Your Councillors

LB Merton CMT Cover sheet

Mid Kent Audit

Annual Internal Audit Report and Opinion

2015/16

Maidstone Borough Council

Introduction

1. Internal audit is an independent and objective assurance and consulting activity designed to add value and improve the Council�s operations. It helps the Council accomplish its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

2. Statutory authority for Internal Audit is within the Accounts and Audit Regulations 2015, which require at Regulation 5 that:

�[the Council] must undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance�.

3. The currently operating standards are the Public Sector Internal Audit Standards published by HM Government for effect from April 2013 across the UK public sector.

4. In addition, all internal audit services in whatever sector must also abide by the Code of Ethics and International Professional Practices Framework. .

5. The Head of Audit Partnership must provide an annual opinion on the overall adequacy and effectiveness of the Council�s framework of control, governance and risk. This considers:

� Internal Controls: Including financial and non-financial controls.

� Corporate governance:� Including effectiveness of measures to counter fraud, and

� Risk Management: Principally, effectiveness of the risk management framework.

Independence

6. Mid Kent Audit is a shared service partnership involving Ashford, Maidstone, Swale and Tunbridge Wells Borough Councils working to a collaboration agreement refreshed in July 2014.� As a service, we report to the Mid Kent Services Director and the MKIP Board.

7. Within Maidstone BC, the Head of Audit Partnership has direct and unrestricted access to the Chief Executive, senior management and Members, including the Chairman of the Audit, Governance & Standards Committee.� This right of access is contained within and reinforced by the Audit Charter agreed by management and Audit Committee in March 2015.

8. On no occasion have Senior Officers or Members sought to in appropriately restrict the scope of audit work or change any report prepared by or for the Head of Audit Partnership.

9. We are satisfied that Internal Audit is organisationally independent and fully meets the necessary standards for independence and objectivity.

Head of Audit Partnership Annual Opinion

10. I provide this opinion statement for Maidstone Borough Council (the Council) to inform its Annual Governance Statement which is published alongside the Statement of Accounts for the year ended 31 March 2016.

Scope of responsibility

11. The Council is responsible for ensuring its activities are conducted in accordance with the law and proper practices and that its resources are safeguarded and properly accounted for and used economically, efficiently and effectively.� The Council also has a duty under the Local Government Act 1999 to make arrangements to secure continuous improvement in the way in which its functions are exercised, having regard to a combination of economy, efficiency and effectiveness.

12. In discharging this responsibility the Council must also ensure it operates a sound system of internal control which allows for effective exercise of the Council�s functions and arrangements for risk management.

The purpose of the system of internal control

13. The system of internal control is designed to manage risk to an acceptable level rather than eliminate entirely the risk of failing to achieve objectives.� It can therefore only provide reasonable and not absolute assurance of effectiveness.� The system of internal control is based on an on-going process designed to identify and prioritise the risks to the achievement of the Council�s objectives, to evaluate the likelihood of those risks being realised and the impact should they be realised and manage them efficiently, effectively and economically.

14. The Public Sector Internal Audit Standards (the �Standards�) state that the control environment includes the following elements:

� Integrity and ethical values.

� Management�s philosophy and operating style.

� Organisational structure.

� Assignment of authority and responsibility.

� Human resource policies and practices.

� Competence of personnel.

15. In examining the control environment, I have had regard to these elements and how they support the Council�s framework of governance, risk management and internal control.

Basis of assurance

16. Mid Kent Audit has conducted its work both in accordance with the Standards and good practice as represented in our internal quality assurance system, which include operating to an agreed audit manual with adequate supervision and review.

17. My opinion is limited to the work carried out by Mid Kent Audit during the year on the effectiveness of the management of those risks identified within the Council�s assurance framework that are covered within the audit programme or associated sources of assurance.� Where risks are identified within the Council�s assurance framework that do not fall within the scope of audit�s coverage or associated sources of assurance I am satisfied that an assurance framework is in place that provides reasonable assurance that these risks are being managed effectively.

18. Our work for the year to 31 March 2016 and up to the date of this opinion was completed in line with the operational plan approved by the Audit Committee in March 2015.

Internal Control

19. From the internal control work undertaken in relation to 2015/16 it is my opinion that I can provide assurance that the system of internal control that has been in place at the Council for the year ended 31 March 2016 accords with proper practice.� This assurance extends to both financial and non-financial systems of the Council insofar as they have been subject to audit review or associated sources of assurance.

Corporate Governance

20. In my opinion the corporate governance framework operating at he Council for the year ended 31 March 2016 complies in all significant respects with the guidance on corporate governance issued by the Chartered Institute of Public Finance Accountancy (CIPFA) and the Society of Local Authority Chief Executives (SOLACE) in 2006 and updated in 2012.

Risk Management

21. I am satisfied that the risk management processes operating at the Council for the year ended 31 March 2016 are effective and provide reasonable assurance to officers and Members.

22. I have based these opinions on the work outlined in the detail of this report.

Internal Control

23. The system of internal control is the process for assuring achievement of the Council�s objectives in operational effectiveness and efficiency, reliable financial reporting and compliance with laws, regulations and policies.� It incorporates both financial and non-financial systems.�

24. We obtain audit evidence to support the Head of Audit opinion on internal control principally through completing the reviews set out within our agreed audit plan, approved by this Committee in March 2015.

Summary of Audit Plan Work in Maidstone 2015/16

25. Our plan presented in March 2015 moved away from a fixed number of audit projects and instead towards a total number of productive days per year.� This has considerable advantages in providing a flexible basis to keep our plans up to date and respond appropriately to the Council�s developing risks and priorities.

26. Up to the date of this report, our outturn days against each type of work separately identified in the plan is as set out below:

Type of work	Plan Days	Outturn days	Difference
Planned 2015/16 assurance projects	316	277	-41
Risk Management and Counter Fraud work	40	41	+1
Recommendation follow ups	60	47	-13
Other audit work[1]	54	112	+58
Total	470	477	+7

27. There are still a few days to be accounted as the remaining 2015/16 projects reach conclusion, but up to the date of this report we have delivered 100% of the planned audit days.� The variation above, and detailed in the tables to follow, also indicates the advantages to the flexibility and responsiveness of our audit planning.

Audit Review Findings to Date

28. The table below summarises audit project findings and outturn up to the date of this report.� Where there are material matters concluded between report issue and committee meeting we will provide a verbal update.� We are satisfied that sufficient work has been completed, and the risk of adverse findings in the remainder sufficiently low, that we can offer our annual opinion.

	Review Type	Title	Plan Days	Actual Days	Report Issue	Assurance Rating	Notes
Planned 2015/16 assurance projects completed
I	Finance	Business Rates System	12	13	Jun-15	STRONG	As reported to this Committee in Nov-15 interim report
II	Finance	Council Tax System	12	14	Sep-15	SOUND	As reported in Nov-15
III	Governance	Safeguarding	15	16	Oct-15	WEAK	As reported in Nov-15
IV	Governance	Members� Allowances	10	15	Nov-15	SOUND	As reported in Nov-15
V	Finance	Accounts Receivable System	10	16	Jan-16	SOUND	Scope expanded to include system documentation
VI	Service	Grounds Maintenance	15	22	Jan-16	SOUND
VII	Finance	Procurement	10	22	Feb-16	SOUND	Sample sizes increased to get full coverage on compliance
VIII	Finance	Budget Setting	15	14	Feb-16	SOUND	Focus on budget setting� following external review
IX	Governance	Business Continuity	15	15	Mar-16	WEAK
X	Service	Temporary Accommodation	15	15	Mar-16	SOUND
XI	Service	ICT Network Controls	6	4	Apr-16	STRONG
XII	Service	Service Improvement	15	21	Apr-16	STRONG	Scope expanded to include website development
XIII	Service	Licensing	15	20	Apr-16	SOUND
XIV	Service	Community Safety	15	17	May-16	SOUND
XV	Finance	Payroll	10	6	May-16	STRONG
XVI	Service	Learning & Development	8	8	May-16	SOUND
XVII	Service	Litter Enforcement	15	15	Jun-16	SOUND
Unplanned/additional projects 2015/16
XVIII	Consultancy	Planning Support Gateway Review	N/A	4	Oct-15	N/A
XIX	Consultancy	Whistleblowing Review	N/A	11	Jan-16	N/A
XX	Finance	Mote Park & Cobtree Caf�	N/A	17	May-16	WEAK
XXI	Service	Garage Review	N/A	12	Jun-16	SOUND
Planned 2015/16 assurance projects underway
	Governance	Good Governance Review	5	6			Draft Report stage
	Service	Section 106 Payments	15	13			Draft Report �stage
Planned 2015/16 assurance projects not completed
		Corporate Projects Review	10	1	Deferred to 2016/17 as projects not suitably advanced to examine for audit sample
		Commercial Projects	15	4	Scope altered to consultancy work focussing on single project with feedback to Director
		ICT Business Applications	6	0	Assurance received from extended follow up to 2014/15 ICT Service Desk review
		Parking	8	0	Deferred to 2016/1 following discussion with officers and to run alongside SBC work
		Park & Ride	15	0	Deferred to 2016/17 after Sittingbourne Road closure
		Planning Support	6	0	Replaced by project review following disaggregation decision from TWBC
		Asset Management	15	0	Deferred following delay to asset acquisition plans
		Discretionary Payments	8	0	Deferred to run alongside similar work elsewhere

I: Business Rates

29. We conclude based on our audit work that the Business Rates system demonstrates STRONG controls in both design and operation.

30. The controls within the Business Rates system are effective in design and operation. The Business Rates process is well controlled and mitigates the risk of fraud and error to an acceptably low level. Management controls exist to check validity and integrity of systems information. Our testing found no areas of concern, or significant areas where the service might reasonably seek to improve.

II: Council Tax

31. We conclude based on our audit work that the Council Tax service demonstrates SOUND controls in both design and operation.

32. The controls within the Council Tax system are generally effective in design and operation. The key controls in operation mitigate the risks of fraud and error to an acceptable level and incorporate elements representing best practice, such as prompt and comprehensive property inspections. We noted a discrepancy between the partner sites on refund authorisation where controls could be efficiently improved by harmonisation. Our sample testing also identified a weakness in write-off procedures that the service must address.

III: Safeguarding

33. We conclude based on our audit work that there are WEAK controls over the Council�s Safeguarding arrangements.� We have established that the Council is satisfying its statutory obligations for safeguarding, with no immediate concerns to report.� However, further improvements are needed to provide greater resilience to these arrangements and to ensure safeguarding risks are being adequately managed.

34. The Council is currently undertaking a large amount of work via the Safeguarding Working Party to make improvements to the controls in place over the Council�s safeguarding arrangements. We fully acknowledge and commend the Council for work currently in progress and note that this report describes the position identified in the course of our recent fieldwork.

35. We have identified a number of areas within the existing safeguarding arrangements where further improvement is needed which currently fall outside of the work being conducted by the Safeguarding Working Group.� The main areas for improvement include;

� clarifying the Council�s statutory obligation for safeguarding within the Constitution,

� introducing a Deputy Local Authority Designated Officer to provide resilience;

� including partnership and casual workers within the training programme;

� introducing a central database of all safeguarding referrals submitted and providing periodic reports to senior management on the number of referrals submitted.

36. In addition, we have highlighted that improvements in the procedures for disclosure and barring checks are necessary to ensure that checks are kept up-to-date and in accordance with the DBS policy.

37. The actions arising from this audit will provide the Head of Housing and Community Services and the Safeguarding Working Group with the necessary support to ensure the Council can be confident of satisfying its statutory safeguarding obligations in the long term.

IV: Members� Allowances

38. We conclude based on our audit work that the service has SOUND controls in place to ensure accurate payments of Members� Allowances in accordance with the Members� Allowance Scheme. We provide the definitions of our assurance ratings at appendix II.

39. The Council has in place a comprehensive Members� Allowance Scheme with a framework of procedures and guidance to ensure fair processing and payment of allowances and expenses. We tested the provision of these payments from request to completion and confirm that allowances and expenses are paid accurately and in accordance with the scheme.

40. During the review we identified that the published Members� Allowance Scheme had not been updated to reflect revised allowance rates. The scheme should be reviewed to ensure that it remains up to date and includes more comprehensive details in respect of broadband allowances. We identified one missing payment as a result of our testing, and this has been brought to the attention of officers to rectify.

V:Accounts Receivable System

41. We conclude based on our audit work that there are SOUND controls in operation within the Accounts Receivable system to manage its risks and support its objectives.

42. The controls within the Accounts Receivable system are well designed and operate effectively with receipts against invoices being reconciled daily. In particular we identified effective controls around user access, creating and managing credit notes and writing off irrecoverable debts.

43. However, before debts raised through the Accounts Receivable section are finally deemed irrecoverable we identified the Council seldom takes the full range of recovery action available. For example, few cases are referred to Legal, which is not in line with agreed procedures.

VI: Grounds Maintenance

44. We conclude based on our audit work that the Grounds Maintenance service has SOUND controls in place to manage its risks and support delivery of its service objectives.

45. The Grounds Maintenance service has set a clear objective within their service plan �to rationalise the Grounds Maintenance fleet�. During the audit, we tested the controls in place to enable the service to meet this objective, and reviewed the effectiveness of the measures and actions in place. We found that actions have been defined, and that the service is progressing well towards achievement of the objective.

46. The service has good controls in place with regards to security and use of fuel cards in order to limit the risk of theft or mis-use. Assets are kept safely and securely and controls are in place to check inventory records and account for equipment. However, we identified one instance where income from the disposal of an asset via auction had not been received. While we are satisfied that appropriate action is being taken to obtain the income due, there is an opportunity to firm up procedures for future disposals.

47. The service takes health and safety obligations very seriously, and risk assessments are in place for all of the Grounds Maintenance activities. Training is provided and completed; however, training records are not comprehensive and should be improved to enable the service to demonstrate compliance with health and safety requirements.

VII: Procurement

48. We conclude based on our audit work that the service has SOUND controls in place to manage the risks associated with procurement.

49. The Council has a set of standards to comply with in relation to procurement; these are the Contract Procedure Rules. Detailed guidance is in place in the form of the Purchasing Guide to assist officers through the procurement process. This review focused on 3 groups of procurement exercises: those with values between �10,001 - �24,999, �25,000 - �74,999 and �75,000 and over.

50. During the course of the audit, we found it difficult to identify procurement exercises between the values of �10,001 � �24,999. Such exercises are delegated and managed by Council departments. Without a systematic way of capturing these, it is difficult to say whether or not the rules and procedures are being consistently applied. This was reflected in our testing, as we identified one area of non-compliance with regards to the completion of risk assessments.�

51. We confirmed through testing, that the tendering process for the Council is working effectively, and that the process is appropriately supported and facilitated by the Procurement team.

VIII: Budget Setting

52. We conclude based on our audit work that Finance has SOUND controls in place to manage its risks and support its objectives for budget setting.�

53. The Medium Term Financial Strategy (MTFS) underpins the budget setting process. The risks associated with the budget and the barriers to achieving the resource levels assumed by the budget have been considered as part of the MTFS. Annual review of the strategy forms part of the corporate planning timetable which is approved by the Policy and Resources Committee. Members and Senior Officers are consulted as part of the budget setting process however, the findings from a survey conducted during the review indicates that budget holders do not feel engaged in the process, with the majority feeling as though they have limited ownership in setting their budget apart from setting the fees and charges for the forthcoming year.

54. Our testing confirmed that the budget is approved and accurately reflected in the Council�s Financial Management System, Agresso.

55. A Financial Health Check was undertaken in February 2015 by an independent consultant and the findings have been reported. The findings of this review formed an action plan, however, there has been no progress made towards implementing the recommendations made to date.�

IX: Business Continuity

56. We conclude based on our audit work that there are WEAK controls in operation surrounding Business Continuity across the Council as a whole. This means that the arrangements place the Council at excess risk and require remedial action in order to consistently operate at an effective level. We provide the definitions of our assurance ratings at appendix II.

57. Our work identified that the Council does not, at present, have fully developed business continuity arrangements.� Its overall plan was last updated in 2008 since which time the Council has changed premises rendering it essentially invalid.� Although some work has been undertaken in the past two years on impact assessments within individual services, there are key components still missing, such as finance and property, which risk making the overall response ineffective.

58. Beyond the lack of formal arrangements, the Council also has an underdeveloped understanding of what informal arrangements would operate, with no recent testing or training in this area meaning the large majority of staff would not know how to respond in an incident which impaired the Council�s ability to operate normally.� Some officers and services � importantly including ICT � do have some understanding and plans but we note these were developed principally because of the demands of other parties to shared services rather than at request of Maidstone.�

59. We also note that the Council is identified within the Civil Contingencies Act 2004 (�the act�) as a Category 1 responder. The Act places a responsibility on the Council to have continuity plans in place to assist others in the event of an emergency. This is only possible if the Council is able to maintain its own crisis response and core services.� Given the outlined limitations in Business Continuity Plans, the Council would be at risk of not being able to comply with the requirements of the Act.

60. We note that the Council�s recent experience suggests that, in the event of emergency, the resilience and goodwill of its staff will go a long way to mitigating the worst impacts.� However, without comprehensive and tested plans the Council cannot confidently manage its risk of failing to continue to deliver its core services in the event of an incident.

X: Temporary Accommodation

61. We conclude based on our audit work that there are SOUND controls in operation within the Housing Service to manage the key risks identified by management surrounding the provision of temporary accommodation.

62. Our testing confirms that the Council meets its statutory responsibility to provide and allocate temporary and emergency accommodation to eligible persons who are assessed as being both unintentionally homeless, and in priority need.

63. Management initially expressed concerns around the charges the Council incurs for temporary accommodation. Our review concludes that financial reporting and monitoring controls around the checking and payment of invoices are sound. Our testing confirms that suitable arrangements are in place to ensure that the Council only pays for the accommodation it uses. However, as demand increases the Council is starting to pay significant sums to a limited pool of housing suppliers. While expenditure remains at this level, the service should clarify its position with procurement to ensure that spend it consistent with financial standing orders and continues to demonstrate value for money.�

64. We also reviewed management of Council owned property; Aylesbury House. We found that the property is well managed and achieving high occupancy rates. However, the Council should move to reconfirm the relationship with the provider following expiry of the original contract.

XI: ICT Network Controls

65. We conclude based on our audit work that there are STRONG controls in operation within the Shared ICT Service to manage the key risks identified by management surrounding the security of the Mid Kent ICT network.

66. Our testing confirms that the Mid Kent ICT service is taking suitable action to gain independent assurance on the security of the ICT network across all three sites (Maidstone, Swale & Tunbridge Wells). The network undergoes rigorous testing by an external specialist to verify the security measures in place. Our testing confirms that suitable action is taken to respond to any recommendations to address weaknesses identified as a result of these tests. As a result, all three Councils achieved compliance with the Public Services Networks IT Health Check (ITHC) in 2015.

67. We also reviewed controls around user access for officers who have left the Council�s employment. Our testing identified that the ICT Service Desk is made aware when an officer is due to leave the Council and takes prompt action to ensure that network access is revoked. We are able to confirm that none of the 12 leavers we tested as part of the audit had accessed the ICT network after ceasing employment with the Council.

XII: Service Improvement

68. We conclude based on our audit work that Service Improvement has STRONG controls in place to manage its risks and support delivery of its objectives.

69. Service Improvement has set an objective within its service plan to minimise face to face contact and shift contacts to the web and to automated telephony wherever possible.� The Service is achieving this by developing new and enhancing existing online forms, promoting self-serve options and including assisted digital and telephone lines. The Council has also introduced an appointment system in the Gateway for Housing, Housing Benefit and Council Tax. Our review confirms that the controls in place are effective in design and operation, and as a result the service has already completed some of its planned actions and is making good progress on others.

70. At request of the service we also reviewed the Council�s website to consider ease of accessibility and navigation. Our testing confirmed that service information and Council documents available on the website could be located within three clicks (which is the Council�s benchmark); however, the search function did not always prove helpful or accurate. We are aware that a project is due in 16/17 to develop the intelligence of the search function through the implementation of Go Response. The service anticipates this will significantly improve functionality and accuracy of website searches.

XIII: Licensing

71. We conclude based on our audit work that the service has SOUND controls in operation to manage the risks relating to compliance and enforcement of licences.�

72. Our review found that the Council�s policies setting out its objectives for Licensing Enforcement are well set out based on our experience of undertaking similar work elsewhere in the Partnership with the exception of some minor areas that require updating.

73. We found that good procedures are employed to deliver the requirements of the Enforcement Strategy with regards to ensuring compliance with licensing conditions. At the time of our work the monitoring programme had progressed with approximately 45% of licensed premises having received a planned inspection (representing 240 risk assessments undertaken since January 2014).� Although we note that is less than half of licensed premises, we note progress the service has made and continues to make in this area.� Our test findings, which included checking the correct risk assessment of premises, returned positive results which confirmed compliance with the prescribed processes.

XIV: Community Safety

74. We conclude based on our audit work that there are SOUND controls in place over the Council�s Community Safety Partnership to manage the associated risks and to support them in the delivery of their priorities.

75. We found a clear and embedded process in place to determine the Community Safety Partnership�s strategic priorities. The plan to supports delivery is well defined and our testing established individual projects are chosen in keeping with its aims.

76. We also reviewed controls for administering Community Safety Grants, which for 2015/16 accounted for �37k spend. While the scheme overall operates to a clear process, we identified a range of administrative weaknesses in how grant applications are processed, monitored and paid. Although we are satisfied these weaknesses do not materially undermine the grant funding arrangements, improving controls will lead to a more effective process.

XV: Payroll

77. We conclude based on our audit work that the Payroll service to Maidstone and Swale has STRONG controls, for the area of deductions, to control its risks and support its objectives.�

78. Our work confirmed the system materially unchanged from our work in February 2015 which concluded the service had strong payroll controls.

79. This review focussed on payroll deductions.� Our testing confirmed robust processes in place to account for, approve and accurately pass on mandatory deductions.

80. We found that a variety of categories for discretionary deductions exist across the two administered payrolls, which should each be supported by an employee instruction.� We found a large majority of deductions adequately supported, with documentation absent for only some historic and long standing requests.� Given their duration, we are satisfied the deductions are valid and the missing documentation poses no appreciable risk to the Councils or their employees.

XVI: Learning & Development

81. We conclude based on our audit work that the Learning and Development service has SOUND controls to manage its risks and support its objectives.�

82. We found the Learning and Development service at Swale and Maidstone Borough Councils has an effective process to identify staffs training needs.� The service draws on a broad variety of sources when compiling the corporate training calendar. All staff can view the training calendar and book through a straightforward online process open to all.

83. We also examined procurement of training and found that while there is broad adherence to procedure, the service could do more to ensure compliance and evidence retention.

XVII: Litter Enforcement

84. We conclude based on our audit work that there are SOUND controls in place to monitor and manage the Litter Enforcement contract.

85. The Litter Enforcement service provided by Kingdom Security operates as set out in the contract. The strong and trusted relationship between the Council and Kingdom enables continuing service development, including body worn CCTV, standalone online monitoring and integrated financial reporting.� We also note Kingdom continues to meet performance targets specified in the contract.

86. However financial procedures over the reconciliation of income and verifying invoices should be improved to identify and resolve variances. While the current, largely informal, arrangements for contract monitoring work well, the Council should be clear on understanding and documenting its risks so its position is secure if in future the relationship with Kingdom changes.

XVIII: Planning Support Gateway Review

87. The [project] Board has proceeded largely on the basis that the option originally put to TWBC cabinet � of a TWBC withdrawal leaving a two-way partnership � would be the most likely outcome. As a result the Board has sought to fully appraise in greater detail this single and most likely option. While other options have been considered at the early stages of the project, they have not received a similar depth of analysis and, in the case of the option 3; have not been considered at all.

88. No options have been considered that involve TWBC remaining in the partnership as this fell outside of the mandated scope of the project. The Board therefore has largely been an exercise in constructing a business case rather than appraisal of different options as originally mandated.

89. Within those constraints, though, the Board has operated diligently in seeking to obtain the best evidence it can, including commissioning external advice where a need is identified. Each work stream has provided evidence to inform the Board in its decision to pursue the chosen option.

90. The inherent lack of clarity in operating ahead of a formal decision� means that some evidence relies upon assumptions and extrapolations which are difficult to pin down with certainty and are subject to wide error bars. This is particularly notable on information regarding human resource and finance considerations and data forwarded by parallel project groups operating in MBC and SBC.

91. However, we are satisfied that the Board has efficiently documented its processes meaning that those assumptions are, in general, apparent, open to fair challenge and not unreasonable.

XIX: Whistleblowing Review

92. Encouraging staff to identify and raise concerns is a key component for all organisations in being able to ensure they are consistently well governed and effective. A council�s staff are its first and, in some instances, only line of defence against bad or illegal practice. While the Council offers a range of methods for staff to raise concerns, one significant path is the formal Whistleblowing policy which � uniquely � provides a statutory protection to concerned employees shielding them from discrimination as a result of speaking up.

93. In our examination of the policy and practice of whistleblowing across the authorities we conclude that there are a number of encouraging aspects. All three authorities have legally compliant policies, although Maidstone in particular has some way to go to meet the best practice set out by Public Concern At Work. Also, while shallow, there is a broad awareness among staff and Members of the basics and principles of raising concerns and a clearly expressed willingness to not ignore troubling events and behaviours.

94. However, our work identified significant opportunities to update and refresh Maidstone�s approach (in particular) and to raise its profile among staff. This will be needed to reduce what is, according to the survey, a significant minority (almost 1/5) of staff who have noted concerns but not raised them.

XX: Mote Park & Cobtree Caf�

95. We conclude based on our audit work that there are WEAK controls in place for the management of cash and stock at Mote Park and Cobtree Manor Park caf�s.�

96. The management of the Mote Park and the Cobtree Manor Park caf�s was taken in-house by the Council in August and December 2015 respectively. Significant work has been conducted since this time to bring the caf�s into operation. Management requested that an audit be conducted to review the financial controls of both caf�s as the arrangements are still relatively new. Management are keen therefore to address any issues identified as part of this review.�

97. Our work identified that the caf�s do not currently have robust controls in place to prepare cash for banking in such a way to enable the reconciliation of income collected to that banked.� As a result discrepancies are not identified and investigated.� This was particularly evident at Cobtree Manor Park where our testing found variances between amounts received and amounts banked.� While work is currently underway to create an agreed set of procedures, no such guidance has been in place for the cashing up, banking and reconciliation processes. Our findings of the review are therefore outlined in more detail to assist the service in defining and creating a set of working procedures that incorporates the control improvements necessary.

98. The security of cash held at both caf�s needs to be improved, in particular through the purchase of a safe at Mote Park, and secure storage of keys.

99. The Council has software to enable stock to be accounted for and managed; however, at the time of our review this software was not fully operational. It is therefore not possible to fully account for the movement of stock from delivery to sale, and to waste. Quarterly stock checks are undertaken at Cobtree Manor Park but there are no routine stock checks undertaken at Mote Park. The checking of deliveries is not consistently recorded on goods received notes, and invoices are not being reconciled prior to payment in order to ensure accuracy.

100. Given that both caf�s face the same issues with regards to the collection of cash, and the management of stock, the opportunity should be taken to harmonise procedures across both sites as much as possible.�

XXI: Garage Review

101. We conclude based on our audit work that the Garage has SOUND controls in place to manage the risks associated with its current level of service.�

102. The Council�s garage undertakes work to appropriate quality standards and within a scheduled and effective programme.� However, the recent absence of one employee led to a maintenance backlog; exposing a lack of contingency arrangements the service is now working to address.

103. Physical security at the site is sound. However, in part owing to the �just in time� ordering common in garage environments, stock and equipment documentation is limited. This raises the risk of loss or misuse of Council assets.� We also consider there is scope for the garage to review its arrangements with high-value suppliers to test for value for money.

104. We also considered the capacity of the garage for taking on additional commercial work.� We concluded that the staffing levels at present are only sufficient to meet Council workload and vulnerable to absence. Additional resource would be needed to create the capacity for commercial service and there is no business plan yet in place to test viability.� We also note that there are training and regulatory hurdles the service would need to clear before a commercial operation could begin.

105.

Follow-up of Internal Audit Recommendations

106. Our approach to recommendations is that we follow up each issue as it falls due in line with the action plan agreed with management when we finalise our reporting.� We report progress on implementation to Senior Management Team each quarter, including noting where we have had reason to revisit an assurance rating (typically when a service has successfully implemented key recommendations) and raising any matters of ongoing concern.

107. Our most recent round of reports covered recommendations due for implementation on or before 31 March 2016 and consequently represents the full year outturn for 2015/16.� We are pleased to note those reports confirm there are no recommendations outstanding for action beyond their agreed implementation date.� This includes a few instances where, after request from the service and having considered the residual risk of delay posed to the Council, we have revised implementation date.

108. In the table below project titles shown in bold type are those that originally received an assurance rating of weak (we have issued no reports rated poor).

Project	Agreed Actions	Falling due on or before 31/3/16	Actions Completed	Outstanding Actions past due date	Actions Not Yet Due
Projects with actions brought forward from 2014/15 and completed during 2015/16
Project Management	14	14	14	0	0
Museum Collections	13	13	13	0	0
Food Safety	12	12	12	0	0
Emergency Planning	11	11	11	0	0
CCTV	10	10	10	0	0
Data Protection	8	8	8	0	0
ICT Service Desk	8	8	8	0	0
PC & Internet Controls	8	8	8	0	0
Leisure Centre Contract	6	6	6	0	0
Treasury Management	5	5	5	0	0
Computer Use Policy	5	5	5	0	0
Freedom of Information	5	5	5	0	0
Property Income	4	4	4	0	0
General Ledger	3	3	3	0	0
Communications	3	3	3	0	0
Members� Allowances	2	2	2	0	0
Projects with actions issued during 2015/16 and completed during 2015/16
Waste Collection Contract	4	4	4	0	0
Grounds Maintenance	2	2	2	0	0
Council Tax System	2	2	2	0	0
Housing Benefit System	2	2	2	0	0
Projects with actions to carry forward into 2016/17
Safeguarding	12	4	4	0	8
Business Continuity	9	0	0	0	9
Declarations of Interest	8	4	4	0	4
Housing Options	4	3	3	0	1
Temporary Accommodation	4	0	0	0	4
Budget Setting	3	0	0	0	3
Licensing	3	0	0	0	3
Members� Expenses	2	1	1	0	1
Accounts Receivable	2	0	0	0	2
Procurement	2	0	0	0	2
ICT Network Controls	1	0	0	0	1
Accounts Payable	1	0	0	0	1
TOTAL	178	139	139	0	38
		78%	78%	0%	22%

109. Note that the above list excludes projects where we raised no recommendations for action.

110. We note considerable progress made by managers in addressing the issues identified by our reports.� With all 139 due recommendations implemented as agreed, the Council is 78% of the way to full implementation � exactly on track for delivery.

111. Of the 32 audit projects followed up, 8 originally received an assurance rating of weak.� We have previously advised Members in our 2014/15 annual and 2015/16 interim reports that 5 of these (Museum Collections, Emergency Planning, Data Protection, ICT Service Desk and Freedom of Information) had made sufficient progress up to July 2015 for us to revisit the assurance rating as SOUND.�

112. For the remaining three reports assessed as weak many of the recommendations remain due for implementation (21 of 29), so we have not yet seen evidence of sufficient progress to revisit the assurance rating.� We will continue following up recommendations as they fall due and report progress to Members.

Corporate Governance

113. Corporate governance is the system of rules, practices and processes by which the Council is directed and controlled.�

114. We obtain audit evidence to support the Head of Audit Opinion through completion of relevant reviews in the audit plan, as well as specific roles on key project and management groups.� We also consider matters brought to our attention by Members or staff through whistleblowing and the Council�s counter fraud and corruption arrangements.

115. We attend the Council�s Information Governance and Corporate Governance Groups, as well as comment on other decisions and papers as required by the Council�s governance processes.

116. During the year we also undertook a specific review examining the Council�s readiness for compliance with the revised Code of Corporate Governance published by CIPFA/SOLACE in April 2016.

Counter Fraud & Corruption

117. We consider fraud and corruption risks in all of our regular audit projects as well as undertaking distinct activities to assess and support the Council�s arrangements.

Investigations

118. During 2015/16 we had correspondence from some areas of the Council noting three separate matters of concern requiring investigation.� None of these matters are sufficiently grave that they affect the overall audit opinion.� Two are still currently under investigation and so we cannot provide substantial detail at this time but will brief Members separately in the event of significant findings.

Whistle-blowing

119. The Council�s whistleblowing policy nominates internal audit as one route through which Members and officers can safely raise concerns on inappropriate or even criminal behaviour.� During 2015/16 we have received no such declarations.

120. In the latter part of 2015/16, following work completed at request of Members, we revised the Council�s whistleblowing policy and approach.� The result of that review is on the same agenda as this paper and will form the basis of our work and reporting to Members from now on.

National Fraud Initiative

121. We have continued as co-ordinator of the Council�s response to the National Fraud Initiative (NFI). NFI is a statutory data matching exercise, and we are required by law to submit various forms of data.� Since March 2015, the Cabinet Office administers NFI.

122. The current NFI exercise has been releasing data in tranches since January 2015 and includes the following services:

� Housing Benefits (1,233 total matches)

� Creditors (870 total matches)

� Payroll (11 total matches)

� Licensing (5 total matches)

� Insurance Claimants (4 total matches)

123. One further category (Residents� Parking) returned no matches for the Council.

124. The graph below plots progress to date.� Up to the end of March 2016, in reviewing the matches the Council has identified 14 cases of error (none of fraud) leading to the recovery of �11,572.� Cabinet Office guidance is that all matches should be investigated within the two year cycle of NFI data (so, by January 2017).

NFI Matches Investigation Progress

125. Work so far has focussed on the �recommended matches�; those that in the Cabinet Office�s experience are most likely to represent frauds or error.� We will be examining the remaining matches during 2016 with a view to closing the exercise in time for the fresh data release in January 2017.

National Fraud Initiative � Outcomes validation

126. In January 2016 the Cabinet Office announced they would be asking key contacts at each authority to undertake a separate testing exercise validating the NFI outcomes recorded on through the web portal.� Mid Kent Audit played a key role in this consultation; the eventual wording of the declaration asked of key contacts is the same as the form we proposed and reads:

The Cabinet Office require NFI outcomes to be validated by Key Contacts prior to reporting these outcomes externally, e.g. in a national report or to public accounts committee.� Key Contacts are responsible for co-ordinating an approach that is deemed appropriate for validating outcomes at their respective authorities.

I declare that reasonable checks have been undertaken to ensure that 2014/15 and FMS outcome summaries are a fair reflection of outcomes achieved by Maidstone Borough Council.

127. In response we designed a work programme that tested 10% of cases that recorded a costed outcome and 1% with a nil outcome (making for a total of 134 cases across the partnership).

128. We identified only one issue relating to an outcome where evidence was incomplete as a counter fraud officer had left the Council without leaving clear documentation behind.� However, we were satisfied in that instance of being reasonably certain through inspection of other material that the outcome was accurate.

129. Consequently, in line with the Cabinet Office�s deadlines, we made a positive declaration for the Council on 14 April 2016.

130. We understand that Cabinet Office will make this validation an annual requirement and so will, in consultation with partners across Kent, review our approach and methodology to the 2016 exercise to ensure it remains effective and efficient.

Counter Fraud and Corruption Tracker

131. During 2015/16 we also contributed to the CIPFA Counter Fraud Centre annual survey, using the NFI data and other information obtained from our own records and held by the shared Revenues and Benefits Counter Fraud team.� In February 2016 CIPFA published the full summary of results (available for free download here) which included the table below giving an indication of the major fraud threats in local government:

Attempted Frauds

132. We previously advised Members in our interim report that another Council within the Mid Kent area were subject to a fraud attempt involving the use of a �spoofed� email account purporting to be that of a Council employee and requesting a bank transfer.� Our investigation could not identify the culprit � �spoof� emails are created easily enough and very difficult to trace � but we did examine the Council�s controls and investigated to determine whether any similar attempts had been successful and undetected.�

133. In the remainder of 2015/16 we did not identify any further such attempts which, coupled with successful operation of financial and IT controls, led us to identify this as a low fraud risk.� Consequently, we have provided advice to finance teams on remaining vigilant and have reported the matter to the police but plan no continuing action unless there are further developments.

Risk Management

134. Risk management is the process of identifying, quantifying and managing the risks that the Council faces in attempting to achieve its objectives.

135. We obtain audit evidence to support the Head of Audit Opinion through completion of our audit plan plus continuing monitoring of and contribution to the Council�s risk management processes.

136. During 2015/16 we worked with the Council to produce a revised Risk Management Framework.� Policy & Resources Committee approved this framework in outline June 2015.�

137. Following that approval we undertook a series of workshops across the Council�s services to establish a comprehensive risk register.� This process also involved Members at a Strategic Risk Workshop led by Grant Thornton in December 2015.

138. The first output of the comprehensive risk register and the full framework was reported to Policy & Resources Committee in February 2016 (item 165).� This highlighted six overall risk themes being managed by the Council:

� Variation in Business Rates income,

� Significant commercial failure,

� Shortfall of income from festivals and events,

� Housing market failure and increased homelessness approaches,

� Lack of suitable temporary accommodation options, and

� Recruiting and retaining skilled staff Council wide.

139. Following adoption of a revised Audit Charter by this Committee in March 2016 which clarified the extent of our role in risk management we will be leading within the Council in expanding and settling the comprehensive risk register.� This draws together risks identified in the course of service planning and corporate projects to inform the Council�s decision making as well as audit planning.

140. We will continue to report outcomes and progress to the Audit, Governance & Standards Committee and substantive output to Policy & Resources Committee through the year.

Mid Kent Audit Service Update

Team Update

141. During 2015/16 following the departure of a long-serving manager, absences for maternity leave and a pair of recruitment exercises, the audit service averaged a vacancy rate of 2.5 FTE, around 20% of establishment.� However, due to a variety of factors including around 1xFTE of short term contractor support, efficiencies arising from our mid-year restructure and resilience of working in a shared service across four authorities we have been able to complete the work set out in this report which supports a definitive Head of Audit Opinion.

142. The whole management team of Mid Kent Audit convey their public thanks to the team for their hard work and dedication through 2015/16.

143. We have continued through the year to support our staff in their professional development.� During 2015/16 the audit team has added the following skills and qualifications to help support our partner authorities:

� Frankie Smith (Audit Manager, Swale & Tunbridge Wells) achieved Chartered status with the Institute of Internal Auditors (IIA) (CMIIA designation)

� Jo Herrington (Senior Auditor) achieved the practitioners� diploma from the IIA (PIIA designation)

� Helen Pike (Trainee Auditor) achieved the IIA�s Certificate in Internal Audit and Business Risk (IACert designation)

� Alison Blake (Audit Manager, Ashford & Maidstone) achieved the professional qualification of the Institute of Risk Management (IRM designation)

� Russell Heppleston (Deputy Head of Audit Partnership) achieved the International Certificate in Risk Management from the IRM.

� Rich Clarke (Head of Audit Partnership) achieved the Chartered Institute of Public Finance & Accountancy (CIPFA) professional qualification as an Accredited Counter Fraud Specialist (ACFS designation)

� Mark Goodwin (Senior Auditor) achieved CIPFA�s professional qualification as an Accredited Counter Fraud Technician (ACFT designation)

144. We congratulate all in the team on these achievements during 2015/16 and anticipate further exam success in 2016/17.

Quality and Improvement

145. Under the Public Sector Internal Audit Standards we must each year assess our conformance to those standards and report the results of that assessment to Members.� At least every five years that assessment must be external and independent.

146. We underwent an external independent assessment from the IIA in 2014 which confirmed our full conformance with all but 5 of the standards and partial conformance to the remainder.� In 2015, following action to implement the IIA�s recommendations, we were re-assessed as being in full conformance to the standards � the first English local authority audit service to be so assessed by the IIA.

147. In 2016 we have undertaken a self assessment against the Standards and confirm to Members we remain in full conformance.

148. Beyond simple conformance, as reported to Members in our interim report, we go further and comply with the requirements of the IIA�s revised International Professional Practices Framework (IPPF) unveiled in July 2015 but not mandatory for local government internal audit until 2016/17.� We are assisted in remaining at the leading edge of developing standards by the presence of the Head of Audit Partnership as the English Local Government representative on the Internal Audit Standards Advisory Board (IASAB), as well as roles as Chairman of Kent Audit Group and on the Executive Board of the London Audit Group.

149. During 2016/17 we hope to capitalise on this position by beginning to offer Quality Assessments against the Standards either in our own right or in partnership with a national body.� Aside from the benefits of sharing good practice, we hope that this route will provide income to the authorities.� We will keep Members updated on progress in this regard through our update reports.

Performance

150. Aside from the progress against our audit plan we also report against a number of specific performance measures designed to monitor the quality of service we deliver to partner authorities.� The Audit Board (with David Edwards, Paul Riley and now Mark Green as Maidstone�s representative over the past year) considers these measures at each of its quarterly meetings, and they are also consolidated into reports submitted to the MKIP Board (which includes the Council�s Chief Executive and Leader).

151. Note that all figures are for performance across the Partnership.� Given how closely we work together as one team, as well as the fact we examine services shared across authorities, it is not practical to present authority by authority data.�

Measure	2014/15 Outturn	2015/16 Target	2015/16 Outturn
Cost per audit day	Met target	Meet target	Met target
% projects completed within budgeted number of days	47%	60%	60%
% of chargeable days	75%	68%	63%
Full PSIAS conformance	56/56	56/56	56/56
Audit projects completed within agreed deadlines	41%	60%	76%
% draft reports within ten days of fieldwork concluding	56%	70%	68%
Satisfaction with assurance	100%	100%	100%
Final reports presented within 5 days of closing meeting	89%	90%	92%
Respondents satisfied with auditor conduct	100%	100%	100%
Recommendations implemented as agreed	95%	95%	98%
Exam success	100%	75%	100%
Respondents satisfied with auditor skill	100%	100%	100%

152. Of particular note in the figures above is the continuing improvement in completing projects within the scheduled budgeted days. This has shown steady improvement as the year progressed and our refreshed audit methodologies became more established, with a 78% outturn in quarter 4.� This bodes well for meeting the stretched 2016/17 target of 75%.

153. We also note the continued strong performance in customer satisfaction.� This has remained at a high level even as, with the help of the audit team�s new administrative assistant, we have increased response rate more than fivefold.

154. A note too on chargeable days (which is the percentage of audit time spent directly progressing the audit plan as opposed to, for example, training, administration, personnel management and so on).� This was affected during the year by the departure of one of our trainees during his probationary period meaning lost time both in the new recruitment and supporting integration of his replacement.� However, as noted earlier, by using additional contractor support, resilience in the team, and efficiencies introduced in our restructure this did not impair our ability to substantially complete the audit plan.

Acknowledgements:

We would also like to thank Managers, Officers and Members for their continued support, assistance and co-operation as we complete our audit work during the year.

Appendix I:�� Assurance & Priority level definitions

Assurance Ratings 2015/16

Full Definition	Short Description
Strong � Controls within the service are well designed and operating as intended, exposing the service to no uncontrolled risk.� There will also often be elements of good practice or value for money efficiencies which may be instructive to other authorities.� Reports with this rating will have few, if any; recommendations and those will generally be priority 4.	Service/system is performing well
Sound � Controls within the service are generally well designed and operated but there are some opportunities for improvement, particularly with regard to efficiency or to address less significant uncontrolled operational risks.� Reports with this rating will have some priority 3 and 4 recommendations, and occasionally priority 2 recommendations where they do not speak to core elements of the service.	Service/system is operating effectively
Weak � Controls within the service have deficiencies in their design and/or operation that leave it exposed to uncontrolled operational risk and/or failure to achieve key service aims.� Reports with this rating will have mainly priority 2 and 3 recommendations which will often describe weaknesses with core elements of the service.	Service/system requires support to consistently operate effectively
Poor � Controls within the service are deficient to the extent that the service is exposed to actual failure or significant risk and these failures and risks are likely to affect the Council as a whole. Reports with this rating will have priority 1 and/or a range of priority 2 recommendations which, taken together, will or are preventing from achieving its core objectives.	Service/system is not operating effectively

Recommendation Ratings 2015/16

Priority 1 (Critical) � To address a finding which affects (negatively) the risk rating assigned to a Council strategic risk or seriously impairs its ability to achieve a key priority.� Priority 1 recommendations are likely to require immediate remedial action.� Priority 1 recommendations also describe actions the authority must take without delay.

Priority 2 (High) � To address a finding which impacts a strategic risk or key priority, which makes achievement of the Council�s aims more challenging but not necessarily cause severe impediment.� This would also normally be the priority assigned to recommendations that address a finding that the Council is in (actual or potential) breach of a legal responsibility, unless the consequences of non-compliance are severe. Priority 2 recommendations are likely to require remedial action at the next available opportunity, or as soon as is practical.� Priority 2 recommendations also describe actions the authority must take.

Priority 3 (Medium) � To address a finding where the Council is in (actual or potential) breach of its own policy or a less prominent legal responsibility but does not impact directly on a strategic risk or key priority.� There will often be mitigating controls that, at least to some extent, limit impact.� Priority 3 recommendations are likely to require remedial action within six months to a year.� Priority 3 recommendations describe actions the authority should take.

Priority 4 (Low) � To address a finding where the Council is in (actual or potential) breach of its own policy but no legal responsibility and where there is trivial, if any, impact on strategic risks or key priorities.� There will usually be mitigating controls to limit impact.� Priority 4 recommendations are likely to require remedial action within the year.� Priority 4 recommendations generally describe actions the authority could take.

Advisory � We will include in the report notes drawn from our experience across the partner authorities where the service has opportunities to improve.� These will be included for the service to consider and not be subject to formal follow up process.

[1] Includes unplanned reviews, Audit Committee training, preparation and attendance and various ad hoc assurance and advice provided to Maidstone BC during 2015/16.