through the Chartered Institute of Public Finance and Accountancy (CIPFA) and was successful in passing the first stage of the qualification in December 2015.

Helen Pike (Trainee Auditor): Helen joined the audit team in July 2015 as a trainee auditor.  Her previous work experience is extensive and incorporates spells in occupations as diverse as TV programme scheduling and emergency ambulance despatch but joined us most recently from the finance and administration team of the Kent Institute for the Blind.  Helen has recently embarked on studying for the Institute of Internal Audit Professional Certificate as the first step towards becoming a Chartered Internal Auditor (CIA). 

Louise Taylor (Audit Team Administrator): The Audit Partnership restructure in 2015 created the role of audit team administrator to assist the team in various tasks including monitoring performance management, archiving our reports and manging our audit software.  Following a trial period, this post was taken by Louise who had previously worked in the Planning department of Maidstone Borough Council and has extensive experience working with local authorities.

We also have facility within the audit service to seek and deploy additional specialist resource depending on the needs of the service and of our local authority partners. 

Appendix IIII: Assurance & Recommendation Ratings

Assurance Ratings 2016/17 (unchanged from 2014/15 and 2015/16)

Recommendation Ratings 2016/17 (unchanged from 2014/15 and 2016/17)

Priority 1 (Critical) – To address a finding which affects (negatively) the risk rating assigned to a Council strategic risk or seriously impairs its ability to achieve a key priority.  Priority 1 recommendations are likely to require immediate remedial action.  Priority 1 recommendations also describe actions the authority must take without delay.

Priority 2 (High) – To address a finding which impacts a strategic risk or key priority, which makes achievement of the Council’s aims more challenging but not necessarily cause severe impediment.  This would also normally be the priority assigned to recommendations that address a finding that the Council is in (actual or potential) breach of a legal responsibility, unless the consequences of non-compliance are severe. Priority 2 recommendations are likely to require remedial action at the next available opportunity, or as soon as is practical.  Priority 2 recommendations also describe actions the authority must take.

Priority 3 (Medium) – To address a finding where the Council is in (actual or potential) breach of its own policy or a less prominent legal responsibility but does not impact directly on a strategic risk or key priority.  There will often be mitigating controls that, at least to some extent, limit impact.  Priority 3 recommendations are likely to require remedial action within six months to a year.  Priority 3 recommendations describe actions the authority should take.

Priority 4 (Low) – To address a finding where the Council is in (actual or potential) breach of its own policy but no legal responsibility and where there is trivial, if any, impact on strategic risks or key priorities.  There will usually be mitigating controls to limit impact.  Priority 4 recommendations are likely to require remedial action within the year.  Priority 4 recommendations generally describe actions the authority could take.

Advisory – We will include in the report notes drawn from our experience across the partner authorities where the service has opportunities to improve.  These will be included for the service to consider and not be subject to formal follow up process.

Appendix V: Performance Indicators