Interim Internal Audit & Assurance Report

 

[i]

 

November 2017

Maidstone Borough Council

Introduction

1.             The Institute of Internal Audit gives the mission of internal audit: to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.

2.             The mission and its associated code of ethics and Standards govern over 200,000 professionals in businesses and organisations around the world.  Within UK Local Government, authority for internal audit stems from the Accounts and Audit Regulations 2015.  The Regulations state services must follow the Public Sector Internal Audit Standards – an adapted and more demanding version of the global standards.  Those Standards set demands for our reporting:

Audit Charter

3.             This Committee approved our Audit Charter in March 2016. The Charter remains effective through the updated standards in April 2017.  We will consider whether to recommend updates alongside our 2018/19 audit plan.

Independence of internal audit

4.             Mid Kent Audit works as a shared service between Ashford, Maidstone, Swale and Tunbridge Wells Borough Councils. A Shared Service Board including representatives from each council supervises our work based on our collaboration agreement.

5.             Within Maidstone BC during 2017/18 we have continued to enjoy complete and unfettered access to officers and records to complete our work.  On no occasion have officers or Members sought or gained undue influence over our scope or findings.

6.             I confirm we have worked with full independence as defined in our Audit Charter and Standard 1100.

Management response to risk

7.             We include the results of our work in the year so far later in this report.  In our work we often raise recommendations for management action.  During the year so far management have agreed to act on all recommendations we have raised.  We report on progress towards implementation in the section titled Recommendation Follow Up Results.

8.             There are no risks we have identified in our work that we believe management have unreasonably accepted.

Resource Requirements

9.             We reported in our plan presented to this Committee in March 2017 an assessment on the resources available to the audit partnership for completing work at the Council.  That review decided:

We feel on current assessment the Audit Partnership has enough resources in both quantity and ability to deliver the audit plan and a robust overall audit opinion.

10.         Since that review we have seen various changes to our current and projected position.  First we report with pleasure that one of our audit trainees, Ben Davis, has accepted an offer to continue as a permanent auditor on completing his qualification in 2018.  When we began the training scheme in 2014 it was with the hope we would eventually develop our own qualified people who could continue contributing to our success. We take great pride in beginning to realise that hope.  This move will increase the number of audit days available to the partnership.

11.         However, we also continue dealing with long-term sickness absence of a senior member of the audit team.  While in 2016/17 we were largely able to compensate for the absence through use of contractors and increased general productivity we are less able to cover the gap in 2017/18.  In the spirit of greater resilience from working in partnership, no single authority will see a material loss but we do expect each will see some fall in available days. 

12.         Finally, we will look later in the year at our audit software.  Originally through the efforts of the then Ashford team, Mid Kent have pioneered the use of “e-audit”. We were one of the first local authority teams to adopt electronic working when we began using Teammate software in 2001.  Since then, though obviously upgraded, we have stuck with Teammate. 

13.         However, the increasing need to examine our costs carefully – the licence fees are by far our largest non-staff expense – have led us back to market.  We will seek to est the market, possibly jointly with Kent County Council, early in the New Year.  This exercise and associated training if we buy new software will impact on the 2017/18 audit plan.  However, we are confident that we will realise efficiencies in both cost and auditor time from 2018/19 onwards.

14.         The result of these changes is a good chance we will not deliver in full the number of audit days set out in the 2017/18 plan.  However, by continuing to focus on productivity and risk, we are confident that we will be in a position to deliver a robust overall opinion at year end.

Audit Plan Progress

15.         This Committee approved our Annual Audit & Assurance Plan 2017/18 in March 2017.  The plan set out an intended number of days devoted to each of the various tasks.  We began work on the plan during May 2017 and expect completing enough to form our Annual Opinion by June 2018.

16.         The table below shows progress in total number of days delivered against the plan (figures are up to end of October 2017, about 42% through the audit year).

 

 

17.         Based on resources available to the partnership for the rest of the year we forecast delivery of around 483 audit days.  This is 91% of planned days.

18.         We detail the specifics, and results, of this progress further within this report.

 

Results of Audit Work

19.         The tables below summarise audit project findings and outturn up to the date of this report.  Where there are material matters finished between report issue and committee meeting we will provide a verbal update.  (* = days split between partners, MBC only shown).

Completed Assurance Projects

	Title	Plan Days	17/18 Days	Report Issue	Assurance Rating	Notes
2016/17 Assurance Projects Completed After 1 April 2017
	Park & Ride	15	21	Apr-17	Weak	Reported to Members July 2017
	Residents’ Parking	8*	7*	May-17	Sound	Reported to Members July 2017
	Performance Management	10	16	May-17	Weak	Reported to Members July 2017
	Freedom of Information	15	10	May-17	Sound	Reported to Members July 2017
I	Payroll	5*	6*	Jun-17	Strong
II	Crematorium	15	15	Jun-17	Sound
III	ICT Controls and Access	8*	5*	Jun-17	Sound
IV	General Ledger	15	17	Jul-17	Sound
V	Corporate Governance: Transparency Review	5*	5*	Jul-17	N/A
VI	Public Health	15	13	Aug-17	Sound
VII	Accounts Payable	10	13	Aug-17	Sound
Planned 2017/18 Assurance Projects Completed so far
VIII	Business Rates	8*	8*	Oct-17	Strong
IX	IT Disaster Recovery	5*	5*	Oct-17	Sound
X	Debt Recovery Service	5*	5*	Oct-17	Strong
Assurance Projects Added to the 2017/18 Plan and Completed
	Mid Kent Audit Mid Term Review	n/a	4*	Aug-17	N/A	See “Standards Compliance” section

 

Assurance Projects Awaiting Completion

	Title	Plan Days	Days So Far	Expected Report Issue	Notes / Stage
Planned 2017/18 Assurance Projects In Progress
	Land Charges	5*	8*	Nov-17	Draft report
	Procurement	15	16	Nov-17	Draft report
	Payroll	6*	10*	Nov-17	Fieldwork
	Home Assistance Grants	12	7	Nov-17	Fieldwork
	Subsidiary Company Governance	12	3	Nov-17	Fieldwork
	Business Terrace	15	9	Dec-17	Fieldwork
	Emergency Planning	15	3	Dec-17	Planning
	Accounts Receivable	10	2	Jan-18	Planning
	Data Protection	15	2	Feb-18	Planning
	Legal Services	5*	1*	Mar-18	Planning
	Contract Management	15	1	Mar-18	Planning
	Promotion & Marketing	12	1	Mar-18	Planning
	Insurance	12	1	Mar-18	Planning
	Building Control	15	1	Mar-18	Planning
Planned 2017/18 Assurance Projects Yet To Begin
	Financial Planning	7*	0	Q3
	Complaints	12	0	Q4
	Homelessness	15	0	Q4
	Animal Welfare Control	12	0	Q4
	Street Scene Provision	12	0	Q4
	Member Training & Induction	12	0	Q4
	Food Safety	5*	0	Q4
	HR Policy Compliance	5*	0	Q4
	Information Security	5*	0	Q4
	Parking Income	6*	0	Q4
	Cemetery	12	0	Q4+
	Corporate Governance	6*	0	Q4+
	Workforce planning	15	0	Q4+

We will continue to keep these projects under review in the light of our available resources and the changing risk position at the authority.

 

 

 

Audit Project Summary Results

I: Payroll (June 2017)

20.         Our opinion based on our audit work is that there are Strong controls in both design and operation over the Payroll process.

21.         Our work confirmed the Payroll process is materially unchanged from our last review in May 2016. Controls are well designed and the payroll continues to be managed effectively across the shared service.

22.         Our testing confirmed that payroll payments made are accurate, authorised and processed in accordance with agreed procedures.

23.         The service has now acted to implement our recommendation, so this report is closed.

II: Crematorium (June 2017)

24.         Our opinion based on our audit work is that the Crematorium has Sound controls in place to manage its risks and support achievement of its objectives. 

25.         The service employs effective procedures around the cremations process which we found fully meet the requirements of the Crematorium Regulations.  The service is performing above expectation with a favourable trend from increasing cremation numbers and revenue, supported by detailed management information.

26.         However, we identified some improvements the service should make to improve aspects of its financial procedures.  While these are generally sound, increased reconciliations between supporting systems will reduce the risk of error in accounting.

27.         None of the recommendations raised have yet fallen due for implementation.

 

III: ICT Controls & Access (June 2017)

28.         Our opinion based on our audit work is the ICT shared service has Sound controls in place to manage its risks and support achievement of its objectives. 

29.         We identified the service annually receives external assurance around its access controls and takes actions as a result to improve.  The overall design and operation of controls is consistent with Government standards sufficient to permit access to the Public Sector Network (PSN Compliance).

30.         However the service needs to update procedures to improve controls around user access when an officer leaves the partnership that are currently inconsistently applied.  Our testing identified individuals who had accessed the Council’s system after leaving employment and a number of other accounts that closed only when we identified them in our sample. The service also needs to introduce controls to ensure the prompt closure of access to applications users no longer need when they change job roles.

31.         The service has since acted to implement all recommendations.  This report is now closed.

IV: General Ledger: Journals and Feeder Systems (July 2017)

32.         Our opinion based on our audit work is that there are Sound controls in place to manage the Council’s General Ledger processes and its risks, to support achievement of its objectives. 

33.         Our system mapping and testing established that the General Ledger Feeder Systems and Journal processes are adequately designed and effectively operated.  The Council properly controls inputs from feeder systems, manages risk appropriately and maintains data integrity. The service holds well documented procedures and responsibilities; however, guidance notes are required for two elements of the process.

34.         Journal transfers between financial codes within the General Ledger are correct.   Retrospective checking is prioritised to the highest value transactions to reflect the risk appetite of the Finance Service, but this is not accurately reflected in journal logs.  Controls should be improved by formalising the journal checking protocol and maintaining journal evidence.

35.         Most recommendations are now complete.  For one low priority recommendation related to procedure notes the service asked for a deferral into the new-year to allow for incorporation into year-end processes.  We are satisfied the action is relatively minor and so the delay poses no material risk.  

V: Governance Review (July 2017)

36.        

The purpose of this review was to focus on the transparency arrangements in place at Ashford, Maidstone, Swale and Tunbridge Wells Borough Council, against the requirements set out in Principle G of the Good Governance Framework (the Framework) and the Local Government Transparency Code 2015 (the Code).

37.         Our review has confirmed that all 4 Councils are fulfilling all transparency requirements.  However, we have identified some areas where further consideration is needed to ensure full compliance with the Framework and Code. 

38.         The following table summarises some of the good practice and areas for improvement identified during the audit.

39.         The table below summarises the transparency requirements considered during the audit and our assessment for each element.  An assessment key and a summary of the key findings are also provided below:

VI: Public Health (August 2017)

40.         Our opinion based on our audit work is that Public Health has Sound controls in place to manage its risks and support achievement of its objectives. 

41.         Public Health is delivered through the use of service level agreements (SLA) between Kent County Council (KCC) and Maidstone Borough Council (the Council). The Council uses sub-contractors to deliver the individual schemes and initiatives within the public health programme. KCC, who provide the grant to fund Public Health, is currently reviewing the future direction and operation of the service; this has led to the short term extension of the existing arrangements for the last two years. This creates a degree of uncertainty over the delivery of public health until such time that a final decision is made.

42.         Despite the uncertainty over the future of the Public Health programme, the Council continues to provide effective oversight of individual schemes and projects delivered through regular monitoring and reporting arrangements. Our testing confirms that the programmes are delivered in accordance with the SLAs.

43.         We have however found that due to changes in roles and responsibilities there is a lack of formal internal budget monitoring over the use of the Public Health grant.

44.         While reporting is possible, the current arrangements need to be improved in order to provide a clearer understanding of spend throughout the year. 

45.         The recommendations from this review have not yet fallen due for action. 

VII: Accounts Payable (August 2017)

46.         Our opinion based on our audit work is that the Accounts Payable system has SOUND controls in place to process and pay invoices. 

47.         Our testing confirmed that the Council raises purchase orders in accordance with agreed procedures and that all payments are appropriately authorised prior to payment. 

48.         We identified a number of deficiencies in the design and operation of controls with new supplier information not being checked and validated prior to being set up on the finance system. We note that the Council remains vigilant to check changes to standing supplier data (such as bank details) in order to prevent fraudulent changes. However, without initial checks on the validity of new supplier information there is a risk that incorrect or false supplier data is entered into the system.

49.         Our testing found appropriate separation of duties between departments raising orders and the payment of invoices by the Finance Team, but the current responsibilities and processes over the payment run, mean that an officer (within finance) could set up a supplier and make a payment without the details being checked.

50.         The recommendations from this review have not yet fallen due for action. 

VIII: Business Rates – Valuations, Liability, Billing and Write Offs (October 2017)

51.         Our opinion based on our audit work is that the Mid Kent Revenues and Benefits has Strong controls in place to ensure that Business Rates (valuation, liability, billing and write offs) are effectively administrated.

52.         Our review found only minor changes to the Business Rates system since we reviewed it in June 2015. These changes have not affected the overall effective design and operation of the system, and our testing confirms that Business Rates process is working effectively.

53.         From our testing, we are able to confirm that the Mid Kent Revenue and Benefits section has well established procedures in place to ensure that accurate valuation, liability and billing records are being maintained.

54.         Similarly, our testing of write offs confirmed that there are established procedures for the writing off of irrecoverable debts, in accordance with each Council’s Financial Procedure Rules.

55.         The recommendation from this review has not yet fallen due for action. 

IX: IT Disaster Recovery (October 2017)

56.         Our opinion based on our audit work is that the ICT shared service has Sound controls in place to manage its Disaster Recovery (DR) arrangements.

57.         The service has well designed arrangements to allow effective response to a disaster with prompt service restoration.  Documentation is clear with well-considered roles plus comprehensive backup arrangements, secure communication and regular testing.  However, we found some minor instances of documentation falling behind developments in wider business continuity that varied between the partner authorities.  The service holds significant experience and expertise including offering advice to other authorities, but we identified opportunities to better document and manage that resource.

58.         Mid Kent ICT has acted swiftly to address the recommendations, which are all due for action before the end of 2017.  We will follow up on those actions early in 2018.

X: Debt Recovery Service (October 2017)

59.         Our opinion based on our audit work is that the Debt Recovery Service has STRONG controls in place over the administration and management of enforcement cases and receipting and banking of enforcement income. 

60.         We found that there are sufficient procedures in place for the administration and management of enforcement cases. Our testing confirmed that enforcement action is taken in accordance with agreed procedures and fees and charges are applied in accordance with regulations. However, we identified a potential improvement in how data is transferred and stored between the partner authorities and the service.

61.         Our testing established that financial controls, including receipting, banking and reconciliations, are operating effectively and as designed, and the partner authorities are accurately and promptly paid. However, we identified a potential risk in the process when updating enforcement cases with the payments received due to manual inputting of income received.

62.         We do not review follow up actions on advisory recommendations and so this report is closed.

 

Recommendation Follow Up Results

63.         Our approach to recommendations is that we follow up each issue as it falls due in line with the action plan agreed with management when we finish our reporting.  We report progress on implementation to Corporate Leadership Team each quarter. This includes noting any matters of continuing concern and where we have revisited an assurance rating (typically after action on key recommendations).

64.         In total, we summarise in the table below the current position on following up agreed recommendations:

Project	Total	High Priority[1]	Medium Priority	Low Priority
Recommendations brought forward into 2017/18	26	7	9	10
New recommendations agreed in 2017/18	44	3	16	25
Total Recommendations Agreed	70	10	25	35
Fulfilled by 30 September 2017	37	6	9	22
Recommendations cfwd past 30 September	33	4	16	13
Not Yet Due	22	1	11	10
Delayed Implementation but no extra risk	11	3	5	3
Delayed Implementation with risk exposure	0	0	0	0

 

65.         We provide the definitions of our priority ratings in Annex 2. In the table below we summarise progress against all reports with recommendations that fell due during 2017/18. The table excludes reports that raised no risk-rated recommendations for follow-up:

 

Project	Report Issue Date & Rating	Recs Agreed	Delayed & Risk exposure	Delays but no extra risk	On track but not due	Completed	Full Completion date
Safeguarding	Oct-15 (Weak)	12	0	0	0	12	Nov-17
Procurement	Feb-16 (Sound)	2	0	1	0	1
Health & Safety	Nov-16 (Weak)	14	0	0	0	14	Oct-17
Hazlitt	Nov-16 (Weak)	15	0	1	0	14
Housing Benefits	Nov-16 (Sound)	4	0	0	0	4	Oct-17
Facilities Management	Dec-16 (Sound)	7	0	0	0	7	Oct-17
Elections & Registration	Jan-17 (Sound)	3	0	1	0	2
Public Conveniences	Jan-17 (Sound)	4	0	1	0	3
Discretionary Housing Payments	Jan-17 (Sound)	5	0	0	0	5	Aug-17
Park & Ride	Apr-17 (Weak)	7	0	1	0	6
Performance Management	May-17 (Weak)	9	0	3	2	4
Freedom of Information	May-17 (Sound)	3	0	1	2	0
Residents Parking	May-17 (Sound)	8	0	1	3	4
Crematorium	Jun-17 (Sound)	3	0	0	3	0
ICT Controls & Access	June-17 (Sound)	4	0	0	0	4	Oct-17
General Ledger	Jul-17 (Sound)	4	0	1	0	3
Accounts Payable	Aug-17 (Sound)	3	0	0	3	0
Public Health	Aug-17 (Sound)	5	0	0	5	0
Business Rates	Oct-17 (Strong)	1	0	0	1	0
IT Disaster Recovery	Oct-17 (Sound)	4	0	0	4	0

 

 

 

Other Audit Activity Results

Risk Management Update

66.         Risk management is how the Council identifies, quantifies and manages the risks it faces as it seeks to achieve objectives.

67.         The Council set up a new risk management approach in July 2015. Since then we have been providing risk management support to help ensure the success of the approach.   As part of setting up the risk approach, we have over the course of the last year discussed with Members and Corporate Leadership Team defining the Council’s risk appetite.  Members adopted a risk appetite statement in October 2017. 

68.         We report the Council’s risks twice a year to Policy and Resources Committee and quarterly to Corporate Leadership Team.  Audit, Governance and Standards Committee receive an annual report on the effectiveness of the Council’s risk management.  We set out the current risk profile below:

Likelihood	5		1	1	1
	4		3	1	2
	3		11	42	5
	2		38	51	29	9
	1		10	19	18	5
		1	2	3	4	5
		Impact					246

69.         Following a comprehensive exercise to identify operational risks, we have seen an increase in the total recorded in the comprehensive risk register. This increased to 246 at August 2017 compared with 187 in September 2016. 

 

Corporate level risks

70.         By definition these risks are more strategic, inherently hold a greater impact to the Council, and potentially affect multiple services. They are the key risks that link directly to achieving our priorities. The Council continuously oversees these risks and reports to provide assurance on their management and mitigating actions. These risks are often also a product of the external environment beyond the Council’s control.

71.         In July 2017 we ran a workshop with Members and Officers to refresh the corporate risks.  Its focus was to review the existing corporate risks and identify any new or emerging risks. We also sought to identify risks the Council has successfully managed to a conclusion or have otherwise fallen from prominence owing to passage of time.  

72.         The tables below provide a summary of the corporate level risks. The matrix shows how each risk owner has assessed the impact and likelihood (see annex 3 for definitions):

73.         Risks by definition are uncertain, and it is not possible to remove all uncertainty, especially for the risks that align directly to the achievement of our objectives. We will therefore continue to report to Members and monitor progress over the course of the year to highlight any significant movement of risks over time.

74.         Risk management is a continuing enterprise. We will continue providing general support to the Council and focus in particular in the coming months on:

·         Embedding risk management in decision making;

·         Better integration of the risk framework with project management framework;

·         Creation of a risk webpage as part of the shared Mid Kent Audit webpage;

·         Training and briefing sessions to Officers and Members.

Counter Fraud Update

75.         We consider counter fraud and corruption risks in all of our audit engagements when considering the effectiveness of control.  We also undertake distinct work to assess and support the Council’s arrangements.

Investigations

76.         During 2017/18 we have continue the significant investigation referred in the previous update to the Committee in June.  We are now working alongside Kent Police in seeking evidence to allow us to bring the investigation to a conclusion. 

Whistleblowing

77.         The Council’s whistleblowing policy names internal audit as one route through which Members and officers can safely raise concerns on inappropriate or even criminal behaviour.

78.         We have had two matters raised with us for review during 2017/18.  We have resolved both matters to the complainants’ satisfaction and there are no details we need to bring to the Committee’s attention.

National Fraud Initiative

79.         We continue to coordinate the Council’s response to the National Fraud Initiative (NFI).  NFI is a statutory data matching project and we must send in various forms of data to the Cabinet Office who manage the exercise.

80.         The Cabinet Office released the 2017 matches in January 2017 as reported to this Committee in June 2017.  Most matches (64%) fall to the MKS Revenues & Benefits Compliance team to look into.  That team report separately to this Committee.

81.         We have now embarked on a review of the remaining matches starting with those identified by the Cabinet Office as ‘high risk’. We aim to meet the Government expectation to review all matches within two years.  We will report results of the matches to Members as part of our year-end review.

Counter Fraud Policy

82.         We reported to Members in June an expectation that CIPFA would be working with local practitioners during 2017/18 to develop counter fraud standards for local government. Through the Head of Audit Partnership’s roles with the Internal Audit Standards Advisory Board and London Audit Group we understand that development is delayed.  We also note the DWP’s recent extension of its pilot on leading Council Tax fraud that might further limit fraud roles within local government.

83.         Our plan had been to use these new standards to review the Council’s counter fraud and associated policies to ensure they conform to current best practice.  However, given the delay in developing national standards, we will now go ahead with this policy review early in the new-year. We will draw on current examples of best practice in governance, such as the CIPFA Counter Fraud Code.

Other Audit and Advice Work

84.         We also continue to undertake a broad range of special and scheduled consultancy and advice work for the Council.  Examples include our attendance at Information Governance and Corporate Governance Groups and as part of the Wider Management Team. We have also completed specific reviews looking at individual parts of the Council’s control environment at the request of officers such as payment processes at the Council’s depot.

85.         More significantly, we undertook an Independent Management Report (IMR) for the Kent & Medway Safeguarding Adults Board.  That review followed a referral by Maidstone BC after the death in late 2016 of a vulnerable adult within the borough.  As part of that review we considered the Council’s interactions with the individual and identified whether opportunities exist to learn lessons to improve services in future. 

86.         We fed back results to the Chief Executive in July 2017 noting that, especially given the advances in the Council’s safeguarding procedures in the last few years, we had no further recommendations for improvement.  We presented the IMR to the Kent & Medway Safeguarding Adults Board for consolidation alongside similar reports from various public sector agencies.

87.         We remain engaged and flexible in seeking to meet the assurance needs of the Council. We are happy to discuss opportunities large and small where the Council can usefully employ the experience and expertise of the audit team.

 

Code of Ethics and Standards Compliance

88.         On 1 April 2017 the RIASS[2] published a changed set of Public Sector Internal Audit Standards (the “Standards”).  These updates made more than thirty changes and improvements, building on the recently published International Professional Practices Framework.

89.         All auditors working in the public sector (including, for instance, health and central government too) must work to these standards for 2017/18.  One specific change is the new demand to report to Senior Management and the Board (Audit Committee) on conformance with the Code of Ethics and the Standards.

Code of Ethics

90.         We include the full Code at Annex 2.  Although a new document, similar codes were already part of the profession especially for people holding membership of professional institutions.  We have included the Code within our Audit Manual and training for some years.

91.         We can report to Members we remain in conformance with the Code.  For further assurance, the chart below describes some of the working practices and controls we use to encourage and oversee continuing adherence.

Public Sector Internal Audit Standards

92.         Under the Public Sector Internal Audit Standards we must each year assess our conformance to those standards and report the results of that assessment to Members.

93.         We underwent an external independent assessment from the IIA in 2014 which confirmed our full conformance with all but 6 of the standards and partial conformance to the rest.  In 2015, following action to fulfil the IIA’s recommendations, we achieved full conformance to the standards – the first English local authority audit service to be so assessed by the IIA.

94.         In 2017 we undertook a self-assessment against the Standards and confirm to Members we remain in full conformance.  We will undertake a new self-assessment in 2018 alongside our annual opinion.  However, including considering the changes to Standards published for 2017/18, we are confident we remain in full conformance. Our next external assessment is due before 2020.

Mid-Term Review

95.         The collaboration agreement between the four authorities demands the service undergo a ‘mid-term review’ before January 2018.  The aim of the review is to ensure the authorities continue to draw the benefits they expect from working together and point towards how the partnership can continue to improve.

96.         We undertook this review principally as a self-assessment during late summer 2017.  However, we also sought a wide range of qualitative and quantitative evidence including a survey sent to more than a hundred members and officers and face-to-face discussions with key individuals.

97.         The overall picture of Mid Kent Audit that emerged from the review is of a service working well and delivering above expectations.  Several participants also remarked how much those expectations have risen in recent years, focusing on the clarity of our reporting and the increasing value of advice and wider governance work.  Authorities place great value in Mid Kent Audit as a template of how partnership working can deliver improved expertise, resilience and learning unavailable from a single-authority enterprise.  As a result, all four authorities show a strong wish to continue the arrangement beyond 2019. They also encourage Mid Kent Audit to take on extra roles and work outside the partnership where doing so can continue delivering benefits to the authorities.

98.         We found the current collaboration agreement contains various sections related to the detail of service delivery that do not work as intended.  However, we noted councils did not consider the variations important and most were unaware of them.  Essentially, while satisfaction is high, councils have not inquired deeply into the detail.  This gives strong support for the future agreement to focus more narrowly on governance with questions of service delivery for agreement with individual authorities through audit plans and charters.

99.         The full report goes into detail on the governance and survey results but we’d like to highlight one area.  The final question of the survey invited participants to score on a scale of 0-100 the question of how likely they would be, if asked, to recommend Mid Kent Audit to another authority.  The results showed a strong positive response to the audit service remaining consistent across members, officers and authorities.

Performance Indicators

100.     Aside from the progress against our audit plan we also report against some specific performance measures designed to oversee the quality of service we deliver to partner authorities.  The Audit Board (with Mark Green, Director of Finance & Business Improvement as the Council’s representative) considers these measures at each quarterly meeting. We also consolidate the results into reports presented to the MKS Board (which includes the Council’s Chief Executive and Leader).

101.     Note that all figures are for performance across the Partnership.  Given how closely we work together as one team, as well as the fact we examine services shared across authorities, it is not practical to present authority by authority data.  

Measure	2014/15 Results	2015/16 Results	2016/17 Results	2017/18 Q2 Results
Cost per audit day	Met target	Met target èç	Beat target é	Beating target é
% projects completed within budgeted number of days	47%	60% é	71% é	77% é
% of chargeable days	75%	63% ê	74% é	75% é
Full PSIAS conformance	56/56	56/56 èç	56/56 èç	58/58 é
Audit projects completed within agreed deadlines	41%	76% é	81% é	85% é
% draft reports within ten days of fieldwork concluding	56%	68% é	71% é	77% é
Satisfaction with assurance	100%	100% èç	100% èç	100% èç
Final reports presented within 5 days of closing meeting	89%	92% é	94% é	100% é
Respondents satisfied with auditor conduct	100%	100% èç	100% èç	100% èç
Recommendations fulfilled as agreed	95%	98% é	98% é	95% èç
Exam success	100%	100% èç	85% ê	67% ê
Respondents satisfied with auditor skill	100%	100% èç	100% èç	100% èç

 

102.     We note the continuing improvement in performance and productivity in our project reviews, while keeping high levels of satisfaction with the service. 

103.     While we seek comments from a broad range of sources, the principal driver for the satisfaction numbers is responses to the surveys we circulate with each final report.  Response rates to the surveys have varied over the years, but never been high.  The response rate at this authority is 15%, placing third amongst the partner authorities.  We continue to work with audit sponsors, recognising the many draws on their time, to develop ways to gain comments on our work.

104.     On exam success, we continue to see the influence of the IIA’s change to its qualification approach that has depressed pass rates across the country. Our results remain above the national average and our people continue to succeed at retake.

Swale Stars Team of the Year 2017

105.     We report with delight that we received “Team of the Year” at the Swale Stars awards earlier this year.  As a purely internal service with no public facing role we are aware that audit is often, understandably, overlooked for awards so take great pride in this honour.  Beyond the performance data and results noted above we believe firmly that an effective audit service is one that creates and nurtures close working with our clients.  It is only by that close working that we can fulfil the mission of internal audit to provide effective, insightful and future focused support.

106.     Our integrated working means almost the entire team has spent some time at Swale and so contributed to our achievement. However we’d like to praise the individuals who work most closely with the Council; Frankie Smith and Jo Herrington.

Acknowledgements

107.     We achieve these results through the hard work and dedication of our team and the resilience that comes from working a shared service across four authorities.

108.     As a management team in Mid Kent Audit, we wish to send our public thanks to the team for their work through the year so far.

109.     We would also like to thank Managers, Officers and Members for their continued support as we complete our audit work during the year.

Annex 1: Assurance & Priority level definitions

Assurance Ratings 2017/18 (Unchanged from 2014/15)

Full Definition	Short Description
Strong – Controls within the service are well designed and operating as intended, exposing the service to no uncontrolled risk.  There will also often be elements of good practice or value for money efficiencies which may be instructive to other authorities.  Reports with this rating will have few, if any; recommendations and those will generally be priority 4.	Service/system is performing well
Sound – Controls within the service are generally well designed and operated but there are some opportunities for improvement, particularly with regard to efficiency or to address less significant uncontrolled operational risks.  Reports with this rating will have some priority 3 and 4 recommendations, and occasionally priority 2 recommendations where they do not speak to core elements of the service.	Service/system is operating effectively
Weak – Controls within the service have deficiencies in their design and/or operation that leave it exposed to uncontrolled operational risk and/or failure to achieve key service aims.  Reports with this rating will have mainly priority 2 and 3 recommendations which will often describe weaknesses with core elements of the service.	Service/system requires support to consistently operate effectively
Poor – Controls within the service are deficient to the extent that the service is exposed to actual failure or significant risk and these failures and risks are likely to affect the Council as a whole. Reports with this rating will have priority 1 and/or a range of priority 2 recommendations which, taken together, will or are preventing from achieving its core objectives.	Service/system is not operating effectively

 

Recommendation Ratings 2017/18 (unchanged from 2014/15)

Priority 1 (Critical) – To address a finding which affects (negatively) the risk rating assigned to a Council strategic risk or seriously impairs its ability to achieve a key priority.  Priority 1 recommendations are likely to require immediate remedial action.  Priority 1 recommendations also describe actions the authority must take without delay.

Priority 2 (High) – To address a finding which impacts a strategic risk or key priority, which makes achievement of the Council’s aims more challenging but not necessarily cause severe impediment.  This would also normally be the priority assigned to recommendations that address a finding that the Council is in (actual or potential) breach of a legal responsibility, unless the consequences of non-compliance are severe. Priority 2 recommendations are likely to require remedial action at the next available opportunity, or as soon as is practical.  Priority 2 recommendations also describe actions the authority must take.

Priority 3 (Medium) – To address a finding where the Council is in (actual or potential) breach of its own policy or a less prominent legal responsibility but does not impact directly on a strategic risk or key priority.  There will often be mitigating controls that, at least to some extent, limit impact.  Priority 3 recommendations are likely to require remedial action within six months to a year.  Priority 3 recommendations describe actions the authority should take.

Priority 4 (Low) – To address a finding where the Council is in (actual or potential) breach of its own policy but no legal responsibility and where there is trivial, if any, impact on strategic risks or key priorities.  There will usually be mitigating controls to limit impact.  Priority 4 recommendations are likely to require remedial action within the year.  Priority 4 recommendations generally describe actions the authority could take.

Advisory – We will include in the report notes drawn from our experience across the partner authorities where the service has opportunities to improve.  These will be included for the service to consider and not be subject to formal follow up process.

 

Annex 2: Institute of Internal Audit Code of Ethics

 

ANNEX 3         Definitions for Impact and Likelihood

Risks are assessed for impact and likelihood. So that we achieve a consistent level of understanding when assessing risks, the following agreed definitions have been used to inform the assessment of risks on the comprehensive risk register.